Care at a Crossroads: The Intersection of Patient-Centered Records and Electr...
Patient Privacy Provisions of the HITECH Act Implications for Patients and Small Healthcare Providers
1. Patient Privacy Provisions of the Health Information
Technology for Economic and Clinical Health Act
Implications for Patients and Small Healthcare
Providers
Fred L. Ingle
HIMA 5060
2. Topics
• Confidentiality and privacy provisions of the
Health Insurance Portability Act of 1996
(HIPAA)
• Confidentially and privacy provisions of the
Health Information Technology for Economic
and Clinical Health Act (HITECH)
• Implications for Patients
• Implications for small healthcare providers
• Recommendations
3. Confidentiality and privacy provisions of the Health
Insurance Portability Act of 1996 (HIPAA)
Predecessor to HITECH
• Covered entities (CEs) - health plans, health
care providers, and healthcare clearing houses
• The act protects PHI in any form including
oral, paper, and electronic media
4. When can PHI be used under HIPAA?
• Information can be used without permission from the
subject individual for:
– Personal use by the subject individual or his/her designee
– Treatment, payment, or healthcare operations
– Public health and benefit activities
– Research and public health (limited data set stripped of
individualized information)
• Only the minimum information necessary under the
above provisions
• PHI used for any other reason requires written
authorization from the patient
5. Responsibility of the CE
• Must provide the patient with the CEs privacy
policy that is in accord with the Privacy Rule of
2002
• Privacy Policy must contain information about
where to report concerns both to the CE and
to U.S. Department of Health and Human
Services
6. HIPAA Penalties
• Both civil and criminal
• Civil penalties
– $100 per infraction
– $25,000 for multiple infraction that do not include
willful intent
• Criminal Penalties
– $50,000 and up to one year in prison for willful intent
– $100,000 and up to five years in prison for false
pretenses
– $250,000 and up to ten years in prison for the
sell, transfer, commercial use, or malicious harm
7. Confidentiality and privacy provisions
of the Health Information Technology
for Economic and Clinical Health Act
• Definition of CEs expanded under HITECH to include
business associates (BAs) of CEs
• Under HIPAA termination of relationships with BAs was
the only penalty for violating BAs
• Under HITECH BAs are subject to the same penalties as
CEs
• Individuals can receive a copy of their PHI, receive
information about who has accessed their PHI (3 year
audit trail), and can request restrictions on PHI for any
reason
8. HITECH and PHI Breaches
• CEs and BAs are required to notify each
individual affected
• Methods of notification include mail, e-
mail, telephone
• If breach affects 500 or more individuals, a
prominent media outlet must be used
• Notification must occur within 60 days after
initial discovery
• HIPAA did not require individual notification
9. New Penalties Under HITECH
• Under HIPAA there was no civil penalties for
breaches that were not due to willful neglect if
the violation was corrected within 30 days of
discovery
• Under HITECH any “unknowing wrongful
disclosure” is subject to penalties that range from
$100 to $25,000
• HITECH increases violations not due to willful
neglect to $1000 to $100,000
• Penalties for repeated or uncorrected violations
can extend to $1.5 million
10. Is HIPAA and HITECH working?
• Under HIPAA in 2008, 9200 cases were resolved
by the Office for Civil Rights (OCR)
• Since HITECH started in 2009 through the end of
2011, over 19 million patient records were
involved in breaches
• Why? Lax enforcement due to lack of funds to
prosecute
• Audits required under the laws are moving at a
snail’s pace
• Failure of healthcare providers to perform risk
analysis as required by the law
11. Recommendations
• Education of patients on the provision of the law pertaining to PHI should be
increased. There is a plethora of information on the Office of Civil Rights website
that is useful in assisting patients in understanding their privacy rights.
However, this information is not readily available at the point-of-care. Materials
should be offered to patients at each encounter.
• The “minimum necessary” stipulation of shared PHI for research needs to be
replaced with exact language from HHS.
• There should be some standards for not only certifying EHRs for privacy
technology standards, but also required standards for the training and certification
of administrators and others who interface with EHRs.
• Audits by the Office of Civil Rights should be increased with appropriate funding.
These audits should have an educational rather than a punitive focus intitially.
• Providers should be conduct assessments to determine their capability of being
compliant before an audit. Small providers that do not have the trained personnel
available should consider out-sourcing the position of privacy and security officer
to a well-qualified and certified entity.
12. The Hippocratic Bargain
• The Hippocratic Oath established the tenets of privacy
and confidentiality as fundamental aspects of aspects
of medical care in ancient Greece 2400 years ago.
• What once was a two-party, physician patient
relationship has completely changed
• The original Hippocratic bargain has evolved into the
patient’s information being shared with numerous and
unknown healthcare individuals and others for a
variety of reasons.
13. The New Hippocratic Bargain
• Patient’s are apprised of who sees what and
why
• Access is based on “tiers” of minimum amount
of information needed to treat
• Providers diligently work to exchange
sufficient information for treatment without
overstepping privacy and confidentiality
boundaries
• Patients are active participants in this process
14. Sources
• References
• Anderson, H. (2010a). HIPPA audits inch closer to reality [Article]. In HealthcareInfoSecurity.com. Retrieved from http://www.healthcareinfosecurity.com/articles.php?art_id=2359
• Anderson, H. (2010b). HIPPA privacy, security updates coming [Article]. In HealthcareInfoSecurity.com. Retrieved from http://www.healthcareinfosecurity.com/articles.php?art_id=2468
• Blumenthal, D. (2009). Health IT adoption and the new challenges faced by solo and small group healthcare practices [Congressional Testimony]. In HHS.gov. Retrieved from
http://www.hhs.gov/asl/testify/2009/06/t20090624a.html
• Brown, B. (2009). Privacy provisions of the American Recovery and Reinvestment Act. Journal of Health Care Compliance, 11(3), 37-73. Retrieved from
http://ehis.ebscohost.com.jproxy.lib.ecu.edu/ehost/pdfviewer/pdfviewer?sid=6acbfad3-0a7a-46f6-a1a6-6a53f3b62a0d%40sessionmgr114&vid=4&hid=124
• EMRapproved.com. (2012). Meaningful Use Stage 2 Final Rules. Retrieved from http://www.emrapproved.com/meaningful-use-stage-2.php
• Greene, A. H. (2011). HHS Steps up HIPAA Audits... ...Now is the time to review security policies and procedures. Journal of AHIMA, 82(10), 58-59. Retrieved from
http://search.proquest.com.jproxy.lib.ecu.edu/docview/890174092/13AC1C8147A275241B1/22?accountid=10639
• Heindel, C. & Boateng, C. (2012). Your organization could be next: How to prepare for an OCR audit. Journal of Health Care Compliance, 14(4), 47-76. Retrieved from
http://ehis.ebscohost.com.jproxy.lib.ecu.edu/ehost/pdfviewer/pdfviewer?sid=4d0d3484-e684-48f2-98b9-5db58e9ebff7%40sessionmgr115&vid=4&hid=115
• Hewlett Packard. (2011). White Paper: Financing your EHR: Options to bridge the ARRA reimbursement gap. Retrieved from http://www.hp.com/sbso/solutions/healthcare/financing-
your-ehr-implementation.pdf
• Kohn, D. (2009). Impact on the enterprise content management industry: The 2009 ARRA & HITECH Acts. Infonomics, 23(5), 28-31. Retrieved from
http://search.proquest.com.jproxy.lib.ecu.edu/docview/751997596/13AC1BC61537061FA4C/19?accountid=10639
• Martin, M. (2009). HITECH increases exposure of personal care records [Article]. In Health Care News. Retrieved from
http://www.heartland.org/healthpolicynews.org/article/25293/HITECH_Increases_Exposure_of_Personal_Care_Records.html
• Miller, J. (2010). Locking down privacy. Managed Healthcare Executive, 20(3), 12-16. Retrieved from
http://search.proquest.com.jproxy.lib.ecu.edu/docview/212588887/13AC1ABC3929A1691B/13?accountid=10639
• Patton , C. (2012). Health Informatics "Hiring Spree": Demand for Health Informatics Workers Grows. Retrieved from http://www.healthinformaticsforum.com/profiles/blogs/health-
informatics-jobs-demand
• Redspin Inc. (2012). Red spin breach report 2011: protected health information. Retrieved from http://www.redspin.com/docs/Redspin_PHI_2011_Breach_Report.pdf
• Silver, J., Levin, T., & Garrison, L. (2003). Staff workshop report: technologies for protecting personal information. Report prepared from the workshop convened by the Federal Trade
Commission to examine the current and potential role of technology in protecting consumer information. Retrieved from http://www.ftc.gov/bcp/workshops/technology/finalreport.pdf
• The Future of Health Now. The Future of Health Now -. (n.d.). Retrieved from http://www.thefutureofhealthnow.com
• United States Department of Health and Human Services, Office Of Civil Rights, . (2012). 2012 HIPAA privacy and security audits report. Retrieved from
http://csrc.nist.gov/news_events/hiipaa_june2012/day2/day2-2_lsanches_ocr-audit.pdf
• United States Department of Health and Human Services, Office of Civil Rights. (2003). Summary of the HIPPA Privacy Rule. Retrieved from
http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf
• Veazie, J. (2009). Hidden impact of the stimulus package. Health Care Collector, 23(4). Retrieved from
http://ehis.ebscohost.com.jproxy.lib.ecu.edu/ehost/pdfviewer/pdfviewer?sid=7ab09c68-e58a-4a34-b911-12824564f306%40sessionmgr111&vid=4&hid=103