HIPAA Compliance and Health IT
Joel Benware
Anne Cramer, Esq.
Jim Sheldon-Dean
Joel Benware
Compliance Officer at Northwestern Medical Center (NMC) in St. Albans, Vt.
o Reports directly to the NMC Board of Directors for Compliance matters.
o Certified in Healthcare Compliance (CHC) by the Health Care Compliance Association (HCCA)
Works with a Compliance team to develop an Annual Compliance Work Plan.
o Plan is developed from the OIG Annual Plan and our own internal audits and education efforts from the previous year.
Privacy and Security Officers report to the Vice President of Information Systems and Compliance
o Review all matters of HIPAA, privacy and security
o Conduct HIPAA Security Risk Assessments
Establish a culture of Compliance from the Board level through management to all employees, volunteers and Business Associates.
Anne Cramer
Lawyer, representing a broad spectrum of Vermont health care providers
Anne and her firm, Primmer, advise VITL
Began giving privacy law training to hospitals in the late 80s
Worked on Vermont legislation to rework and consolidate patient privacy protection law in the 90s; the multi-year effort failed
Assists hospitals, physicians, mental health agencies, nursing homes, home health agencies and others with HIPAA privacy and security policies, trainings, compliance and breach analysis and reporting
Advises on reconciling 42 CFR Part 2 compliance with the need for treating providers to collaborate and communicate about patients
Jim Sheldon-Dean
Focused on HIPAA compliance since before the rules were enforceable
Providing HIPAA compliance services to a variety of entities in Vermont and nationwide
An Engineer's approach to compliance: break it down, understand the pieces and how they interact, and put it all together again
Background is technology, policy, implementation
Strong belief in education and self-audits
We're all still learning about HIPAA and what it means today
New technologies are testing the limits of HIPAA
Keeping Track of Paper
Despite EHRs, a lot of patient information is still provided on paper.
Giving the wrong printout to the wrong patient is a HIPAA violation.
Papers must always be double-checked before handing them to the patient or putting them in an envelope.
Even a small breach may be a reportable breach.
1. What are some best practices and proper protocols for using shared printers at registration and checkout stations?
2. What should I do if I gave Ms. Jones' information to Mr. Smith?
Use of Messaging (Texting) Systems
Smartphones and handheld devices have capabilities that on the surface appear to be beneficial in treating patients:
o Camera
o Texting
o Voice recording
Security of PHI involved with mobile devices and apps is a major, current issue, getting worse every day
1. When is it allowable to send text messages to another provider about a patient?
2. What about pictures?
3. How can I ensure the information stays safe?
Clearly Defined Designated Record Set
Information that is not obtained by direct observation of the patient should not be included in their record.
For instance, information relayed to a mental health provider by the patient's family, regarding observation of dangerous behavior with one of their children. Since this data was not obtained directly by observation of the patient, it should not have been scanned into the record.
Information relied upon to make decisions about the patient's care should be part of the HIPAA Designated Record Set.
1. How does HIPAA define the Designated Record Set?
2. What are some guidelines for scanning data into a patient's medical record?
3. If not the medical record, then where can I store this information?
Use of Business Associates
Minimum Necessary Disclosure
Tailoring a BAA
For example, after a contractor's lost laptop was recovered, it was found to hold much more PHI than was necessary for their work with the Covered Entity.
Third-party evaluations and attestations of good practices
1. What is meant by Minimum Necessary Disclosure?
2. What are some tips and best practices in working with Business Associates?
Creating the Proper Culture
Employees have to feel safe in speaking up if they made a mistake themselves, or if they believe someone else in their office has made a mistake.
The entire staff should feel like an extension of the Privacy and Security Officer.
Organizational culture and personal responsibility are key to success in compliance.
1. What are some tips on creating the right kind of culture?
2. What is at risk if I don't speak up?
Data Ownership
A patient returned from treatment at a community hospital. Within a week, the patient received a marketing call offering a cream to help with their recent pain issues.
Marketing requires an authorization from the patient, while Healthcare Operations (such as providing continuing care) does not require authorization.
1. Is this Marketing, or Healthcare Operations, or a breach?
2. Who's responsible for this data breach?
3. How can we track data through all the possible intermediaries?
4. What if it was the Pharmacy that inadvertently disclosed the patient's medical condition?
Patient Generated Data
It seems like everyone wears a health tracking device these days
Vital sign monitoring equipment in the home also has the capability of recording information
Devices can upload data represented as the patient's data
1. What is patient generated data?
2. When can I accept patient generated data into a patient's record?
3. What if the device is lost or stolen?
Crossroad of Privacy and Transparency
Employees at health care organizations cannot and must not access their own data, or that of family members.
Employees should be encouraged to use the organization's patient portal for this type of information.
Compliance must be verified through internal audits.
De-identification of PHI is difficult.
1. How can I give an effective demonstration of an IT system without disclosing real patient information?
2. When is it OK to use real patient data if I blur out some of the information?