Healthcare Data: Privacy and Security Issues in Medical Informatics Sheila D. Joyce, Esq. MMI 407 Session 2.


Slide 2: Table of Contents
3: Different Perspectives: Patient vs. Informaticist
4: What is HIPAA?
5: Introducing ARRA and HITECH
6: HIPAA: Titles I, III, IV & V
7: HIPAA: Title II
8: HIPAA Timeline
9: Implementing Regulations: Healthcare Data Privacy
10-12: Key HIPAA Privacy Concepts
13: Protected Health Information (PHI)
14-19: De-Identification
20-25: General HIPAA Privacy Rule
26-27: Implementing Regulations: Transaction Standards & Medical Data Code Sets
28: Implementing Regulations: Standard Unique Identifier for Healthcare Providers
29-30: Implementing Regulations: Security Rule
31: Implementing Regulations: Standard Unique Identifier for Employers
32: Consequences of Non-Compliance with HIPAA
33: State Preemption
34: Balancing HIPAA and FERPA Privacy Protections
35: International Data Protection & Transfer Laws
36: ARRA Timeline & Provisions
37-40: Key Changes to the HIPAA Privacy & Security Rules Under ARRA
41-47: Case Study: UHC
48: Conclusion

Slide 3: Different Perspectives: Patient vs. Informaticist
This presentation will cover the following topics from the perspective of a professional medical informaticist, not from the perspective of a patient... although we consider some of the differences between those two perspectives:
- Data privacy
- Confidentiality
- Security

Slide 4: What is HIPAA?
A federal law: Originally referred to as the Kennedy-Kassebaum Bill, the Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996.
Scope of the HIPAA legislation:
- The HIPAA Privacy Rule covers protected health information (PHI) in whatever form, whether electronic, paper or verbal.
- The HIPAA Security Rule applies only to electronically transmitted PHI... but best security practice calls for its rules to be applied to all PHI.
- There are five Titles (or parts) of the HIPAA law, of which only Title II is relevant to this course.

Slide 5: Introducing... ARRA & HITECH
ARRA: American Recovery & Reinvestment Act of 2009
- The “Economic Stimulus Bill.”
- Federal spending bill that provides for investments in U.S. infrastructure, transportation, education and healthcare, and increases unemployment benefits.
HITECH: Health Information Technology for Economic & Clinical Health Act
- Included in ARRA
- Provides for over $20 billion in federal funds to invest in the adoption of HIT
- Also expands privacy and security requirements under HIPAA
More on ARRA later...

Slide 6: HIPAA: Titles I, III, IV & V
Professional medical informaticists are unlikely to need to know about the provisions in the other parts of HIPAA, but for the sake of completeness, here they are:
Title I: Health Care Access, Portability, and Renewability. Title I protects health insurance coverage for employees and their families when they change or lose their jobs (portability). It includes provisions for certificates of coverage and prohibits discrimination in enrollment and in premiums charged to employees and their dependents based on health status-related factors. Its provisions primarily affect employers.
Title III: Tax-Related Health Provisions. Title III provides for certain deductions for medical insurance, and makes other changes to health insurance law.
Title IV: Application and Enforcement of Group Health Plan Requirements. Title IV specifies conditions for group health plans regarding coverage of persons with preexisting conditions, and modifies continuation of coverage requirements.
Title V: Revenue Offsets. Title V includes provisions related to company-owned life insurance and the treatment of individuals who lose U.S. citizenship for income tax purposes, and repeals the financial institution rule to interest allocation rules.

Slide 7: HIPAA Title II: Preventing Fraud and Abuse; Administrative Simplification
The “Administrative Simplification” provisions of HIPAA are the most important to the work of medical informaticists.
Title II requires HHS to establish national standards for electronic health care transactions and national identifiers for providers, health plans, and employers to encourage electronic commerce in the health care industry. It also addresses the security and privacy of health data.
- Requires that Covered Entities use designated standard transaction formats and code sets for the electronic transmission of health information
- Establishes standards for the privacy and security of individually identifiable health information
- Provides penalties for its wrongful disclosure

Slide 8: HIPAA Title II: Timeline & Provisions
August 1996: Congress enacts HIPAA, and gives CMS three years to enact comprehensive regulations that govern how the HIPAA law will be implemented.
August 1999: CMS misses its deadline.
12 years after Congress enacts HIPAA, CMS finally issues the last of the five (5) implementing regulations for those 5 parts of HIPAA that are most relevant to medical informaticists, as follows:
1. Final Privacy Regs: Effective April 2003
2. Final Regs for Transaction Standards and Medical Data Code Sets: Effective October 2003, with 1-year extension (ASC X12N specifications, CPT codes, ICD-9 and ICD-10 codes)
3. Final Regs for Standard Unique Employer Identifier (EIN): Effective July 2004
4. Final Security Regs: Effective April 2005
5. Final Regs for Standard Unique Health Identifier for Healthcare Providers (NPI): Effective May 2008, with up to 1 year of extensions
When studying HIPAA, we are actually studying the 5 regulations that CMS drafted to implement the Congressionally-mandated HIPAA law.

Slide 9: 1. HIPAA Implementing Regulations: Healthcare Data Privacy
Let’s review these five HIPAA implementing regulations, starting with healthcare data privacy:
- After a lengthy and robust rule-making process involving over 11,000 comments to CMS, on December 28, 2000 CMS published a Final Privacy Regulation to implement the privacy provisions of HIPAA (it is 1526 pages long).
- Then-HHS Secretary Thompson ordered the public comment period to be re-opened twice after the original Privacy Regulation was published.
- August 14, 2002: final modifications to the Privacy Regulation published.
- Effective date: Covered Entities must be in compliance with the Final Privacy Regulation (as amended) by April 14, 2003.
- Responsible for enforcement: HHS Office for Civil Rights (OCR)

Slide 10: 1. HIPAA Implementing Regulations: Privacy. Key HIPAA Privacy Concepts
The HIPAA Privacy Rule applies only to Covered Entities, which include:
- Healthcare providers and institutions
- Health Plans: Individual and group plans that provide or pay the cost of medical care are Covered Entities, including health, dental, vision, and prescription drug insurers, HMOs, Medicare, Medicaid, Medicare+Choice and Medicare supplement insurers, and long-term care insurers (excluding nursing home fixed-indemnity policies), employer-sponsored group health plans, government- and church-sponsored health plans, and multi-employer health plans. There are exceptions to this definition that are not relevant for this course.
- Healthcare clearinghouses: Entities that process nonstandard information they receive from another entity into a standard format or data content, or vice versa, including billing services, repricing companies, community health management information systems, and value-added networks and switches if these entities perform clearinghouse functions.

Slide 11: More Key HIPAA Privacy Concepts
Covered Entities may need to share PHI with entities who are not themselves Covered Entities. Such entities are called Business Associates.
In general, a Business Associate is a person or organization, other than a member of a Covered Entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a Covered Entity that involve the use or disclosure of individually identifiable health information (PHI).
- A Business Associate’s functions or activities on behalf of a Covered Entity include claims processing, data analysis, utilization review, and billing.
- A Business Associate’s services to a Covered Entity include legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services.
- Covered Entities cannot share PHI with Business Associates unless they enter into a Business Associate Agreement.

Slide 12: More Key HIPAA Privacy Concepts
Business Associate Agreement (BAA): When a Covered Entity uses a contractor or other non-workforce member to perform "business associate" services or activities, the HIPAA Privacy Rule requires that the Covered Entity include certain protections for that PHI in a business associate agreement (BAA) and specify what “uses and disclosures” that Business Associate can make. In that contract, a Covered Entity must impose specified written safeguards on the PHI used or disclosed by its business associates.

Slide 13: Protected Health Information (PHI): A Definition
PHI is "any information, whether oral or recorded in any form or medium" that "[i]s created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse" (aka Covered Entities); and "[r]elates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual."
The HIPAA Privacy Rule does NOT cover PHI that has been “de-identified”.
HINT: If you are working with a de-identified data set, as defined by HIPAA, then HIPAA does not apply to your work… although state privacy/security laws may still apply.

Slide 14: De-Identification
Four ways to de-identify a healthcare data set:
1) Remove all individual patient identifiers from PHI;
2) Create a Limited Data Set;
3) Obtain “Certification” by a qualified statistician; or
4) Waiver from IRB or Privacy Committee
REMEMBER: The HIPAA Privacy Rule does NOT cover PHI that has been “de-identified”.
Consider why a de-identified data set is important to informaticists.

Slide 15: De-Identification Option 1
1) Remove all individual patient identifiers from PHI (“HIPAA Safe Harbor”)
- The HIPAA Privacy Rule lists 18 data elements considered to be individually identifiable health information.
- HIPAA says a patient has a right to privacy in individually identifiable health information (PHI), so remove all 18 patient identifiers to have a de-identified data set.

Slide 16: Patient Identifiers
(A) Patient names;
(B) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: (1) the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
(C) All elements of dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
(D) Telephone numbers;
(E) Fax numbers;
(F) Electronic mail addresses;
(G) Social security numbers;
(H) Medical record numbers;
(I) Health plan beneficiary numbers;
(J) Account numbers;
(K) Certificate/license numbers;
(L) Vehicle identifiers and serial numbers, including license plate numbers;
(M) Device identifiers and serial numbers;
(N) Web Universal Resource Locators (URLs);
(O) Internet Protocol (IP) address numbers;
(P) Biometric identifiers, including finger and voice prints;
(Q) Full face photographic images and any comparable images; and
(R) Any other unique identifying number, characteristic, or code.

Slide 17: De-Identification Option 2
2) Create a Limited Data Set
A limited data set is PHI from which certain specified direct identifiers of individuals and their relatives, household members, and employers have been removed. A "limited data set" is similar to a de-identified data set, just slightly larger, with 5 patient identifiers added back in.
The use of a limited data set allows researchers and others to have access to:
- dates of admission and discharge;
- dates of birth and death;
- five-digit zip code or “other geographic subdivisions other than street address or P.O. box.”
A limited data set may be used and disclosed for research, health care operations, and public health purposes only, provided the recipient enters into a Data Use Agreement promising specified safeguards for the PHI in that limited data set.
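The Safe Harbor identifier list on slide 16 and the limited data set described on this slide can both be expressed as one record transformation. The Python below is an added example, not code from the presentation or from any HIPAA tooling: the field names, the sample patient record and the set of restricted three-digit ZIP prefixes are all constructed for illustration (the real prefix set comes from Census data), and it is this example's own reading of category (C) to keep the year of each date while dropping month and day. It uses an allowlist rather than a denylist, because category (R), "any other unique identifying number, characteristic, or code", can never be enumerated by a fixed list of field names; it also applies the 90-or-older rule to the birth year, as (C) requires.

```python
"""Toy HIPAA Safe Harbor (Option 1) and Limited Data Set (Option 2) de-identifier.

Added example; the record schema, sample patient and restricted ZIP prefixes
are constructed, not taken from the presentation or from real data.
"""
from datetime import date
import re

# Allowlist: the only fields that pass through untouched. Anything not listed
# here (and not handled specially below) is dropped, because category (R)
# cannot be matched by a denylist of known identifier fields.
RETAINED_FIELDS = {"sex", "diagnosis_code", "procedure_code"}

# Date elements related to the individual (category (C)).
DATE_FIELDS = {"dob", "dod", "admit_date", "discharge_date"}

# Three-digit ZIP prefixes covering 20,000 or fewer people (category (B)).
# Constructed placeholder values; the authoritative set comes from Census data.
RESTRICTED_ZIP3 = {"036", "059", "102", "203", "556"}


def generalize_zip(zip_code):
    """Category (B): keep the first three digits, or 000 for a restricted prefix."""
    if not zip_code:
        return None
    zip3 = re.sub(r"\D", "", zip_code)[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalize_age(age):
    """Category (C): all ages over 89 collapse into a single '90+' category."""
    if age is None:
        return None
    return "90+" if age >= 90 else age


def year_only(value):
    """Strip month and day from a date element (this example keeps the year)."""
    return value.year if isinstance(value, date) else None


def safe_harbor(record):
    """Option 1: return a Safe Harbor de-identified copy of a record."""
    out = {}
    for key, value in record.items():
        if key in RETAINED_FIELDS:
            out[key] = value
        elif key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "age":
            out["age"] = generalize_age(value)
        elif key in DATE_FIELDS:
            out[key + "_year"] = year_only(value)
        # names, contact details, record numbers and unknown fields: dropped
    # Edge case in (C): for a patient aged 90 or older even the birth year
    # is "indicative of such age", so it is removed as well.
    age = record.get("age")
    if age is not None and age >= 90:
        out.pop("dob_year", None)
    return out


def limited_data_set(record):
    """Option 2: direct identifiers removed, full dates and 5-digit ZIP kept."""
    out = {}
    for key, value in record.items():
        if key in RETAINED_FIELDS:
            out[key] = value
        elif key == "zip":
            out["zip"] = re.sub(r"\D", "", value)[:5] if value else None
        elif key == "age":
            out["age"] = value  # age is not a direct identifier in a limited data set
        elif key in DATE_FIELDS:
            out[key] = value.isoformat() if isinstance(value, date) else None
    return out


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-000001",
    "ssn": "000-00-0000",
    "email": "jane@example.invalid",
    "street": "1 Example Street",
    "city": "Springfield",
    "zip": "60611-1234",
    "loyalty_card_no": "LC-42",  # a category (R) identifier absent from any denylist
    "dob": date(1931, 5, 2),
    "admit_date": date(2010, 3, 14),
    "discharge_date": date(2010, 3, 20),
    "age": 91,
    "sex": "F",
    "diagnosis_code": "250.00",
    "procedure_code": "99213",
}

if __name__ == "__main__":
    print("Safe Harbor:", safe_harbor(SAMPLE_RECORD))
    print("Limited data set:", limited_data_set(SAMPLE_RECORD))
```

Running the file prints both views of the sample record. Note how the constructed `loyalty_card_no` field vanishes from both outputs without ever being named in the code: that is the point of the allowlist design, and it is what a denylist of the 17 named categories would miss.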

Slide 18: De-Identification Option 3
3) Obtain Certification from a “qualified statistician” (Section 164.514(b)(1))
Who? “A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable”
- Have a qualified statistician, applying such principles and methods, determine that the risk is very small that the data could be used by an anticipated recipient, alone or in combination with other reasonably available information, to identify an individual who is a subject of the data.
- Moreover, the de-identifier must not “disclose the key or other mechanism that would have enabled the data to be re-identified”; this includes not divulging pseudo-random number algorithms or seed values.
- The qualified statistician must document the methods and results of the analysis that justify such a determination… i.e. the “Certification.”
- Fewer patient identifiers may need to be removed, for data to be de-identified, if you get a qualified statistician Certification.

Slide 19: De-Identification Option 4
4) Waiver of Patient Authorization (for research) from an Institutional Review Board (IRB) or Privacy Committee
Establish Research Need: The IRB/Committee must determine that the research could not practicably be conducted without the requested waiver, AND could not practicably be conducted without access to and use of the PHI.
Criteria to be evaluated by an IRB in approving an Authorization waiver: The PHI use/disclosure involves no more than minimal risk to the privacy of individuals, based on at least the presence of:
(1) an adequate plan presented to the IRB to protect PHI identifiers from improper use and disclosure;
(2) an adequate plan to destroy those identifiers at the earliest opportunity, consistent with the research, absent a health or research justification for retaining the identifiers; and
(3) adequate written assurances that the PHI will not be reused or disclosed to any other person or entity except: (a) as required by law, (b) for authorized oversight of the research study, or (c) for other research for which the use or disclosure of the PHI is permitted by the Privacy Rule.

Slide 20: De-Identification Option 4 (cont’d): IRBs and Research
- IRBs have authority to approve, require modification to, or disapprove all research activities covered by the HHS and FDA Protection of Human Subjects Regulations.
- Every institution engaged in human subjects research supported by a Federal agency is required to designate one or more IRBs… also, when FDA-regulated products are investigated in human subjects, the protocol is subject to review and approval by an IRB.
- Hospitals, academic medical centers, government units, and others engaged in federally supported health research activities all have their own designated IRBs.
- Among other responsibilities, the IRB must determine that the research protocol includes "adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data".

Slide 21: HIPAA Privacy Rule
“A covered entity may not use or disclose protected health information (“PHI”), except as permitted or required by [the final HIPAA privacy regulation].” 45 C.F.R. 164.502(a)
Basically, there are only 6 ways HIPAA allows you to “use or disclose” PHI (counting Treatment, Payment and Healthcare Operations separately):
- Treatment, Payment and Healthcare Operations (“TPO”)
- By operation of law (e.g. subpoena, court order or public health)
- Covered Entity obtains written Patient Authorization
- Obtain Waiver of Patient Authorization from IRB or Privacy Committee
Intended to give patients more control over how their medical records are “used” and “disclosed.” Did it succeed?

Slide 22: Treatment, Payment or Healthcare Operations
Treatment, Payment or Healthcare Operations (“TPO”) are the 3 key exceptions to a patient’s right of privacy in their PHI. Any PHI can be used and disclosed for these 3 purposes, as long as only the “minimum necessary” PHI is used or disclosed:
1) Treatment: attending physicians, consulting providers and other healthcare providers can share PHI while treating their patient
2) Payment: a patient’s physician and insurance company can process the claim, and process insurance premiums
3) Healthcare Operations: a catch-all phrase that is the key to how a medical informaticist is allowed to use and disclose PHI in their work
Let’s take a look at Healthcare Operations in more detail… virtually anything an informaticist does is included in Healthcare Operations.

Slide 23: Healthcare Operations
Include all of the following activities:
(a) Quality assessment and improvement activities, including case management and care coordination… A Covered Entity may also use, analyze, and disclose the PHI in its possession for the public health activities and purposes set forth at 45 C.F.R. § 164.512(b);
(b) Competency assurance activities, including provider or health plan performance evaluation, credentialing, and accreditation;
(c) Conducting or arranging for medical reviews, audits, or legal services, including fraud and abuse detection and compliance programs;
(d) Insurance functions, such as underwriting, risk rating, and reinsuring risk;
(e) Business planning, development, management, and administration; and
(f) General administrative activities of the Covered Entity, including but not limited to: de-identifying PHI (following 45 C.F.R. § 164.514(b)); creating a limited data set; and certain fundraising for the benefit of the Covered Entity.
Can you think of anything an informaticist does that isn’t arguably included in here?

Slide 24: What Can Be Disclosed?
Minimum Necessary Standard: Whenever a Covered Entity uses or discloses PHI (e.g. to a payer, provider, or other for TPO purposes), or requests such information from another Covered Entity, it must make reasonable efforts to limit the information to the minimum amount necessary to accomplish the intended purpose of the use or disclosure.
What are some ways to limit disclosure to the minimum amount necessary?

Slide 25: Incidental Uses and Disclosures of PHI
Incidental Uses and Disclosures are defined as secondary uses or disclosures of PHI that:
- cannot be reasonably prevented;
- are limited in nature; and
- occur as a by-product of an otherwise permissible use or disclosure.
Examples: A patient or other person happens to see individually identifiable health information of other patients on sign-in sheets in waiting rooms, patient charts at bedside, X-ray lightboards or empty prescription vials.
Incidental uses and disclosures are permissible only to the extent that reasonable safeguards have been used and, where applicable, the minimum necessary standard has been implemented. The concept is that Covered Entities are required to protect PHI with a minimum standard of care. So long as that standard of care (defined by the use and disclosure requirements under the Privacy Rule) is maintained, Covered Entities will be in compliance even in the event of an incidental use or disclosure of PHI.
HHS says it did not intend for the Privacy Rule to impede customary and necessary healthcare communications or practices. While Covered Entities are prohibited from using or disclosing PHI except in accordance with the Privacy Rule, incidental disclosures are not generally violations, assuming that reasonable safeguards are in place to minimize such disclosures. Accordingly, the modified rule explicitly permits certain incidental uses and disclosures.

Slide 26: A Note on Research Under the Privacy Rule
The Privacy Rule was not intended to impede research using records within databases and repositories that include PHI, but the Privacy Rule does place conditions on the use and disclosure of PHI by Covered Entities for research.
The HIPAA Privacy Rule permits a Covered Entity to use or disclose PHI for research under the following circumstances and conditions:
- For data reviews “preparatory to research” (to see if there is sufficient data to conduct a study, or to recruit patients for a study, for example), but only if certain representations are obtained from the researcher
- For research solely on decedents' information, if certain representations are obtained from the researcher
Consider the challenges HIPAA may present to conducting research: a potential research paper topic.

Slide 27: 2. HIPAA Implementing Regulations: Transaction Standards & Medical Data Code Sets
- In the past, health providers and plans have used many different electronic formats to transact medical claims and related business. Implementing national standards for data elements, diagnosis and procedure codes, etc. is intended to facilitate the exchange of electronic data. The goal is to simplify and improve efficiency, affordability and profitability.
- Healthcare providers do not need to conduct transactions electronically; however, if they do, compliance with the Regulation is required.
- Healthcare providers participating in Medicare MUST submit claims electronically, and health plans must be capable of accepting electronic transactions that comply with this Regulation.
- Responsible for enforcement: HHS Office of E-Health Standards and Services (OESS)

Slide 28: Implementing Regulations: Transaction Standards & Medical Data Code Sets (cont’d)
ASC X12N technical specifications: Insurance subcommittee of ANSI; implementation guides.
Facilitates consistency by requiring standard data content, codes and formats for the following electronic health “standard transactions”:
+ Health care claims or equivalent encounter information;
+ Health care payment and remittance advice;
+ Coordination of benefits;
+ Health care claim status;
+ Enrollment and disenrollment in a health plan;
+ Eligibility for a health plan;
+ Health plan premium payments; and
+ Referral certification and authorization.
Code sets were already widely used by Covered Entities (ICD-9-CM & CPT).

Slide 29: 3. Implementing Regulations: Standard Unique Identifier for Employers
- This final rule was jointly developed by CMS and the U.S. Departments of Treasury, Labor, and Defense.
- The regulation adopts an employer's tax ID number or Employer Identification Number (EIN) as the standard for electronic transactions, implementing an administrative simplification initiative that has a national scope beyond the Medicare and Medicaid programs.
- Responsible for enforcement: HHS Office of E-Health Standards and Services (OESS)

Slide 30: 4. Implementing Regulations: Security Rule
- The Final HIPAA Security Rule provides for a uniform level of protection of all PHI that is housed or transmitted electronically and that pertains to an individual.
- Applies only to PHI transmitted electronically… ePHI
- HIPAA ePHI Security Safeguards require Covered Entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by the Covered Entity’s workforce (i.e. training and auditing).
- Responsible for enforcement: HHS Office of E-Health Standards and Services (OESS)

Slide 31: Implementing Regulations: Security Rule (cont’d)
The Security Standard is intended to be scalable to apply to the broad spectrum of healthcare, from solo practice to a large academic medical center; in other words, it does not require specific technologies to be used. Covered Entities may elect solutions that are appropriate to their operations, as long as the selected solutions are supported by a thorough security assessment and risk analysis.
“Required” vs. “Addressable” specifications found in the Rule:
- Required: Mandated. The Security Rule requires “reasonable and appropriate administrative, technical and physical Safeguards” to ensure the confidentiality, integrity, and availability of ePHI (e.g., security incident procedure, data backup, disaster recovery, etc.)
  Administrative Safeguards: application of appropriate policies and procedures
  Technical Safeguards: Ensuring that technical security measures are in place to protect networks, computers and other electronic devices
  Physical Safeguards: Safeguarding physical access to ePHI
- Addressable: Based on risk analysis (e.g., e-mail encryption). Is it reasonable and appropriate for the Covered Entity? If so, implement it. If not, document this fact and implement "an equivalent alternative measure" if reasonable and appropriate.

Slide 32: 5. HIPAA Implementing Regulations: Standard Unique Identifier for Healthcare Providers
- In the past, healthcare organizations have used multiple identification formats when conducting business with each other: a confusing, error-prone and costly approach. It is expected that standard unique identifiers will reduce these problems.
- Referred to as the “National Provider Identifier” (“NPI”), this Final Rule establishes a standard unique identifier for all health care providers under HIPAA.
- The NPI, published 2004, requires hospitals, doctors, nursing homes, and other healthcare providers to obtain a unique identifier when filing electronic claims with public and private insurance programs.
- Providers can apply for an identifier once and keep it if they relocate or change specialties.
- Responsible for enforcement: HHS Office of E-Health Standards and Services (OESS)

Slide 33: Consequences of Non-Compliance with HIPAA
Under "General Penalty for Failure to Comply with Requirements and Standards," HIPAA says: … the HHS Secretary can impose fines for noncompliance as high as $100 per offense, with a maximum of $25,000 per year on any person who violates a provision of this [law].
Under "Wrongful Disclosure of Individually Identifiable Health Information," HIPAA states: … a person who knowingly and wrongfully:
- uses or causes to be used a unique health identifier;
- obtains individually identifiable health information relating to an individual; or
- discloses individually identifiable health information to another person,
… shall be fined not more than $50,000, imprisoned not more than 1 year, or both; and if the offense is committed under false pretenses, then be fined not more than $100,000, imprisoned not more than 5 years, or both; and if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.

Slide 34: State Preemption
HIPAA generally preempts state law. Three exceptions:
- Prevention of fraud & abuse or insurance regulation
- Controlled substances
- Privacy
Therefore, a state’s data privacy and security laws may supersede the federal HIPAA law, to the extent those state laws are more stringent than the federal HIPAA law. For example, in Illinois records of an HIV diagnosis, as well as patient mental health and genetics records (Illinois Genetic Information Privacy Act) among others, are more stringently protected under Illinois state privacy laws than under HIPAA.
What does that mean to medical informaticists? A complex privacy framework: you may work in, or your data might be provided in, a state that has tougher healthcare data privacy or security rules; be aware and consult your Chief Privacy or Chief Security Officer.

Slide 35: Balancing Privacy Protections of HIPAA and FERPA
This is for those informaticists who may work in an academic medical center or educational institution which receives federal funding.
- Family Educational Rights and Privacy Act of 1974 (FERPA): Privacy protections for an individual’s educational records, including some medical records… but not such strong protections as HIPAA
- HIPAA exempts medical records covered by FERPA
- Therefore, the records of a typical college student health clinic are NOT covered by the HIPAA privacy regulations, but if the clinic is open to faculty or dependents of students, then HIPAA applies
At best, an artificial distinction between the medical records of students and all other patients, and at worst a dysfunctional overlap of regulatory schemes… a topic ripe for exploring in the MMI 407 class final Research project.

Slide 36: International Data Transfer & Protection Laws
Europe: EU Data Protection Directive 95/46/EC (1995)
- For the current status of data protection legislation in EU states, see http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm
Canada: Personal Information Protection & Electronic Documents Act of 2004
Asia/Pacific region: For example, see Hong Kong’s Personal Data (Privacy) Ordinance and Code on Access to Information at http://www.pcpd.org.hk/english/ordinance/ordfull.html and http://www.access.gov.hk/en/code.htm
United States: See the U.S. Safe Harbor Registration List, at http://web.ita.doc.gov/safeharbor/SHList.nsf/WebPages/Safe+Harbor+List and http://www.export.gov/safeharbor/

Slide 37: ARRA Timeline & Provisions
Signed by Pres. Obama on February 17, 2009; various compliance dates required.
1. Leadership: Establishes the Office of the National Coordinator for Health Information Technology (ONCHIT) as well as committees on HIT policies, standards, etc.
2. Funding/Incentives: Establishes payments and loan programs to encourage the use of HIT. Includes incentives to physicians and hospitals for “meaningful use” of EHRs before 2014. After 2014, incentives are phased out and reductions in Medicare and Medicaid reimbursements occur.
3. Standards: Requires an initial set of standards, certification criteria and implementation specifications to be issued by 12/31/2009.
4. Certification: Authorizes creation of a voluntary HIT certification program.
5. R&D: Authorizes the establishment of programs to promote innovations in HIT.
6. Education: Authorizes the establishment of programs and grants for assistance and outreach in adopting HIT.
7. Privacy/Security: Modifies privacy and security standards in HIPAA to enable widespread HIT adoption.

Slide 38: Key Changes to the HIPAA Privacy & Security Rules Under ARRA
Why were changes needed?
- Lack of federal preemption: The Constitution provides that federal law will trump state law where there is a conflict, but HIPAA did not include language preempting the states from enacting stronger data privacy laws. Therefore a complex scheme of privacy laws has developed since HIPAA was enacted.
- Technological advances: When HIPAA was enacted it did not cover certain key players who are now key handlers of PHI (e.g., RHIOs and PHR vendors, which include covered entities, consumers, and third-party vendors such as Google and PassportMD).
- Desire to promote HIT: Earlier attempts to pass HIT legislation had been stalled by privacy concerns; Congress felt the need to increase privacy protections in order to promote the larger goal of widespread adoption of HIT.

39 Key Changes to the HIPAA Privacy & Security Rules Under ARRA Business Associates: RHIOs, PHR vendors etc. are now considered Business Associates BAs are now directly responsible for complying with certain HIPAA requirements, including administrative, physical and technical safeguards Civil and criminal penalties for violations of the security provisions applicable to CEs are now also applicable to BAs Breaches: Creates a federal notification requirement for security breaches of “unsecured” PHI; “secured” = encryption or destruction of media Generally, a CE or BA must notify each individual whose unsecured PHI has been accessed or disclosed as a result of a breach within 60 days after discovery Notice must also be provided to the Secretary and media outlets if the breach affects >500 individuals Safe Harbor from notification if in compliance with HHS guidance – strong incentive to comply Similar requirements for PHR vendors or third parties who are not CEs or BAs – NOTE: FTC jurisdiction rather than HHS 39

40 Key Changes to the HIPAA Privacy & Security Rules Under ARRA Minimum Necessary: Secretary to issue further guidance on what constitutes “minimum necessary” In the meantime, CEs should limit uses and disclosures to a Limited Data Set or make a judgment about the minimum necessary. This clarifies that the determination is made by the discloser, not the recipient of the PHI. Accounting: Gives individuals the right to request an accounting if CE uses an EHR – no exception for TPO. Includes BAs – BAs are required to respond to individuals if requests are made directly. Access: Gives individuals the right to obtain copies of PHI in electronic format CE may impose a fee to cover costs 40

41 Key Changes to the HIPAA Privacy & Security Rules Under ARRA Marketing/Sale of PHI: Clarifies that marketing does not constitute “operations” for TPO purposes No CE or BA to receive $$ for PHI unless individual provides authorization (Exceptions include public health data, research data, treatment, operations related to business mgmt and general admin activities, or payment to BA for services provided to CE pursuant to a BAA, etc.) Penalties & Enforcement: Criminal penalties may now apply to individuals (e.g., employees) and not only to CEs Changes to civil monetary penalties, as low as $100 but could be as high as $1,500,000 Changes the distribution of civil penalties collected – determining methodology to award percentage to the individual Permits state attorneys general (AGs) to bring enforcement actions in federal court; however, if the Secretary brings an action then state AGs cannot Stay tuned... much, much more detail to come! 41

42 Case Study: University HealthSystem Consortium UHC aggregates member Academic Medical Center (AMC) patient data into databases for use in clinical, operational, financial and supply chain informatics work, QI and clinical benchmarking UHC’s databases contain terabytes of PHI from UHC members with embedded patient identifiers, including: 1) zip code; 2) dates of admit/discharge; 3) birth/death dates; 4) account numbers; 5) health plan beneficiary numbers; 6) SS numbers; and 7) medical record numbers What are UHC’s options to continue its database activities for its members in compliance with HIPAA, but without compromising the quality and value offered by terabyte-sized databases full of PHI? 42

43 UHC Case Study: The 5 HIPAA Compliance Options Five HIPAA Compliance Options are Available to UHC: Data aggregation activities qualify as “Healthcare Operations,” so PHI can be used and disclosed without patient consent/authorization Create only “Limited Data Sets” in UHC databases De-identify the database to qualify for HIPAA “safe harbor” Covered Entity obtains written Patient Authorization Obtain Waiver of Patient Authorization from IRB or Privacy Committee Let’s look at each of these 5 Options in detail… and discuss on the Discussion Board this week which Option or Options is best for UHC. 43

44 Case Study: Option 1: “Healthcare Operations” Exception Healthcare Operations is defined to include quality assessment and improvement activities, and comparative analyses that involve PHI data aggregation UHC’s database activities, intended for clinical, financial, supply chain and operational QA/QI, qualify as Healthcare Operations, so PHI can continue to be collected from members without de-identification Pros? Cons? 44

45 Case Study: Option 2: Create a “Limited Data Set” Most recent revision to the privacy rule allows a limited set of PHI, stripped of certain patient identifiers, to be used for healthcare operations, public health or research purposes Would require each covered entity to have a “Data Use Agreement” with UHC, similar to a Business Associate Agreement Limited Data Set would allow collection of: - dates of admission and discharge; - dates of birth and death; and - five-digit zip code or “other geographic subdivisions other than street address or P.O. Box.” But, Limited Data Set will still not allow UHC to collect account numbers, SS numbers, medical record numbers, health plan beneficiary numbers, or other PHI Pros? Cons? 45
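Option 2 in code, as an added example that is not part of the presentation or of UHC's own tooling: a member record shaped like the PHI slide 42 describes is reduced to the elements slide 45 says a Limited Data Set may keep, and a check confirms none of the disallowed direct identifiers survive. Field names and the sample record are constructed for illustration.

```python
"""Added example (not from the slides): reducing a UHC-style member record
to a HIPAA Limited Data Set, plus a check a Data Use Agreement recipient can
run on an incoming feed. Field names and sample values are constructed."""
import re

# Identifiers slide 42 lists as embedded in UHC's databases that slide 45
# says a Limited Data Set may NOT carry. Used only for the compliance check.
DIRECT_IDENTIFIERS = {"account_number", "health_plan_beneficiary_number",
                      "ssn", "medical_record_number"}

# Allowlist of what the Limited Data Set may keep (the date and geography
# categories on slide 45) plus the clinical payload the databases exist for.
# An allowlist, not a "delete the known bad columns" denylist, is what the
# "minimum necessary" principle (slide 40) calls for: a new column added by
# a member AMC is dropped until someone deliberately approves it.
LDS_ALLOWED = {"admit_date", "discharge_date", "birth_date", "death_date",
               "zip", "diagnosis_codes", "procedure_codes", "total_charges"}


def to_limited_data_set(record: dict) -> dict:
    """Return a new record holding only Limited-Data-Set-permitted fields.
    ZIP is reduced to the five-digit form slide 45 allows; a value that does
    not yield five digits is dropped rather than passed through."""
    lds = {k: v for k, v in record.items() if k in LDS_ALLOWED}
    if "zip" in lds:
        digits = re.sub(r"\D", "", str(lds["zip"]))
        if len(digits) >= 5:
            lds["zip"] = digits[:5]
        else:
            del lds["zip"]
    return lds


def direct_identifiers_present(record: dict) -> set:
    """Which disallowed direct identifiers are still populated in a record?
    An empty set means the feed is clean with respect to slide 45's list."""
    return {k for k in DIRECT_IDENTIFIERS if record.get(k) not in (None, "")}


# Constructed sample record shaped like the PHI slide 42 describes.
SAMPLE = {
    "medical_record_number": "MRN-0001", "ssn": "000-00-0000",
    "account_number": "ACCT-77", "health_plan_beneficiary_number": "HPB-9",
    "patient_name": "Example Patient",        # not on the allowlist: dropped
    "admit_date": "2009-03-01", "discharge_date": "2009-03-04",
    "birth_date": "1950-06-15", "death_date": None,
    "zip": "60611-2345", "diagnosis_codes": ["DX-EXAMPLE"],
    "total_charges": 12345.67,
}

if __name__ == "__main__":
    print(to_limited_data_set(SAMPLE))
    print(direct_identifiers_present(to_limited_data_set(SAMPLE)))  # set()
```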

46 Case Study: Option 3: De-identify… The HIPAA “Safe Harbor” Database research using de-identified PHI is permitted if there is no reasonable basis to believe the information can be used to identify an individual De-identification of UHC database data may have significant negative impact on the value of the databases Pros? Cons? 46

47 Case Study: Option #4: Obtain Patient Authorization For every patient whose PHI is sent to a UHC database, the Covered Entity must obtain a signed Authorization from that patient HIPAA says a Covered Entity may not deny treatment to a patient who refuses to sign such an Authorization Potential to significantly compromise the quality and volume of the data flowing into the database, by reducing the flow of data Pros? Cons? 47

48 Case Study: Option #5: Waiver of Patient Authorization UHC could apply for a waiver of authorization from either an Institutional Review Board (“IRB”) or the new Privacy Board at each Covered Entity which sends PHI to UHC UHC grounds for waiver: HIPAA allows a waiver if privacy risks are reasonable in relation to anticipated benefits to patients and the value of the knowledge to be gained Pros? Cons? Discuss on the Discussion Board this week which Option is best for UHC… 48

49 Conclusion Professionally, a solid understanding of HIPAA is critical to how medical informaticists work with healthcare data. HIPAA rules are evolving based on ARRA. Expect changes over the next 18 months. Since CMS will include all relevant players in any HIPAA enforcement investigation, a solid knowledge of HIPAA and eventually ARRA can keep both you and your CIO out of jail! 49

