Download presentation
Presentation is loading. Please wait.
Published bySimon Penniston Modified over 10 years ago
1
Privacy Trends TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office
2
Privacy Trends TRICARE Management Activity HEALTH AFFAIRS
3
TRICARE Management Activity HEALTH AFFAIRS 3 Privacy Trends Purpose The purpose of this presentation is to provide awareness and insight into current privacy initiatives and activities that could one day potentially impact operations
4
TRICARE Management Activity HEALTH AFFAIRS 4 Privacy Trends Objectives Upon completion of this presentation, you should be able to: − Identify Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Privacy and Security Framework principles − Explain recent Health Insurance Portability and Accountability Act (HIPAA) enforcement examples − Describe applicable provisions of the American Recovery and Reinvestment Act of 2009 (ARRA)
5
TRICARE Management Activity HEALTH AFFAIRS 5 Privacy and Security Framework & Toolkit
6
TRICARE Management Activity HEALTH AFFAIRS 6 Privacy Trends Privacy and Security Framework In December 2008, OCR published the “Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information” (the framework) − Establishes privacy and security principles for health care stakeholders engaged in the electronic exchange of information − Designed to complement and work with existing federal, state, territorial, local and tribal laws and regulations − Provides a single, consistent approach to address the privacy and security challenges related to electronic health information exchange
7
TRICARE Management Activity HEALTH AFFAIRS 7 Privacy Trends Privacy and Security Framework (continued) The framework consists of eight guiding principles − Individual access − Correction − Openness and transparency − Individual choice − Collection, use & disclosure limitation − Data quality & integrity − Safeguards − Accountability
8
TRICARE Management Activity HEALTH AFFAIRS 8 Privacy Trends Privacy and Security Framework (continued) Individual access: Individuals should be provided with a simple and timely means to access and obtain their individually identifiable health information in a readable form and format Correction: Individuals should be provided with a timely means to dispute the accuracy or integrity of their individually identifiable health information, and to have erroneous information corrected or to have a dispute documented if their requests are denied
9
TRICARE Management Activity HEALTH AFFAIRS 9 Privacy Trends Privacy and Security Framework (continued) Openness and transparency: There should be openness and transparency about policies, procedures, and technologies that directly affect individuals and/or their individually identifiable health information Individual choice: Individuals should be provided a reasonable opportunity and capability to make informed decisions about the collection, use, and disclosure of their individually identifiable health information
10
TRICARE Management Activity HEALTH AFFAIRS 10 Privacy Trends Privacy and Security Framework (continued) Collection, use & disclosure limitation: Individually identifiable health information should be collected, used, and/or disclosed only to the extent necessary to accomplish a specified purpose(s) and never to discriminate inappropriately Data quality & integrity: Persons and entities should take reasonable steps to ensure that individually identifiable health information is complete, accurate, and up-to-date to the extent necessary for the person’s or entity’s intended purposes and has not been altered or destroyed in an unauthorized manner
11
TRICARE Management Activity HEALTH AFFAIRS 11 Privacy Trends Privacy and Security Framework (continued) Safeguards: Individually identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure Accountability: This principle should be implemented, and adherence assured, through appropriate monitoring and other means and methods should be in place to report and mitigate non-adherence and breaches
12
TRICARE Management Activity HEALTH AFFAIRS 12 Privacy Trends Privacy and Security Toolkit OCR also published the “Privacy and Security Toolkit to Implement the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information” (the toolkit) The toolkit is a series of documents that clarify how the HIPAA Privacy Rule applies to, and can be used to help structure the privacy policies behind, electronic health information exchange in a networked environment − How HIPAA covered entities can utilize the Privacy Rule’s established baseline of privacy protections and individual rights with respect to elicit greater consumer confidence, trust, and participation − Includes Frequently Asked Questions (FAQs), fact sheets, and information papers relating to each of the framework principles
13
TRICARE Management Activity HEALTH AFFAIRS 13 Privacy Trends Privacy and Security Framework & Toolkit No new rules, regulations, or mandates have been made as a result of the framework that was issued by OCR on December 15, 2008 Staff can utilize the fine points provided within the framework and toolkit for informational purposes
14
TRICARE Management Activity HEALTH AFFAIRS 14 Privacy Trends Recent HIPAA Enforcement
15
TRICARE Management Activity HEALTH AFFAIRS 15 Privacy Trends Providence Health and Services Resolution Agreement − Includes OCR and Centers for Medicare & Medicaid Services (CMS) − Terms and conditions include a fine of $100,000 and a Corrective Action Plan (CAP) − Covered incidents refer to Providence Health and Services (PHS) of Seattle, Washington loss of electronic backup media containing records of 386,000+ PHS patients and laptop computers containing individually identifiable health information in 2005 and 2006
16
TRICARE Management Activity HEALTH AFFAIRS 16 Privacy Trends Providence Health and Services (continued) Corrective Action Plan − Policies and Procedures: Consistent with federal standards that govern Protected Health Information (PHI) and electronic Protected Health Information (ePHI); submit policies and procedures to HHS for approval − Training: Within 90 days of HHS approval of policies, PHS shall provide evidence that training has been provided to all members of PHS workforce − Monitoring (quarterly): Ensures understanding of policies and procedures, may include unannounced site visits − Implementation and Annual Reports: Within 120 days after receiving HHS approval of policies and procedures, a written report summarizing status of PHS implementation of CAP requirements must be submitted to HHS
17
TRICARE Management Activity HEALTH AFFAIRS 17 Privacy Trends CVS Resolution Agreement − Agreement includes OCR and CVS Pharmacy, Inc. (CVS Entities) − Covered conduct includes disposing of PHI in dumpsters, lack of policies and procedures, lack of sanctions policy, and insufficient HIPAA Privacy Rule training − CVS Entities must designate a compliance representative that will be responsible for ensuring compliance with the Resolution Agreement and CAP (including providing policies, procedures, training, and internal monitoring services) − CVS Entities must pay HHS $2,250,000 − Execute and comply with the CAP
18
TRICARE Management Activity HEALTH AFFAIRS 18 Privacy Trends CVS (continued) Corrective Action Plan − Policies and procedures: Develop, maintain, and revise uniform, written privacy policies and procedures and submit to OCR for review and approval. Each member of workforce must submit a compliance certification acknowledging receipt and understanding − Training: Provide to all workforce members with access to PHI − Monitoring Internal: Written internal monitoring plan describing plan to monitor compliance with policies and procedures Assessments: Annual third party assessments on compliance with CAP obligations − Internal reporting: Procedure for reporting violation of policies and procedures
19
TRICARE Management Activity HEALTH AFFAIRS 19 Privacy Trends American Recovery and Reinvestment Act
20
TRICARE Management Activity HEALTH AFFAIRS 20 Privacy Trends American Recovery and Reinvestment Act HIPAA Privacy & Security Rules extended to business associates − Requirements, as well as civil and criminal penalties, now apply to business associates in the same manner as covered entities − Business associate contracts must include new requirements Breaches − Current DoD breach notification requirements are MORE stringent − Covered entities must notify individuals whose unsecured PHI has been breached within 60 days of discovery − Notification to HHS based on number of individuals affected − Business associates must notify covered entities of a breach and provide each individual’s name − Methods and content of notification are specified
21
TRICARE Management Activity HEALTH AFFAIRS 21 Privacy Trends ARRA (continued) Health Information Technology (HIT) − Appropriates approximately $20 billion to HIT − HHS will appoint a National Coordinator for HIT responsible for Coordinating HIT policies and programs Developing a voluntary HIT certification program Setting milestones for electronic health records by 2014 Accounting of disclosures − Covered entities that maintain ePHI must include routine disclosures for treatment, payment, or health care operations (TPO) in its accounting list − Limited to three years (other accounting of disclosures remain for six years)
22
TRICARE Management Activity HEALTH AFFAIRS 22 Privacy Trends ARRA (continued) Remuneration for the exchange of PHI − Prohibits direct or indirect exchange of remuneration for any exchange of PHI, unless authorized by individual Disclosure restrictions for payment and health care operations − Covered entities must agree to an individual’s request to restrict disclosure to a health plan when payments have been paid out of pocket in full
23
TRICARE Management Activity HEALTH AFFAIRS 23 Privacy Trends Summary You should now be able to: − Identify OCR Privacy and Security Framework principles − Explain recent HIPAA enforcement examples − Describe applicable provisions of ARRA
24
TRICARE Management Activity HEALTH AFFAIRS 24 Privacy Trends Resources http://www.hhs.gov for further information on Privacy and Security Framework and Toolkits and HIPAA enforcement actions http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname =111_cong_bills&docid=f:h1enr.pdf for a link to the complete ARRA Privacymail@tma.osd.mil for subject matter questions
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.