HIPAA
Health Insurance Portability and Accountability Act of 1996



Adam Cushner
Outline

• Overview of HIPAA
• Specifics of HIPAA
• Suggestions for implementation
• Effects
• Problems
• Questions
An Act

• To amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes.
• Signed by President Bill Clinton on July 21, 1996
• Named because it was originally about, well, the portability of health insurance. The focus, however, is on the privacy of medical records.
• Passed partly because of the failure of Congress to pass comprehensive health insurance legislation earlier in the decade
General Objectives

• Increase the number of employees who have health insurance
• Reduce health care fraud and abuse
• Introduce/implement administrative simplifications in order to augment the effectiveness of health care in the US
• Protect the health information of individuals against access without consent or authorization
Even More General Objectives

• Give patients more rights over their private data
• Set better boundaries for the use of medical information
• Hold people accountable for misuse
• Encourage administrative simplification (in the form of digitalization of information) to help reduce costs
General Objectives for Information

• Ensure privacy and security of health information by designating Protected Health Information (PHI)
  – PHI, for example, must be treated in the same way in which you would treat someone’s tissue (with regard to privacy)
• Set a standard for data using Electronic Data Interchange (EDI)
Dynamically HIPAA

• HIPAA’s goals, in a sense, are aimed at a moving target:
  – Technologies to help implement HIPAA are constantly changing
  – Attitudes towards privacy are changing
  – Also, there is not much empirical evidence to show whether HIPAA is doing what it set out to do (e.g. reduce costs)
What HIPAA Directly Affects

• Covered Entities
  – Health plans
  – Health care clearinghouses
  – Health care providers who transmit health information in electronic form for certain standard
• Pending ideas:
  – National Provider IDs
  – National Employer IDs
  – National Health Care IDs
  – National Individual IDs
Security Regulations

• Contingency Plan
• Access Control
• Audit Control
• Person or Entity Authentication
Contingency Plan
(A) Data backup plan. Establish and implement procedures to
    create and maintain retrievable exact copies of electronic
    protected health information.

(B) Disaster recovery plan. Establish (and implement as needed)
    procedures to restore any loss of data.

(C) Emergency mode operation plan. Establish (and implement
    as needed) procedures to enable continuation of critical
    business processes for protection of the security of electronic
    protected health information while operating in emergency
    mode.
Access Control

• Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in [164.308(a)(4)].
• Difficulties in implementation.
  – Too much or too little access.

Audit Control

• Allow reviews of usage statistics to check for potential misuse
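The access-control and audit-control requirements above meet in the routine review of an access trail. What follows is an added example, not code from the original slides: it parses a constructed audit log (the log format, the role names, the `ROLE_PERMISSIONS` table and the patient `ASSIGNMENTS` are all this example's assumptions), produces the per-user usage statistics an audit review starts from, and flags accesses that fall outside a role's granted rights or outside the user's treatment relationship with the patient, while surfacing emergency (break-glass) access for after-the-fact review rather than blocking it.

```python
import re
from collections import defaultdict

# Constructed sample audit trail (not from the slides): one access per line.
AUDIT_LOG = """\
2003-04-14T08:01:10 user=dr_lee role=physician action=view patient=P1001 reason=treatment
2003-04-14T08:05:42 user=nurse_kim role=nurse action=view patient=P1001 reason=treatment
2003-04-14T08:06:03 user=nurse_kim role=nurse action=update patient=P1001 reason=treatment
2003-04-14T09:12:19 user=bill_ray role=billing action=view patient=P1002 reason=billing
2003-04-14T11:40:00 user=dr_lee role=physician action=view patient=P2003 reason=emergency
2003-04-14T13:02:11 user=nurse_kim role=nurse action=view patient=P1003 reason=treatment
2003-04-14T13:02:45 user=nurse_kim role=nurse action=view patient=P1004 reason=treatment
2003-04-14T13:03:20 user=nurse_kim role=nurse action=view patient=P1005 reason=treatment
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) patient=(?P<patient>\S+) reason=(?P<reason>\S+)$"
)

# Actions each role has been granted (a stand-in for rights granted under 164.308(a)(4)).
ROLE_PERMISSIONS = {
    "physician": {"view", "update"},
    "nurse": {"view"},
    "billing": {"view_billing"},
}

# Patients each user is currently caring for or handling: the "need to know" (assumed).
ASSIGNMENTS = {
    "dr_lee": {"P1001", "P1002"},
    "nurse_kim": {"P1001"},
    "bill_ray": {"P1002"},
}


def parse_audit_log(text):
    """Parse the trail; malformed lines are returned rather than silently dropped."""
    entries, malformed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        match = LINE_RE.match(line)
        if match:
            entries.append(match.groupdict())
        else:
            malformed.append(line)
    return entries, malformed


def usage_statistics(entries):
    """Distinct patients touched per user: the usage statistics a review starts from."""
    touched = defaultdict(set)
    for entry in entries:
        touched[entry["user"]].add(entry["patient"])
    return {user: len(patients) for user, patients in touched.items()}


def review_audit(entries, assignments, role_permissions=ROLE_PERMISSIONS):
    """Flag accesses the access-control policy should not have allowed, or that need review.

    kinds: role_denied               action outside the role's granted rights
           no_treatment_relationship patient not assigned to the user
           emergency_access          break-glass access: permitted, but reviewed after the fact
    """
    findings = []
    for entry in entries:
        if entry["action"] not in role_permissions.get(entry["role"], set()):
            kind = "role_denied"
        elif entry["patient"] in assignments.get(entry["user"], set()):
            continue
        elif entry["reason"] == "emergency":
            kind = "emergency_access"
        else:
            kind = "no_treatment_relationship"
        findings.append({"ts": entry["ts"], "user": entry["user"],
                         "patient": entry["patient"], "kind": kind})
    return findings


if __name__ == "__main__":
    entries, malformed = parse_audit_log(AUDIT_LOG)
    print("usage:", usage_statistics(entries))
    for finding in review_audit(entries, ASSIGNMENTS):
        print(finding)
```

In the constructed trail, nurse_kim's three consecutive views of unassigned patients are what the usage statistic (four distinct patients against one assignment) is meant to surface; the billing user's plain `view` shows why rights are granted per role rather than per system.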
Person or Entity Authentication

• Procedures to identify users seeking information
Security Regulations Wrap-up

• Essentially, use rules that any good company would use to protect its data
  – Difficult in the health care profession because so many people need access to patients’ information
• The rules and ideas for data protection are also mandated on the human side of things
  – E.g. training of employees, physical protection of data storage facilities.
Privacy Rule

• Different types of protected data:
  – Protected Health Information (PHI)
    · Previously defined
  – Individually Identifiable Health Information (IIHI)
  – De-identified Health Information
  – Limited Data Sets
Privacy Rule (cont)

• IIHI
  – includes any subset of health information, including demographic information collected from an individual, that:
  – identifies the individual (or there is a reasonable basis to believe that the information can be used to identify the individual)
Privacy Rule (cont)

• De-identified Health Information:
  – Health information is considered de-identified when it does not identify an individual and the covered entity has no reasonable basis to believe that the information can be used to identify an individual. Information is considered de-identified if 17 identifiers are removed from the health information and if the remaining health information could not be used alone, or in combination, to identify a subject of the information. Identifiers include:
Privacy Rule (cont)

(1)  names,
(2)  geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code and equivalent geocodes, except for the initial three digits of a zip code to 000,
(3)  all elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, and all ages over 89,
(4)  telephone numbers,
(5)  fax numbers,
(6)  electronic mail addresses,
(7)  Social Security numbers,
(8)  medical record numbers,
(9)  health plan beneficiary numbers,
(10) account numbers,
(11) certificate/license numbers,
(12) vehicle identifiers and serial numbers, including license plate numbers,
(13) device identifiers and serial numbers,
(14) Web Universal Resource Locator (URL),
(14) biometric identifiers, including finger or voice prints,
(15) full face photographic images and any comparable images,
(16) Internet Protocol address numbers,
(17) any other unique identifying number, characteristic or code
Privacy Rule (cont)

• Limited Data Sets may contain certain types of direct identifiers, while others must be removed:
Limited Data Sets

Direct identifiers that must be removed from the information for a limited data set are:
(1) name,
(2) address information (other than city, State, and zip code),
(3) telephone and fax numbers,
(4) e-mail address,
(5) Social Security number,
(6) certificate/license number,
(7) vehicle identifiers and serial numbers,
(8) URLs and IP addresses,
(9) full face photos and other comparable images,
(10) medical record numbers, health plan beneficiary numbers, and other account numbers,
(11) device identifiers and serial numbers,
(12) biometric identifiers including finger and voice prints.

Limited Data Sets

Identifiers that are allowed in the limited data set are:
(1) admission, discharge and service dates,
(2) birth date,
(3) date of death,
(4) age (including age 90 or over),
(5) geographical subdivisions such as state, county, city, precinct and five digit zip code.
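The two lists above (the identifiers stripped for de-identification, and the narrower list stripped for a limited data set) can be applied mechanically to a record. What follows is an added example, not code from the original slides: `deidentify` runs a constructed patient record through either list, and `residual_identifiers` sweeps what remains for identifier patterns (SSN, phone, e-mail, URL, IPv4) that hide in free-text fields, which is one practical check on the "could not be used alone, or in combination" condition. The field names, the `SAMPLE_RECORD` values and the regular expressions are this example's assumptions; for zip codes it keeps only the three-digit prefix and does not implement the further "000" condition the list alludes to, and dates are assumed to be ISO strings.

```python
import re

# Fields that both lists say must go: names, contact details, SSN, record/
# account/plan numbers, licence, vehicle and device identifiers, URLs, IP
# addresses, biometrics and photographs. Field names are this example's assumption.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "beneficiary_no", "account_no", "license_no", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}

# Dates: reduced to the year for de-identification, kept in a limited data set.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date",
               "service_date", "death_date"}

# Geography below the state: dropped for de-identification, kept in a limited data set.
SUB_STATE_GEOGRAPHY = {"city", "county", "precinct"}

# Identifier patterns that tend to survive inside free-text fields such as notes.
FREE_TEXT_PATTERNS = [
    ("ssn",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("phone", re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b")),
    ("email", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("url",   re.compile(r"https?://\S+")),
    ("ipv4",  re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]


def scrub_text(text):
    """Replace identifier-looking substrings in free text with a removal tag."""
    for label, pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub(f"[{label.upper()} REMOVED]", text)
    return text


def deidentify(record, mode="safe_harbor"):
    """Return a copy of `record` with identifiers handled according to `mode`.

    mode="safe_harbor": apply the full removal list (dates to year only, ages over
                        89 to "90+", zip to its first three digits, no geography
                        below the state).
    mode="limited":     build a limited data set (dates, age and city/county/
                        precinct/five-digit zip are kept).
    """
    if mode not in ("safe_harbor", "limited"):
        raise ValueError(f"unknown mode {mode!r}")
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if mode == "safe_harbor":
            if field in DATE_FIELDS:
                out[field] = str(value)[:4]      # ISO date assumed: keep the year
                continue
            if field == "age":
                out[field] = "90+" if value > 89 else value
                continue
            if field == "zip":
                out[field] = str(value)[:3]      # three-digit prefix only
                continue
            if field in SUB_STATE_GEOGRAPHY:
                continue
        # Whatever remains in either mode is swept for identifiers hiding in text.
        out[field] = scrub_text(value) if isinstance(value, str) else value
    return out


def residual_identifiers(record):
    """List (field, label) pairs where an identifier pattern is still present."""
    return [(field, label)
            for field, value in record.items() if isinstance(value, str)
            for label, pattern in FREE_TEXT_PATTERNS if pattern.search(value)]


# Constructed sample record; every value here is made up for the example.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "ssn": "123-45-6789",
    "email": "jane@example.org",
    "phone": "555-010-2222",
    "street_address": "12 Elm St",
    "city": "Boston", "county": "Suffolk", "state": "MA", "zip": "02111",
    "birth_date": "1931-02-14",
    "admission_date": "2003-04-14", "discharge_date": "2003-04-20",
    "age": 92,
    "mrn": "MRN-0001",
    "ip_address": "10.0.0.5",
    "diagnosis": "Post-transplant bacteremia, cultures pending",
    "notes": "Pt reachable at 555-010-2222 or jane@example.org; portal http://portal.example.org/p/1",
}

if __name__ == "__main__":
    for mode in ("safe_harbor", "limited"):
        cleaned = deidentify(SAMPLE_RECORD, mode)
        print(mode, cleaned, "residual:", residual_identifiers(cleaned))
```

The free-text sweep is the part worth keeping even when structured fields are handled by schema: the constructed `notes` field carries the same phone number and e-mail address that were removed as columns, and a release that dropped the columns alone would still ship them.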
Privacy Rule (cont)

• Deals with Individually Identifiable Health Information (IIHI) and Protected Health Information (PHI)
• Provides, for the first time ever, Federal protections for the privacy of protected health information
• Sets only a lower bound on protection – stricter state laws would not be trumped by this, but weaker ones would
• Requires notification of information practices
Privacy Rule (cont)

• Gives patients more control over their information
• Sets boundaries on the release of information
• Holds violators accountable with civil and criminal penalties
• Allows for data to be released if it aids public health (e.g. statistics about a disease, de-identified patient data)
Privacy Rule (cont)

• Compliance date of April 14th, 2003 (2004 for certain small covered entities)
• Designed entirely to control the propagation and dissemination of electronic information
Privacy Rule (cont)

• Basically, data is allowed to be accessed on a need-to-know basis
  – E.g. use for health-care specific operations
• Fundraising, marketing, and research usually require separate and specific patient authorizations
Privacy Standards

• Must have a procedure for complaints to be filed
• Covered Entities cannot require individuals to waive their rights regarding HIPAA
• Deceased patients’ information is still protected by HIPAA
Minimum Necessary

• When using or disclosing protected health information or when requesting protected health information from another covered entity, a covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request
• Does not apply to:
  – Health care providers
  – Individuals concerning their own information
  – Certain legal needs
Disclosures to Business Associates

• A covered entity may disclose protected health information to a business associate and may allow a business associate to create or receive protected health information on its behalf, if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information

Disclosures to Business Associates (cont)

• A contract between a covered entity (CE) and a business associate must ensure that the associate will essentially comply with HIPAA.
Whistleblower Protection

• Disclosures by whistleblowers:
  (i) The workforce member or business associate believes in good faith that the covered entity has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by the covered entity potentially endangers one or more patients, workers, or the public; and

Whistleblower Protection (cont)

  (ii) The disclosure is to:
    (A) A health oversight agency or public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of the covered entity or to an appropriate health care accreditation organization for the purpose of reporting the allegation of failure to meet professional standards or misconduct by the covered entity; or
    (B) An attorney retained by or on behalf of the workforce member or business associate for the purpose of determining the legal options of the workforce member or business associate with regard to the conduct.
Research Privacy Rules

• Based on HHS regulations from the 1970s that are now known as the “Common Rule”
• Because HIPAA applies to care and not to research, this rule is still largely in effect
• De-identified information can still be used widely, but research databases with large amounts of identifiable patient data cannot
Research Privacy Rules (cont)

• Requirements for tracking and accounting of disclosures of patient data used in research where no patient authorization is obtained
• Restrictions on recruitment of patients for clinical studies
• Restrictions on the creation and maintenance of databases containing identifiable individual health data for research use

Research Privacy Rules (cont)

• A requirement for a separate patient authorization for the use of health data for research
  – A consent for treatment cannot be combined with consent for research
• Creates a substantial burden on the conduct and oversight of human studies
  – Authorizations for research data must specify exactly which data can be used by whom and for what purposes
  – May be time-limited
  – Can be rescinded at any time, although not retroactively
  – Low-risk studies might not require authorization
Requirements of Authorizations

• a description of the information to be used for research purposes;
• who may use or disclose the information
• who may receive the information
• purpose of the use or disclosure
• expiration date of authorization
• how long the data will be retained with identifiers
• individual’s signature and date
• right to revoke authorization
• right to refuse to sign authorization (if this happens, the individual may be excluded from the research and any treatment associated with the research)
• if relevant, that the research subject’s access rights are to be suspended while the clinical trial is in progress, and that the right to access PHI will be reinstated at the conclusion of the clinical trial.
• that information disclosed to another entity in accord with an authorization may no longer be protected by the rule
Dept. of Health and Human Services (HHS)

• Privacy and security regulations were created by HHS
• Done so because of a key provision in HIPAA which said that if Congress did not specify these regulations by 1999, HHS had to do it
• Final privacy regulations issued in late 2000; final security regulations issued in February 2003
Punishments for Wrongful Use or Disclosure of PHI

• Up to $50,000 and 1 year in jail
• If under false pretenses, $100,000 and 5 years in jail
• If with intent to sell, up to $250,000 and 10 years in jail
Technologies

• Application Service Providers (ASPs)
• Virtual Private Networks (VPNs)
• Biometrics
• Information Lifecycle Management (ILM)*

* Actually, a collection of technologies
ASPs

• Provide backend hardware and software
• Rent their services, usually on a monthly or yearly schedule, as opposed to licensing their software
  – They take the responsibility of upgrading their software and hardware
• Many in the health care field rely on ASPs. As a result, they are affected by HIPAA because covered entities must ensure that ASPs are HIPAA compliant.
ASPs and HIPAA

• Must be cautious about scalability of security
• Because information is transmitted between the covered entities and the ASPs, it must be protected (by some sort of cryptography)
  – Good solution: use a VPN

VPNs

• Basically, a temporary, secure link over a public network (e.g. the internet)
• Cheaper than having a dedicated line
Biometrics

• Good way to uniquely identify people or entities
• Unfortunately, many current biometric technologies are easily fooled
• Not currently used very much

Information Lifecycle Management

• A system for assessing the use of data and, based on usage, classifying data for efficiency of access and storage
• Basic principles of ILM:
  – Assessment
  – Classification
  – Automation
Dates of Compliance

• 10/16/2002 – Transactions and code sets
• 4/14/2003 – Privacy Rule
• 4/14/2003 – Business Associates
• 4/20/2005 – Security Rule
Effects

• HIPAA caused a large number of commercial products supporting HIPAA to proliferate.
• Large financial strain on CEs to implement changes to infrastructure capable of supporting HIPAA

Effects (cont)

• Too early to tell how effective HIPAA is/will be, both for increasing privacy and for the efficiency/economy of data information exchange.
Cases in which HIPAA caused problems

• A patient between 50 and 70 years of age (exact age and sex withheld in compliance with HIPAA) underwent cardiac transplantation at the Tufts-New England Medical Center. The care team was notified two days after the operation that the donor's blood cultures had revealed bacteremia. The infectious-disease consultant contacted the hospital that had cared for the donor to ascertain the identity of the bacterium so that antibiotic therapy could be properly tailored for the now-immunosuppressed recipient. The donor's hospital stated that providing such information would violate HIPAA, since the hospital did not have authorization (from the now-deceased donor), notwithstanding the fact that time was of the essence for the recipient. Although clinical common sense should make this scenario a non-issue, HIPAA impeded clinical care.

Cases in which HIPAA caused problems (cont)

• A patient between 40 and 50 years of age was referred to a cardiologist for the urgent evaluation of chest pain after an exercise stress test. With the patient in the examination room, the cardiologist asked that the tracings from the stress test be faxed for his review. At that time, the patient was extremely anxious. The referring facility refused to fax the tracings, stating that using a fax would violate HIPAA, notwithstanding the patient's oral demand that the tracings be faxed and assurance that the receiving fax machine was in a secure location. Although the tracings were eventually received, this misinterpretation of the HIPAA privacy regulation added two full hours to this patient's evaluation. The patient became upset and required urgent catheterization and angioplasty the next day.
Life Insurance, Disability Insurance, and Workers’ Comp

• Currently, HIPAA only applies to health care providers, clearinghouses, and plans, all of which need access to PHI. It does not address, however, life insurance, disability insurance, and workers’ comp, even though they all require access to PHI.
• Many companies are taking a "better too much than not enough" approach in which they will often protect information relating to these three things.
• Still, some PHI is left unprotected.
Possible detrimental effects on:

• Research
• Care

Problem to consider

• An employee of a blood bank gets a call from a hospital asking what the transfusion history is of a patient he is transfusing. How do you know the person calling really has a right to know such info? How do you ID that person?