Presentation is loading. Please wait.

Presentation is loading. Please wait.

Privacy Trends TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office.

Published bySimon Penniston Modified over 10 years ago

Similar presentations

Presentation on theme: "Privacy Trends TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office."— Presentation transcript:

1 Privacy Trends TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office

2 Privacy Trends TRICARE Management Activity HEALTH AFFAIRS

3 TRICARE Management Activity HEALTH AFFAIRS 3 Privacy Trends Purpose The purpose of this presentation is to provide awareness and insight into current privacy initiatives and activities that could one day potentially impact operations

4 TRICARE Management Activity HEALTH AFFAIRS 4 Privacy Trends Objectives Upon completion of this presentation, you should be able to: − Identify Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Privacy and Security Framework principles − Explain recent Health Insurance Portability and Accountability Act (HIPAA) enforcement examples − Describe applicable provisions of the American Recovery and Reinvestment Act of 2009 (ARRA)

5 TRICARE Management Activity HEALTH AFFAIRS 5 Privacy and Security Framework & Toolkit

6 TRICARE Management Activity HEALTH AFFAIRS 6 Privacy Trends Privacy and Security Framework In December 2008, OCR published the “Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information” (the framework) − Establishes privacy and security principles for health care stakeholders engaged in the electronic exchange of information − Designed to complement and work with existing federal, state, territorial, local and tribal laws and regulations − Provides a single, consistent approach to address the privacy and security challenges related to electronic health information exchange

7 TRICARE Management Activity HEALTH AFFAIRS 7 Privacy Trends Privacy and Security Framework (continued) The framework consists of eight guiding principles − Individual access − Correction − Openness and transparency − Individual choice − Collection, use & disclosure limitation − Data quality & integrity − Safeguards − Accountability

8 TRICARE Management Activity HEALTH AFFAIRS 8 Privacy Trends Privacy and Security Framework (continued) Individual access: Individuals should be provided with a simple and timely means to access and obtain their individually identifiable health information in a readable form and format Correction: Individuals should be provided with a timely means to dispute the accuracy or integrity of their individually identifiable health information, and to have erroneous information corrected or to have a dispute documented if their requests are denied

9 TRICARE Management Activity HEALTH AFFAIRS 9 Privacy Trends Privacy and Security Framework (continued) Openness and transparency: There should be openness and transparency about policies, procedures, and technologies that directly affect individuals and/or their individually identifiable health information Individual choice: Individuals should be provided a reasonable opportunity and capability to make informed decisions about the collection, use, and disclosure of their individually identifiable health information

10 TRICARE Management Activity HEALTH AFFAIRS 10 Privacy Trends Privacy and Security Framework (continued) Collection, use & disclosure limitation: Individually identifiable health information should be collected, used, and/or disclosed only to the extent necessary to accomplish a specified purpose(s) and never to discriminate inappropriately Data quality & integrity: Persons and entities should take reasonable steps to ensure that individually identifiable health information is complete, accurate, and up-to-date to the extent necessary for the person’s or entity’s intended purposes and has not been altered or destroyed in an unauthorized manner

11 TRICARE Management Activity HEALTH AFFAIRS 11 Privacy Trends Privacy and Security Framework (continued) Safeguards: Individually identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure Accountability: This principle should be implemented, and adherence assured, through appropriate monitoring and other means and methods should be in place to report and mitigate non-adherence and breaches

12 TRICARE Management Activity HEALTH AFFAIRS 12 Privacy Trends Privacy and Security Toolkit OCR also published the “Privacy and Security Toolkit to Implement the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information” (the toolkit) The toolkit is a series of documents that clarify how the HIPAA Privacy Rule applies to, and can be used to help structure the privacy policies behind, electronic health information exchange in a networked environment − How HIPAA covered entities can utilize the Privacy Rule’s established baseline of privacy protections and individual rights with respect to elicit greater consumer confidence, trust, and participation − Includes Frequently Asked Questions (FAQs), fact sheets, and information papers relating to each of the framework principles

13 TRICARE Management Activity HEALTH AFFAIRS 13 Privacy Trends Privacy and Security Framework & Toolkit No new rules, regulations, or mandates have been made as a result of the framework that was issued by OCR on December 15, 2008 Staff can utilize the fine points provided within the framework and toolkit for informational purposes

14 TRICARE Management Activity HEALTH AFFAIRS 14 Privacy Trends Recent HIPAA Enforcement

15 TRICARE Management Activity HEALTH AFFAIRS 15 Privacy Trends Providence Health and Services Resolution Agreement − Includes OCR and Centers for Medicare & Medicaid Services (CMS) − Terms and conditions include a fine of $100,000 and a Corrective Action Plan (CAP) − Covered incidents refer to Providence Health and Services (PHS) of Seattle, Washington loss of electronic backup media containing records of 386,000+ PHS patients and laptop computers containing individually identifiable health information in 2005 and 2006

16 TRICARE Management Activity HEALTH AFFAIRS 16 Privacy Trends Providence Health and Services (continued)  Corrective Action Plan − Policies and Procedures: Consistent with federal standards that govern Protected Health Information (PHI) and electronic Protected Health Information (ePHI); submit policies and procedures to HHS for approval − Training: Within 90 days of HHS approval of policies, PHS shall provide evidence that training has been provided to all members of PHS workforce − Monitoring (quarterly): Ensures understanding of policies and procedures, may include unannounced site visits − Implementation and Annual Reports: Within 120 days after receiving HHS approval of policies and procedures, a written report summarizing status of PHS implementation of CAP requirements must be submitted to HHS

17 TRICARE Management Activity HEALTH AFFAIRS 17 Privacy Trends CVS Resolution Agreement − Agreement includes OCR and CVS Pharmacy, Inc. (CVS Entities) − Covered conduct includes disposing of PHI in dumpsters, lack of policies and procedures, lack of sanctions policy, and insufficient HIPAA Privacy Rule training − CVS Entities must designate a compliance representative that will be responsible for ensuring compliance with the Resolution Agreement and CAP (including providing policies, procedures, training, and internal monitoring services) − CVS Entities must pay HHS $2,250,000 − Execute and comply with the CAP

18 TRICARE Management Activity HEALTH AFFAIRS 18 Privacy Trends CVS (continued) Corrective Action Plan − Policies and procedures: Develop, maintain, and revise uniform, written privacy policies and procedures and submit to OCR for review and approval. Each member of workforce must submit a compliance certification acknowledging receipt and understanding − Training: Provide to all workforce members with access to PHI − Monitoring Internal: Written internal monitoring plan describing plan to monitor compliance with policies and procedures Assessments: Annual third party assessments on compliance with CAP obligations − Internal reporting: Procedure for reporting violation of policies and procedures

19 TRICARE Management Activity HEALTH AFFAIRS 19 Privacy Trends American Recovery and Reinvestment Act

20 TRICARE Management Activity HEALTH AFFAIRS 20 Privacy Trends American Recovery and Reinvestment Act HIPAA Privacy & Security Rules extended to business associates − Requirements, as well as civil and criminal penalties, now apply to business associates in the same manner as covered entities − Business associate contracts must include new requirements Breaches − Current DoD breach notification requirements are MORE stringent − Covered entities must notify individuals whose unsecured PHI has been breached within 60 days of discovery − Notification to HHS based on number of individuals affected − Business associates must notify covered entities of a breach and provide each individual’s name − Methods and content of notification are specified

21 TRICARE Management Activity HEALTH AFFAIRS 21 Privacy Trends ARRA (continued) Health Information Technology (HIT) − Appropriates approximately $20 billion to HIT − HHS will appoint a National Coordinator for HIT responsible for Coordinating HIT policies and programs Developing a voluntary HIT certification program Setting milestones for electronic health records by 2014 Accounting of disclosures − Covered entities that maintain ePHI must include routine disclosures for treatment, payment, or health care operations (TPO) in its accounting list − Limited to three years (other accounting of disclosures remain for six years)

22 TRICARE Management Activity HEALTH AFFAIRS 22 Privacy Trends ARRA (continued) Remuneration for the exchange of PHI − Prohibits direct or indirect exchange of remuneration for any exchange of PHI, unless authorized by individual Disclosure restrictions for payment and health care operations − Covered entities must agree to an individual’s request to restrict disclosure to a health plan when payments have been paid out of pocket in full

23 TRICARE Management Activity HEALTH AFFAIRS 23 Privacy Trends Summary You should now be able to: − Identify OCR Privacy and Security Framework principles − Explain recent HIPAA enforcement examples − Describe applicable provisions of ARRA

24 TRICARE Management Activity HEALTH AFFAIRS 24 Privacy Trends Resources http://www.hhs.gov for further information on Privacy and Security Framework and Toolkits and HIPAA enforcement actions http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname =111_cong_bills&docid=f:h1enr.pdf for a link to the complete ARRA Privacymail@tma.osd.mil for subject matter questions

Download ppt "Privacy Trends TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office."

Similar presentations

Tamtron Users Group April 2001 Preparing Your Laboratory for HIPAA Compliance.

Tamtron Users Group April 2001 Preparing Your Laboratory for HIPAA Compliance.
H = P = A = HIPAA DEFINED HIPAA … A Federal Law Created in 1996 Health

H = P = A = HIPAA DEFINED HIPAA … A Federal Law Created in 1996 Health
JCAHO –A HIPAA Business Associate National HIPAA Summit

JCAHO –A HIPAA Business Associate National HIPAA Summit
HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
Todd Frech Ocius Medical Informatics 6650 Rivers Ave, Suite 137 North Charleston, SC 29406 843-576-1426 Health Insurance Portability.

Todd Frech Ocius Medical Informatics 6650 Rivers Ave, Suite 137 North Charleston, SC Health Insurance Portability.
1 Targeted Case Management (TCM) Changes Iowa Medicaid Enterprise October 14, 2008.

1 Targeted Case Management (TCM) Changes Iowa Medicaid Enterprise October 14, 2008.
HIPAA Privacy Practices. Notice A copy of the current DMH Notice must be posted at each service site where persons seeking DMH services will be able to.

HIPAA Privacy Practices. Notice A copy of the current DMH Notice must be posted at each service site where persons seeking DMH services will be able to.
HIPAA AWARENESS TRAINING

HIPAA AWARENESS TRAINING
The Legal Foundation TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office.

The Legal Foundation TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office.
THE DEPARTMENT OF HEALTH AND HUMAN SERVICES (HHS) OFFICE FOR CIVIL RIGHTS (OCR) ENFORCES THE HIPAA PRIVACY, SECURITY, AND BREACH NOTIFICATION RULES HIPAA.

THE DEPARTMENT OF HEALTH AND HUMAN SERVICES (HHS) OFFICE FOR CIVIL RIGHTS (OCR) ENFORCES THE HIPAA PRIVACY, SECURITY, AND BREACH NOTIFICATION RULES HIPAA.
Surveillance TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office.

Surveillance TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office.
The Department has declared itself to be a single covered entity. Thus, each and every one of our divisions is a covered entity and must comply with.

The Department has declared itself to be a single covered entity. Thus, each and every one of our divisions is a covered entity and must comply with.
HIPAA: An Overview of Transaction, Privacy and Security Regulations Training for Providers and Staff.

HIPAA: An Overview of Transaction, Privacy and Security Regulations Training for Providers and Staff.
HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.

HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.
Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.

Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
HIPAA Basics November 1, 2014.

HIPAA Basics November 1, 2014.
HIPAA Privacy Rule Training

HIPAA Privacy Rule Training
The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.

The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.
HIPAA What’s New? 2010. What Is HIPAA Health Insurance Portability and Accountability Act of 1996 Health Insurance Portability and Accountability Act.

HIPAA What’s New? What Is HIPAA Health Insurance Portability and Accountability Act of 1996 Health Insurance Portability and Accountability Act.

Similar presentations

Ads by Google