Public Health IT: Privacy, Confidentiality and Security of Public Health Information. This material (Comp13_Unit2) was developed by Columbia University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology.

Presentation transcript:

Public Health IT: Privacy, Confidentiality and Security of Public Health Information
This material (Comp13_Unit2) was developed by Columbia University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number 1U24OC

Privacy, Confidentiality, and Security of PHI: Learning Objectives
By the end of this unit learners will be able to:
- Identify the privacy and security requirements for public health agencies
- Identify when public health agencies can receive identifiable health information to perform public health functions without patient authorization
Health IT Workforce Curriculum, Version 3.0/Spring 2012. Public Health IT: Privacy, Confidentiality, and Security of PHI

Privacy
- The right to keep things to yourself
- The state of being free from intrusion into one's private life

Confidentiality
Healthcare providers are responsible for protecting health records and personal and private information from improper use or disclosure.

Security
Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, and availability (NIST, Glossary of Key Information Security Terms).

HIPAA
Statute: The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) called for the establishment of standards and requirements for transmitting certain health information, to improve the efficiency and effectiveness of the health care system while protecting patient privacy.

HIPAA Titles
- Title I: Health care access, portability, renewability
- Title II: Preventing health care fraud and abuse, administrative simplification, medical liability reform

Administrative Simplification
- Authority to enact privacy and security regulations
- Transaction and code set standards
- Identifiers for employers and providers
- Enforcement

HIPAA Privacy Rule
- The Privacy Rule defines what health information is protected (PHI) and the circumstances in which it can be used and disclosed
- PHI includes health information recorded in any form or medium that is created or received by a covered entity, including oral communication

Covered Entity
Covered entities:
- A health care provider that conducts transactions in electronic form (most providers)
- A health care clearinghouse
- A health plan (e.g., HMOs)

Business Associate
- A person or organization that performs functions on behalf of a covered entity that involve the use and disclosure of PHI (Protected Health Information)
- Under the HITECH proposed modifications to HIPAA (discussed later), Business Associates would be directly accountable to the federal government for improper uses and disclosures of PHI

PHI
Information created or received by a covered entity that relates to an individual's past or present medical condition, the provision of care for the condition, or payment for services related to the condition, and that can be used to identify the individual patient.

Public Health Agencies and PHI
Public health agencies may handle PHI as covered entities, non-covered entities, or hybrid entities (which perform both functions):
- Public Health Agency as a covered entity: the agency runs STD clinics, providing patient diagnosis and treatment
- Public Health Agency as a non-covered entity: the agency is mandated by state statute to receive provider reports of identified patients with certain illnesses (usually communicable diseases) for epidemiological investigations

Public Health Agency as a Covered Entity
The patient must provide authorization for the public health agency to release PHI. The authorization should be in writing, paper or electronic, and include:
- A specific description of the information (e.g., lab report or entire record)
- The purpose for the release and applicable limitations
- An expiration date

Public Health Agency as a Covered Entity
The public health agency does not need permission from the patient to release PHI in the following scenarios:
- When required or permitted by federal, state, or tribal statutes
- Required public health reporting
- Treatment (e.g., referrals, lab orders), payment (e.g., billing), and healthcare operations (e.g., quality improvement activities)

Public Health Agency as a Non-Covered Entity
- HIPAA does not regulate these activities by public health agencies
- However, it allows exceptions for covered entities to disclose PHI to the public health agency without patient authorization

HIPAA Public Health Exceptions for Covered Entities
- Prevent/control (as authorized by law): disease, injury, disability
- Report vital events: births, deaths
- Conduct: public health surveillance, investigations, interventions
- Foreign government agency acting in collaboration with a public health authority

HIPAA Public Health Exceptions for Covered Entities (cont.)
- Child abuse and neglect (many states require reporting by covered entities; some involve the public health agency)
- Domestic violence
- Neglect of elderly/incapacitated persons
- Violence (as authorized by state or local law)
- Adverse events
- Tracking FDA-regulated products
- Product recalls, repairs or replacement
- Conducting post-marketing surveillance
- Quality, safety or effectiveness of a product or activity regulated by the FDA

HIPAA Public Health Exceptions for Covered Entities (cont.)
- Person at risk of contracting or spreading a disease
- Workplace medical surveillance
- Health oversight (e.g., disclosure to a state Medicaid program)
- Worker's compensation

Public Health Agencies as Hybrid Entities
- Many public health agencies perform both covered and non-covered activities under HIPAA
- The agency must designate the components that are covered under the HIPAA Privacy and Security Rules
- The covered-entity part of the agency must treat PHI as any other covered entity would, and must not share it with other parts of the agency unless doing so complies with HIPAA and applicable state and local laws

HIPAA Security Rule Requirements
Potential risks the HIPAA Security Rule attempts to address:
- Unlocked doors
- Natural disasters
- Employees
- Lack of firewalls
- Computer systems that are not backed up

Administrative Safeguards
The policies, procedures, contracts, and plans (people and processes):
- Contingency planning
- What is the policy regarding access?
- What is the procedure for termination?

Physical Safeguards
- Protecting the environment from unauthorized individuals as well as from fires and floods
- Workstation use and security
- Theft prevention for portable devices

Technical Safeguards
Five required standards:
1. Access controls
2. Audit controls
3. Integrity
4. Person or entity authentication
5. Transmission security

Technical Safeguards (cont.)
- Access controls: unique user ID, automatic logoff, encryption
- Audit controls: a method of examining activity in an information system
- Integrity of data
- Transmission security
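As an added illustration, not part of the original lecture, the following Python sketch shows how three of the technical safeguards listed above fit together in code: sessions tied to a unique user ID, automatic logoff after a period of inactivity, and an audit control whose entries are chained with HMAC-SHA256 so that editing, deleting or reordering an entry is detectable (integrity of the audit trail). The key, idle timeout, user names, record ids and timestamps are constructed placeholders; transmission security (TLS) is outside this snippet.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Tuple

# Constructed example key. In a real system this comes from a key store or
# HSM, never from source code.
AUDIT_KEY = b"example-audit-hmac-key-not-for-production"

# Automatic logoff after this many seconds of inactivity (constructed value).
IDLE_TIMEOUT_SECONDS = 15 * 60

GENESIS_TAG = "0" * 64  # "previous tag" for the first entry


class AuditLog:
    """Append-only, tamper-evident audit trail.

    Each entry is tagged with HMAC-SHA256 over its own fields plus the tag of
    the previous entry, so any edit, deletion or reordering breaks the chain
    and is caught by verify().
    """

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.entries: List[Dict] = []

    def _tag(self, body: Dict) -> str:
        payload = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def record(self, user_id: str, action: str, record_id: str, ts: float) -> None:
        prev = self.entries[-1]["tag"] if self.entries else GENESIS_TAG
        body = {"ts": ts, "user": user_id, "action": action,
                "record": record_id, "prev": prev}
        self.entries.append({**body, "tag": self._tag(body)})

    def verify(self) -> Tuple[bool, int]:
        """Return (True, -1) if the chain is intact, else (False, index of first bad entry)."""
        prev = GENESIS_TAG
        for i, e in enumerate(self.entries):
            body = {k: e[k] for k in ("ts", "user", "action", "record", "prev")}
            if e["prev"] != prev or not hmac.compare_digest(self._tag(body), e["tag"]):
                return False, i
            prev = e["tag"]
        return True, -1


class SessionManager:
    """Unique user IDs bound to sessions, with automatic logoff on inactivity."""

    def __init__(self, audit: AuditLog, idle_timeout: float = IDLE_TIMEOUT_SECONDS) -> None:
        self._audit = audit
        self._idle_timeout = idle_timeout
        self._sessions: Dict[str, Tuple[str, float]] = {}  # token -> (user_id, last_activity)

    def login(self, user_id: str, now: float) -> str:
        token = secrets.token_hex(16)  # unpredictable session token
        self._sessions[token] = (user_id, now)
        self._audit.record(user_id, "LOGIN", "-", now)
        return token

    def access(self, token: str, record_id: str, now: float) -> bool:
        """Permit a record view only for a live session; expire idle sessions."""
        session = self._sessions.get(token)
        if session is None:
            return False
        user_id, last_activity = session
        if now - last_activity > self._idle_timeout:
            del self._sessions[token]
            self._audit.record(user_id, "AUTO_LOGOFF", "-", now)
            return False
        self._sessions[token] = (user_id, now)
        self._audit.record(user_id, "VIEW", record_id, now)
        return True


def demo() -> Tuple[bool, bool, bool, bool, int]:
    """Walk through login, a permitted view, an auto-logoff, and tamper detection."""
    audit = AuditLog(AUDIT_KEY)
    sessions = SessionManager(audit)
    t0 = 1_700_000_000.0  # constructed epoch timestamp
    token = sessions.login("nurse01", t0)
    first = sessions.access(token, "MRN-0001", t0 + 60)            # within timeout
    second = sessions.access(token, "MRN-0002", t0 + 60 + 16 * 60)  # idle > 15 min
    intact_before, _ = audit.verify()
    audit.entries[1]["record"] = "MRN-9999"  # simulate someone editing the VIEW entry
    intact_after, bad_index = audit.verify()
    return first, second, intact_before, intact_after, bad_index


if __name__ == "__main__":
    print(demo())
```

The design point is that the audit log does not merely exist; its integrity is itself protected, so an insider who alters what the log says they viewed leaves evidence. Storing the chain's latest tag somewhere the application cannot write (a separate log collector, for example) closes the remaining gap of truncating the tail of the log.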

Enforcement of HIPAA
- Responsible for code sets and transaction standards: Centers for Medicare and Medicaid Services
- Responsible for privacy and security: Office for Civil Rights (OCR)

Violation of HIPAA Privacy and Security Rules
For violations occurring prior to 2/18/2009, civil penalties:
- Penalty amount: up to $100 per violation
- Calendar year cap: $25,000

Violation of HIPAA Privacy and Security Rules
For violations occurring on or after 2/18/2009 (HITECH modifications to HIPAA enforcement):
- Penalty amount: $100 to $50,000 or more per violation
- Calendar year cap: $1,500,000

Violation of HIPAA Privacy and Security Rules (cont.)
Criminal penalties. An individual who knowingly obtains or discloses information can receive:
- Up to $50,000 and one year imprisonment
- Up to $100,000 and five years imprisonment
- Up to $250,000 and 10 years imprisonment
Sentencing and fines are based on the conduct performed (e.g., malicious harm, personal gain).

ARRA/HITECH
The HITECH Act amended sections of HIPAA. It introduced the Breach Notification Rule, increased accountability for business associates, and expanded the accounting for disclosures.

Breach Notification
- If the public health agency is performing the function of a covered entity and suffers a breach, it must follow the Breach Notification Rule, which was promulgated under the HITECH Act
- If the public health agency is a non-covered entity and suffers a breach, the Breach Notification Rule does not apply; instead consult state/local law

Breach Notification Rule
- Requires the covered entity to notify the patient if there is a breach of unsecured protected health information, without unreasonable delay and in no case later than 60 days after discovery
- If more than 500 individuals are affected, the entity must notify the individuals and the media serving the state or jurisdiction
- The entity must also notify the Secretary of HHS; the process is determined by the number of individuals affected

Accounting for Disclosures
- When a provider discloses information to a public health agency (when required or permitted by law) without the patient's authorization, the disclosure should be recorded under the accounting for disclosures rule
- A covered entity must provide the accounting of disclosures to a patient upon request

Proposed Revisions to HIPAA Privacy Rule
Under the statutory requirements of the HITECH Act, covered entities and business associates would be required to account for disclosures of PHI for treatment, payment, and health care operations if the disclosures are made through an EHR. A notice of proposed rulemaking on this provision was released, but the final rule is still pending.

Privacy, Confidentiality, and Security of PHI: Summary
- Exceptions allowing covered entities to disclose PHI to public health agencies without authorization are important for protecting individuals and the public
- Public health agencies that are covered entities under HIPAA must follow all of the provisions that apply to other covered entities
