Consumer View of Personal Information Risks

Transcription:

Navigating the ePHI Minefield
Meaningful Consent Meets the Restriction Requirements of the HIPAA Omnibus Rule
Timothy Kelly, MS, MBA
Standard Register Healthcare
86th AHIMA Convention & Exhibit San Diego, CA

Consumer View of Personal Information Risks
- 40 million customers with compromised credit and debit card information
- 70 million with compromised email and mailing address information
- Harris EA, Perlroth N. Target missed signs of a data breach. The New York Times. March 13, 2014.

Consumer View of Personal Information Risks
- 1.2 billion user name and password combinations
- 500 million email addresses
- Perlroth N, Gelles. Russian hackers amass over a billion internet passwords. The New York Times. August 5, 2014.

Consumer View of Personal Information Risks
- 56 million customers compromised
- Vinton K. With 56 million cards compromised, Home Depot's breach is bigger than Target's. Forbes. September 18, 2014.

Notable PHI Data Breaches
- $3.3 million fine: New York Presbyterian. PHI for 6,800 patients accessible by Google
- $1.73 million: Concentra. Theft of an unencrypted laptop with records of 148 patients (third incidence of a stolen laptop)
- $1.7 million: WellPoint. Disclosure of ePHI for 612,000 individuals
- Source: Health & Human Services, Health Information Privacy http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/ (accessed 7/17/14)

Notable PHI Data Breaches
- 206 hospital system
- Data on 4.5 million patients
- Names, Social Security numbers, physical addresses, birthdays and telephone numbers
- Pagliery J. Hospital network hacked, 4.5 million records stolen. CNN Money. August 18, 2014.

Health Information Exchange

Health Information Exchange (HIE)
- System that allows for the secure, electronic transfer of a patient's vital medical information
- Advantages include:
  - Speed
  - Availability of information
  - Fewer errors
  - Automatic integration of data into the EHR

HIE Implementation Status
- Directed and query exchanges are both available
- Only directed exchange is available
- Only query exchange is available
- Source: HealthIT.gov http://www.healthit.gov/policy researchersimplementers/state hie implementation status/ (accessed 7/17/14)

HIE Participation Options
- No consent. Health information of patients is automatically included; patients cannot opt out
- Opt out. Default is for health information of patients to be included automatically, but the patient can opt out completely
- Opt out with exceptions. Default is for health information of patients to be included, but the patient can opt out completely or allow only select data to be included
- Opt in. Default is that no patient health information is included; patients must actively express consent to be included, but if they do so then their information must be all in or all out
- Opt in with restrictions. Default is that no patient health information is made available, but the patient may allow a subset of select data to be included

Meaningful Use

Meaningful Use
- $25.1 billion paid through August 2014 to hospitals and eligible providers

Stages of Meaningful Use
- 2016 2017

Stage 2 Objective: View, Download, and Transmit to 3rd Party
Must satisfy both of the following requirements:
- More than 50 percent of all patients who are discharged from the inpatient or emergency department have their information available online within 36 hours of discharge
- More than 5 percent of all patients who are discharged from the inpatient or ED view, download or transmit to a third party
Meaningful Use Final Stage 2 2014 Edition Objective.

HIPAA Omnibus Final Rule

HIPAA Omnibus Final Rule
- Published in the Federal Register January 25, 2013
- Went into effect on September 23, 2013
- 45 CFR Parts 160 and 164
- 137 pages

HIPAA Omnibus Final Rule
"Much has changed in health care since HIPAA was enacted over fifteen years ago. The new rule will help protect patient privacy and safeguard patients' health information in an ever expanding digital age."
HHS Secretary Kathleen Sebelius, January 17, 2013

HIPAA Omnibus Final Rule
"This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patient's privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates."
HHS Office for Civil Rights Director Leon Rodriguez, January 17, 2013

HIPAA Omnibus Final Rule
Key Provisions

Patient Access
- Patients may request a copy of their electronic medical record in electronic form

Sharing Restrictions
- Patients who pay for tests or services out-of-pocket may restrict sharing of that information with:
  - Their Health Plan
  - Medicare

Definition of Breach
- Expanded to include limited data sets of information
- 54 data breaches of 500 or more patient records reported in the first 6 months of 2014
- U.S. Department of Health and Human Services' Office for Civil Rights (OCR)

Limits on Sharing of Information
- New limits on permissible uses for marketing and fundraising
- No sales of PHI without the patient's permission

State Law

Minors (State Law)
In California, a minor may consent to medical or dental care if all of the following are true:
- Minor 15 years of age
- Minor is living apart from parent or guardian
- Minor is managing the minor's own financial affairs
California Legislative Code. 6922(a).

Manner/Method of Communication (State Law)
In California:
- Can request manner: specify address
- Can request mechanism: phone, US mail, email

Patient Education

Goals of Patient Education
Patient must understand:
- What an HIE is
- What information can be accessed via an HIE
- Who can access that information
- How that information is secured
- His or her consent options
- The benefits of allowing access to health information

Tools for Patient Education
- Substantial resources are available on the HealthIT.gov website
- http://www.healthit.gov/p rovidersprofessionals/patientconsent electronic healthinformationexchange/econsent toolkit

Special Situations
Providers must be prepared to address patients with unique issues:
- Patients who require a surrogate decision maker
- Patients with disabilities or impairments
- Patients with limited health literacy
- Patients with limited English proficiency

Implementation

Form a Review Group
- Membership: IT, clinical leadership, legal counsel, patient relations and typical patients
- Design procedures from the patient's perspective
- Address any applicable state statutes
- Review other consent scenarios as appropriate (e.g. consent for treatments and procedures, consent for participation in clinical trials)

Determine the Approach(es)
- An Opt in approach is recommended
- Opt out strategies may bear a higher burden of proving adequate patient education
- Determine the exceptions that must be supported and how those exceptions can be honored

Set an Education Standard
- Consider designing a Consent Time Out to be employed, as appropriate, to evaluate the patient's ability to understand information and to provide consent
- Develop all materials:
  - Patient education materials
  - Consent documents
  - Provider script
- Develop a FAQ document

Create a Documentation Process
- Determine how to document consent and any exceptions
- Determine how opt in/opt out and any exceptions are flagged in other systems
- Consider comprehension verification strategies (e.g. teach back) and documentation of such
- Address how to handle future changes to previous direction

The ePHI Minefield
Benefits of the HIE
- Better care coordination
- Faster diagnosis
- Improved health
- [Attain Meaningful Use Objectives]
Potential Landmines
- Patient understanding
- Exceptions to sharing ePHI
- Handling changes
- Maintaining patient wishes

Success Factors
- Patient education
- Provider training
- Leveraging HIT systems to support policies

Further Reading
- Rozovsky F, Kelly T. Mitigating the risks of 'meaningful consent' for HIE participation. Healthcare IT News. April 3, 2014. http://www.healthcareitnews.com/blog/miti gating risks meaningful consent hieparticipation

Questions?
Timothy.Kelly@standardregister.com