1. HIPAA in the Land of RHIOs
   18th Annual Summer Institute in Nursing Informatics, University at Maryland School of Nursing
   Presented by Tak Nobumoto, Director of Operations, UB|MD; Privacy and Security Officer, UB|MD

2. Who am I?
  • IT background
  • MSO – billing and accounting
  • HIPAA compliance
    • EDI compliance
    • Privacy
    • Security
    • NPI
  • UB practice plan operations

3. What You Will Learn
  • HIPAA history and fundamentals
  • Real world HIPAA incidents
  • Health Information Exchange (HIE) in Western New York (WNY)
  • Privacy and Security concerns with HIE

4. Topics of Discussion
  • HIPAA Components
    • Privacy Rule
    • Security Rule
    • Penalties for disclosure
    • Who implements HIPAA
    • Examples of what you will encounter
    • Other laws that may apply
  • Clinical Data Exchange

5. Purpose of HIPAA
  • Portability of health insurance
  • Streamline the healthcare system
  • Reduce costs
  • Encourage the use of electronic technology
  • Protect the security, confidentiality and integrity of health information
  • Protect against threats or hazards that jeopardize patient care

6. HIPAA’s Vision
  • Single set of information for all payers
  • Standard coding rules
  • Standard responses from payers
  • Little reliance on human intervention for billing, remittance, posting, eligibility inquiries, coordination of benefits
  • Secure data – privacy protected
  • Medical records securely exchanged between providers

7. What is HIPAA?
   Diagram: Health Insurance Portability and Accountability Act of 1996 → Administrative Simplification → Transactions, National Provider ID, Privacy, Security
  • Transactions
    • Standardize healthcare transactions
    • 400 formats into 1 std
    • 1 std with 400 interpretations
  • National Provider ID
    • Unique provider ID
    • ID available in 2005
    • Compliance by 2007
  • Privacy and Security
    • Compliance by 4/2005
    • More to follow

8. Who is Covered under HIPAA?
  • Covered Entities (CE’s)
    • Providers
    • Health Plans
    • Clearinghouses
9. Who Implements HIPAA?
  • A covered entity (hospital, practice plan, physician office, health plan) in possession of Protected Health Information is responsible for:
    • Developing policies/procedures and full implementation to meet all requirements of HIPAA regulations
    • Training of its workforce (anyone conducting treatment, payment or operations activities on its behalf)
    • Sanctioning violators and responding to complaints from the public or the Secretary of Health and Human Services

10. What is PHI?
  • PHI is defined as individually identifiable health information transmitted or maintained in any form or medium.
  • PHI relates to a past, present, or future physical or mental condition of a person, the provision of healthcare to a person, or the payment for health care of a person.
  • PHI excludes health information in school education records and health records held by an employer.

11. HIPAA continued
  • Privacy – an individual’s right to ensure that personal information is kept confidential
    • Requires policies, procedures, and practices
  • Security – protection of a system from unauthorized access by external and internal users
    • Security is viewed as a subset of privacy

12.
  • “A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart.”

13. Privacy
  • Protects an individual’s right to ensure that personal information is kept confidential
  • Requires policies, procedures, and practices
  • Privacy violation as a standard of care for negligence (http://www.duanemorris.com/alerts/alert2417.html)

14. Privacy Rule
  • Applies to protected health information in any format (oral, written, electronic)
  • Gives patients control over their health information
  • Sets boundaries on use and release
  • Establishes safeguards to protect privacy
  • Holds violators accountable
  • Balances public responsibility

15. HIPAA Privacy: Uses and Disclosures
  • General Rule: A covered entity may not use or disclose protected health information…
  • EXCEPT:
    • To the individual, in compliance with NYS laws
    • For treatment, payment or operations (164.506)
    • Pursuant to a valid authorization (164.508)
    • Required by law / abuse reporting / judicial / law enforcement
    • Research (7 release mechanisms)

16. HIPAA Privacy: Patient Rights
  • Access to protected health information
  • Request a copy of their health record
  • Request an amendment of PHI
  • Accounting of disclosures
  • Notice of privacy practices

17. Security
  • Protection of a system from unauthorized access by external and internal users
    • Viewed as a subset of privacy

18. Three Components of Security
  • Technical security
  • Physical security
  • Administrative safeguards
19. Top Security Issues
  • User authentication
    • Username and password
  • Encryption
  • Audit trails
  • Email and other internet usage
  • Remote access

20. Penalties
  • General penalty: each violation $100; maximum penalty for each violation $25,000. Over 50 distinct violations possible under Privacy alone.
  • Wrongful disclosure: $50,000 and/or imprisonment for 1 year
  • Offense under false pretenses: $100,000 and/or 5 years imprisonment
  • Offenses with intent to derive personal benefit (sell information): $250,000 and/or 10 years imprisonment

21. Laws, Rules and Regulations
  • Education Law
    • Title VIII
    • Article 193 – Nursing
  • Rules of the Board of Regents
    • Part 29 – Unprofessional conduct
  • Commissioner’s Regulations
    • Part 52.12 – Registration of Curricula
    • Part 64 – Nursing
  • http://www.op.nysed.gov/nurse.htm

22. Laws, Rules and Regulations
  • The definition of Unprofessional Conduct in NYS Regents Rules, Part 29, includes “revealing of personally identifiable facts, data or information obtained in a professional capacity without the prior consent of the patient or client, except as authorized or required by law”.
  • The definition of Professional Misconduct in NYS Education Law, Article 130, Subarticle 3, includes “committing unprofessional conduct, as defined by the board of regents in its rules”.
  • Article 28 New York State facilities (these include hospitals and nursing homes) are required to report as professional misconduct licensed health care professionals who do not protect the confidentiality of patient information. No intent of malice or to do harm is required.

23. Other NYS laws and rules
  • New York State Public Health Law Section 18, Access to Patient Information – §18(3)(b) states, in part: “Upon receipt of a written request by a qualified person to inspect patient information maintained by a facility, the facility shall inform the treating practitioner of the request. The treating practitioner may review the information requested.”
  • 10 New York Codes, Rules and Regulations Section 58-1.8 states, in part: “No person shall report the result of any test, examination or analysis of a specimen submitted for evidence of human disease or medical condition except to a physician, his agent, or other person authorized by law . . . Reports shall not be issued to the patients concerned except with the written consent of the physician or other authorized person . . .”

24. Information Subject to Special Protections
  • HIV-related information – New York State Public Health Law, Article 27-F
    • Disclosures must be accompanied by the confidentiality notice required by §2782(5)(a).
  • Mental health information
    • A patient’s clinical mental health record at a New York State Office of Mental Health (OMH)-licensed “facility” or an Office of Mental Retardation and Developmental Disabilities (OMRDD)-licensed “facility” must not be released without the patient’s consent except under limited circumstances. (MHL §33.13(c))
  • Alcohol and substance abuse information
    • Federal regulations govern the confidentiality of alcohol and substance abuse records. (42 CFR Part 2)
    • Substance abuse treatment programs may not use or disclose any information about any patient unless the patient has consented in writing (on a form that meets the requirements established by the regulations) or unless another very limited exception specified in the regulations applies. (42 CFR §§2.31 and 2.33)

25. HIPAA: Reality?
  • Minimum necessary: …limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request…
    • Does not apply to treatment, or to disclosures to the individual to whom the PHI pertains.
    • Examples of violations:
      • Staff discuss a patient they know, other than for treatment purposes.
      • Looking up a friend, family member or oneself on the HIS
      • Disclosing sensitive PHI that is not required

26. HIPAA Reality?
  • HIPAA will not impede healthcare
    • Patient
    • Personal representative
    • Professional judgment
    • Privacy regulations
      • T(reatment) – P(ayment) – O(perations)
      • Exceptions as outlined

27. HIPAA in the News
   NEW YORK (CNN) -- More than two dozen employees at Palisades Medical Center have been suspended after accessing the personal medical records of actor George Clooney, who was taken to the North Bergen, N.J., hospital last month after a motorcycle accident.
   George Clooney was injured when his motorcycle was in collision with a car. Clooney was injured, along with his companion Sarah Larson, when the motorcycle they were riding collided with a car in Weehawken, N.J. Clooney suffered a broken rib and skin abrasions and Larson broke her foot.
   Hospital spokesman Eurice Rojas said late Tuesday that 27 employees were suspended for a month without pay, after an internal investigation. Accessing a person's medical records without authorization is a violation of the Health Insurance Portability and Accountability Act (HIPAA) -- a federal law that protects the privacy of patients.
28. HIPAA in the news

29. HIPAA in the local news
  • InfoClique is a web-based system designed to provide the staff of Kaleida Health and referring/consulting physician offices a secure central access point for patient information. Patient information available through InfoClique includes:
    • Demographics – basic patient info
    • Dictated reports (H&P, Op reports, Discharge summary and consultations)
    • Results (lab/rad/orders)
    • Medications

30. HIPAA in the local news
  • Kevin Everett of the Buffalo Bills was a patient at Kaleida Health from September 9 through 21. During his 12 day admission, 60 individuals accessed his InfoClique record. Of those, 32 individuals accessed it without an authorized reason to do so. These individuals included physicians, nurses and office support staff. Two individuals had their employment terminated by their employers as a result of their unauthorized access.

31. Examples of Privacy Complaints
  • A patient asked a caregiver a question. The caregiver responded in front of the patient’s family, and the response included a reference to the patient’s HIV status. Some family members did not know about the patient’s HIV diagnosis.
  • A caregiver spoke about an interesting patient with her daughter, who told her friend, who told her cousin, who was the daughter of the patient. The patient called the Privacy Officer.

32. How Can We Comply?
  • Violations will be subject to disciplinary action up to and including termination of employment or contract.
  • Anyone who knows or has reason to believe that another person has violated the confidentiality of a patient’s PHI should report the matter to a supervisor.

33. What can we do?
  • Report violations, incidents and bad practices to your clinical instructor or someone in charge
  • Exercise good professional judgment and seek expert advice
  • Remind others of privacy and security responsibilities
  • Take HIPAA seriously

34. HIPAA: The final word
  • It’s all about people
  • Right to privacy
  • Use good judgment
  • Seek good advice
  • Speak up
35. Health Information Technology: Clinical Data Exchange

36. National Health Information Network
  • “A set of technologies, standards, applications, systems, values and laws that support all facets of individual health, healthcare, and public health.”

37. National Health Information Network (NHIN)
  • National framework
  • Statewide networks
  • Regional networks
  • Local networks
  • Institutional networks

38. WNY clinical data exchange projects
  • WNY HealtheNet
  • WNY HealtheLink
  • BAPHIE
  • Lifetime Care – Hospice – Advanced Directives Network
  • UNYTS

39. NYS Information Security and Privacy Collaboration
  • Issued a White Paper to address privacy and security for emerging RHIOs in NYS
  • Comment period
  • Awaiting finalization

40. RHIO responsibilities
  • Access and use policies
  • Authentication of identity
  • Authorization for access
  • Consumer and provider identification
  • Transmission security
  • Data integrity
  • Audit trails for clinicians and consumers
  • Administrative and physical security
  • Enforcement and protections

41. Affirmative Consent
  • Each participant in a RHIO must obtain an affirmative consent from the consumer prior to accessing his/her personal health information
  • ‘One-to-one’ exception
  • ‘Break the glass’ with attestation
  • Providers may upload without consent
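The consent rules of slide 41, the authorization and audit-trail responsibilities of slide 40, and the kind of per-patient access review behind the Kevin Everett numbers on slide 30, as an added example in Python (not from the presentation or from any RHIO's software): a policy that grants record access on affirmative consent, the one-to-one treating-provider exception, or an attested break-the-glass, writes every decision to an audit trail, and then reviews that trail for one patient. The permitted-purpose set (treatment, payment, operations, after slide 26), the class and method names, and every user and patient name are constructed for illustration.

```python
from dataclasses import dataclass, field

TPO = {"treatment", "payment", "operations"}   # permitted purposes (164.506)


@dataclass
class RhioAccessPolicy:
    consented: set = field(default_factory=set)  # patients with affirmative consent on file
    treating: set = field(default_factory=set)   # (user, patient) treating relationships
    audit_log: list = field(default_factory=list)

    def decide(self, user, patient, purpose, attestation=""):
        """Grant on one of the three bases from slide 41, else deny; always audit."""
        if purpose not in TPO:
            basis = "denied"              # curiosity, marketing etc. never get through
        elif patient in self.consented:
            basis = "consent"             # single consent covers all TPO access
        elif (user, patient) in self.treating:
            basis = "one-to-one"          # direct treating relationship, no consent needed
        elif attestation.strip():
            basis = "break-the-glass"     # emergency override; attested and always reviewed
        else:
            basis = "denied"
        self.audit_log.append({"user": user, "patient": patient, "purpose": purpose,
                               "basis": basis, "attestation": attestation})
        return basis

    def review(self, patient):
        """Audit review for one patient, as after a high-profile admission."""
        entries = [e for e in self.audit_log if e["patient"] == patient]
        granted = [e for e in entries if e["basis"] != "denied"]
        return {
            "accesses": len(granted),
            "denied_attempts": len(entries) - len(granted),
            # each break-the-glass access needs its attestation checked by a person
            "needs_attestation_review": [e["user"] for e in granted
                                         if e["basis"] == "break-the-glass"],
            # consent lets any TPO user in, so snooping shows up only here
            "no_treating_relationship": sorted({e["user"] for e in granted
                                               if (e["user"], patient) not in self.treating}),
        }


def demo():
    """Constructed scenario: a consented patient, a treating nurse, a curious
    clerk, and an ED physician with no prior relationship to a second patient."""
    p = RhioAccessPolicy(consented={"patient-A"}, treating={("nurse1", "patient-A")})
    p.decide("nurse1", "patient-A", "treatment")
    p.decide("clerk7", "patient-A", "treatment")    # allowed by consent, flagged on review
    p.decide("clerk7", "patient-A", "curiosity")    # denied outright
    p.decide("er_doc", "patient-B", "treatment")    # no consent, no relationship: denied
    p.decide("er_doc", "patient-B", "treatment", "unconscious trauma patient")
    return {"patient-A": p.review("patient-A"), "patient-B": p.review("patient-B")}
```

The review output is what a privacy officer would act on: the break-the-glass list is checked against the attestations, and the no-treating-relationship list is the InfoClique-style "accessed without an authorized reason" count.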
42. Uses of Health Information
  • Level One – benefit to the consumer
    • Treatment
    • Quality improvement
    • Disease management
  • Level Two
    • Research
    • Marketing

43. Sensitive Information
  • Single consent to access all PHI (exception for substance abuse, covered under federal regulations)
  • Filter data to exchange
  • Consumer awareness of exchange access

44. Data trustworthiness
  • What is the authoritative source?
  • How to reconcile data conflicts?
  • Do we trust all providers?
    • Data integrity
    • Baseline privacy and security

45. Other points
  • Durability and revocability
  • Consumer engagement and access
  • Audit and transparency
  • Impact to malpractice

46. One final, final thought…
  • Patient centricity
  • Market driven
  • Consumer focus

47. Questions
  • ???
  • Tak Nobumoto
  • [email_address]
  • (716)929-4682