Privacy and Security In an Evolving Environment Dialogue on Diversity May 15th, 2013
0 likes | 114 Views
Privacy and Security In an Evolving Environment Dialogue on Diversity May 15th, 2013 . Laura E. Rosas, JD, MPH Office of the Chief Privacy Officer. Privacy and Security: A Shared Responsibility.
Privacy and Security In an Evolving Environment Dialogue on Diversity May 15th, 2013
An Image/Link below is provided (as is) to download presentationDownload Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.Content is provided to you AS IS for your information and personal use only. Download presentation by click this link.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.During download, if you can't get a presentation, the file might be deleted by the publisher.
E N D
Presentation Transcript
Privacy and SecurityIn an Evolving EnvironmentDialogue on DiversityMay 15th, 2013
Laura E. Rosas, JD, MPH Office of the Chief Privacy Officer
Privacy and Security: A Shared Responsibility Government: Establish, enforce, coordinate, and communicate affordable and workable Privacy & Security regulations Providers: Understand Privacy & Security requirements, establish and promote Privacy & Security policies and practices, train and monitor staff, and manage risk Vendors: Integrate easy-to-use Privacy & Security features into products and provide updates as regulations evolve Patients: Understand rights and basic means used to secure PHI
Origins of Medical Privacy “What I may see or hear in the course of the treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep to myself, holding such things shameful to be spoken about.” Hippocrates , c. 460 BC - 370 BC
Patient Privacy and Patient Safety “The treatment that a patient receives can be greatly affected by what the patient chooses to disclose to their physician.” - Annals of Family Medicine, 2008 Medical confidentiality protections are meant toencourage disclosure…” - Archives of Internal Medicine, 2005
Privacy and Security in Practice Use technology that has privacy and security built into the technology Privacy and Security are considered as part of physical environment, patient care, and all communications HavePrivacy and Security checkups and communicate results to all Training, is regular updated and an essential part of the overall strategic plan
Key Federal Health Information Privacy Laws HIPAA Privacy and Security Rules Health Insurance Portability and Accountability Act of 1996, as amended by. . . Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 State Laws that are more restrictive are not pre-empted by HIPAA 5
HIPAA Privacy Rule: General Overview Set a federal floor for protecting health information Apply to many, but not all, key actors in health care system Limit how key actors may use and disclose individually identifiable health information they receive or create (“protected health information”) Give individuals rights with respect to their protected health information (right to request restriction if paid in full) Impose administrative requirements Require breach notification Establish civil and criminal penalties http://www.acpinternist.org/archives/2003/09/privacy.htm 6
Who Must Comply with HIPAA Privacy Rule? Covered entities Health plans Health care clearinghouses Process health information into and/or out of HIPAA standard format Health care providers that electronically transmit health information in connection with a HIPAA-specified covered transaction Essentially those related to processing claims for health care Business associates (certain provisions)
Who Is a Business Associate (BA)? Perform certain functions or activities on behalf of a covered entity that involve the use or disclosure of PHI including: Data analysis Data aggregation Claims processing Quality assurance Legal services Accounting Others specified
Mobile Health Research & Education Provider Adoption of Mobile Devices in the U.S. Health Care Community
Scenario #1 You are a physician consulting on the case of a 79 year-old woman with recent surgery for a broken hip and suspected dementia. After seeing the patient, her daughter-in-law wishes to speak with you about her condition.
In Response…. In response you: Ask to have the patient’s son, her spouse contact you Speak with the patient and check the patient’s EHR for any restrictions on speaking to particular family members. If not, use your professional judgment in discussing the patient’s condition with the daughter-in-law. Tell the patient that you appreciate her concern, however due to the HIPAA Privacy Rule you cannot share any information with her Consult with the patient first, and if the patient provides written authorization, then you can speak with the daughter-in-law
Answer: Scenario #1 In response you: Ask to have the patient’s son, her spouse contact you Speak with the patient and check the patient’s EHR for any restrictions on speaking to particular family members. If not, use your professional judgment in discussing the patient’s condition with the daughter-in-law. Tell the patient that you appreciate her concern, however due to the HIPAA Privacy Rule you cannot share any information with her Consult with the patient first, and if the patient provides written authorization, then you can speak with the daughter-in-law
Scenario #2 A 26 year-old male patient has come to see you for a suspected sexually transmitted infection. After reaching a diagnosis and writing a prescription, the patient tells you that he will pay for the visit in full and requests that the information related to the visit not be disclosed to his insurance company.
In Response… “I’m sorry but the HIPAA Privacy Rule requires the information be transmitted to the insurance company regardless of whether you pay in full.” “Yes, but for each related transaction you will need to inform those organizations separately. For example, if you do not want the pharmacy to bill your insurance company you will need to inform them separately.” “No, state law requires that we inform your insurance company” “Yes, and we will ensure that any other information related to this visit, for example, your pharmacy, is also informed to ensure that the information is not sent to your insurance company.
Answer: Scenario #2 “I’m sorry but the HIPAA Privacy Rule requires the information be transmitted to the insurance company regardless of whether you pay in full.” “Yes, but for each related transaction you will need to inform those organizations separately. For example, if you do not want the pharmacy to bill your insurance company you will need to inform them separately.” “No, state law requires that we inform your insurance company” “Yes, and we will ensure that any other information related to this visit, for example, your pharmacy, is also informed to ensure that the information is not sent to your insurance company.
Scenario #3 You are a pediatrician seeing a 16 year-old girl for a physical. Just as you are finishing the exam, she informs you that she is sexually active, and requests a prescription for birth control pills. However, she does not want her parents to know and she requests that you keep this information and the prescription confidential. You practice in a jurisdiction that allows minors to consent to their care for the purposes of family planning.
In Response: You provide the prescription but tell her that you are required by law to inform her parents of the prescription You provide the prescription and note in the EHR that this information should not be disclosed to the parents without the patient’s authorization. You provide the prescription, but tell the patient that you will need to inform the parents due to the practice’s liability insurance You do not provide the prescription as it is against the practice’s policy to provide minor care without the parent’s consent.
Answer: Scenario #3 You provide the prescription but tell her that you are required by law to inform her parents of the prescription You provide the prescription and note in the EHR that this information should not be disclosed to the parents without the patient’s authorization. You provide the prescription, but tell the patient that you will need to inform the parents due to the practice’s liability insurance You do not provide the prescription as it is against the practice’s policy to provide minor care without the parent’s consent.
Mobile Health Research & Education Take the Steps to Protect and Secure Health Information When Using a Mobile Device The resource center HealthIT.gov/mobiledevices was created to help providers and professionals: Protect and Secure health information when using mobile devices regardless of whether the mobile device is personally owned, bring your own device (BYOD) or provided by an organization
Helping Providers Integrate Privacy and Security into Their Culture Designed to help health care practitioners and practice staff understand the importance of privacy and security of health information at various implementation stages Developed with assistance from the American Health Information Management Association (AHIMA) Foundation, with input from OCR and OGC Available at: http://www.healthit.gov/providers-professionals/ehr-privacy-security 20
Training Materials: Security Video Game Released September 2012 21
HHS Office for Civil Rights (OCR):Policy Guidance/Compliance ToolsWhat’s in the Works: Fact Sheets/Q&A on new provisions Breach Risk Assessment Tool Minimum Necessary Guidance Better Compliance Tools for Small Entities Adaptation of SAG Training for Covered Entities Expanded Consumer Materials/Videos
We are all responsible for creating a culture where privacy and security are respected and valued.