HCCA PRIVACY COMPLIANCE FOCUS GROUP

1 HCCA PRIVACY COMPLIANCE FOCUS GROUP Industry Immersion Session 2005 Annual Institute New Orleans April

2 DISCUSSION LEADERS Betsy Hall, Jodi Innocent, Marti Arvin

3 AGENDA
1:45 to 3:15 HIPAA and Research
3:15 to 3:30 Break
3:30 to 4:30 JCAHO standards and HIPAA
4:30 to 5:00 HIPAA and the Minor
5:00 to 5:45 Open Q & A Forum

4 Research and HIPAA

5 Objectives Research Privacy Breaches Human Subjects Research Common Rule & FDA Regs Research under HIPAA State Law Pre-emption HIPAA Security Federal Penalties Where to Go for Help

6 Names of Donors Accidentally Included in Letter to Kidney Patients University of Minnesota researchers violated the confidentiality of organ donors when they mailed surveys to 1,200 transplant recipients participating in a study and revealed the names of those who had donated their kidney to the recipients. A software upgrade was cited as the reason for the breach, apparently because it altered a feature that was supposed to suppress the donors' names. ~ Minneapolis Star Tribune, January 15, 2002

7 Complaints Shut Down Research The federal Office for Protection from Research Risks suspended more than 1,000 studies at Virginia Commonwealth University, for violating privacy by failing to gain the consent of research subjects and failing to adequately safeguard data. ~ The Washington Post, January 12, 2000

Research Leads to Disclosure Robin Kaigh of New Jersey reported her father, a physician, agreed to allow slides of his cancer cells to be used in research. He was promised anonymity, but his name was entered into a computer associated with the slides, and colleagues quickly began calling to offer condolences. ~ National Journal, April 18, 1998

8 Human Subjects Research What is research? A systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge. The definition is identical under HIPAA (45 CFR 160, 164) and the Common Rule (45 CFR 46). What is a human subject? A living individual about whom an investigator who is conducting research obtains: data through intervention or interaction with the individual, or identifiable private information. Common Rule (45 CFR 46)

9 Your Actions Are Research When: You plan to publish your results You plan to present your results at a conference Your actions are intended to improve upon a medical device, pharmaceutical product, or diagnostic aid Your actions are intended to compare patient outcomes Your actions require collecting patient information

10 Your Actions Are Not Research When Making Public Health Disclosures to the FDA, local and state health departments and government authorities Reporting adverse events Tracking FDA-regulated products Recalling, repairing or replacing products Conducting post-marketing surveillance Related to safety, quality or effectiveness of FDA-regulated product Does not permit disclosures to drug/device manufacturers to evaluate effectiveness of marketing Minimum Necessary applies

11 How Does HIPAA Affect Research? HIPAA impacts how researchers and IRBs conduct their business IRB oversight responsibilities increased Subject recruitment, getting PHI from providers impacted New paperwork, forms required Disclosure tracking required Relationship with sponsors affected

12 HIPAA Privacy Rule vs. the Common Rule & FDA Regulations The HIPAA Privacy Rule builds upon existing Federal protections (the Common Rule and FDA Regulations) and creates equal standards of privacy protection for: Human Subjects Research governed by existing Federal human subject regulations Human Subjects Research not funded by Federal Agencies.

13 Documentation Requirements: HIPAA vs. Common Rule HIPAA: Maintain records (written or electronic) of any communication, action, activity or designation required by the Privacy Rule for 6 years Common Rule: Maintain records for 3 years after completion of study (including data analysis)

14 Research under HIPAA 6 ways to obtain patient information for research: HIPAA Research Authorization Partial Waiver/Waiver of Authorization De-identified Data Limited Data Set & Data Use Agreement Preparatory Decedents

15 Research Authorization HIPAA Research Authorization allows researchers to access protected health information of a specific patient Blanket authorizations for research to be conducted in the future are not permitted Each new use requires a specific authorization Accounting of Disclosures not required

16 Research Authorization Must contain required elements Obtain in addition to IRB/Common Rule informed consent (Some IRBs combine consent and authorization) Exception for pre-existing written consent (see transition) Revocable Can condition treatment related to research on an Authorization in connection with the study Expiration date or an expiration event that relates to the use or disclosure ("end of study", "none" is sufficient)

17 Research Authorization Research-related situations when a HIPAA Research Authorization is not required: Approved waiver Decedent research Preparatory to research Limited data set Treatment, Payment and Healthcare Operations (TPO) When required by law

18 Waiver of Authorization Ideal for retrospective medical record or identifiable database research where authorization is impractical If used for recruitment, authorization must be obtained upon enrollment Waiver granted by IRB pursuant to criteria under normal or expedited review Different than informed consent waiver Minimum Necessary Rule applies Accounting of Disclosures required

19 Partial Waiver of Research Authorization Ideal for participant screening and recruitment Requires IRB approval Does not eliminate researcher's responsibility to obtain informed consent or authorization from the subject prior to enrollment. The use or disclosure of protected health information involves no more than minimal risk to the individuals. The research could not practicably be conducted without the waiver or alteration. The research could not practicably be conducted without access to and use of the protected health information.

20 De-identified Data Allows release of information without authorization Ideal for database research Not useful for longitudinal, epidemiological or outcomes studies Does not identify individual De-identification accomplished one of two ways: Statistical expert determines and documents risk is very small the information could be used to identify individual 18 identifiers removed ("safe harbor"), including dates (e.g., date of birth, admission, discharge, service) and geocode information No Accounting of Disclosures required De-identification satisfies HIPAA requirements and not IRB requirements. IRB oversight is required for de-identified data.

21 De-identification of Data: Remove all 18 identifiers below:
1. Names
2. All geographic subdivisions smaller than a state
3. All elements of dates
4. Telephone numbers
5. Fax numbers
6. E-mail addresses
7. Social security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. URLs
15. IP addresses
16. Biometric identifiers
17. Full face photographic images and comparable images
18. Any other unique identifying number, characteristic, or code

22 De-identification of Data Code allowed for re-identification of PHI if: Code or other means of identification is not derived from or related to information about the individual and cannot be used to identify the individual; AND The covered entity does not use/disclose the code for any other purpose; AND The covered entity does not disclose the reidentification code.

23 Limited Data Sets (LDS) Requires Data Use Agreement - Assures CE that information will only be used for: Research, public health, or health care operations, Disclosed to business associates Used/disclosed for limited purposes by the recipient

24 Limited Data Set Limited data set for research, public health and health care operations Can include: ZIP codes, geocodes, date of birth, date of admission/discharge/service, non-excluded identifiers Excludes: name, postal address (other than state, city, precinct, ZIP code, geocode), telephone #, fax #, e-mail address, social security number, certificate #, license #, vehicle ID/serial number, URLs, IP address, full face or comparable images, medical record #, prescription #, health plan beneficiary #, account #, medical device identifiers and serial numbers, biometric identifiers, fingerprints, voiceprints Minimum Necessary Rule applies No Accounting of Disclosures required Requires Data Use Agreement
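The two release types on the slides above, de-identified data (safe harbor) and the limited data set, worked through as an added Python example that is not part of the original presentation. The column names, sample records and the study_code field are assumptions made for illustration; the field classification follows the slides' lists, and the re-identification code is random so that it is not derived from information about the individual.

```python
import secrets

# Column names are assumptions for this example; a covered entity would map
# them to its own schema. Classification follows the lists on the slides.
SAFE_HARBOR_OK = {"state", "diagnosis", "lab_result"}
# Fields the slides say a limited data set can include in addition.
LIMITED_DATA_SET_OK = SAFE_HARBOR_OK | {
    "city", "zip", "dob", "admit_date", "discharge_date",
}
# Identifiers excluded from both release types.
IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_no", "license_no", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_id", "photo",
}

# Constructed sample records (not real patients).
SAMPLE_RECORDS = [
    {"name": "John Sample", "street_address": "1 Constructed Way",
     "city": "Minneapolis", "state": "MN", "zip": "55455",
     "dob": "1950-03-02", "admit_date": "2005-01-10",
     "phone": "555-0100", "email": "john@example.org",
     "ssn": "000-00-0000", "mrn": "MRN-004417",
     "diagnosis": "Renal transplant follow-up",
     "lab_result": "creatinine 1.1 mg/dL"},
    {"name": "Jane Example", "state": "MN", "zip": "55455",
     "dob": "1961-07-19", "mrn": "MRN-004418",
     # Free text that repeats the patient's name.
     "diagnosis": "Follow-up visit for Jane Example",
     "lab_result": "creatinine 0.9 mg/dL"},
]


class UnclassifiedField(Exception):
    """Raised when a record carries a column nobody has classified."""


def release_view(record, allowed):
    """Return only allow-listed fields; refuse records with unknown columns."""
    unknown = set(record) - LIMITED_DATA_SET_OK - IDENTIFIERS
    if unknown:
        # Fail closed: a schema or software change must not silently
        # release a column that was never reviewed.
        raise UnclassifiedField(sorted(unknown))
    return {k: v for k, v in record.items() if k in allowed}


def new_reid_code():
    """Random code, not derived from the MRN, SSN or any other patient data."""
    return secrets.token_hex(8)


def deidentify(records):
    """Return (safe-harbor rows to release, crosswalk the covered entity keeps)."""
    released, crosswalk = [], {}
    for rec in records:
        code = new_reid_code()
        while code in crosswalk:          # regenerate on the rare collision
            code = new_reid_code()
        row = release_view(rec, SAFE_HARBOR_OK)
        row["study_code"] = code
        crosswalk[code] = rec["mrn"]      # never disclosed with the data
        released.append(row)
    return released, crosswalk


def leaked_identifier_values(released_row, original):
    """Identifier values from the original record still visible in the row."""
    values = [str(original[k]) for k in IDENTIFIERS if original.get(k)]
    return sorted(v for v in values
                  if any(v in str(out) for out in released_row.values()))


if __name__ == "__main__":
    rows, xwalk = deidentify(SAMPLE_RECORDS)
    for row, original in zip(rows, SAMPLE_RECORDS):
        print(row, "leaks:", leaked_identifier_values(row, original))
```

The second sample record shows why dropping columns is not sufficient on its own: the allow-listed diagnosis text still carries the patient's name, which the final check reports.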

25 Data Use Agreement Similar to Business Associate Agreement Defines who can use or receive data Defines for what purpose the data may be used Recipient agrees not to reidentify data or contact data subject Recipient agrees to report improper uses/disclosures Recipient agrees to pass on privacy obligations to contractors Assures data will be safeguarded and not used for unauthorized purposes

26 Preparatory Ideal for designing a research study, assessing the feasibility of doing a study, and planning recruitment activities Allows researchers to access PHI without authorization from the subject Researcher must provide covered entity written representation that the use/disclosure of PHI is solely to prepare a research protocol or for similar purposes preparatory to research and that the access is necessary to conduct the research Researcher may not remove, download, print or copy any PHI from the covered entity Identifying and contacting potential subjects is not permissible under this provision. Minimum Necessary Rule applies Accounting of Disclosures required

27 Research on Decedents Not subject to the Common Rule (45 CFR 46) Subject to HIPAA (45 CFR 164) To access PHI of decedents, the researcher must provide the covered entity with written assurances that: the use/disclosure is solely for research on PHI of decedents; the subject(s) is deceased (death certificate) the PHI is necessary for the research. Minimum Necessary Rule applies Accounting of Disclosures required

28 Minimum Necessary Standard Minimum Necessary Standard Does not apply to research conducted pursuant to an Authorization Applies to: Research conducted pursuant to a Waiver Research involving PHI of decedents Use of PHI preparatory to research Limited data set research

29 HIPAA and Subject Recruitment HIPAA impacts how potential research subjects are identified and recruited: Researchers who are employed by the covered entity may use the preparatory research provision to contact prospective subjects. Researchers who are not employed by the covered entity may not use the preparatory research provision. Outside researchers could obtain contact information through a partial waiver of authorization. General Rules: No authorization required: Clinicians may discuss enrolling in a study with their own patients Authorization or waiver required: Clinician's disclosure to a third party for purposes of recruitment

30 Databases & Tissue Repositories Is patient authorization or waiver required for this? No, if for treatment or health care operations; Yes, if for research When such databases/banks are used for research purposes, require authorizations or waivers; and IRB approval Review existing internal databases to determine whether sole purpose is research, or whether treatment or health care operations purposes exist

31 Transition Provisions Transition Provisions: CE may use/disclose PHI that was created or received for research, either before or after the compliance date, if the CE obtained any ONE of the following prior to the compliance date: Authorization or other legal permission from an individual to use or disclose PHI for the research; Informed consent of the individual to participate in the research; or Waiver by an IRB in accordance with the Common Rule or an exception under FDA's human subject protection regulations at 21 CFR

32 Accounting of Disclosures Accounting Required Partial Waiver or Waiver Preparatory Work Decedents No Accounting Required Authorization Limited data set under a data use agreement To an individual about himself or herself

33 Accounting of Disclosures The Privacy Rule allows three methods for accounting for research-related disclosures: Standard Multiple-disclosures Alternative for disclosures involving 50 or more individuals. Accounting reports to individuals may include results from more than one accounting method.

34 Standard Accounting Standard accounting includes, for each disclosure, the following information: Date of disclosure. The name and, if known, address of the person or entity receiving the PHI. A brief description of the PHI disclosed. A brief statement of the reason for the disclosure.

35 Multiple Disclosures Accounting Permitted when the CE has made multiple disclosures of PHI to the same person or entity for a single purpose under Sections (a)(2)(ii) or For each disclosure, the following must be included: Date of initial disclosure. The name and, if known, address of the person or entity receiving the PHI. Brief description of the PHI disclosed. Brief statement of the reason for the disclosure. Frequency, periodicity, or number of the disclosures made during the accounting period. Date of the last disclosure during the accounting period.

36 Alternative Accounting Accounting may be limited to the following if the CE has disclosed PHI of 50 or more individuals for a research project under (i): Name of the protocol or research activity. Plain-language description of the research protocol or activity, purpose of the research, and criteria for selecting particular records. Description of the type of PHI disclosed. Date or period of time during which the disclosure(s) occurred or may have occurred, including the date of the last disclosure during the accounting period. Name, address, and phone number of the entity that sponsored the research and the researcher who received the PHI. A statement that the individual's PHI may or may not have been disclosed for a particular protocol or research activity.

37 Rule of 50 If the CE uses the Rule of 50, it must, if requested to by the individual, assist the individual in contacting the research sponsor and the researcher. Such assistance, however, is limited to those situations in which there is a reasonable likelihood that the individual's PHI was actually disclosed for the research protocol or activity.

38 Research & State Law Pre-emption Be mindful of state law requirements for use/disclosure of PHI for research Some state laws may be more stringent, such as Kentucky Some state laws may be less stringent, such as Indiana

39 Kentucky Law Example Kentucky law more protective regarding physician's patients KRS (9) states: "unethical, or unprofessional conduct" shall include but not be limited to... (4) any departure from, or failure to conform to the principles of medical ethics of the American Medical Association or the code of ethics of the American Osteopathic Association. For the purposes of this subsection, actual injury to a patient need not be established.

40 Kentucky Law Example The following are excerpts from the AMA Ethics Opinions: The physician should not reveal confidential communications or information without express consent of the patient unless required to do so by law... E-5.05 Physicians must seek to protect patient privacy in all forms Such respect for patient privacy is a fundamental expression of patient autonomy and is a prerequisite to building the trust that is at the core of the patient-physician relationship. E The record is a confidential document involving the patient-physician relationship and should not be communicated to a third party without the patient's prior written consent, unless required by law or to protect the welfare of the individual or the community E-7.02

41 Kentucky Law Example This does not preclude the use of information under the preparatory to research exemption if the records are reviewed by the physician or an employee of the physician. This does appear to prevent physicians from making disclosures to those outside of their practice under either a waiver or under the preparatory to research exemption.

42 Indiana Law Examples IC Sections 5-7 Cancer Registry Research Purposes IC Sections Birth Problems Registry Research Purposes HIPAA pre-empts these Indiana laws which allowed researchers access to PHI of individual patients and to use the names of those patients to request further information Source: Hall, Render, Killian, Heath and Lyman, P.S.C. HIPAA Pre-emption Matrix

43 Research and HIPAA Security Researchers must take steps to develop appropriate safeguards to protect PHI Examples of safeguards include: Having researchers sign confidentiality agreements stating they will not share computer IDs and passwords Passwords on computers (setting computers to go into protected standby mode when left on and unattended) Securing data in databases, handhelds, Web sites Using locked file cabinets to store data Not leaving identified data in plain sight Shredding PHI

44 Research and HIPAA Security Security Rule requires audits Build HIPAA audits into research compliance billing and regulatory audits Authorizations Partial Waivers/Full Waivers Documentation of deceased individuals Data Use Agreements Accounting of Disclosures documentation

45 Federal HIPAA Penalties Federal Civil and Criminal Penalties Civil: $100 per violation, up to $25,000 per person, per year, for each requirement or prohibition violated Criminal (knowing violations): Up to $50,000 and one year in prison Under false pretenses up to $100,000, and up to five years in prison Intent to sell, transfer or use up to $250,000 and up to 10 years in prison

46 Private Right of Action HIPAA has no private right of action You can be sued under state law for alleged privacy breaches Kentucky example Texas example

47 Improper Disclosures Reporting improper uses or disclosures to patient not required under HIPAA unless accounting of disclosures requested Reporting improper uses or disclosures to OCR not required under HIPAA Reporting improper uses or disclosures for research may be required to other federal agencies OHRP, ORI, FDA - as well as the research sponsor and IRB of oversight Common Rule (45 CFR Part 46) requires institutions to report noncompliance to OHRP

48 For More Information NIH - Clinical Research - IRBs - Privacy Boards - Research Repositories and Databases - Rule Booklet - HIV/AIDS - Public Health - HHS - PRIM&R - ARENA -

49 Research and HIPAA: Conflicts and Controversy in Sponsored Research

50 HIPAA and the Clinical Trial Agreement The issue: Resolution of the conflicting interest between the researcher, the research institution and the research sponsor over the future use of data and/or tissue and blood specimens.

51 SCENARIOS Number 1: Sponsor wishes to sponsor clinical trial and collect data solely for the purpose of that clinical trial Number 2: Sponsor wishes to sponsor clinical trial and use data and/or some of the specimens collected for possible unspecified future research Number 3: Sponsor wishes to sponsor clinical trial and in the process of collecting specimens for the clinical trial asks researcher to collect additional sample to include in tissue/blood repository for future unspecified research

52 Researcher's goals Conduct quality research for the greater good Obtain sponsorship for research Possible commercial benefit Personal recognition Comply with regulations

53 Institution's goals Conduct quality research for the greater good Obtain sponsorship for research Possible commercial benefit Institutional recognition Compliance with applicable regulations

54 Sponsor's goals Non-commercial sponsors Conduct quality research for the greater good Commercial sponsors Conduct quality research for the good of the organization Commercial benefit Compliance with applicable regulations

55 What is the problem? Researcher's interest is in the research, not focused on compliance Researcher may consider sacrificing compliance if he/she feels the research is important Researcher does not always understand intricacies of the agreements they wish to enter

56 What is the problem? The institution has to consider all applicable regulations. What is beneficial to the researcher and the sponsor might not be possible. Applicable regulations differ according to the player. Institutional Review Board must consider ethical as well as legal issues.

57 What is the problem? Sponsor is generally not a covered entity thus there may be no desire to comply with HIPAA privacy or security regulations. Sponsor might push to have language in CTA that permits future unspecified uses of data and/or specimens.

58 Scenario 1 The institution can enter a clinical trial agreement stating that the institution is in compliance with HIPAA. The institution has no problem crafting an authorization that informs the subject their data will be shared with the sponsor for this study. Once the sponsor gets the data, if HIPAA does not apply to the sponsor the information may no longer be protected

59 Scenario 2 The institution can enter a clinical trial agreement stating that the institution is in compliance with HIPAA. The institution has no problem crafting an authorization that informs the subject their data will be shared with the sponsor for this study. Once the sponsor gets the data, if HIPAA does not apply to the sponsor the information may no longer be protected However...

60 Scenario 2 Additional issues: Is the institution obligated to inform the subject that their data will be included in the sponsor's research database for uses and/or disclosures unrelated to the current clinical trial? Is the institution obligated to ask the sponsor what, if any, additional uses or disclosures will occur from the data collected for the current trial? What if the sponsor wants to use it for purposes unrelated to research? Has the institution met its HIPAA obligation if the authorization informs the subjects that the sponsor will receive their data and if the sponsor is not a covered entity the data is no longer protected?

61 Scenario 3 The institution can enter a clinical trial agreement stating that the institution is in compliance with HIPAA. The institution has no problem crafting an authorization that informs the subject their data will be shared with the sponsor for this study. Once the sponsor gets the data, if HIPAA does not apply to the sponsor the information may no longer be protected However...

62 Scenario 3 Additional issues: If participation in the underlying clinical trial is conditioned on the subject signing the authorization but provision of the additional blood or tissue specimen is not, a second authorization may be required. If the second authorization is solely for the purpose of collecting the blood or tissue specimen for the sponsor to include in a repository for future unspecified research, how can the researcher/research institution craft a valid authorization?

63 Scenario 3 The specificity requirements of an authorization will not permit an authorization for future, unspecified research. According to current guidance, the research purpose must be study or protocol specific.

64 Scenario 3 Possible solutions Get sponsor to treat research database or specimen repository as if they are a covered entity Data comes out as limited data set with data use agreement Submit future protocols to IRB Don't engage in research with sponsors who will not treat data as if they are a covered entity Prepare an authorization that informs the subject that their data and/or specimen is being collected for inclusion in the sponsor's database/repository without addressing the intended future uses or disclosures.

65 JCAHO and HIPAA: A Crosswalk to Compliance

66 Objectives Understand the JCAHO Accreditation Process Compare/Contrast JCAHO standards and the HIPAA Privacy Rule Discuss Self-Assessment and Tracer Methodologies required by JCAHO

67 Understanding the JCAHO Accreditation Process JCAHO surveys for compliance with stated standards and performance expectations Standard = goal Compliant or non-compliant Elements of Performance = steps needed to achieve the standard

68 Elements of Performance (EPs) EPs are evaluated on the following scale: 0 insufficient compliance 1 partial compliance 2 satisfactory compliance N/A Non-applicable

69 Patient Rights JCAHO Standard RI.2.20: Patients receive information about their rights. Elements of Performance for RI.2.20 Information on rights is provided to each patient HIPAA: (a)(1) Notice of Privacy Practices

70 RI.2.20: Patient Rights EPs (cont'd) The patient has the right to access, request amendment to and receive an accounting of disclosures regarding his or her own health information as permitted under applicable law. HIPAA: Right to Access PHI Right to Amend Right to Accounting of Disclosures

71 Photography/Filming Consent JCAHO Standard RI.2.50: Consent obtained for recording or filming made for purposes other than identification, diagnosis or treatment Elements of performance 1) When used only for internal organizational purposes: Must document consent Can be part of a general consent for treatment 2) External purposes documentation of a specific, separate consent including the circumstances of use

72 Photography/Filming (cont'd) HIPAA (b) & (c) Consent for TPO internal vs. external When an authorization is required (a)(3) Marketing (c) Victims of abuse (forensic photographs for victims of child-abuse) (i)(1) Research

73 Informing Others of Care and Treatment JCAHO Standard RI.2.90: Patients, and when appropriate, their families are informed about the outcomes of care, treatment and services HIPAA: (b) uses and disclosures for involvement in the individual's care JCAHO outcomes vs. HIPAA specific circumstances

74 Complaint Management JCAHO Standard RI.2.120: The hospital addresses the resolution of complaints from patients and their families. HIPAA: Complaints to the Secretary (b)(1)(vi) Complaint Process (d)(1) Documentation of Complaints

75 Complaint Management (cont'd) JCAHO EPs for RI Patients can freely voice complaints without being subject to coercion, discrimination, reprisal, or unreasonable interruption of care and treatment HIPAA: (g) covered entity must refrain from intimidating or retaliatory acts against individuals who file a complaint, participate in an investigation

76 Patient Privacy Needs JCAHO Standard RI The hospital respects the needs of patients for confidentiality, privacy and security HIPAA (c) & (a)(1) Right to Request Restrictions (h) & (b)(1) Confidential Communications (a) Facility Directory Opt Out Notice of Privacy Practices HIPAA Security Standards

77 Research JCAHO Standard RI.2.180: The hospital protects research subjects and respects their rights during research, investigation, and clinical trials involving human subjects. HIPAA: (i) Research Purposes Waiver of authorization Preparatory to research activities

78 Correctional Institutions JCAHO Standard LD.3.150: The hospital plans for the appropriate care, treatment and services for patients under legal or correctional restrictions. Elements of performance for LD.3.150: Administrative and clinical decisions are coordinated as to disclosing PHI to correctional institutions and/or officers.

79 Correctional Institutions HIPAA (k)(5) disclosures to correctional institutions and law enforcement HIPAA (a)(3) NPP exception for inmates

80 Environment of Care JCAHO Standard EC.1.20: The hospital conducts environmental tours to identify ... and unsafe practices (including privacy and security concerns) Must conduct environmental tours at least once every six months in all areas where individuals are served Must conduct environmental tours at least annually in areas where individuals are not served.

81 Environment of Care (cont'd) HIPAA: no specific comparable regulation in Privacy Rule BUT... HIPAA auditing best practices would include such environmental tours or walkthroughs AND HIPAA Security Rule

82 Information Management JCAHO Standard IM.1.10 the hospital plans and designs information management processes to meet internal and external information needs

83 Information Management (cont'd) Elements of Performance for IM.1.10 consider who is requesting the information and what is being requested: licensing, accrediting and regulatory bodies purchasers, payors, and employers participation in national research and databases patient safety reviews quality assessments

84 Information Management (cont'd) HIPAA Notice of Privacy Practices HIPAA (e)1; (e)1: Business Associate Agreements

85 Information Management (cont'd) uses and disclosures for which an authorization or opportunity to object is not required Disclosures required by law Public health activities Health oversight (a) de-identification of data

86 Confidentiality and Security JCAHO Standard IM.2.10: Information privacy and confidentiality are maintained Elements for performance for IM.2.10: Hospital has written processes that address the privacy and confidentiality of information All HIPAA policies

87 Confidentiality and Security EP for IM.2.10: Policy has been effectively communicated to applicable staff HIPAA Training: (b)(1) EP for IM.2.10: Process to monitor compliance with its policy HIPAA Auditing and Monitoring

88 Confidentiality and Security EP for IM.2.10: Individuals about whom PHI may be maintained/collected are made aware of what uses and disclosures of the information will be made HIPAA NPP, authorizations For uses and disclosures of health information, the removal of personal identifiers is encouraged to the extent possible, consistent with maintaining the usefulness of the information (a) de-identification of data

89 Confidentiality and Security Elements for Performance of IM.2.10 Protected health information is used for the purposes identified or as required by law and not further disclosed without patient authorization HIPAA uses and disclosures for which an authorization is required

90 Confidentiality and Security Elements for Performance for IM.2.10 The hospital preserves the confidentiality of data and information identified as sensitive and requires extraordinary means to preserve patient privacy. HIPAA Policy manual (a)(2) Psychotherapy notes Minimum Necessary Rule Limited data sets

91 Managing the JCAHO Self-Assessment Need hard data: concrete and verifiable Audit data, not just that policies and procedures are in place Privacy Grid: what documented data will show compliance?

92 JCAHO and Tracer Methodology JCAHO tracks real patients' experiences as they move through the hospital Your audits should mirror this methodology Pull random samples and see how PHI was accessed, used and disclosed throughout the hospital stay

93 The Self-Assessment: Getting Started Assemble a Team Privacy Officer Information Security Officer Internal Auditor Systems Administrators Administration External sources

94 Identify Tools Employee work schedules, attendance records, clock in/out Medical records Paper documentation related to area of review s and faxes Phone records land lines and cell Internal system-generated audits from computer systems Specific computer systems: registration (facility blocks); Disclosure Tracking April

95 Identify Systems
- Locate all computer systems
- Determine audit functionality with vendor
- Obtain list of all User IDs for each system: employees, contractors, physicians, office staff, medical students, etc.
- Create crosswalk of audit codes for each system
- Obtain list of computer terminal IDs and locations

96 System Audit by User
System-generated audits focused on a User ID generally provide:
- List of patients accessed by name and medical record number
- Date, time, duration of access
- Computer terminal ID
- IP address of computers off site
- Details about info accessed, such as care provider list, results, contraindications, orders, charges, demographics, and financial
- Whether info was printed

97 System Audit by Medical Record
System-generated audits focused on a patient's medical record generally provide:
- List of users who accessed the record
- Date, time, duration of access
- Computer terminal ID used on campus
- IP address of computer used off campus
- Details about info accessed, such as care provider list, results, orders, demographics, and financial
- Whether info was printed

98 Potential Areas of Focus
- Inappropriate Access
- Walkthroughs
- Garbage
- Patient Rights
- PHI with Special Protections (drug, alcohol, HIV)

99 Potential Areas of Focus
- Research
- Policies/Procedures
- Training and Education databases and logs

100 Inappropriate Access
- Athletes, VIPs, celebrities, politicians, public figures, other patients featured in the media
- Employees
- Co-worker access
- Self access
- Residents, Physicians, Physician Office staff
- Complaints, Hotline calls, Administrative requests
- Patients involved in lawsuits, sentinel events
- Special populations
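An added example, not part of the original presentation: one way to screen a system-generated audit export for the access patterns named on the slides above (self access, co-worker access, patients featured in the media, generic or departed user IDs, off-site access, printing), then pivot to the by-medical-record view. The column names, user-ID crosswalk layout, watchlist and every sample value are constructed assumptions.

```python
import csv
import io

# Constructed sample of a system-generated audit export. Columns follow the
# fields listed on the "System Audit by User" slide; all values are invented.
AUDIT_CSV = """\
user_id,patient_mrn,timestamp,duration_s,terminal_id,ip_address,info_accessed,printed
rn_4w_01,500100,2005-03-02T09:14:00,180,T-4W-03,,results,N
rn_4w_01,200777,2005-03-02T23:41:00,45,T-4W-03,,demographics,Y
reg_02,300555,2005-03-03T10:05:00,600,T-REG-01,,financial,N
md_off_07,100234,2005-03-03T20:30:00,240,,203.0.113.20,orders,N
ERNURSE,400888,2005-03-04T02:10:00,30,T-ED-02,,results,N
tmp_19,400888,2005-03-04T11:00:00,90,T-HIM-05,,care provider list,Y
zz_99,500100,2005-03-04T12:00:00,15,T-4W-03,,charges,N
"""

# Constructed user-ID crosswalk (hypothetical schema): the holder's own medical
# record number if they are also a patient, whether the ID is still active, and
# whether it is a shared/generic login.
USERS = {
    "rn_4w_01": {"own_mrn": "200777", "active": True, "generic": False},
    "reg_02": {"own_mrn": "100234", "active": True, "generic": False},
    "md_off_07": {"own_mrn": None, "active": True, "generic": False},
    "ERNURSE": {"own_mrn": None, "active": True, "generic": True},
    "tmp_19": {"own_mrn": None, "active": False, "generic": False},
}

# Constructed watchlist: MRNs of patients featured in the media, VIPs, etc.
WATCHLIST = {"300555"}


def load_events(text):
    """Parse the audit export into a list of dicts, one per access."""
    return list(csv.DictReader(io.StringIO(text)))


def flag_event(event, users, watchlist):
    """Return the review flags raised by a single access record."""
    reasons = []
    uid = event["user_id"]
    mrn = event["patient_mrn"]
    user = users.get(uid)
    if user is None:
        reasons.append("unknown_id")        # ID missing from the crosswalk
    else:
        if user["generic"]:
            reasons.append("generic_id")    # shared login, no accountability
        if not user["active"]:
            reasons.append("inactive_id")   # holder has left the organization
        if user["own_mrn"] == mrn:
            reasons.append("self_access")
    # MRNs that belong to workforce members other than the accessing user
    staff_mrns = {u["own_mrn"] for k, u in users.items()
                  if u["own_mrn"] and k != uid}
    if mrn in staff_mrns:
        reasons.append("coworker_record")
    if mrn in watchlist:
        reasons.append("watchlist_patient")
    if event["ip_address"]:
        reasons.append("off_site")          # IP is only recorded off campus
    if event["printed"].strip().upper() == "Y":
        reasons.append("printed")
    return reasons


def review(text, users, watchlist):
    """Return only the accesses that carry at least one review flag."""
    findings = []
    for event in load_events(text):
        reasons = flag_event(event, users, watchlist)
        if reasons:
            findings.append({
                "user_id": event["user_id"],
                "patient_mrn": event["patient_mrn"],
                "timestamp": event["timestamp"],
                "reasons": reasons,
            })
    return findings


def record_trail(events, mrn):
    """By-medical-record view: who touched one record, in time order."""
    return sorted((e["timestamp"], e["user_id"])
                  for e in events if e["patient_mrn"] == mrn)


if __name__ == "__main__":
    for f in review(AUDIT_CSV, USERS, WATCHLIST):
        print(f["timestamp"], f["user_id"], f["patient_mrn"],
              ",".join(f["reasons"]))
```

A flag is a lead for review, not a finding: each one still has to be checked against work schedules, the medical record and the other tools the team has identified before the access is judged inappropriate.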

101 Walk Throughs
- PHI visible in open, public areas
- PHI left unattended on fax, copy machines
- PHI transported unsecured
- Shredding bins overflowing or unlocked
- Fax cover sheets being used
- PHI being discussed in elevators, cafeteria
- Is Notice of Privacy Practices posted appropriately

102 Garbage
Check for improper disposal of PHI in:
- Bags of trash that have not been compacted
- Trash cans in patient rooms
- Trash cans in clinical areas
- Trash cans in administrative areas that process health information
- Trash cans in doctors' lounges, sleep rooms

103 Patient Rights
Check medical records for appropriate documentation of:
- Notice of Privacy Practices acknowledgement
- Authorizations
- Access requests
- Amendment requests
- Accounting of Disclosures
- Restriction requests
- Confidential Communications requests
- Opt Out requests

104 Other PHI
Check medical records for documentation of appropriate release of information for:
- Psychotherapy notes
- HIV/AIDS
- Subpoenas/Orders of Court
- Victims of a crime
- Research
- Accounting of Disclosures

105 Research
Check research patient medical records for proper documentation of:
- Informed consent and HIPAA authorization
- Accounting of disclosures
- Partial and full waivers
- Preparatory to research/screening
- Decedents

106 Policies & Procedures
Review policies, procedures and processes to determine whether:
- they are accurate and consistent
- they are being followed as written
  - Use sample audits to get concrete data
- revisions are required because of changes in federal and/or state law

107 Evaluate Results
- Was PHI accessed/used/disclosed appropriately?
  - Sample data
- What caused the inappropriate access, use or disclosure?
- How can the inappropriate access, use or disclosure be prevented?

108 Report Results
- Report conclusions to business process owners
- Present recommendations to business process owners
- Draft a corrective action plan

109 Examples: Sanctions Recommendations
- Revise policies
- Re-educate, plan awareness campaign
- Revoke access privileges
- Assign new passwords
- Remove generic IDs and IDs of those who left the organization or no longer have business with it

110 Mitigation
Follow through:
- Document improper disclosures in accounting of disclosures
- Implement recommendations
- Reinforce policy
- Re-audit
- Re-audit
- Re-audit

111 Improper Disclosures
- Reporting to patient not required unless accounting of disclosures requested
- Reporting improper disclosure to OCR not required under HIPAA
- Reporting improper disclosure for research may be required to other federal agencies - OHRP, ORI, FDA - as well as the research sponsor and IRB of oversight
- ***Discuss with your legal counsel

112 Minor Child Issues Under HIPAA

113 Patient Rights Regarding Medical and Billing Records
- Right to receive hospital's Notice of Privacy Practices
- The Divorced Parents
- The Foster Parent
- The guardian
- Obtaining acknowledgement
- No parent or guardian present

114 Patient Rights: Access to PHI
- Access to PHI
- State minor consent laws
- Foster parents
- Child and Family Services
- Other county agencies
- The abusive parent
- Care providers

115 Patient Rights: Access to PHI
- Access to billing records
- Parent vs. Guarantor

116 Telephone Disclosures
- Difficulty in using social security numbers for children
- Inpatient: telephone disclosure code
- Outpatients: birthdate and current address
- The ED for security and operational purposes does not release any information over the telephone

117 Release of PHI Without an Authorization
- People involved in care or payment for care
- Designated by patient/parent
- Present during discussion
- Assumed by circumstances and in our best judgment this would be permitted by patient/parent

118 Disclosure of PHI: The HIPAA Authorization
- Components of a Valid Authorization
- HIPAA requires several new components

119 Requests for PHI by the Patient/Parent/Guardian
- Requests from the patient/parent/guardian for disclosure of PHI, including copies of medical records, must be on a HIPAA Authorization Form or other form or in writing
- Copy fees can be charged in amounts in accordance with PA law

120 Requests By Minors
- Emancipated Minor
- PA Medical Consent of Minor Law

121 Requests By Minors
Under Pennsylvania law, a minor has the right to consent to medical treatment for him/herself or his/her child without parental consent if the minor:
- is or has been pregnant;
- has graduated from High School;

122 Requests By Minors
- is married;
- is in the military; or
- is seeking testing or treatment for
  - Pregnancy
  - Sexually transmitted or other reportable diseases

123 Requests By Minors
- Drug and alcohol abuse
- If 14 years or older, for mental health voluntary or involuntary inpatient treatment or involuntary outpatient treatment
- A minor that has been emancipated by order of court shall produce a copy of such order prior to the release of PHI.

124 Patient Rights Regarding Medical And Billing Records
- Patient Request for Confidential Communications
  - Adolescent medicine
- Patient Request for an Accounting of Disclosures
  - Counting requests when dealing with multiple parents
  - What is once per year

125 Accounting of Disclosures of PHI
- Child Abuse
- Are such requests included?
- State preemption

126 CONTACT INFORMATION
- Betsy Hall (502)
- Jodi Innocent (412)
- Marti Arvin (502)

127 QUESTIONS


Privacy and Consent Primer Privacy and Consent Primer Bob Johnson e-health Project Manager, Minnesota Department of Health Stacie Christensen Director, Information Policy Analysis Division, Minnesota Department of Administration

More information

NOTICE OF PRIVACY PRACTICES

NOTICE OF PRIVACY PRACTICES NOTICE OF PRIVACY PRACTICES Effective Date: July 12, 2017 THIS NOTICE OF PRIVACY PRACTICES ( NOTICE ) DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED, AND HOW YOU CAN GET ACCESS TO

More information

NOTICE OF PRIVACY PRACTICES

NOTICE OF PRIVACY PRACTICES NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. Who Presents this

More information

Failure to comply may result in WU being liable for civil and criminal penalties under the HIPAA regulations.

Failure to comply may result in WU being liable for civil and criminal penalties under the HIPAA regulations. HIPAA Privacy Procedure #1 Effective Date: April 14. 2003 Reviewed Date: February, 2011 Accountabilities for Compliance to HIPAA Privacy Revised Date: February, 2011 Rules Scope: Radiation Oncology ************************************************************************************************

More information

NOTICE OF PRIVACY PRACTICES

NOTICE OF PRIVACY PRACTICES Amended September 2013 NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

More information

PRIVACY POLICY USES AND DISCLOSURES FOR TREATMENT, PAYMENT, AND HEALTH CARE OPERATIONS

PRIVACY POLICY USES AND DISCLOSURES FOR TREATMENT, PAYMENT, AND HEALTH CARE OPERATIONS PRIVACY POLICY As of April 14, 2003, the Federal regulation on patient information privacy, known as the Health Insurance Portability and Accountability Act (HIPAA), requires that we provide (in writing)

More information

Valley Regional Medical Center HIPAA AND HITECH EDUCATION

Valley Regional Medical Center HIPAA AND HITECH EDUCATION Valley Regional Medical Center HIPAA AND HITECH EDUCATION Privacy and Security of Protected Health Information 1 HIPAA and Its Purpose What is HIPAA? Health Insurance Portability and Accountability Act

More information

Balance Fitness and Nutrition

Balance Fitness and Nutrition Balance Fitness and Nutrition HIPPA Notice of Privacy Practices Effective Date: January 29, 2012 THIS NOTICE DESCRIBES HOW PROTECTED HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN

More information

NOTICE OF PRIVACY PRACTICES

NOTICE OF PRIVACY PRACTICES 535 East 70th Street New York, NY 10021 (212) 606-1000 Specialists in Mobility NOTICE OF PRIVACY PRACTICES Effective Date: April 14, 2003 THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE

More information

NOTICE OF PRIVACY PRACTICES

NOTICE OF PRIVACY PRACTICES NOTICE OF PRIVACY PRACTICES 1 Effective Date: April 14, 2003 Revision Date: September 23, 2013 Revision Date: January 17, 2018 THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED

More information

Commission on Dental Accreditation Guidelines for Filing a Formal Complaint Against an Educational Program

Commission on Dental Accreditation Guidelines for Filing a Formal Complaint Against an Educational Program Commission on Dental Accreditation Guidelines for Filing a Formal Complaint Against an Educational Program The Commission strongly encourages attempts at informal or formal resolution through the program's

More information

NEW BRIGHTON CARE CENTER

NEW BRIGHTON CARE CENTER NEW BRIGHTON CARE CENTER 805 6 th Ave NW, New Brighton, MN 55112 NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS

More information

Notice of Privacy Practices

Notice of Privacy Practices 2269 CHERRY VALLEY ROAD, NEWARK, OH 43055 (740) 788-1400 THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW

More information

Johns Hopkins Notice of Privacy Practices for Health Care Providers

Johns Hopkins Notice of Privacy Practices for Health Care Providers Johns Hopkins Notice of Privacy Practices for Health Care Providers This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please

More information

NOTICE OF PRIVACY PRACTICES

NOTICE OF PRIVACY PRACTICES NOTICE OF PRIVACY PRACTICES Effective Date: 2013 Wisconsin Dental Association (800) 243-4675 THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS

More information

Compliance Program, Code of Conduct, and HIPAA

Compliance Program, Code of Conduct, and HIPAA Compliance Program, Code of Conduct, and HIPAA Agenda Introduction to Compliance The Compliance Program Code of Conduct Reporting Concerns HIPAA Why have a Compliance Program Procedures to follow applicable

More information

NOTICE OF PRIVACY PRACTICES

NOTICE OF PRIVACY PRACTICES Effective 10-9-2013 This notice of privacy practices describes how Family Chiropractic Health Care manages and protects your personal information. THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU

More information

Breach Reporting and Safeguarding PHI Outpatient Services August, UAMS HIPAA Office Anita Westbrook

Breach Reporting and Safeguarding PHI Outpatient Services August, UAMS HIPAA Office Anita Westbrook Breach Reporting and Safeguarding PHI Outpatient Services August, 2012 UAMS HIPAA Office Anita Westbrook Breaches and Breach Reporting Real Life Example An employee of a large hospital accidentally left

More information

This notice describes Florida Hospital DeLand s practices and that of: All departments and units of Florida Hospital DeLand.

This notice describes Florida Hospital DeLand s practices and that of: All departments and units of Florida Hospital DeLand. MRN: FIN: FLORIDA HOSPITAL DELAND HIPAA NOTICE OF PRIVACY PRACTICES Effective Date: September 23, 2013 THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN

More information

Managing Privacy Risk in Your Research and Development Enterprise. Sujata Dayal, Abbott Justin McCarthy, Pfizer

Managing Privacy Risk in Your Research and Development Enterprise. Sujata Dayal, Abbott Justin McCarthy, Pfizer Managing Privacy Risk in Your Research and Development Enterprise Sujata Dayal, Abbott Justin McCarthy, Pfizer Why Privacy Matters Human subject data is extremely sensitive Access to data is critical to

More information

Notice of Privacy Practices

Notice of Privacy Practices Notice of Privacy Practices Effective September 23, 2013 TCHC.org An equal opportunity employer and provider. CLINICS Baxter Bertha Henning Ottertail Sebeka Verndale Wadena HOSPITAL Wadena 415 Jefferson

More information

RECEIPT OF NOTICE OF PRIVACY PRACTICES WRITTEN ACKNOWLEDGEMENT FORM. I,, have received a copy of Dr. Andy Hand s Notice of Privacy Practice.

RECEIPT OF NOTICE OF PRIVACY PRACTICES WRITTEN ACKNOWLEDGEMENT FORM. I,, have received a copy of Dr. Andy Hand s Notice of Privacy Practice. Central Texas Institute Of Plastic Surgery, PA Dr. Andy Hand, M.D. Plastic and Reconstructive Surgery Cosmetic Plastic Surgery RECEIPT OF NOTICE OF PRIVACY PRACTICES WRITTEN ACKNOWLEDGEMENT FORM I,, have

More information

HIPAA Privacy Rule. Best PHI Privacy Practices

HIPAA Privacy Rule. Best PHI Privacy Practices HIPAA Privacy Rule Best PHI Privacy Practices Learning Objectives Define the acronym HIPAA. Understand your role and responsibilities under the privacy regulations. Know what patient s rights are in terms

More information