Patient Privacy Provisions of the HITECH Act Implications for Patients and Small Healthcare Providers

Fred L. Ingle

  • 1. Patient Privacy Provisions of the Health Information Technology for Economic and Clinical Health Act: Implications for Patients and Small Healthcare Providers. Fred L. Ingle, HIMA 5060
  • 2. Topics
    • Confidentiality and privacy provisions of the Health Insurance Portability Act of 1996 (HIPAA)
    • Confidentiality and privacy provisions of the Health Information Technology for Economic and Clinical Health Act (HITECH)
    • Implications for patients
    • Implications for small healthcare providers
    • Recommendations
  • 3. Confidentiality and privacy provisions of the Health Insurance Portability Act of 1996 (HIPAA), the predecessor to HITECH
    • Covered entities (CEs): health plans, health care providers, and healthcare clearing houses
    • The act protects PHI in any form, including oral, paper, and electronic media
  • 4. When can PHI be used under HIPAA?
    • Information can be used without permission from the subject individual for:
      – Personal use by the subject individual or his/her designee
      – Treatment, payment, or healthcare operations
      – Public health and benefit activities
      – Research and public health (limited data set stripped of individualized information)
    • Only the minimum information necessary under the above provisions
    • PHI used for any other reason requires written authorization from the patient
  • 5. Responsibility of the CE
    • Must provide the patient with the CE's privacy policy, which must be in accord with the Privacy Rule of 2002
    • The privacy policy must contain information about where to report concerns, both to the CE and to the U.S. Department of Health and Human Services
  • 6. HIPAA Penalties
    • Both civil and criminal
    • Civil penalties
      – $100 per infraction
      – $25,000 for multiple infractions that do not involve willful intent
    • Criminal penalties
      – $50,000 and up to one year in prison for willful intent
      – $100,000 and up to five years in prison for false pretenses
      – $250,000 and up to ten years in prison for the sale, transfer, commercial use, or malicious harm
  • 7. Confidentiality and privacy provisions of the Health Information Technology for Economic and Clinical Health Act
    • Definition of CEs expanded under HITECH to include business associates (BAs) of CEs
    • Under HIPAA, termination of the relationship was the only penalty for a BA that committed a violation
    • Under HITECH, BAs are subject to the same penalties as CEs
    • Individuals can receive a copy of their PHI, receive information about who has accessed their PHI (3-year audit trail), and can request restrictions on PHI for any reason
  • 8. HITECH and PHI Breaches
    • CEs and BAs are required to notify each individual affected
    • Methods of notification include mail, e-mail, and telephone
    • If a breach affects 500 or more individuals, a prominent media outlet must be used
    • Notification must occur within 60 days after initial discovery
    • HIPAA did not require individual notification
  • 9. New Penalties Under HITECH
    • Under HIPAA there were no civil penalties for breaches not due to willful neglect if the violation was corrected within 30 days of discovery
    • Under HITECH, any “unknowing wrongful disclosure” is subject to penalties ranging from $100 to $25,000
    • HITECH increases penalties for violations not due to willful neglect to $1,000 to $100,000
    • Penalties for repeated or uncorrected violations can extend to $1.5 million
  • 10. Are HIPAA and HITECH working?
    • Under HIPAA in 2008, 9,200 cases were resolved by the Office for Civil Rights (OCR)
    • Since HITECH started in 2009 through the end of 2011, over 19 million patient records were involved in breaches
    • Why? Lax enforcement due to lack of funds to prosecute
    • Audits required under the laws are moving at a snail’s pace
    • Failure of healthcare providers to perform the risk analysis required by the law
  • 11. Recommendations
    • Education of patients on the provisions of the law pertaining to PHI should be increased. There is a plethora of information on the Office for Civil Rights website that is useful in helping patients understand their privacy rights; however, this information is not readily available at the point of care. Materials should be offered to patients at each encounter.
    • The “minimum necessary” stipulation for shared PHI in research needs to be replaced with exact language from HHS.
    • There should be standards not only for certifying EHRs against privacy technology standards, but also required standards for the training and certification of administrators and others who interface with EHRs.
    • Audits by the Office for Civil Rights should be increased with appropriate funding. These audits should initially have an educational rather than a punitive focus.
    • Providers should conduct assessments to determine their capability of being compliant before an audit. Small providers that do not have trained personnel available should consider outsourcing the position of privacy and security officer to a well-qualified and certified entity.
  • 12. The Hippocratic Bargain
    • The Hippocratic Oath established the tenets of privacy and confidentiality as fundamental aspects of medical care in ancient Greece 2,400 years ago.
    • What once was a two-party, physician-patient relationship has completely changed.
    • The original Hippocratic bargain has evolved into the patient’s information being shared with numerous and unknown healthcare individuals and others for a variety of reasons.
  • 13. The New Hippocratic Bargain
    • Patients are apprised of who sees what and why
    • Access is based on “tiers” of the minimum amount of information needed to treat
    • Providers diligently work to exchange sufficient information for treatment without overstepping privacy and confidentiality boundaries
    • Patients are active participants in this process