CURRENT COMPLIANCE, PRIVACY AND SECURITY ISSUES
Tim Timmons, GOBHI Corporate Integrity Officer, CCEP, CHP, CHSS

COMMON HIPAA PRIVACY QUESTIONS

HIPAA Privacy Q&A
Question #1: May health care providers share protected health information with developmental disability agencies without the client’s authorization?
Answer: Developmental disability agencies are not health care providers and therefore are not HIPAA covered entities, so authorization is necessary unless the disclosure is otherwise permitted by the Privacy Rule or by other federal or state law.

HIPAA Privacy Q&A
Question #2: Health care providers can share personal health information with public health agencies without the client’s authorization.
Answer: Public health agencies meet the definition of “health care providers” under HIPAA, so all the disclosure exceptions in the Privacy Rule apply.

HIPAA Myths and Misunderstandings
Question #3: Under the Privacy Rule, does the minimum necessary standard apply to the use and disclosure of PHI for treatment purposes?
Answer: Under the Privacy Rule, the minimum necessary standard does not apply to the disclosure of PHI to a health care provider for treatment, but it does, technically, apply to the use of PHI for treatment.

HITECH Imposes Additional Restrictions
HITECH limits covered entities’ discretion in determining what constitutes the minimum necessary and requires a two-tiered approach to limiting the use, disclosure or request of PHI:
- Disclosure should, to the extent practicable, be restricted to a limited data set, or, if needed,
- To the minimum necessary to accomplish the intended purpose of the use, disclosure or request.

HITECH Imposes Additional Restrictions
The Privacy Rule allows the disclosing party to rely on the professional judgment of other health care professionals requesting PHI to determine how much information they need.
According to HITECH, however, the entity disclosing the PHI (as opposed to the requester) is responsible for making the minimum necessary determination.

Determining Who Should Have Access to PHI
You should develop role-based access controls to determine who should have access to PHI, regardless of whether it is electronic or paper based. This is a requirement of the HIPAA Security Rule as well.

HIPAA Privacy Q&A
Question #4: A covered entity may disclose PHI for health care operations with the patient/client’s authorization.
Answer: The exception to the requirement for an authorization applies to disclosures for treatment only if:
- Each entity either has or had a relationship with the individual who is the subject of the information;
- The protected health information pertains to that relationship; and
- The disclosure is for a quality-related health care operations activity or for the purpose of health care fraud and abuse detection or compliance.

HITECH STATUS ON THE FINAL RULES

Final Rules Implementing the 2009 HITECH Act
Susan McAndrew, OCR deputy director for health information privacy, said the omnibus rules were accepted for clearance by the Office of Management and Budget on March 24 and are expected to be released after a review of up to 90 days.

Final Rules Implementing the 2009 HITECH Act
- Harm standard will be addressed
- Breach risk assessment highlighted
- Responsibility and liability of business associates
- Sample BA agreement
- Protection for marketing and fundraising
- Ban on sale of PHI, with a list of exceptions
- Prohibition of the use of genetic information for underwriting
- Will require the development of a new NPP outlining patient rights and responsibilities
- Lifting of protections for deceased individuals after 50 years, as in the proposed rule, will be addressed
- More liberal provisions for family members to obtain records of decedents
- Guidance on minimum necessary
- More liberal access to records of decedents for family members involved in the care of the decedent immediately prior to death

Are Small Organizations Safe From Privacy Sanctions?
A complaint was lodged against a small Phoenix cardiac surgical practice. The OCR investigation revealed:
- Surgical appointments posted online with patient names
- Emails containing PHI sent from personal email accounts
- No HIPAA training
- Role of the privacy officer uncertain
- Few privacy policies and procedures
Result:
- $100,000 fine
- Corrective action plan with the OCR
- Damage to the practice’s reputation
All it takes is one complaint prompting an OCR investigation – just ask Michael Kurtz.

PRIVACY OF DRUG AND ALCOHOL RECORDS (42 CFR Part 2)

Who is Covered under Part 2
An individual or entity must be federally assisted and must hold itself out as providing, and actually provide, alcohol or drug abuse diagnosis, treatment or referral for treatment (42 CFR § 2.11).
What are the Restrictions on Disclosure
The Part 2 regulations “impose restrictions upon the disclosure and use of alcohol and drug patient records which are maintained in connection with the performance of any federally assisted alcohol and drug abuse program.” (42 CFR § 2.3(a))
The restrictions on disclosure apply to any information disclosed by a Part 2 program that “would identify a patient as an alcohol or drug abuser …” (42 CFR § 2.12(a)(1))

What Does Disclosure Mean
“Disclose or disclosure” means the “communication of patient identifying information, the affirmative verification of another person’s communication of patient identifying information, or the communication of any information from the records of a patient who has been identified.”

What is Considered PHI Under Part 2
“Patient identifying information” means the “name, address, social security number, fingerprints, photographs or similar information by which the identity of a patient can be determined with reasonable accuracy and speed either directly or by reference to other publicly available information.”

When May PHI be Shared
Unlike HIPAA, which generally permits the disclosure of protected health information without patient consent or authorization for the purposes of treatment, payment, or health care operations, Part 2, with limited exceptions (i.e., medical emergencies and audits and evaluations), requires patient consent for such disclosures (42 CFR §§ 2.3, 2.12, 2.13).
Some types of exchange, however, may take place without patient consent when a qualified service organization agreement (QSOA) exists or when the exchange takes place between a Part 2 program and an entity with administrative control over that program.
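The role-based access control recommended under “Determining Who Should Have Access to PHI”, the HITECH two-tier minimum necessary rule (limited data set first, then minimum necessary, decided by the disclosing entity), and the Part 2 consent requirement just described can be combined into a single access-decision routine. The Python below is an added example written for this page; it is not code from the presentation or from GOBHI. The roles, field names, the purpose-to-field tables, the treatment of “audit” as a no-authorization purpose and the sample record are all constructed assumptions, and the routine models only the rules as the slides summarize them.

```python
"""Toy PHI access-decision layer combining role-based access, the HITECH
two-tier minimum necessary rule and the 42 CFR Part 2 consent requirement,
as summarized on the slides. Roles, fields and the policy tables below are
constructed assumptions, not anything from the presentation."""
from dataclasses import dataclass, field

# Role-based access control (assumption): purposes each role may request PHI for.
ROLE_PURPOSES = {
    "treating_clinician": {"treatment"},
    "billing_clerk": {"payment"},
    "quality_analyst": {"health_care_operations"},
    "auditor": {"audit"},
}

# HIPAA permits treatment, payment and health care operations disclosures
# without authorization; "audit" is included as an assumed oversight purpose.
NO_AUTHORIZATION_PURPOSES = {"treatment", "payment", "health_care_operations", "audit"}

# Direct identifiers stripped to form a limited data set (constructed list).
DIRECT_IDENTIFIERS = {"name", "address", "ssn", "phone"}

# HITECH makes the disclosing entity responsible for the minimum necessary
# determination, so these field sets live here, not with the requester (constructed).
MINIMUM_NECESSARY = {
    "payment": {"name", "dob", "service_codes", "dates_of_service"},
    "health_care_operations": {"dob", "service_codes", "dates_of_service", "outcome"},
    "audit": {"dob", "service_codes", "dates_of_service", "outcome"},
}

# Purposes for which a limited data set is practicable (first HITECH tier).
LIMITED_DATA_SET_PRACTICABLE = {"health_care_operations", "audit"}


@dataclass
class PhiRequest:
    requester_role: str
    purpose: str
    record: dict                      # field -> value, the stored record
    part2_record: bool = False        # alcohol/drug record from a Part 2 program
    patient_consent: bool = False     # written Part 2 consent on file
    medical_emergency: bool = False   # Part 2 medical-emergency exception
    qsoa_in_place: bool = False       # qualified service organization agreement


@dataclass
class Decision:
    allowed: bool
    reason: str
    fields: dict = field(default_factory=dict)


def decide(req: PhiRequest) -> Decision:
    """Return whether the disclosure may proceed and which fields to release."""
    # 1. RBAC: the role must be permitted to request PHI for this purpose.
    if req.purpose not in ROLE_PURPOSES.get(req.requester_role, set()):
        return Decision(False, f"role {req.requester_role!r} may not request PHI for {req.purpose!r}")

    # 2. Consent gate. Part 2 records need patient consent unless an exception
    #    (medical emergency, audit/evaluation, QSOA) applies; other records fall
    #    under HIPAA's no-authorization purposes.
    if req.part2_record:
        exempt = (req.patient_consent or req.medical_emergency
                  or req.purpose == "audit" or req.qsoa_in_place)
        if not exempt:
            return Decision(False, "Part 2 record: patient consent required")
    elif req.purpose not in NO_AUTHORIZATION_PURPOSES:
        return Decision(False, "HIPAA: authorization required for this purpose")

    # 3. Minimum necessary does not apply to disclosure to a provider for treatment.
    if req.purpose == "treatment":
        return Decision(True, "treatment: full record released", dict(req.record))

    # 4. HITECH two tiers: limited data set if practicable, else minimum necessary.
    if req.purpose in LIMITED_DATA_SET_PRACTICABLE:
        released = {k: v for k, v in req.record.items() if k not in DIRECT_IDENTIFIERS}
        return Decision(True, "limited data set released", released)
    needed = MINIMUM_NECESSARY[req.purpose]
    released = {k: v for k, v in req.record.items() if k in needed}
    return Decision(True, "minimum necessary fields released", released)


# Constructed sample record (not real data).
SAMPLE_RECORD = {
    "name": "Sample Patient",
    "address": "1 Example St",
    "ssn": "000-00-0000",
    "dob": "1970-01-01",
    "service_codes": ["H0004"],
    "dates_of_service": ["2012-05-01"],
    "outcome": "improved",
}


if __name__ == "__main__":
    for req in (
        PhiRequest("treating_clinician", "treatment", SAMPLE_RECORD),
        PhiRequest("billing_clerk", "payment", SAMPLE_RECORD),
        PhiRequest("quality_analyst", "health_care_operations", SAMPLE_RECORD),
        PhiRequest("treating_clinician", "treatment", SAMPLE_RECORD, part2_record=True),
        PhiRequest("treating_clinician", "treatment", SAMPLE_RECORD, part2_record=True, medical_emergency=True),
        PhiRequest("billing_clerk", "treatment", SAMPLE_RECORD),
    ):
        d = decide(req)
        print(f"{req.requester_role}/{req.purpose}: allowed={d.allowed} fields={sorted(d.fields)} ({d.reason})")
```

The ordering of the checks is the point: the role check runs first so that a request outside the requester's role never reaches the consent logic, the Part 2 branch is evaluated before the general HIPAA branch so that a drug or alcohol record cannot slip through under the treatment/payment/operations exception, and field filtering is the last step, so a denied request never leaks a single field.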
What is a Qualified Service Organization
A qualified service organization (QSO) means a person or organization that:
- Provides services to a [Part 2] program, such as data processing, bill collecting, dosage preparation, laboratory analyses, or legal, medical, accounting or other professional services, or services to prevent or treat child abuse or neglect, including training on nutrition and child care and individual and group therapy; and
- Has entered into a written agreement with a program under which that person acknowledges that in receiving, storing, processing or otherwise dealing with any patient records from the program, it is fully bound by these regulations and, if necessary, will resist in judicial proceedings any efforts to obtain access to patient records, except as permitted by these regulations.

STATUS OF OPT OUT REQUIREMENT FOR THE DISCLOSURE OF ePHI

Status of Opt Out Requirement
Question: Does the HITOC Subcommittee recommend an indefinite deferral, or does it have any affirmative recommendation on whether consent should be required for the disclosure of all electronic PHI?
Answer: The Subcommittee has expressed concern, which it strongly reiterated at its last meeting, that an opt-out policy, at this time, could harm the development of coordinated care organizations (CCOs) and/or their use of health IT.

Status of Opt Out Requirement
SB 1580 provides that information transfer within a CCO does not require patient authorization.
Question: How can one reconcile an opt-out consent model with SB 1580?
Answer: The Subcommittee did not see a feasible way to do so at this time.

Senate Bill 1580
SECTION 16.
(1) Notwithstanding ORS 179.505, a health care provider that is a participant in a coordinated care organization, as defined in ORS 414.025, shall disclose protected health information:
(a) To other health care providers participating in the coordinated care organization for treatment purposes, and to the coordinated care organization for health care operations and payment purposes, as permitted by ORS 192.558; and
(b) To public health entities as required for health oversight purposes.
(2) The disclosures described in subsection (1) of this section may be provided without the authorization of the patient or the patient’s personal representative.
(3) Subsection (1) of this section does not apply to psychotherapy notes, as defined in ORS 179.505.
CURRENT PRIVACY AND SECURITY CHALLENGES

Current Privacy Challenges
- Use of social media by staff containing PHI
  - Facebook
  - Twitter
  - Off-site “friending” and “tweets”
- Medical identity theft
  - World Privacy Forum pegged growth at 3% to 7% a year
  - AHIMA reported that a purloined medical identity has a street value of about $50, compared to $1 for a Social Security number
- Sharing PHI in integrated care without patient/client authorization
- Disclosure of PHI for QA/QI purposes when the patient/client does not have an established relationship with all parties within the CCO
- Consent restrictions for A&D providers
- Absence of policies and procedures to comply with the HIPAA Security Rule
- Business associate compliance with the Privacy Rule and HITECH
  - Breach notification is still the covered entity’s responsibility, according to HHS
  - Breach responsibilities should be spelled out in the BA agreement
  - What do you do when the BA wants you to use its BA agreement, it does not contain all the assurances you need, and the BA is vital to your operation?

QUESTIONS??