Presentation on theme: "HIPAA Privacy and Security at TGH"— Presentation transcript:
1 HIPAA Privacy and Security at TGH. Research Department Training. Jeh Mohr, Senior Auditor, Corporate Compliance & Audit
2 HIPAA Headline News Stories: Minnesota Health System Fires 32 Employees for snooping in records. In another example of a spectacle that’s so intriguing that some health care workers will risk their jobs for a peek, Allina Hospitals and Clinics in Minnesota fired 32 employees recently for improperly accessing the records of patients involved in a headline-making incident. Jackson Health System (JHS) in Miami is conducting an internal investigation and cooperating with law enforcement after an employee inappropriately accessed patient information. JHS has terminated the individual’s employment and notified the affected patients. Richard Charette, who pleaded guilty in February to violating HIPAA, was sentenced to 33 months in prison, according to the U.S. Attorney’s Office for the District of Nevada. Charette participated in a scheme to receive and disclose records of trauma patients treated at the University Medical Center of Southern Nevada.
3 HIPAA Headline News Stories: University Medical Center (UMC) in Tucson, Ariz., said that three employees and a contract nurse inappropriately accessed patients’ electronic medical records in the wake of the shootings involving a U.S. Congresswoman and 18 others. The three clinical support staff members and the contracted nurse all have been terminated from their jobs by their employers. Hospital staffers fired for sending photo of patient's wounds. The Hospital of Saint Raphael in New Haven, Connecticut recently fired three workers and disciplined four others after a clinician took a photo of a 17-year-old gunshot victim in the ED and sent it to others. (New Haven Register/Boston Globe reports) Hospital employee sentenced to 1 year in prison for accessing patient’s PHI and posting HIV status on website. Also received 5 years probation and 200 hours of community service.
4 HIPAA - Background: The Health Insurance Portability and Accountability Act (HIPAA) of 1996 established the basis for the Privacy and Security Rules. Why is the knowledge of HIPAA important? Healthcare providers must be knowledgeable of HIPAA to provide reasonable safeguards to protect the privacy of patients’ protected health information (PHI). Inappropriate use or disclosure of patients’ PHI that violates HIPAA can result in civil and criminal penalties to TGH as well as you as an employee or as an individual. We must protect the privacy of our patients’ medical records. Inappropriate access, use or disclosure of a patient’s PHI can result in personal, civil and/or criminal penalties.
5 HIPAA - Background: Privacy Rule: The Privacy Rule includes national standards for the protection of Protected Healthcare Information (PHI). Standards were developed by the Department of Health and Human Services (HHS). The Office of Civil Rights (OCR) implements and enforces the Privacy and Security Rules with respect to compliance and penalties. Security Rule: The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information in order to protect the privacy of PHI from intentional or unintentional use or disclosure.
6 HIPAA - Privacy. Privacy Basics: To protect patient information from being used or disclosed inappropriately. To give patients greater control over sharing of their PHI. To increase patient access to information.
7 HIPAA - Definitions (Con’t): Notice of Privacy Practices: Each patient seen at TGH receives a written notice of privacy practices. The HIPAA privacy regulations provide that covered entities must make a good faith effort to provide the patient with its Notice of Privacy Practices and obtain a written acknowledgement of such receipt from the patient. The Notice describes: How medical information about a patient may be used and disclosed. How a patient can gain access to this information. How a patient should request amendments. How a patient should request accountings of disclosures. How a patient should request restrictions on or opt-out provisions. How a patient should request confidential communications of information. Patients can opt out of being included in the hospital directory. Patients can also choose to be “no information” or confidential, which means no information will be shared with anyone contacting the hospital unless they can provide the code word. Example: Patient requested to be confidential. Patient complained that a phone call was forwarded to their room. The patient was a TGH employee. A co-worker “looked up” the patient and called the room directly. This is a violation. Only “look up” or access patients you are involved in treatment, payment or operations of the hospital for.
8 HITECH Notice of Privacy Practices (continued): Final Rule changes impact the content of the Notice of Privacy Practices, as set out in § The privacy notice, as of the compliance date, must contain the following additional statements: The covered entity must obtain an authorization for the use and disclosure of psychotherapy notes, marketing, and the sale of PHI (§ (a)(2)–(a)(4)); if the covered entity does not maintain psychotherapy notes, it does not need to include the statement; Other uses and disclosures not described in the notice will be made only with the individual’s written authorization; The individual may revoke an authorization as provided by § (b)(5); If a covered entity intends to use PHI for fundraising; The covered entity intends to contact the individual for fundraising;
9 HITECH Notice of Privacy Practices (continued): The individual has the right to opt out of the fundraising contacts; The covered entity will not “sell” PHI without the individual’s authorization; The individual may restrict disclosure of PHI to a health plan where the individual has paid out-of-pocket in full for the services (only providers need include this statement); The individual’s right to be notified after a breach of unsecured PHI (a simple statement is sufficient for this requirement); For health plans (except long-term care issuers), a statement that the health plan is prohibited from using or disclosing PHI that is genetic information of an individual for underwriting purposes.
10 HITECH Right to Request Restrictions: Before the final rule amendments, an individual was permitted to request that the covered entity restrict disclosure of his/her PHI for treatment, health care operations, and payment and to family members (§ (a)). Covered entities did not need to agree to the restriction, but if they did, they must abide by it. Section 13405(a) of the HITECH Act adds a provision requiring the covered entity to comply with an individual’s request to restrict disclosure to a health plan or its business associate for payment or health care operations if the individual, a family member, or another individual has paid in full out-of-pocket for the items or services in question. Payment from a flexible spending account or health savings account is considered out-of-pocket payment. Covered entities will need to design a way to flag the required restriction.
11 HIPAA - Definitions (Con’t): Accounting of Disclosures: Currently a patient may request a detailed written accounting of disclosures of PHI made by a covered entity in the six years prior to the date on which the accounting is requested, except for the following: Information for the treatment, payment of services and health care operations (TPO). Information disclosed to the patient. Signed authorizations. Information used for national security, intelligence purposes, law enforcement or correctional institutions. Information that is part of a limited data set. Once the new regulations under the Health Information Technology for Economic and Clinical Health Act (HITECH), a division of American Recovery and Reinvestment Act (ARRA), go into effect, accounting of disclosures must include disclosures for TPO. Everyone that accessed the Medical Record outside of TPO (treatment, payment or operations of the hospital). There is a proposed new rule that changes the time to 3 years. But, if requested, the patient may receive a list of EVERYONE that accessed their medical record. Many comments have been issued regarding this provision of the proposed rule. Comments included healthcare workers’ safety, i.e., emergency room or psych workers. Example: Patient is in the hospital and their spouse, a physician, accessed the medical record. The physician was not involved with the treatment of the spouse but reviewed the medical record. Subsequently there were divorce proceedings. The spouse requested an accounting of disclosure. The husband had accessed the spouse’s PHI, which was a violation. Example: A TGH employee accessed her adult daughter’s medical record without her permission. This is a HIPAA violation. CCA receives complaints from not just the patients, but physicians and employees.
12 HIPAA - Definitions (Con’t): Incidental disclosures means disclosures that are limited in nature and occur as a by-product of an otherwise permissible use or disclosure. Incidental disclosures will not be considered a violation of the privacy rule if reasonable safeguards are in place and the minimum necessary requirements are met. For example: Keep information on white boards/locator boards to a minimum. Do not discuss patients in public areas, such as elevators, corridors, cafeteria, etc. Use of cubicles, dividers, shields or curtains in areas of multiple patient-staff or physician communications, such as pre-op, admitting areas, waiting rooms, etc. Incidental disclosures are just that: disclosures that occur in the daily caring of patients. However, TGH must have reasonable safeguards in place and appropriate training, policies and procedures. If visitors are in the room, or if the patient is in a semi-private room, ask the patient’s permission before discussing PHI. This does make it more difficult if both patients are bed rest only. Speak in a quiet voice. Example: PHI discussed in hallway outside patient’s room. The family was not aware of the treatment plan. OR holding areas: obtaining history from patient. Complaints about patients being discussed in Starbucks. Even if you do not mention the patient’s name, a family member may recognize you as caring for their loved one. Be aware of “lurkers”, visitors hanging out in the hallways and eavesdropping on conversations.
13 HIPAA - Definitions (Con’t): Minimum necessary standard requires that health care staff must make a reasonable effort to disclose or use only the minimum amount of PHI needed to provide patient care, the PHI they “need to know”. For example, records compiled in response to a PHI request for a specific date of service should not include treatment records for other dates of service. However, the minimum necessary limitation does not apply when the disclosure is for treatment purposes. ONLY view PHI necessary to perform your job duties!! Role based access. Laboratory, radiology techs, dietary personnel do not need to see the entire medical record to do their job. Example: Fax coversheet provided too much information. NO PHI on fax coversheet.
14 Key Provisions of TGH’s HIPAA Policies (Con’t): If you are not involved in the provision of care to a patient then you have no right to access, use or disclose protected health information (PHI) related to that patient’s care. Your access to patient information must be in the context of providing direct or indirect patient treatment. Viewing or accessing the medical records of a family member, friend or associate whose treatment you are not involved in, without written authorization, is a violation of HIPAA. Such violations are subject to disciplinary actions, up to and including termination. Example: We have had incidences of employees accessing family members’ PHI, boy/girlfriends’ PHI. Do not access your own record. Go to HIM release of information. Currently there is no policy but it is strongly discouraged. No policy as yet due to differing points of view. Arguments against include some employees could enter or alter information in their MR. It’s not fair because not every employee has access. Future plans for EPIC MyChart: access to portions of your medical record via a portal. You will have a user name and password.
15 Key Provisions of TGH’s HIPAA Policies (Con’t): You must be careful in communicating or discussing PHI. Prior to speaking to a patient in the presence of others, ask the patient if it is okay to discuss their patient information in the presence of others. Take the patient to a conference room; or ask others to wait outside of the room during confidential discussions. Very difficult but necessary. Example: Resident, upon entering patient’s room with family present, discussed the patient’s HIV status. The patient had not disclosed this to his family at that time.
16 Key Provisions of TGH’s HIPAA Policies (Con’t): Do not leave patient records or other confidential information out and available for anyone to see. Do not dispose of PHI in trashcans; place it in confidential trash bins. Do not discuss patient information outside of TGH. Do not leave any papers with PHI in conference rooms, on fax machines, copiers, printers, etc. Dispose of PHI in CONFIDENTIAL TRASH BINS. Example: Office did not have the “official” confidential bin. They were using a blue “recycle” bin for shred items and thought it was ok as long as they emptied it into the confidential bin at the end of the day. Consequently, Environment emptied the bin, noticed and reported PHI in a recycle bin. This office now has a confidential bin.
17 HIPAA - Security. Security Basics: Ensure confidentiality, integrity and availability of electronic PHI. Protect against threats or hazards. Protect against unauthorized uses or disclosures. Use of flash drives is STRONGLY discouraged.
18 HIPAA (Con’t): TGH-issued equipment, such as laptop computers, cell phones, and pagers, must be protected from theft or damage. Never leave equipment unsecured or unattended in public areas. Lock equipment in file cabinets/drawers when not in use. Data stored on TGH’s equipment, such as laptops, PDAs, cell phones, and so forth, are the property of TGH. In order to prevent unauthorized access to the data, users are required to enable the password protection or lock code functions available on the equipment. A breach involving more than 500 patients results in notification to Media, notifying all patients involved and posting to the hospital’s web site.
19 HIPAA Security (Con’t): Things you can do to safeguard security: Log on and log off of your computer. Never let others use your log-on and/or password; all users are required to have a unique user ID and password. Follow guidelines for password use. We have had more than one occasion where an employee did not log off. This was verified as the log on was active for almost 24 hours. LOG OFF!!! In EPIC anyone entering information into EPIC is electronically “signed” as the person that is logged on. Do not access patient’s information that is not in your care!! Even for a physician; physicians have their own user name and password. If this happens please contact the Chief Medical Officer, Dr. Sally Houston.
20 Key Provisions of TGH’s HIPAA Policies (Con’t): Automatic forwarding from a TGH-owned account to an external network account is prohibited. Faxing of Medical Information (Refer to Policy IM-31, Faxing of Medical Information): Releases of medical information should be through the Health Information Management (HIM) department. Limited to use by healthcare providers for immediate and/or emergency patient care purposes. Fax only when the original document or mail delivered photocopies will not serve the purpose. A signed patient authorization is required. Ensure that the fax is sent to the appropriate destination; verify the fax number. A fax cover sheet (form F-561) must precede the transmission. Report misdirected faxes to Corporate Compliance immediately by completing an Incident Report. When printing information, for example for patient discharge or discharge to SNF, be sure to check that each page is ONLY for the patient you are working with and does not include any other documents that may have been printed by someone else on the unit for another patient.
21 Key Provisions of TGH’s HIPAA Policies (Con’t): No PHI, including photographs, should be disclosed through the use of social networks, such as Facebook, MySpace, Twitter or other on-line personal communications networks. Social networks are considered public. Disclosures of PHI would potentially violate the HIPAA privacy rules. NO PHOTOS WITH CELL PHONES!!!!!!!
22 Key Provisions of TGH’s HIPAA Policies (Con’t): All electronic mail messages and the data contained therein are the property of TGH. Users should not expect privacy of any messages created, sent, stored, or received using the system. TGH reserves the right to monitor with the express authorization by the CEO.
23 Key Provisions of TGH’s HIPAA Policies (Con’t): Internet usage is provided by TGH and is intended primarily for business use. TGH reserves the right to monitor Internet usage. Computer audit access logs for TGH’s applications record each user’s access of a patient’s PHI. Refer to TGH policy RI-54, “Information Privacy and Security Compliance”. Access logs are pulled at a patient’s request and for periodic random audits.
24 Key Provisions of TGH’s HIPAA Policies (Con’t): Check files for viruses before loading CDs, diskettes, or downloading files on TGH computers. Contact the Technology Support Center at extension 7490 to acquire or load software programs on TGH computers. Downloading movies, music and books, reports and other such files for personal use is not permitted.
25 Key Provisions of TGH’s HIPAA Policies (Con’t): TGH management reserves and retains the authority to: Restrict or revoke any user's access to computerized information; Inspect, copy, remove or otherwise alter any data, program or other system resource that may undermine hospital policies directed to the protection of PHI; Take any other steps deemed necessary to manage and protect all protected health information on TGH information systems. This authority may be exercised with or without notice to the involved users. TGH disclaims any responsibility for loss or damage to data or software that results from its efforts to meet these security objectives.
26 HIPAA (Con’t): Health care professionals who fail to comply with TGH’s policies, procedures, or federal and state laws shall be subject to disciplinary action in accordance with TGH administrative policies, which includes possible termination of employment. In certain circumstances you can be personally subject to civil and/or criminal prosecution for violations of HIPAA, including monetary penalties. Refer to TGH policy RI-54, “Information Privacy and Security Compliance”.
27 HIPAA IN AN EPIC WORLD: EPIC will log the actions of all users as they routinely view and interact within the EMR. Break the Glass (BTG) is an event tracking feature for specialized groups of patients and encounters. Your Password and a Reason are required to proceed into the record. Confidential Patient; Private Encounter; Behavioral Health Unit (7F). BTG prompts users with a warning that they are entering a “restricted” patient record. BTG provides enhanced reporting/audit review of what is done after a BTG event. EPIC can also limit visibility of special unit lists (Behavioral Health). EPIC is configured for SSN masking (XXX-XX-1234).
28 What will EPIC not do? EPIC will not… Prevent all intentional and inappropriate access to the record. EPIC’s recommendation is to use BTG to inform users, but users must understand, and are accountable for, the “appropriateness” of viewing a patient’s record. EPIC will not… Mask a patient’s identity without changing their name. USERS are responsible for their actions in using any system containing PHI.
29 Key Provisions of TGH’s HIPAA Policies (Con’t): If you believe a breach of patient privacy or security of information incident has occurred, complete an incident report. Check with a manager if you need assistance. You may also call the Corporate Compliance Line or the TGH Privacy or Security Officers. TGH’s Privacy Officer is Ron Peterson, Director of Corporate Compliance & Audit. His office number is TGH’s Security Officer is Balaji Ramadoss, VP, Chief Technology Officer. His office number is
30 HIPAA Case Studies-Privacy. Scenario #1: A friend contacts you. The friend has a fellow employee or friend scheduled to have surgery at TGH. The friend asks if you would periodically check on their friend during and after surgery and provide updates. The friend pre-registered and did not opt-out of disclosing general condition information or directory information. You have no involvement with the care of the patient. During and after the surgery you find out information on the patient and provide more than general conditions or directory information to your colleague at Hospital A.
31 HIPAA Case Studies-Privacy (Con’t): Question: Have you violated HIPAA?
32 HIPAA Case Studies (Con’t): Have You Violated HIPAA? Answer: YES! You have, if you provide more than general conditions updates. If as a clinician you have no involvement in the patient’s care, you should not access any information associated with the patient. HIPAA’s minimum necessary rule says that you can access information on patients that you are involved in providing care to. In that context you have a “need to know” the medical information necessary to provide care to the patient. Since you have no involvement with the patient you have no need to know anything about this patient. Disclosing more than general condition or directory information would be a violation of HIPAA and could subject you to potential disciplinary actions.
33 HIPAA Case Studies-Privacy. Scenario #2: Two patients are in a semi-private room. In addition both patients have family members and friends present in the room. You enter the room and immediately begin to discuss patient A’s medical information in a voice loud enough for all present in the room to overhear the conversation.
34 HIPAA Case Studies-Privacy (Con’t): Question: Have you violated HIPAA? What could you have done differently?
35 HIPAA Case Studies-Privacy (Con’t): Answer: YES! You may have, if you did not take reasonable safeguards to minimize the disclosures overheard by the persons present. Reasonable safeguards, such as: Ask the patient prior to any discussion of their medical information, whether it is okay to discuss it in front of the persons present in the room; Ask the persons, including the patient in the adjacent bed, if practical, to temporarily leave the room; Taking the patient to a conference room to discuss the medical information; and Speaking in a quiet voice so that no one other than the patient could have heard the conversation, are a few examples of what might be considered reasonable safeguards. What if this was a waiting room, would this change your approach?
36 HIPAA Case Studies-Security. Scenario #3: You receive an email with an attachment from an unknown source. The email reads that your computer has been infected with a virus and you need to follow the directions and open the attachment to get rid of it. Question: Should you follow the instructions?
37 HIPAA Case Studies-Security (Con’t): Answer: No! Never open unexpected attachments from unknown sources. If you are unsure about whether you should open something, contact the Technology Support Center at ext 7490.
38 HIPAA Case Studies-Security. Scenario #4: A new resident hasn’t yet been given a username and password for the computer system. The resident needs to access the computer system. Question: Should you just let the resident use your username and password until one is assigned?
39 HIPAA Case Studies-Security (Con’t): Answer: No! You should never allow anyone to use your username and password to log on to the system. Have the new resident contact a manager or the Help Desk at ext to inquire about when to expect to receive his or her own username and password and what interim actions can be taken until one is assigned.
41 HITECH: Health Information Technology for Economic and Clinical Health Act (HITECH). IMPROVING HEALTH CARE QUALITY, SAFETY, AND EFFICIENCY; APPLICATION AND USE OF ADOPTED HEALTH INFORMATION TECHNOLOGY STANDARDS; IMPROVED PRIVACY PROVISIONS AND SECURITY PROVISIONS; RELATIONSHIP TO OTHER LAWS; REGULATORY REFERENCES
42 HITECH: CERTIFIED EHR TECHNOLOGY — The term ‘certified EHR technology’ means a qualified electronic health record that is certified pursuant to section 3001(c)(5) as meeting standards adopted under section 3004 that are applicable to the type of record involved (as determined by the Secretary, such as an ambulatory electronic health record for office-based physicians or an inpatient hospital electronic health record for hospitals). ENTERPRISE INTEGRATION — The term ‘enterprise integration’ means the electronic linkage of health care providers, health plans, the government, and other interested parties, to enable the electronic exchange and use of health information among all the components in the health care infrastructure in accordance with applicable law, and such term includes related application protocols and other related standards.
43 HITECH: Subtitle A—Promotion of Health Information Technology. ‘‘SEC OFFICE OF THE NATIONAL COORDINATOR FOR HEALTH INFORMATION TECHNOLOGY. ESTABLISHMENT — There is established within the Department of Health and Human Services an Office of the National Coordinator for Health Information Technology (referred to in this section as the ‘Office’). PURPOSE — The National Coordinator shall perform the duties under subsection (c) in a manner consistent with the development of a nationwide health information technology infrastructure that allows for the electronic use and exchange of information and that—
44 HITECH: Purpose: (1) ensures that each patient’s health information is secure and protected, in accordance with applicable law; (2) improves health care quality, reduces medical errors, reduces health disparities, and advances the delivery of patient centered medical care; (3) reduces health care costs resulting from inefficiency, medical errors, inappropriate care, duplicative care, and incomplete information; (4) provides appropriate information to help guide medical decisions at the time and place of care; (5) ensures the inclusion of meaningful public input in such development of such infrastructure;
45 HITECH: Purpose: (6) improves the coordination of care and information among hospitals, laboratories, physician offices, and other entities through an effective infrastructure for the secure and authorized exchange of health care information; (7) improves public health activities and facilitates the early identification and rapid response to public health threats and emergencies, including bioterror events and infectious disease outbreaks; (8) facilitates health and clinical research and health care quality; (9) promotes early detection, prevention, and management of chronic diseases; (10) promotes a more effective marketplace, greater competition, greater systems analysis, increased consumer choice, and improved outcomes in health care services; and (11) improves efforts to reduce health disparities.
46 HITECH Subtitle D—Privacy: The term ‘‘breach’’ means the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information. ELECTRONIC HEALTH RECORD — The term ‘‘electronic health record’’ means an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.
47 HITECH PART 1—IMPROVED PRIVACY PROVISIONS AND SECURITY PROVISIONS: (a) APPLICATION OF SECURITY PROVISIONS — Sections , , and of title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity. The additional requirements of this title that relate to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity. (b) APPLICATION OF CIVIL AND CRIMINAL PENALTIES — In the case of a business associate that violates any security provision specified in subsection (a), sections 1176 and 1177 of the Social Security Act (42 U.S.C. 1320d–5, 1320d–6) shall apply to the business associate with respect to such violation in the same manner such sections apply to a covered entity that violates such security provision.
48 HITECH SEC. 13402. NOTIFICATION IN THE CASE OF BREACH. (a) A covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information (as defined in subsection (h)(1)) shall, in the case of a breach of such information that is discovered by the covered entity, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of such breach.
49 HITECH TIMELINESS OF NOTIFICATION: INDIVIDUAL NOTICE - All notifications required under this section shall be made without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach by the covered entity involved (or business associate involved in the case of a notification required under subsection (b)). MEDIA NOTICE - Notice shall be provided to prominent media outlets serving a State or jurisdiction, following the discovery of a breach described in subsection (a), if the unsecured protected health information of more than 500 residents of such State or jurisdiction is, or is reasonably believed to have been, accessed, acquired, or disclosed during such breach. NOTICE TO SECRETARY - Notice shall be provided to the Secretary by covered entities of unsecured protected health information that has been acquired or disclosed in a breach. If the breach was with respect to 500 or more individuals then such notice must be provided immediately. If the breach was with respect to less than 500 individuals, the covered entity may maintain a log of any such breach occurring and annually submit such a log to the Secretary documenting such breaches occurring during the year involved.
50 HITECH BUSINESS ASSOCIATE: SEC NOTIFICATION IN THE CASE OF BREACH. (b) NOTIFICATION OF COVERED ENTITY BY BUSINESS ASSOCIATE — A business associate of a covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information shall, following the discovery of a breach of such information, notify the covered entity of such breach. Such notice shall include the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, accessed, acquired, or disclosed during such breach.
51 HITECH BUSINESS ASSOCIATE: Includes any organization that has “routine” access to PHI to perform a service for the covered entity (CE). Exception is if they do not have routine access, and they are considered “conduits” providing only courier services, such as the U.S. Postal Service or internet providers that offer data transmission only. An entity that maintains PHI on behalf of the CE is a BA even if it does not actually view the PHI. Researchers are not business associates unless they act in a business associate capacity for the CE.
52 HITECH BUSINESS ASSOCIATE: Includes “Subcontractors” of Business Associates: a person to whom a business delegates a function, activity, or services other than in the capacity of a workforce member. Business Associate (BA) must obtain “satisfactory assurance” (BA agreement) from the subcontractor that it will protect PHI. Protects individuals’ PHI no matter how many subcontractors of subcontractors exist.
53HITECH BUSINESS ASSOCIATE AGREEMENT REQUIREMENTS
If a covered entity wants a business associate to be liable for additional provisions of the privacy rule, compliance with the provision must be included in the business associate agreement § (e).
The agreement must state that the business associate will:
- Comply with the provisions of the security rule;
- Report breaches of unsecured protected health information under the breach reporting rules;
- Ensure that a subcontractor agrees to the same restrictions and conditions that apply to the business associate with respect to such information; and
- Comply with the privacy requirements that apply to the covered entity in the performance of an activity the business associate is carrying out on behalf of the covered entity.
54HITECH PENALTIES
- No knowledge / Carelessness - $100 for each violation, not to exceed $25,000 during a calendar year for identical violations.
- Reasonable Cause (but not willful neglect) - $1,000 for each violation, not to exceed $100,000 during a calendar year for identical violations.
- Willful Neglect (corrected) - $10,000 for each violation, not to exceed $250,000 during a calendar year for identical violations.
- Willful Neglect (not corrected) - $50,000 for each violation, not to exceed $1,500,000 during a calendar year for identical violations.
HITECH Act also allows state attorneys general to levy fines, seek attorney’s fees, and award costs.
55HITECH
PART 2—RELATIONSHIP TO OTHER LAWS; REGULATORY REFERENCES; EFFECTIVE DATE; REPORTS
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT: The standards governing the privacy and security of individually identifiable health information promulgated by the Secretary under sections 262(a) and 264 of the Health Insurance Portability and Accountability Act of 1996 shall remain in effect to the extent that they are consistent with this subtitle. The Secretary shall by rule amend such Federal regulations as required to make such regulations consistent with this subtitle.
57Human Research Privacy Human Research and HIPAA Privacy
58Human Research Privacy Ethical Research Codes
- Nuremberg Code of 1947 – Doctors involved in Nazi human experiments
  - Consent
  - Avoiding unnecessary physical and mental suffering
  - Ensure risk never exceeds humanitarian importance of experiment
- Declaration of Helsinki in 1964
  - Duty to protect life, health, dignity, integrity, privacy, confidentiality of research subjects
- Belmont Report of 1972 – addressed ethical lapses in research (i.e., Tuskegee syphilis study)
  - Informed Consent, Assessment of Risk and Benefits, Selection of Subjects
  - Respect for Persons, Beneficence, Justice
59Human Research Privacy Major Compliance Rules
- National Science Foundation – Defines Privacy and Confidentiality
  - Privacy relates to Persons, and Confidentiality relates to restricting access to Data
- Health and Human Services - Common Rule for Human Subjects (45 CFR 46)
  - Living Individual where investigator obtains Data or Identifiable Private Information
- Food and Drug Administration Regulations - Definition of H.S. (21 CFR 50 and 56)
  - Healthy Human or Patient participating in Research
- HIPAA Privacy Rule (45 CFR 160 and 164) – Does not define H.S.
  - Defines PHI and specifies compliance for deceased individuals
- Public Health Service Act Certificates of Confidentiality (301 (d), 42 U.S.C. 241 (d))
  - Can protect the privacy of subjects from Federal, State, or local civil, criminal, administrative, legislative proceedings
60Human Research Privacy Common Rule
- Applies to research funded by a federal department or agency
- Must provide written assurance of compliance, filed with HHS Office of Human Research Protections
- Requires Institutional Review Boards (IRB) to review proposed research. Criteria for approval include:
  - Risks to subjects are minimized
  - Informed Consent is sought and documented
  - Research Plan ensures subject safety
  - Provisions to protect privacy of subjects and confidentiality of data
  - Safeguards for vulnerable populations
61Human Research Privacy Informed Consent – Requirements and Elements
- Give opportunity for subject to decide whether or not to participate
- Language must be understandable
- States research purpose, duration, and procedures
- Description of risks and benefits
- Disclosure of alternative treatments
- Statement that participation is voluntary
- State how confidentiality of records that identify the subject will be maintained
- Contact for questions and to report injuries
- Compensation and medical treatment for injuries (more than a minimal risk)
- No waiver of legal rights of subject or release from liability for negligence of sponsor, investigator, or institution
62Human Research Privacy Informed Consent
IRB may waive consent “if” (46.117(c)):
- Consent Form is the only record linking subject to the study and main risk is breach of confidentiality
- No more than minimal risk and consent not normally required outside of research
63Human Research Privacy FDA Regulated Research - minor differences
- No ability to waive informed consent
- No ability for IRB to alter or waive requirement for informed consent
64Human Research Privacy HIPAA Research Requirements
- Applies to Use and Disclosure PHI ( )
  - Use is sharing, utilization, examination, analysis of PHI
  - Disclosure is release, transfer, access outside the entity
- Applies to research regardless of source of funding
- Research is not considered TPO, even if conducted inside a CE by a physician with access to the PHI for treatment, payment, or health care operations.
- Physician must comply with HIPAA research provisions to use PHI to conduct research, or disclose outside the CE for research purposes
- Researchers are not business associates unless they act in a business associate capacity for the CE
65Human Research Privacy HIPAA Research Requirements
Research Authorization may be combined with Informed Consent
- Authorization must be obtained, or
- IRB or Privacy Board has documented the waiver, or
- PHI is used Preparatory to Research, or
- PHI is for research of deceased individuals, or
- PHI is part of a Limited Data Set
66Human Research Privacy Criteria for Alteration or Waiver
- No more than a minimal risk to the individual’s privacy
- Must have a Plan to protect identifiers from unauthorized use and disclosure, and to destroy identifiers as expediently as possible
- Written assurance PHI will not be reused or disclosed
- Research could not be performed without the waiver or alteration, and access to the PHI
67Human Research Privacy Preparatory to Research
Covered Entity (CE) must obtain written assurance that: [45 CFR (i)(1)(ii)]
- PHI used or disclosed is only used as necessary to prepare a research protocol
- Researcher cannot remove any PHI from the CE during this review
- PHI is necessary for the research
68Human Research Privacy Preparatory to Research
- May use and disclose PHI to researchers to aid in Study Recruitment
- Researcher may directly contact the potential study participant if the researcher is an employee of the CE
- CE may contract with a Business Associate to assist in contacting individuals for the CE to obtain authorizations
- CE may also discuss alternative treatments with patients, that may include participation in clinical trials as part of patient’s treatment
69Human Research Privacy Decedents
HIPAA requirements apply to the PHI of decedents.
However, CE may use or disclose PHI of decedents to researchers if they obtain written assurance that:
- PHI used or disclosed will be used solely for research on the PHI of decedents
- PHI is necessary for research purposes
The PHI of decedents will be protected for 50 years. After that, the data is no longer considered PHI.
70Human Research Privacy Limited Data Set [45 CFR (e)]
CE may use or disclose a limited data set for research purposes:
- Data Use Agreement is required
- A benefit is that more detailed addresses and full dates can then be used
- Limited Data Set is protected health information that excludes the direct identifiers of the individual or of relatives, employers, or household members of the individual listed on the subsequent slide:
71Human Research Privacy Limited Data Set
- Names, postal address information, other than town or city, state, and zip code.
- All elements of dates (except year) directly related to the individual.
- Telephone numbers, fax numbers, electronic mail ( ) addresses.
- Social Security numbers, medical record numbers.
- Health plan beneficiary numbers, account numbers, certificate/license numbers.
- Vehicle identifiers and serial numbers, including license plate numbers.
- Device identifiers and serial numbers.
- Web Universal Resource Locators (URLs).
- Internet Protocol (IP) address numbers.
- Biometric identifiers, including finger and voice prints, full-face photographic images, and any comparable images.
- Any other unique identifying number, characteristic, or code.
72Human Research Privacy Accounting of Disclosures
Disclosures made other than with a patient’s authorization or Limited Data Set must be tracked, such as:
- Preparatory to Research
- Pursuant to alteration or waiver
73Human Research Privacy Data Breaches
Data breaches are subject to the Breach Notification rules of HIPAA