Public Health IT: Privacy, Confidentiality and Security of Public Health Information
This material (Comp13_Unit2) was developed by Columbia University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number 1U24OC
Privacy, Confidentiality, and Security of PHI: Learning Objectives
By the end of this unit learners will be able to:
Identify the privacy and security requirements for public health agencies
Identify when public health agencies can receive identifiable health information to perform public health functions without patient authorization
Health IT Workforce Curriculum Version 3.0/Spring 2012, Public Health IT, Privacy, Confidentiality, and Security of PHI
Privacy
The right to keep things to yourself
The state of being free from intrusion into one's private life
Confidentiality
Healthcare providers are responsible for protecting health records and personal and private information from improper use or disclosure
Security
Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, and availability (NIST, Glossary of Key Information Security Terms)
HIPAA
Statute: The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) called for the establishment of standards and requirements for transmitting certain health information, to improve the efficiency and effectiveness of the health care system while protecting patient privacy.
HIPAA Titles
Title I: Health care access, portability, renewability
Title II: Preventing health care fraud and abuse, administrative simplification, medical liability reform
Administrative Simplification
Authority to enact privacy and security regulations
Transaction and code set standards
Identifiers for employers and providers
Enforcement
HIPAA Privacy Rule
The Privacy Rule defines what health information is protected (PHI) and the circumstances in which it can be used and disclosed
PHI includes health information recorded in any form or medium that is created or received by a covered entity, including oral communication
Covered Entity
Covered entities:
A health care provider that conducts transactions in electronic form (most providers)
A health care clearinghouse
A health plan (e.g., HMOs)
Business Associate
A person or organization that performs functions on behalf of a covered entity that involve the use and disclosure of PHI (Protected Health Information)
Under the HITECH proposed modifications to HIPAA (discussed later), Business Associates would be directly accountable to the federal government for improper uses and disclosures of PHI
PHI
Information created or received by a covered entity that relates to the past or present medical condition, the provision of care for the condition, or payment for services related to the condition, and that can be used to identify the individual patient
Public Health Agencies and PHI
May handle PHI as covered entities, non-covered entities, or hybrid entities (which perform both kinds of function)
– Public Health Agency as a covered entity: the agency runs STD clinics, providing patient diagnosis and treatment
– Public Health Agency as a non-covered entity: the agency is mandated by state statute to receive provider reports of identified patients with certain illnesses (usually communicable diseases) for epidemiological investigations
Public Health Agency as a Covered Entity
The patient must provide authorization for the public health agency to release PHI
The authorization should be in writing (paper or electronic) and include:
– A specific description of the information (e.g., lab report or entire record)
– The purpose for the release and applicable limitations
– An expiration date
Public Health Agency as a Covered Entity
The public health agency does not need permission from the patient to release PHI in the following scenarios:
– When required or permitted by federal, state, or tribal statutes
– Required public health reporting
– Treatment (e.g., referrals, lab orders), payment (e.g., billing), and healthcare operations (e.g., quality improvement activities)
Public Health Agency as a Non-Covered Entity
HIPAA does not regulate these activities by public health agencies
However, it allows exceptions for covered entities to disclose PHI to the public health agency without patient authorization
HIPAA Public Health Exceptions for Covered Entities
Prevent/control (as authorized by law):
– Disease
– Injury
– Disability
Report vital events:
– Births
– Deaths
Conduct:
– Public health surveillance
– Investigations
– Interventions
Foreign government agency acting in collaboration with a public health authority
HIPAA Public Health Exceptions for Covered Entities (cont.)
Child abuse and neglect (many states require reporting by covered entities; some involve the public health agency)
Domestic violence
Neglect of elderly/incapacitated persons
Violence (as authorized by state or local law)
Quality, safety, or effectiveness of a product or activity regulated by the FDA:
– Adverse events
– Tracking FDA-regulated products
– Product recalls, repairs, or replacement
– Conducting post-marketing surveillance
HIPAA Public Health Exceptions for Covered Entities (cont.)
Person at risk of contracting or spreading a disease
Workplace medical surveillance
Health oversight (e.g., disclosure to a state Medicaid program)
Workers' compensation
Public Health Agencies as Hybrid Entities
Many public health agencies perform both covered and non-covered activities under HIPAA
The agency must designate the components that are covered under the HIPAA Privacy and Security Rules
The covered-entity part of the agency must treat PHI as any other covered entity would, and must not share it with other parts of the agency unless doing so complies with HIPAA and applicable state and local laws
HIPAA Security Rule Requirements
Potential risks the HIPAA Security Rule attempts to address:
Unlocked doors
Natural disasters
Employees
Lack of firewalls
Computer systems that are not backed up
Administrative Safeguards
The policies, procedures, contracts, and plans (people and processes)
Contingency planning
What is the policy regarding access?
What is the procedure for termination?
Physical Safeguards
Protecting the environment from unauthorized individuals as well as from fires and floods
Workstation use and security
Theft prevention for portable devices
Technical Safeguards
Five required standards:
1. Access controls
2. Audit controls
3. Integrity
4. Person or entity authentication
5. Transmission security
Technical Safeguards (cont.)
Access controls:
– Unique user ID
– Automatic logoff
– Encryption
Audit controls: a method of examining activity in an information system
Integrity of data
Transmission security
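As an added illustration of the technical safeguard standards listed above (this code is not part of the curriculum material), the following Python sketch models a small PHI store that exercises four of the five standards: unique user IDs with PBKDF2 password checks (person or entity authentication), role-based permissions plus an inactivity timeout standing in for automatic logoff (access controls), an append-only audit log that records every attempt and its outcome (audit controls), and an HMAC tag on each record so that silent modification is detected on read (integrity). The user names, roles, passphrases, record contents and the 15-minute timeout are constructed for the example; transmission security (TLS on the wire) and encryption at rest are outside the snippet.

```python
"""Toy PHI store exercising HIPAA technical safeguards (constructed example)."""
import hashlib
import hmac
import os
import secrets
import time

AUTO_LOGOFF_SECONDS = 15 * 60            # inactivity window (assumed value)
INTEGRITY_KEY = secrets.token_bytes(32)  # in practice held in a KMS/HSM
PBKDF2_ROUNDS = 100_000

# Role-based access control: which actions each role may perform on PHI
PERMISSIONS = {"clinician": {"read", "write"}, "epidemiologist": {"read"}, "billing": set()}


def _tag(record_id, data):
    """HMAC-SHA256 over record id + content: the integrity check for one record."""
    return hmac.new(INTEGRITY_KEY, record_id.encode() + b"\x00" + data.encode(),
                    hashlib.sha256).hexdigest()


class PHIStore:
    def __init__(self, clock=time.time):
        self.clock = clock      # injectable clock so the timeout can be tested
        self.users = {}         # unique user id -> (salt, pw_hash, role)
        self.sessions = {}      # token -> {"user": id, "last": last activity}
        self.records = {}       # record id -> (data, integrity tag)
        self.audit_log = []     # append-only: who did what to which record, and outcome

    def _audit(self, user, action, record_id, outcome):
        self.audit_log.append({"ts": self.clock(), "user": user, "action": action,
                               "record": record_id, "outcome": outcome})

    # Person or entity authentication: salted PBKDF2, constant-time comparison
    def add_user(self, user_id, password, role):
        salt = os.urandom(16)
        self.users[user_id] = (salt, hashlib.pbkdf2_hmac(
            "sha256", password.encode(), salt, PBKDF2_ROUNDS), role)

    def login(self, user_id, password):
        """Return a session token on success, None otherwise; both are audited."""
        ok = False
        if user_id in self.users:
            salt, pw_hash, _ = self.users[user_id]
            cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
            ok = hmac.compare_digest(cand, pw_hash)
        self._audit(user_id, "login", None, "success" if ok else "denied")
        if not ok:
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = {"user": user_id, "last": self.clock()}
        return token

    # Access control: map token -> user, enforcing automatic logoff and role permissions
    def _authorize(self, token, action, record_id):
        sess = self.sessions.get(token)
        if sess is None:
            self._audit(None, action, record_id, "no-session")
            return None
        if self.clock() - sess["last"] > AUTO_LOGOFF_SECONDS:
            del self.sessions[token]                 # automatic logoff after inactivity
            self._audit(sess["user"], action, record_id, "logged-off")
            return None
        sess["last"] = self.clock()
        if action not in PERMISSIONS.get(self.users[sess["user"]][2], set()):
            self._audit(sess["user"], action, record_id, "denied")
            return None
        return sess["user"]

    def write(self, token, record_id, data):
        user = self._authorize(token, "write", record_id)
        if user is None:
            return False
        self.records[record_id] = (data, _tag(record_id, data))
        self._audit(user, "write", record_id, "success")
        return True

    def read(self, token, record_id):
        """Return the record, or None if unauthorized, missing, or tampered with."""
        user = self._authorize(token, "read", record_id)
        if user is None:
            return None
        stored = self.records.get(record_id)
        if stored is None:
            self._audit(user, "read", record_id, "not-found")
            return None
        data, tag = stored
        if not hmac.compare_digest(tag, _tag(record_id, data)):   # integrity check
            self._audit(user, "read", record_id, "integrity-failure")
            return None
        self._audit(user, "read", record_id, "success")
        return data


def demo():
    """Walk through each safeguard with a constructed clock; returns observed outcomes."""
    now = [1_000_000.0]
    store = PHIStore(clock=lambda: now[0])
    store.add_user("dr.lee", "example-passphrase-1", "clinician")
    store.add_user("acct.ng", "example-passphrase-2", "billing")
    r = {"bad_password": store.login("dr.lee", "wrong") is None}
    tok = store.login("dr.lee", "example-passphrase-1")
    r["write"] = store.write(tok, "rec-001", "dx: pertussis; onset 2012-03-01")
    r["read"] = store.read(tok, "rec-001")
    tok_b = store.login("acct.ng", "example-passphrase-2")
    r["billing_read_denied"] = store.read(tok_b, "rec-001") is None
    data, tag = store.records["rec-001"]           # tamper behind the API's back
    store.records["rec-001"] = (data.replace("pertussis", "none"), tag)
    r["tamper_detected"] = store.read(tok, "rec-001") is None
    now[0] += AUTO_LOGOFF_SECONDS + 1              # idle past the window
    r["auto_logoff"] = store.read(tok, "rec-001") is None and tok not in store.sessions
    r["outcomes"] = [e["outcome"] for e in store.audit_log]
    return r
```

Running `demo()` shows the audit log as the thread tying the controls together: the failed login, the billing user's denied read, the integrity failure and the automatic logoff each leave an entry with the user, action and record, which is exactly what an audit-controls review needs to see.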
Enforcement of HIPAA
Centers for Medicare and Medicaid Services: responsible for code sets and transaction standards
Office for Civil Rights (OCR): responsible for privacy and security
Violation of HIPAA Privacy and Security Rules
Civil penalties for violations occurring prior to 2/18/2009:
Penalty amount: up to $100 per violation
Calendar year cap: $25,000
Violation of HIPAA Privacy and Security Rules (cont.)
Civil penalties for violations occurring on or after 2/18/2009 (HITECH modifications to HIPAA enforcement):
Penalty amount: $100 to $50,000 or more per violation
Calendar year cap: $1,500,000
Violation of HIPAA Privacy and Security Rules (cont.)
Criminal penalties
An individual who knowingly obtains or discloses information can receive:
Up to $50,000 and one year imprisonment
Up to $100,000 and five years imprisonment
Up to $250,000 and 10 years imprisonment
Sentencing and fines are based on the conduct performed (e.g., malicious harm, personal gain)
ARRA/HITECH
The HITECH Act amended sections of HIPAA
It introduced the Breach Notification Rule, increased accountability for business associates, and expanded accounting for disclosures
Breach Notification
If the public health agency is performing the function of a covered entity and suffers a breach, it must follow the Breach Notification Rule, which was promulgated under the HITECH Act
If the public health agency is a non-covered entity and suffers a breach, the Breach Notification Rule does not apply; instead, consult state/local law
Breach Notification Rule
Requires the covered entity to notify the patient if there is a breach of unsecured protected health information, without unreasonable delay and in no case later than 60 days after discovery
If more than 500 individuals are affected, the entity must notify the individuals and the media serving the state or jurisdiction
The entity must also notify the Secretary of HHS, but the process is determined by the number of individuals affected
Accounting for Disclosures
When a provider discloses information to a public health agency (when required or permitted by law) without the patient's authorization, this disclosure should be recorded under the accounting for disclosures rule
A covered entity must provide the accounting of disclosures to a patient upon request
Proposed Revisions to the HIPAA Privacy Rule
Under the statutory requirements of the HITECH Act, covered entities and business associates would be required to account for disclosures of PHI for treatment, payment, and health care operations if the disclosures are made via an EHR
A notice of proposed rulemaking on this provision was released, but the final rule is still pending
Privacy, Confidentiality, and Security of PHI: Summary
Exceptions allowing covered entities to disclose PHI to public health agencies without authorization are important for protecting individuals and the public
Public health agencies that are covered entities under HIPAA must follow all of the provisions that apply to other covered entities