
1 Public Health IT: Privacy, Confidentiality and Security of Public Health Information
This material (Comp13_Unit2) was developed by Columbia University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number 1U24OC000003.

2 Privacy, Confidentiality, and Security of PHI: Learning Objectives
By the end of this unit learners will be able to:
– Identify the privacy and security requirements for public health agencies
– Identify when public health agencies can receive identifiable health information to perform public health functions without patient authorization
Health IT Workforce Curriculum, Version 3.0/Spring 2012: Public Health IT, Privacy, Confidentiality, and Security of PHI

3 Privacy
– The right to keep things to yourself
– The state of being free from intrusion into one’s private life

4 Confidentiality
– Healthcare providers are responsible for protecting health records and personal and private information from improper use or disclosure

5 Security
– Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, and availability
Source: NIST, Glossary of Key Information Security Terms, http://csrc.nist.gov/publications/nistir/ir7298-rev1/nistir-7298-revision1.pdf

6 HIPAA
Statute: The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) called for the establishment of standards and requirements for transmitting certain health information to improve the efficiency and effectiveness of the health care system while protecting patient privacy.
http://www.hhs.gov/ocr/privacy/hipaa/administrative/statute/index.html

7 HIPAA Titles
– Title I: Health care access, portability, renewability
– Title II: Preventing health care fraud and abuse, administrative simplification, medical liability reform

8 Administrative Simplification
– Authority to enact privacy and security regulations
– Transaction and code set standards
– Identifiers for employers and providers
– Enforcement: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/process/index.html

9 HIPAA Privacy Rule
– The Privacy Rule defines what health information is protected (PHI) and the circumstances in which it can be used and disclosed
– PHI includes health information recorded in any form or medium that is created or received by a covered entity, including oral communication

10 Covered Entity
Covered entities:
– A health care provider that conducts transactions in electronic form (most providers)
– A health care clearinghouse
– A health plan (e.g., HMOs)

11 Business Associate
– A person or organization that performs functions on behalf of a covered entity that involve the use and disclosure of PHI (Protected Health Information)
– Under the HITECH proposed modifications to HIPAA (discussed later), business associates would be directly accountable to the federal government for improper uses and disclosures of PHI

12 PHI
– Information created or received by a covered entity relating to the past or present medical condition, provision of care for the condition, or payment for services related to the condition, and that can be used to identify the individual patient

13 Public Health Agencies and PHI
– May handle PHI as covered entities, non-covered entities, or hybrid entities (which perform both covered and non-covered functions)
  – Public Health Agency as a covered entity: the agency runs STD clinics, providing patient diagnosis and treatment
  – Public Health Agency as a non-covered entity: the agency is mandated by state statute to receive provider reports of identified patients with certain illnesses (usually communicable diseases) for epidemiological investigations

14 Public Health Agency as a Covered Entity
– The patient must provide authorization for the public health agency to release PHI
– The authorization should be in writing (paper or electronic) and include:
  – A specific description of the information (e.g., lab report or entire record)
  – The purpose for the release and applicable limitations
  – An expiration date

15 Public Health Agency as a Covered Entity
– The public health agency does not need permission from the patient to release PHI in the following scenarios:
  – When required or permitted by federal, state, or tribal statutes
  – Required public health reporting
  – Treatment (e.g., referrals, lab orders), payment (e.g., billing), healthcare operations (e.g., quality improvement activities)

16 Public Health Agency as a Non-Covered Entity
– HIPAA does not regulate these activities by public health agencies
– However, it allows exceptions for covered entities to disclose PHI to the public health agency without patient authorization

17 HIPAA Public Health Exceptions for Covered Entities
– Prevent/control (as authorized by law): disease, injury, disability
– Report vital events: births, deaths
– Conduct: public health surveillance, investigations, interventions
– Foreign government agency acting in collaboration with a public health authority

18 HIPAA Public Health Exceptions for Covered Entities (cont.)
– Child abuse and neglect (many states require reporting by covered entities; some involve the public health agency)
– Domestic violence
– Neglect of elderly/incapacitated
– Violence (as authorized by state or local law)
– Quality, safety or effectiveness of a product or activity regulated by FDA:
  – Adverse events
  – Tracking FDA-regulated products
  – Product recalls, repairs or replacement
  – Conducting post-marketing surveillance

19 HIPAA Public Health Exceptions for Covered Entities (cont.)
– Person at risk of contracting or spreading a disease
– Workplace medical surveillance
– Health oversight (e.g., disclosure to a state Medicaid program)
– Workers’ compensation

20 Public Health Agencies as Hybrid Entities
– Many public health agencies perform both covered and non-covered activities under HIPAA
– The agency must designate its components that are covered under the HIPAA Privacy and Security Rules
– The covered-entity part of the agency must treat PHI as any other covered entity would, and must not share it with other parts of the agency unless doing so complies with HIPAA and applicable state and local laws

21 HIPAA Security Rule Requirements
Potential risks the HIPAA Security Rule attempts to address:
– Unlocked doors
– Natural disasters
– Employees
– Lack of firewalls
– Computer systems that are not backed up

22 Administrative Safeguards
– The policies, procedures, contracts, and plans (people and processes)
– Contingency planning
– What is the policy regarding access?
– What is the procedure for termination?

23 Physical Safeguards
– Protecting the environment from unauthorized individuals as well as fires and floods
– Workstation use and security
– Theft prevention for portable devices

24 Technical Safeguards
Five required standards:
1. Access controls
2. Audit controls
3. Integrity
4. Person or entity authentication
5. Transmission security

25 Technical Safeguards (cont.)
– Access controls: unique user ID, automatic logoff, encryption
– Audit controls: a method of examining activity in an information system
– Integrity of data
– Transmission security

26 Enforcement of HIPAA
– Centers for Medicare and Medicaid Services: responsible for code sets and transaction standards
– Office for Civil Rights (OCR): responsible for privacy and security

27 Violation of HIPAA Privacy and Security Rules
For violations occurring prior to 2/18/2009:
– Civil penalties
  – Penalty amount: up to $100 per violation
  – Calendar year cap: $25,000

28 Violation of HIPAA Privacy and Security Rules
For violations occurring on or after 2/18/2009 (HITECH modifications to HIPAA enforcement):
– Penalty amount: $100 to $50,000 or more per violation
– Calendar year cap: $1,500,000
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/index.html

29 Violation of HIPAA Privacy and Security Rules (cont.)
Criminal penalties: an individual who knowingly obtains or discloses information can receive:
– Up to $50,000 and one year imprisonment
– Up to $100,000 and five years imprisonment
– Up to $250,000 and 10 years imprisonment
Sentencing and fees are based on the conduct performed (e.g., malicious harm, personal gain)

30 ARRA/HITECH
– The HITECH Act amended sections of HIPAA
– It introduced the Breach Notification Rule, increased accountability for business associates, and increased accounting for disclosures

31 Breach Notification
– If the public health agency is performing the function of a covered entity and suffers a breach, it must follow the Breach Notification Rule, which was promulgated under the HITECH Act
– If the public health agency is a non-covered entity and suffers a breach, the Breach Notification Rule does not apply; instead, consult state/local law

32 Breach Notification Rule
– Requires the covered entity to notify the patient if there is a breach of unsecured protected health information, without unreasonable delay and in no case later than 60 days after discovery
– If more than 500 individuals are impacted, the entity must notify the individuals and the media serving the state or jurisdiction
– The entity must also notify the Secretary of HHS, but the process is determined by the number of individuals impacted
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html

33 Accounting for Disclosures
– When a provider discloses information to a public health agency (when required or permitted by law) without the patient’s authorization, this disclosure should be recorded under the accounting-for-disclosures rule
– A covered entity must provide the accounting of disclosures to a patient upon request

34 Proposed Revisions to HIPAA Privacy Rule
– As per statutory requirements of the HITECH Act, covered entities and business associates would be required to account for disclosures of PHI for treatment, payment, and health care operations if the disclosures are made via an EHR
– A notice of proposed rulemaking on this provision was released, but the final rule is still pending

35 Privacy, Confidentiality, and Security of PHI: Summary
– Exceptions allowing covered entities to disclose PHI to public health agencies without authorization are important for protecting individuals and the public
– Public health agencies that are covered entities under HIPAA must follow all of the provisions that apply to other covered entities


