Navigating the ePHI Minefield
Meaningful Consent Meets the Restriction Requirements of the HIPAA Omnibus Rule

Timothy Kelly, MS, MBA
Standard Register Healthcare
86th AHIMA Convention & Exhibit, San Diego, CA

Consumer View of Personal Information Risks
- 40 million customers with compromised credit and debit card information
- 70 million with compromised email and mailing address information
Source: Harris EA, Perlroth N. Target missed signs of a data breach. The New York Times. March 13, 2014.
Consumer View of Personal Information Risks
- 1.2 billion user name and password combinations
- 500 million email addresses
Source: Perlroth N, Gelles. Russian hackers amass over a billion internet passwords. The New York Times. August 5, 2014.
- 56 million customers compromised
Source: Vinton K. With 56 million cards compromised, Home Depot's breach is bigger than Target's. Forbes. September 18, 2014.
Notable PHI Data Breaches
- $3.3 million fine, New York Presbyterian: PHI for 6,800 patients accessible by Google
- $1.73 million, Concentra: Theft of an unencrypted laptop with records of 148 patients (third incidence of a stolen laptop)
- $1.7 million, WellPoint: Disclosure of ePHI for 612,000 individuals
Source: Health & Human Services, Health Information Privacy http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/ (accessed 7/17/14)

Notable PHI Data Breaches
- 206 hospital system
- Data on 4.5 million patients
- Names, Social Security numbers, physical addresses, birthdays and telephone numbers
Source: Pagliery J. Hospital network hacked, 4.5 million records stolen. CNN Money. August 18, 2014.
Health Information Exchange

Health Information Exchange (HIE)
System that allows for the secure, electronic transfer of a patient's vital medical information
Advantages include:
- Speed
- Availability of information
- Fewer errors
- Automatic integration of data into the EHR
HIE Implementation Status
[Map of state HIE implementation status. Legend: Directed and query exchanges are both available; Only directed exchange is available; Only query exchange is available]
Source: HealthIT.gov http://www.healthit.gov/policy researchersimplementers/state hie implementation status/ (accessed 7/17/14)

HIE Participation Options
- No consent. Health information of patients is automatically included; patients cannot opt out
- Opt out. Default is for health information of patients to be included automatically, but the patient can opt out completely
- Opt out with exceptions. Default is for health information of patients to be included, but the patient can opt out completely or allow only select data to be included
- Opt in. Default is that no patient health information is included; patients must actively express consent to be included, but if they do so then their information must be all in or all out
- Opt in with restrictions. Default is that no patient health information is made available, but the patient may allow a subset of select data to be included
Meaningful Use

Meaningful Use
- $25.1 billion paid through August 2014 to hospitals and eligible providers

Stages of Meaningful Use
[Figure: stages timeline; surviving labels: 2016, 2017]
Stage 2 Objective: View, Download, and Transmit to 3rd Party
Must satisfy both of the following requirements:
- More than 50 percent of all patients who are discharged from the inpatient or emergency department have their information available online within 36 hours of discharge
- More than 5 percent of all patients who are discharged from the inpatient or ED view, download or transmit to a third party
Source: Meaningful Use Final Stage 2 2014 Edition Objective.

HIPAA Omnibus Final Rule
HIPAA Omnibus Final Rule
- Published in the Federal Register January 25, 2013
- Went into effect on September 23, 2013
- 45 CFR Parts 160 and 164
- 137 pages

HIPAA Omnibus Final Rule
"Much has changed in health care since HIPAA was enacted over fifteen years ago. The new rule will help protect patient privacy and safeguard patients' health information in an ever expanding digital age."
HHS Secretary Kathleen Sebelius, January 17, 2013
HIPAA Omnibus Final Rule
"This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patient's privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates."
HHS Office for Civil Rights Director Leon Rodriguez, January 17, 2013

HIPAA Omnibus Final Rule Key Provisions
Patient Access
- Patients may request a copy of their electronic medical record in electronic form

Sharing Restrictions
Patients who pay for tests or services out-of-pocket may restrict sharing of that information with:
- Their Health Plan
- Medicare
Definition of Breach
- Expanded to include limited data sets of information
- 54 data breaches of 500 or more patient records reported in the first 6 months of 2014
Source: U.S. Department of Health and Human Services' Office for Civil Rights (OCR)

Limits on Sharing of Information
- New limits on permissible uses for marketing and fundraising
- No sales of PHI without the patient's permission
State Law

State Law: Minors
In California, a minor may consent to medical or dental care if all of the following are true:
- Minor 15 years of age
- Minor is living apart from parent or guardian
- Minor is managing the minor's own financial affairs
Source: California Legislative Code. 6922(a).
State Law: Manner/Method of Communication
In California:
- Can request manner: specify address
- Can request mechanism: phone, US mail, email

Patient Education
Goals of Patient Education
Patient must understand:
- What an HIE is
- What information can be accessed via an HIE
- Who can access that information
- How that information is secured
- His or her consent options
- The benefits of allowing access to health information

Tools for Patient Education
Substantial resources are available on the HealthIT.gov website:
http://www.healthit.gov/p rovidersprofessionals/patientconsent electronic healthinformationexchange/econsent toolkit
Special Situations
Providers must be prepared to address patients with unique issues:
- Patients who require a surrogate decision maker
- Patients with disabilities or impairments
- Patients with limited health literacy
- Patients with limited English proficiency

Implementation
Form a Review Group
- Membership: IT, clinical leadership, legal counsel, patient relations and typical patients
- Design procedures from the patient's perspective
- Address any applicable state statutes
- Review other consent scenarios as appropriate (e.g. consent for treatments and procedures, consent for participation in clinical trials)

Determine the Approach(es)
- An Opt in approach is recommended
- Opt out strategies may bear a higher burden of proving adequate patient education
- Determine the exceptions that must be supported and how those exceptions can be honored
Set an Education Standard
- Consider designing a Consent Time Out to be employed, as appropriate, to evaluate the patient's ability to understand information and to provide consent
- Develop all materials:
  - Patient education materials
  - Consent documents
  - Provider script
- Develop a FAQ document

Create a Documentation Process
- Determine how to document consent and any exceptions
- Determine how opt in/opt out and any exceptions are flagged in other systems
- Consider comprehension verification strategies (e.g. teach back) and documentation of such
- Address how to handle future changes to previous direction
The ePHI Minefield
Benefits of the HIE:
- Better care coordination
- Faster diagnosis
- Improved health
- [Attain Meaningful Use Objectives]
Potential Landmines:
- Patient understanding
- Exceptions to sharing ePHI
- Handling changes
- Maintaining patient wishes
Success Factors
- Patient education
- Provider training
- Leveraging HIT systems to support policies

Further Reading
Rozovsky F, Kelly T. Mitigating the risks of 'meaningful consent' for HIE participation. Healthcare IT News. April 3, 2014. http://www.healthcareitnews.com/blog/miti gating risks meaningful consent hieparticipation
Questions?
Timothy.Kelly@standardregister.com