SUNWEST ETHICS AND COMPLIANCE PROGRAM
CURRENT COMPLIANCE, PRIVACY
AND SECURITY ISSUES
Tim Timmons
GOBHI Corporate Integrity Officer
CCEP, CHP, CHSS
COMMON HIPAA
PRIVACY QUESTIONS
HIPAA Privacy Q&A
Question #1: May health care providers share protected
health information with developmental disability agencies
without the client’s authorization?
Answer: Developmental disability agencies are not health
care providers and therefore are not HIPAA covered
entities. So authorization is necessary unless otherwise
permitted by the Privacy Rule or other federal or state
law.
HIPAA Privacy Q&A
Question #2: Health care providers can share personal
health information with public health agencies without the
client’s authorization.
Answer: Public health agencies meet the definition of
“health care providers” under HIPAA, so all the disclosure
exceptions in the Privacy Rule apply.
HIPAA Myths and Misunderstandings
Question #3: Under the Privacy Rule, does the minimum
necessary standard apply to the use and disclosure of PHI
for treatment purposes?
Answer: Under the Privacy Rule, the minimum necessary
standard does not apply to the disclosure of PHI to a
health care provider for treatment, but technically, does
apply to the use of PHI for treatment.
HITECH Imposes Additional
Restrictions
HITECH limits covered entities’ discretion for determining
what constitutes the minimum necessary and requires a
two-tiered approach to limit the use, disclosure or request
of PHI:
Disclosure should, to the extent practicable, be restricted to a
limited data set or, if needed,
to the minimum necessary to accomplish the intended purpose of
such use, disclosure, or request.
HITECH Imposes Additional
Restrictions
The Privacy Rule allows the disclosing party to rely on the
professional judgment of other health care professionals
requesting PHI to determine how much information they
need.
According to HITECH, however, the entity disclosing the
PHI (as opposed to the requester) is responsible for
making the minimum necessary determination.
Determining Who Should Have
Access to PHI
You should develop role-based access controls to
determine who should have access to all PHI, regardless
of whether it’s electronic or paper-based.
This is a requirement in the HIPAA Security Rule as well.
HIPAA Privacy Q&A
Question #4: A covered entity may disclose PHI for health
care operations with the patient/client’s authorization for
health care operations
Answer: The exception to the requirement for an
authorization applies to disclosures for treatment only if:
Each entity either has or had a relationship with the individual who
is the subject of the information,
The protected health information pertains to the relationship; and
The disclosure is for a quality-related health care operations
activity or for the purpose of health care fraud and abuse
detection or compliance
HITECH
STATUS ON THE
FINAL RULES
Final Rules Implementing the 2009
HITECH Act
Susan McAndrew, OCR deputy director for health information
privacy, said the omnibus rules were accepted for clearance
by the Office of Management and Budget on March 24 and
are expected to be released after a review of up to 90 days
Final Rules Implementing the 2009
HITECH Act
Harm standard will be addressed
Breach risk assessment highlighted
Responsibility and liability of business associates
Sample BA agreement
Protection for marketing and fundraising
Final Rules Implementing the 2009
HITECH Act
Ban on sale of PHI with list of exceptions
Prohibition of use of genetic information for underwriting
Will require the development of a new NPP outlining
patient rights and responsibilities
Final Rules Implementing the 2009
HITECH Act
Lifting of protections for deceased individuals after 50
years in proposed rule will be addressed
More liberal provisions for family members to obtain
records of decedents
Final Rules Implementing the 2009
HITECH Act
Guidance on minimum necessary
More liberal access to records of decedents for family
members involved in the care of the decedent immediately
prior to death
Are Small Organizations Safe
From Privacy Sanctions?
Complaint lodged against a small Phoenix cardiac
surgical practice
OCR investigation revealed
Surgical appointments posted online with patient names
Emails containing PHI using personal email accounts
No HIPAA training
Role of privacy officer uncertain
Few privacy policies and procedures
Are Small Organizations Safe
From Privacy Sanctions?
Result:
$100,000 fine
Corrective action plan with the OCR
Damage to the practice’s reputation
All it takes is one complaint, prompting an OCR
investigation – Just ask Michael Kurtz
PRIVACY OF DRUG AND
ALCOHOL RECORDS
42 CFR Part 2
Who is Covered under Part 2
An individual or entity must be federally assisted and
hold itself out as providing, and provide, alcohol or drug
abuse diagnosis, treatment or referral for treatment (42
CFR § 2.11).
What are the Restrictions
on Disclosure
The Part 2 regulations “impose restrictions upon the
disclosure and use of alcohol and drug patient records
which are maintained in connection with the
performance of any federally assisted alcohol and drug
abuse program.” (42 CFR § 2.3(a)) The restrictions on
disclosure apply to any information disclosed by a Part 2
program that “would identify a patient as an alcohol or
drug abuser …” (42 CFR § 2.12(a)(1))
What Does Disclosure Mean
“Disclose or disclosure” means the “communication
of patient identifying information, the affirmative
verification of another person’s communication of patient
identifying information, or the communication of any
information from the records of a patient who has been
identified.”
What is Considered PHI Under Part 2
“Patient identifying information” means the “name,
address, social security number, fingerprints,
photographs, or similar information by which the identity
of a patient can be determined with reasonable accuracy
and speed either directly or by reference to other
publicly available information.”
When May PHI be Shared
Unlike HIPAA, which generally permits the disclosure of
protected health information without patient consent or
authorization for the purposes of treatment, payment, or
health care operations, Part 2, with limited exceptions
(i.e., medical emergencies and audits and evaluations),
requires patient consent for such disclosures (42 CFR §§
2.3, 2.12, 2.13).
When May PHI be Shared
Some types of exchange, however, may take place
without patient consent when a qualified service
organization agreement (QSOA) exists or when
exchange takes place between a Part 2 program and an
entity with administrative control over that program.
What is a Qualified
Service Organization
A qualified service organization (QSO) means a person
or organization that:
Provides services to a [Part 2] program, such as data processing,
bill collecting, dosage preparation, laboratory analyses, or legal,
medical, accounting or other professional services or services to
prevent or treat child abuse or neglect, including training on
nutrition and child care and individual and group therapy, and
Has entered into a written agreement with a program under
which that person acknowledges that in receiving, storing,
processing or otherwise dealing with any patient records from
the programs, it is fully bound by these regulations; and
if necessary, will resist in judicial proceedings any efforts to
obtain access to patient records, except as permitted by these
regulations.
STATUS OF OPT OUT
REQUIREMENT FOR THE
DISCLOSURE OF ePHI
Status of Opt Out Requirement
Question: Does the HITOC Subcommittee recommend an
indefinite deferral or have any affirmative recommendation
on whether consent should be required for the disclosure of
all electronic PHI?
Answer: The Subcommittee has expressed concern, which it
strongly reiterated in its last meeting, that an opt-out
policy, at this time, could harm the development of
coordinated care organizations (CCOs) and/or their use of
health IT.
Status of Opt Out Requirement
SB 1580 provides that information transfer within a CCO
does not require patient authorization.
Question: How can one reconcile an opt-out consent model
with SB 1580?
Answer: The Subcommittee did not see a feasible way to do
so at this time.
Senate Bill 1580
SECTION 16. (1) Notwithstanding ORS 179.505, a health
care provider that is a participant in a coordinated care
organization, as defined in ORS 414.025, shall disclose
protected health information:
(a) To other health care providers participating in the coordinated
care organization for treatment purposes, and to the coordinated
care organization for health care operations and payment purposes,
as permitted by ORS 192.558; and
(b) To public health entities as required for health oversight
purposes.
Senate Bill 1580
(2) The disclosures described in subsection (1) of this
section may be provided without the authorization of the
patient or the patient’s personal representative.
(3) Subsection (1) of this section does not apply to
psychotherapy notes, as defined in ORS 179.505.
CURRENT PRIVACY AND
SECURITY CHALLENGES
Current Privacy Challenges
Use of social media by staff containing PHI
Facebook
Twitter
Off-site “friending” and “tweets”
Medical identity theft
World Privacy Forum pegged growth at 3% to 7% a year
AHIMA reported that a purloined medical identity has a street value
of about $50 compared to $1 for a Social Security number
Current Privacy Challenges
Sharing PHI in integrated care without patient/client
authorization
Disclosure of PHI for QA/QI purposes if the patient/client doesn’t
have an established relationship with all parties within the CCO
Consent restrictions for A&D providers
Absence of policies and procedures to comply with the
HIPAA Security Rule
Current Privacy Challenges
Business associate compliance with the Privacy Rule and
HITECH
Breach notification is still the covered entity’s responsibility,
according to HHS
Breach responsibilities should be spelled out in the BA agreement
What do you do when the BA wants you to use its BA agreement
and it doesn’t contain all the necessary assurances you need, and
the BA is vital to your operation?
QUESTIONS??