Privacy & Security in 2011

Transcription

1 Privacy & Security in 2011 Sarah Meshak, JD Vice President & General Council Linda Minghella Vice President & Chief Information Officer 1

2 Agenda HITECH Act New Accounting Rules Meaningful Use Other Notices of Proposed Rulemaking Colorado Regional Health Information Organization (CORHIO) Hot Topics OCR Enforcement 2

3 HITECH Update Accounting of Disclosures Proposed Rule History 2009 HIPAA HITECH Gives individuals right to receive an accounting of disclosures of PHI in an electronic health record 3

4 Current Accounting Rule Account for all disclosures except specified exclusions No accounting for treatment, payment, health care operations Applies to paper and electronic PHI, regardless of whether in designated record set Includes disclosures to, from and by a business associate Includes disclosures for 6 years prior to request 4

5 Proposed Rule Revises Creates two separate rights: Right to Accounting of disclosures Right to Access Report Both rights limited to 3 years prior to request 5

6 Right to Accounting Provides information on disclosures of designated record set information to persons outside the covered entity or its business associates for specific purposes Applies to both paper and electronic PHI 6

7 Right to Access Report Provides information on who has accessed an individual s electronic PHI in a designated record set 7

8 Accounting Applies only to PHI in a designated record set group of records maintained by or for a covered entity to make decisions about individuals medical and billing records health, plan enrollment, payment, claims adjudication and case management records 8

9 Disclosures Subject to Accounting Old rule = inclusive, specifies exceptions New rule = more limited, specifies disclosures Includes disclosures by business associates for PHI held by the BA in a designated record set 9

10 Disclosures Required for Accounting Public health activities (except child abuse reports) Judicial/Administrative proceedings Law enforcement activities Avert serious threat to health or safety Military veterans activities State Department medical suitability determination Government programs providing public benefits Workers compensation Impermissible disclosures that do not rise to level of breach 10

11 Exceptions to Accounting Proposed rule maintains all existing exceptions including exception for treatment, payment and healthcare operations disclosures New exception for disclosures that constitute a breach under the breach notification rule disclosure is made through required notification 11

12 Content of Accounting Allows for approximate date or range if actual date unknown Name of person receiving PHI not required if disclosure of name would disclose PHI about another individual May give patients option to limit scope of accounting 12

13 Provision of Accounting to Patients Response time decreased from 60 to 30 days Provided in a form requested by the individual May require the request to be in writing First request in 12 month period, free; costbased charges for subsequent requests. 13

14 Documentation Requirements Decrease time for retaining accounting documentation from 6 years to 3 years Maintain copy, not original of accounting 14

15 Access Report Applies to all uses and disclosures of electronic PHI in a designated record set Applies to all covered entities and business associates that maintain electronic designated record set PHI Excludes patient safety work product 15

16 Access Report: Business Associate Covered entity must include information in access report from business associates that handle electronic designated record set PHI Cannot simply provide list of business associates 16

17 Content of Access Report Date/time of access Name of person (if available) or entity that accessed PHI Description of PHI accessed Description of action by user, if available (e.g., view, create, modify, delete) Individual may limit scope of access report 17

18 Provision of Access Report Same timing as for accounting 30 days In format requested by individual No charge for first report in 12 month period Must provide notice of fee to be charged for subsequent reports May require request for report to be in writing 18

19 Documentation of Access Report Retain documentation to produce access report for 3 years Retain copies of access reports provided to individuals for 6 years 19

20 Other Provisions Proposed rule does not require full accounting of TOP disclosures through an EHR when disclosures received by another electronic system Covered entity must include right to access report in privacy notice 20

21 HITECH Updates Systems Perspective on New Accounting Rules 21

22 HITECH Updates College for Health Information Management Executives (CHIME) 1400 members CIO s and/or Senior Health IT Professionals Concerns Variability in interpretation and understanding of the designated record set Unrealistic expectation that providers can aggregate access events in an automated fashion which include providers, covered entities and business associates Administrative and financial burden 22

23 HITECH Updates Access Reports Issues Will require new/expensive software (which doesn t exist today) No ANSI standards exist to aggregate information across multiple systems A single patient over three years can have thousands of access events Can take >12 hours to compile current limited data Will increase disk storage (and cost) to keep so much detail 23

24 HITECH Updates Access Reports CHIME Recommendations Remove Access Report Requirement in final rule If not removed, Convene stakeholders to determine what is feasible Limit the data gathered through certified EHRs (not the full designated record set) 24

25 HITECH Updates Accounting Disclosures Issues Will require one or more customized report The proposed rule did not define the type data element Data collected prior to the final rule may not meet requirements pulling retroactive data will be incomplete Aggregating information across multiple information systems and business associates will take longer than 30 days 25

26 HITECH Updates Accounting Disclosures CHIME Recommendations Define the data element type in a simple and straightforward way and give covered entities some flexibility in reporting type information Keep the 60 day timeline for responding Make the data collection requirement start date after the final rule is effective 26

27 HITECH Updates Meaningful Use Requirements Stage 1 Objective: Protect electronic health information created or maintained by the certified EHR technology through implementation of appropriate technical capabilities Measure: Conduct or review a security risk analysis per 45 CFR (a)(1) and implement security updates as necessary to correct identified security deficiencies as part of it s risk management process 27

28 HITECH Updates Meaningful Use Requirements Stage 1 EHR Certification Criteria Assign a unique name and/or number for identifying and tracking user identity and establish controls that permit only authorized users to access electronic health information Permit authorized users (who are authorized for emergency situations) to access electronic health information during an emergency Terminate an electronic session after a pre-determined period time of inactivity Record actions related to electronic health information in accordance with the standard (action = created, modified, accessed, or deleted) 28

29 HITECH Updates Meaningful Use Requirements Stage 1 EHR Certification Criteria (Continued) Enable a user to generate an audit log for a specific time period and to sort entries in the audit log according to any of the elements specified in the standard Electronically transmitted PHI Create a message digest Verify that exchanged health information has not been altered Detect the alteration of audit logs Verify that the person or entity seeking access to electronic health information is the one claimed and is authorized to access such information Encrypt and decrypt electronic health information when exchanged 29

30 NPRM Updates HHS Inter-Division Task Force Office of the National Coordinator IT Strategic Plan Develop an updated approach to health IT privacy & security issues Address the individual s choice to exchange information electronically (NPRM on Metadata) NPRM on Lab Results Directly to the Patient Changes to CLIA and HIPAA Privacy Rule Labs would be required to provide direct patient access to their completed test reports at a patient request Removes the existing exception to an individual s right to access to his or her test reports Acknowledges state s rights to have different policies but federal regulations would preempt state laws 30

31 CORHIO HIPAA Regulations Rules to know for CORHIO Changes for Privacy Notice Consent Authorizations Special Populations Mental Health HIV Status 31

32 CORHIO BCH Implementation Opting In/Out Colorado is an Opt In State Patients must take specific action to Opt Out Change in Consent Process Provide patients with information about CORHIO Have Opt In/Out forms available Process to handle Opt In/Out Auditing 32

33 Hot Topics Social Media Form of electronic communication (as Web sites for social networking and microblogging) where users create online communities to share information, ideas, personal messages, and other content (as videos) Legal Issues/Concerns Policy Considerations Allow vs. Don t Allow Reduce/eliminate connections to employer Prohibit personal relationships with patients/families Include Enforcement 33

34 OCR Enforcements Medical Record Copy Fees Other 34