Computerized Networking of HIV Providers Workshop
Data Security, Privacy and HIPAA: Focus on Privacy
Joy L. Pritts, J.D.
Assistant Research Professor
Health Policy Institute, Georgetown University
Background
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
“Administrative simplification”
– Encourage electronic health care information infrastructure
– Protect security/privacy of health information
Who Is Covered
Covered entities
Health plans
Health care clearinghouses
Health care providers who transmit health claims-type information electronically
What Is Covered
Protected Health Information
Information in any format about a person’s:
Health, health care, or payment of health care;
Which identifies or reasonably could be used to identify the person; and
Was created or received by a covered health care plan or provider
What is NOT Covered
De-identified information
Qualified statistician has determined only very small chance of identifying person from information; or
All listed identifiers have been removed
– Name
– Dates associated with person (other than year)
– Social Security Numbers
– Etc.
General Structure
Restricts how covered entities can use and disclose protected health information
Grants patients rights (e.g., see, copy, amend own health information)
Imposes “administrative” requirements
General Rules
Uses & Disclosures: In General
Prohibits using and disclosing health information unless
Specifically permitted by regulation or
Authorized by patient
If the disclosure does not fit within one of the specifically enumerated purposes in the regulation, you must get the patient’s authorization.
Business Associates
Person who performs functions on behalf of covered entity involving use/disclosure of identifiable health information
Can disclose to “business associates” if certain conditions are met
Business Associates
Contract or other arrangement that
Establishes permitted uses/disclosures
Provides that business associate will use appropriate safeguards to protect info.
Makes health information available to patients pursuant to access rights
Meets other requirements
Minimum Necessary Rule
Requires reasonable effort to limit information to minimum amount necessary to accomplish intended purpose
45 C.F.R. § 164.502(b)
Rules for Specific Purposes
Treatment, Payment, and Health Care Operations
Regulatory permission to use and disclose for these purposes
Obtaining patient’s consent is permitted
Treatment, Payment, and Health Care Operations
Patient has right to request restrictions
Provider does not have to agree to request
Treatment, Payment, and Health Care Operations
Minimum necessary rule does not apply to disclosures for treatment purposes
“National Priority” Purposes
Required by Law
Public Health
Health Oversight
Law Enforcement
Research
To Avert Serious Threats to Health or Safety
Workers’ compensation
Others
“National Priority Purposes”
No patient authorization required
Additional conditions generally imposed varying with the purpose
Patient Authorization
Required for uses/disclosures not expressly permitted by regulation
Must conform with standard format
Patient Rights
Right to notice of privacy practices
Right to see, copy, and amend record
Right to an accounting of disclosures
– Excludes disclosures made for treatment, payment, & health care operations
Right to request restrictions
Administrative Duties
Provide notice of privacy practice
Designate privacy officer & contact person for complaints
Implement safeguards
Develop sanctions for privacy violations
Maintain documentation
Issues for Centralized Health Information Networks
Is Anyone on the Network Covered by the HIPAA Privacy and Security Regulations?
Health Plans
HMOs
Fee for service health insurers
Most group health plans
Medicaid programs
State high risk pools
Any individual or group plan that provides or pays for the cost of medical care
(45 C.F.R. § 160.103)
Health Plans
Ryan White CARE funded programs generally are not considered to be health plans, but
May meet the definition of health care provider
65 Fed. Reg. 82479
Health Care Clearinghouses
Person/entity that translates health information into/out of standard format
Central database that just stores/transfers information is not a clearinghouse
Covered Health Care Providers
Health Care Provider
Practitioners
Facilities
Those who furnish drugs, devices pursuant to prescriptions
Covered Health Care Providers
Must engage in:
Standard transactions
– Claims submission/encounter reports
– Verification of eligibility
– Referrals
– Others
Covered Health Care Providers (cont’d)
Electronically
– Use of computer
– Fax excluded
Impact
It is likely that someone on network will be covered by HIPAA.
If someone is covered, some client-level data will be protected by HIPAA.
Impact
Every class of disclosure to central data base must either
Come within permitted disclosures of HIPAA or
Be authorized by patient
What Provisions Justify Sharing Health Information With Central Database?
Business Associate
If covered entity enters data for treatment purposes
Business associate provisions permit organization that maintains database to store and share with others for treatment purposes
Business Associate
Does not permit organization to use or disclose for other purposes
[Diagram with the labels: Provider, Provider, Business Associate, “Info. for Treatment” (twice), “Use”]
“Required by Law”
Covered entity may make any disclosure that is “required by law” without the permission of individual who is the subject of information.
Disclosures “Required by Law”
When is a use or disclosure “required by law”?
Mandate is contained in law that compels use or disclosure; and
Is enforceable in court of law
Health Oversight
Permission of individual who is subject of information not required to disclose protected health information to a public health agency for oversight activities authorized by law.
Health Oversight
Public Health Authority includes
Federal, state, or regional entity authorized to oversee
Health care system or
Govt. programs for which health information is necessary to determine eligibility or compliance
Health Oversight
Overseeing health care system includes
Oversight of health care and health care delivery;
Analysis of trends in health care costs, quality, delivery, and access to care;
Other functions
Public Health
May disclose without authorization to public health authority that is authorized by law to collect or receive such information
Some Other Considerations
Business associate
Business associate or similar agreements
Patient right of access to information held by business associates
Some Other Considerations
Minimum necessary rule applies to disclosures for health oversight and public health
Some Other Considerations
State Law
HIPAA does not preempt stronger state law
Most states have laws related to HIV that are in some respects stronger than HIPAA
Some Resources
HHS (ASPE) http://aspe.hhs.gov/admnsimp/
– Admin. Simp. History
HHS, Office of Civil Rights http://www.hhs.gov/ocr
– Text of Privacy Regs.
– Guidance
CMS http://www.cms.hhs.gov/hipaa/hipaa2/default.asp
– Evaluation tool