HIPAA & HEALTH INFORMATION EXCHANGE

HIPAA & HEALTH INFORMATION EXCHANGE (Perspective from the Private Sector)
Helen Oscislawski, Esq.
March 26, 2012
20th National HIPAA Summit, Washington D.C.
© 2012 Oscislawski LLC

Where Should We Start?
Privacy & Security with Health Information Exchange

HIPAA & HITECH
(* State Law considerations too)

- Notice of Privacy Practices (Privacy Rule)
- Permitted Uses & Disclosures (Privacy Rule)*
- Authorization & Consent (Privacy Rule)*
- Patient Access Rights (Privacy Rule/HITECH)*
- Accounting of Disclosures (Privacy Rule/HITECH)
- Preemption (HIPAA/Privacy Rule)
- Role-Based Access (Security Rule)
- Authentication (Security Rule)
- Auditing (Security Rule)
- Breach Notification (HITECH)*
- Security Gap Assessment (Security Rule)
- Complaints & Sanctions (Privacy/Security Rules)
- HIPAA BA Agreements (Privacy/Security/HITECH)

ONC Guiding Principles for HIE
http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov privacy security_framework/1173

- Openness & Transparency
- Individual Choice
- Collection, Use & Disclosure Limitation
- Safeguards
- Data Quality & Integrity
- Correction
- Accountability
- Individual Access

CROSSWALKING HIE GUIDING PRINCIPLES with HIPAA

HIE Policies (1-20)

1. Compliance with National Privacy and Security Framework
2. Table of Contents and Definitions
3. Governance
4. Patient Rights
5. Patient Participation and Choice
6. Participants and Authorized Users
7. Security Risk Assessment
8. Authorization and Access
9. Authentication
10. Compliance with Laws & Policies
11. Notice of Privacy Practices
12. Permitted and Prohibited Uses and Disclosures
13. Information Subject to Special Protection
14. Minimum Necessary
15. Business Associates
16. Security Incidents & Breaches
17. Auditing
18. Data Integrity and Correction
19. Complaints
20. Enforcements and Sanctions

New Jersey Sequestration Pilot

Exchange Type: Hospital-based

Governance:
- HIE Council
- Physician Usage Committee
- Privacy & Security Committee

Technology:
- Centralized HIE (Wellogic)
- Plug-in for tagging sensitive data, the sequestration safeguard (EnableCare)

Consent Model:
- Opt-Out as baseline for hospital and basic providers
- Opt-In for sensitive provider-types
- Episodic consent for tagged/sequestered data

Consent Models for HIE*

- No Consent
- Opt-Out
- Opt-Out, with Granularity of Choice
- Opt-In
- Opt-In, with Granularity of Choice

* Consumer Consent Options for Electronic Health Information Exchange: Policy Considerations and Analysis, Department of Health Policy, School of Public Health and Health Services, George Washington University Medical Center (March 23, 2010).

Approaches Considered by NJ Pilot

- No restrictions on sharing, including sensitive information. Concern is patient trust and comfort with a system that treats all information the same; it's not.
- One for All. Concerns that if the consent covers everything, it still does not offer true confidentiality for the patient, especially for sensitive data. Also prone to a "sign here" blanket approach, which is not meaningful.
- Item-by-item restriction (granularity). Although this increases patient control, it is very, very difficult to administer. Also, too much choice is not always a good thing: patients may forget previous preferences, and it may be too cumbersome even for the patient. Also not in line with current workflows where information is already being exchanged.

* Data Segmentation in Electronic Health Information Exchange: Policy Considerations and Analysis, Department of Health Policy, School of Public Health and Health Services, George Washington University Medical Center (September 29, 2010).

Why Sequestration? Balances Medical Need & Privacy Interests

What on Earth is Sequestration?

February 20, 2008 Letter: the National Committee on Vital and Health Statistics (NCVHS) first used the term in its letter to then-Secretary of the U.S. Department of Health, Michael O. Leavitt. The Letter says on page 3:

"NCVHS recommends permitting an individual to sequester sensitive information based on predefined categories of information as defined below. Every individual would have the option of designating one or more categories for sequestering. If a category is selected, all of the information in that category, as the category is defined, would be sequestered. The individual would not have the option of selecting only specific items within that category to sequester (an approach discussed below that we rejected)." (emphasis added)

NCVHS 2008 Recommendations

1.a. Patients should be permitted to sequester specific sections of their health record in one or more pre-defined categories.
1.b. HHS should initiate an open, transparent, and public process to identify the possible categories of sensitive information for sequestration, and to define with specificity the criteria for inclusion and exclusion within each category.
1.c. Categories of information that are sequestered should be notated that certain information is sequestered at patient's request.
1.d. Design should permit individuals the ability to authorize selected health care providers to access sequestered information.
1.e. Emergency access should be permitted.
1.f. Audit trails must capture all break glass episodes.
1.g. Patient must be notified of break glass situations.
1.h. Provider who accesses the information is responsible for ensuring that information is either re-sequestered or otherwise further disclosed only as permitted by applicable law.

HITECH Segmentation

February 2009, HITECH Act (H.R. 1) includes Section 3002(b)(2)(B), which specifically directs the HIT Policy Committee (at ONC) to make recommendations for:

"technologies that protect the privacy of health information and promote security in a qualified electronic health record, including for the segmentation and protection from disclosure of specific and sensitive individually identifiable health information with the goal of minimizing the reluctance of patients to seek care (or disclose information about a condition) because of privacy concerns, in accordance with applicable law" (emphasis added).

HITECH on NCVHS Recommendations

Section 3002(b)(8) of the HITECH Act then goes on to require that:

"The National Coordinator shall ensure that the relevant and available recommendations and comments from the National Committee on Vital and Health Statistics are considered in the development of policies."

NCVHS November 2010 Recommendations

November 10, 2010 Letter: NCVHS issues second letter to DHHS Secretary with Recommendations Regarding Sensitive Health Information. Provides suggested categories of sensitive information:

Federal law:
- HIPAA: Psychotherapy Notes
- HITECH: Out of pocket services
- 42 CFR Part 2
- GINA

State law: HIV/AIDS; STDs; Genetic; Mental Health; Emancipated Minors

Other:
- Mental Health
- Sexuality and Reproductive Health
- Domestic Violence

NJ Pilot: Defining What is Sensitive

FEDERAL:
- 42 CFR Part 2 Records
- GINA (Genetic Information and Nondisclosure Act)
- Services paid for out of pocket (HITECH)
- Psychotherapy Notes as defined under HIPAA; disclosure requires prior written authorization of the individual

STATE:
- HIV/AIDS Information (N.J.S.A. 26:5C-8)
- Venereal Diseases (N.J.S.A. 26:4-41)
- Drug & Alcohol Rehabilitation Information (N.J.S.A. 26:2B-8)
- Mental Health Rehabilitation (N.J.A.C 10:37-6.79)
- Genetic Privacy Act of New Jersey (N.J.S.A. 10:5-43)
- Minor's Emancipated Treatment (N.J.S.A. 9:17B-1)

Social Security Numbers.

NCVHS Recommendations:
- Reproductive Rights
- Domestic Violence

Initial Numbers*

Total reports analyzed: 1,663,730 (all hospital and ED)

Reports by Type:
- Anatomic Pathology: 50,011
- Radiology: 636,012
- ED visits: 463,701
- History and Physical: 77,078
- Discharge Summary: 88,598
- Consults: 97,121
- Operative Report: 57,701
- Other: 193,508 (cardiology, surgery, L&D)

Initial Numbers*

- Total with multiple sensitive flags: 1.2%
- Total with one sensitive category: 3.4%
- Total Sensitive: 4.6%
- Total with negated vocabulary: 3.5% (sensitive terms with negation language, e.g. "not", "no evidence of"; not included in the sensitive % above)

* Based on preliminary testing and analysis. Numbers do not necessarily reflect final results.

Initial Numbers*

Sensitive Data Tagged by Category (per rules), as % of sensitive:
- Abortion: 3.8%
- Genetic testing/diseases: 11.4%
- HIV: 6.1%
- Mental health treatment: 6.9%
- Sexual abuse (minors): 0.2%
- Sexual activity (minors): 8.2%
- Sexually Transmitted Diseases: 18.4%
- Substance abuse (minors): 0.7%
- Suicidal ideation: 44.3%

* Based on preliminary testing and analysis. Numbers do not necessarily reflect final results.

Why Sequestration? Balancing Competing Interests

Benefits of EHR vs. Individual Control

Benefits of EHR: Longitudinal, comprehensive, and interoperable EHR presents opportunities for enhancing coordination of care, avoiding duplication of services, and improving the effectiveness and efficiency of health care. Also makes it possible for all health care providers who may be consulted to have access to an individual's EHR from all current and past providers.

Individual Control: Electronic health information exchange (HIE) is a major shift from the decentralized, disconnected, largely paper-based health record system currently in use. There are significant implications for individual privacy and confidentiality. If HIE networks do not afford some level of protection, privacy could be compromised and patients may resist participating.

Questions?

Helen Oscislawski, Esq.
Principal, Attorneys at Oscislawski LLC
helen@oscislaw.com
609-835-0833
HIE Blog: www.legalhie.com
HIE, HIPAA & HITECH Legal Forms: www.ohcsolutions.com
www.oscislaw.com