Patient Privacy Provisions of the HITECH Act Implications for Patients and Small Healthcare Providers
Patient Privacy Provisions of the Health Information Technology for Economic and Clinical Health Act Implications for Patients and Small Healthcare Providers Fred L. Ingle HIMA 5060
Topics• Confidentiality and privacy provisions of the Health Insurance Portability Act of 1996 (HIPAA)• Confidentially and privacy provisions of the Health Information Technology for Economic and Clinical Health Act (HITECH)• Implications for Patients• Implications for small healthcare providers• Recommendations
Confidentiality and privacy provisions of the Health Insurance Portability Act of 1996 (HIPAA) Predecessor to HITECH• Covered entities (CEs) - health plans, health care providers, and healthcare clearing houses• The act protects PHI in any form including oral, paper, and electronic media
When can PHI be used under HIPAA?• Information can be used without permission from the subject individual for: – Personal use by the subject individual or his/her designee – Treatment, payment, or healthcare operations – Public health and benefit activities – Research and public health (limited data set stripped of individualized information)• Only the minimum information necessary under the above provisions• PHI used for any other reason requires written authorization from the patient
HIPAA Penalties• Both civil and criminal• Civil penalties – $100 per infraction – $25,000 for multiple infraction that do not include willful intent• Criminal Penalties – $50,000 and up to one year in prison for willful intent – $100,000 and up to five years in prison for false pretenses – $250,000 and up to ten years in prison for the sell, transfer, commercial use, or malicious harm
Confidentiality and privacy provisions of the Health Information Technology for Economic and Clinical Health Act• Definition of CEs expanded under HITECH to include business associates (BAs) of CEs• Under HIPAA termination of relationships with BAs was the only penalty for violating BAs• Under HITECH BAs are subject to the same penalties as CEs• Individuals can receive a copy of their PHI, receive information about who has accessed their PHI (3 year audit trail), and can request restrictions on PHI for any reason
HITECH and PHI Breaches• CEs and BAs are required to notify each individual affected• Methods of notification include mail, e- mail, telephone• If breach affects 500 or more individuals, a prominent media outlet must be used• Notification must occur within 60 days after initial discovery• HIPAA did not require individual notification
New Penalties Under HITECH• Under HIPAA there was no civil penalties for breaches that were not due to willful neglect if the violation was corrected within 30 days of discovery• Under HITECH any “unknowing wrongful disclosure” is subject to penalties that range from $100 to $25,000• HITECH increases violations not due to willful neglect to $1000 to $100,000• Penalties for repeated or uncorrected violations can extend to $1.5 million
Is HIPAA and HITECH working?• Under HIPAA in 2008, 9200 cases were resolved by the Office for Civil Rights (OCR)• Since HITECH started in 2009 through the end of 2011, over 19 million patient records were involved in breaches• Why? Lax enforcement due to lack of funds to prosecute• Audits required under the laws are moving at a snail’s pace• Failure of healthcare providers to perform risk analysis as required by the law
Recommendations• Education of patients on the provision of the law pertaining to PHI should be increased. There is a plethora of information on the Office of Civil Rights website that is useful in assisting patients in understanding their privacy rights. However, this information is not readily available at the point-of-care. Materials should be offered to patients at each encounter.• The “minimum necessary” stipulation of shared PHI for research needs to be replaced with exact language from HHS.• There should be some standards for not only certifying EHRs for privacy technology standards, but also required standards for the training and certification of administrators and others who interface with EHRs.• Audits by the Office of Civil Rights should be increased with appropriate funding. These audits should have an educational rather than a punitive focus intitially.• Providers should be conduct assessments to determine their capability of being compliant before an audit. Small providers that do not have the trained personnel available should consider out-sourcing the position of privacy and security officer to a well-qualified and certified entity.
The Hippocratic Bargain• The Hippocratic Oath established the tenets of privacy and confidentiality as fundamental aspects of aspects of medical care in ancient Greece 2400 years ago.• What once was a two-party, physician patient relationship has completely changed• The original Hippocratic bargain has evolved into the patient’s information being shared with numerous and unknown healthcare individuals and others for a variety of reasons.
The New Hippocratic Bargain• Patient’s are apprised of who sees what and why• Access is based on “tiers” of minimum amount of information needed to treat• Providers diligently work to exchange sufficient information for treatment without overstepping privacy and confidentiality boundaries• Patients are active participants in this process
Sources • References• Anderson, H. (2010a). HIPPA audits inch closer to reality [Article]. In HealthcareInfoSecurity.com. Retrieved from http://www.healthcareinfosecurity.com/articles.php?art_id=2359• Anderson, H. (2010b). HIPPA privacy, security updates coming [Article]. In HealthcareInfoSecurity.com. Retrieved from http://www.healthcareinfosecurity.com/articles.php?art_id=2468• Blumenthal, D. (2009). Health IT adoption and the new challenges faced by solo and small group healthcare practices [Congressional Testimony]. In HHS.gov. Retrieved from http://www.hhs.gov/asl/testify/2009/06/t20090624a.html• Brown, B. (2009). Privacy provisions of the American Recovery and Reinvestment Act. Journal of Health Care Compliance, 11(3), 37-73. Retrieved from http://ehis.ebscohost.com.jproxy.lib.ecu.edu/ehost/pdfviewer/pdfviewer?sid=6acbfad3-0a7a-46f6-a1a6-6a53f3b62a0d%40sessionmgr114&vid=4&hid=124• EMRapproved.com. (2012). Meaningful Use Stage 2 Final Rules. Retrieved from http://www.emrapproved.com/meaningful-use-stage-2.php• Greene, A. H. (2011). HHS Steps up HIPAA Audits... ...Now is the time to review security policies and procedures. Journal of AHIMA, 82(10), 58-59. Retrieved from http://search.proquest.com.jproxy.lib.ecu.edu/docview/890174092/13AC1C8147A275241B1/22?accountid=10639• Heindel, C. & Boateng, C. (2012). Your organization could be next: How to prepare for an OCR audit. Journal of Health Care Compliance, 14(4), 47-76. Retrieved from http://ehis.ebscohost.com.jproxy.lib.ecu.edu/ehost/pdfviewer/pdfviewer?sid=4d0d3484-e684-48f2-98b9-5db58e9ebff7%40sessionmgr115&vid=4&hid=115• Hewlett Packard. (2011). White Paper: Financing your EHR: Options to bridge the ARRA reimbursement gap. Retrieved from http://www.hp.com/sbso/solutions/healthcare/financing- your-ehr-implementation.pdf• Kohn, D. (2009). Impact on the enterprise content management industry: The 2009 ARRA & HITECH Acts. Infonomics, 23(5), 28-31. Retrieved from http://search.proquest.com.jproxy.lib.ecu.edu/docview/751997596/13AC1BC61537061FA4C/19?accountid=10639• Martin, M. (2009). HITECH increases exposure of personal care records [Article]. In Health Care News. Retrieved from http://www.heartland.org/healthpolicynews.org/article/25293/HITECH_Increases_Exposure_of_Personal_Care_Records.html• Miller, J. (2010). Locking down privacy. Managed Healthcare Executive, 20(3), 12-16. Retrieved from http://search.proquest.com.jproxy.lib.ecu.edu/docview/212588887/13AC1ABC3929A1691B/13?accountid=10639• Patton , C. (2012). Health Informatics "Hiring Spree": Demand for Health Informatics Workers Grows. Retrieved from http://www.healthinformaticsforum.com/profiles/blogs/health- informatics-jobs-demand• Redspin Inc. (2012). Red spin breach report 2011: protected health information. Retrieved from http://www.redspin.com/docs/Redspin_PHI_2011_Breach_Report.pdf• Silver, J., Levin, T., & Garrison, L. (2003). Staff workshop report: technologies for protecting personal information. Report prepared from the workshop convened by the Federal Trade Commission to examine the current and potential role of technology in protecting consumer information. Retrieved from http://www.ftc.gov/bcp/workshops/technology/finalreport.pdf• The Future of Health Now. The Future of Health Now -. (n.d.). Retrieved from http://www.thefutureofhealthnow.com• United States Department of Health and Human Services, Office Of Civil Rights, . (2012). 2012 HIPAA privacy and security audits report. Retrieved from http://csrc.nist.gov/news_events/hiipaa_june2012/day2/day2-2_lsanches_ocr-audit.pdf• United States Department of Health and Human Services, Office of Civil Rights. (2003). Summary of the HIPPA Privacy Rule. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf• Veazie, J. (2009). Hidden impact of the stimulus package. Health Care Collector, 23(4). Retrieved from http://ehis.ebscohost.com.jproxy.lib.ecu.edu/ehost/pdfviewer/pdfviewer?sid=7ab09c68-e58a-4a34-b911-12824564f306%40sessionmgr111&vid=4&hid=103
A particular slide catching your eye?
Clipping is a handy way to collect important slides you want to go back to later.