Chapter 6 Notes
List the things that exist to foster trust.
laws
rules
regulations
contracts
contracts
establish expected behaviors in given situations and act as a mechanism to enforce those behaviors or apply penalties if a party does not behave as the contract requires
as parties behave according to the contract over time, more trust is established
laws/administrative rules/regulations
work in the same way as contracts; they carry enforcement penalties to which regulated parties are subject if they do not comply with the law
penalties create accountability for regulated entities (e.g. HIPAA covered entities), and as parties comply with the law or regulation over time, more trust is established across society
How are the concepts of privacy, security, confidentiality, and risk established?
through contracts, laws, and regulations
they represent situations in which parties must develop a high degree of certainty around how other parties will act in order for an HIE initiative to be successful
What helps establish the trust necessary for successful HIE?
the combination of contracts, laws, and regulations that define expected behaviors around privacy, security, confidentiality, and risk
privacy
the freedom to choose what information is shared or not shared with other parties (e.g. an individual’s right not to disclose their genetic predisposition to cancer on an employment application)
confidentiality
the obligation to keep secret the information with which one is entrusted (e.g. the obligation HIPAA imposes on covered entity healthcare providers not to disclose protected health information to the media without a patient’s authorization)
often mislabeled as a privacy obligation (e.g. the HIPAA Privacy Rule would more accurately be called a Confidentiality Rule, since it imposes obligations upon covered entities not to make certain disclosures of information)
security
the combination of administrative, technical, and physical safeguards that ensure confidentiality and promote privacy
comprises the safeguards that prevent inappropriate uses and disclosures of information (e.g. strong passwords, encryption, and door locks)
accountability
refers to the norms, processes, and structures that hold people legally responsible for their actions and impose penalties when laws are broken
a key privacy principle implemented throughout HIE to varying degrees and in different ways
privacy risk
the likelihood that individuals will experience problems as a result of data processing
can lead to breaches that impact individuals (e.g. an authorized EHR user accessing PHI for someone who is not their patient)
can also impact society, since privacy problems reduce trust when they are exposed
“rules of the road” for HIE
defined by a combination of laws and regulations at both state and federal levels as well as contracts among HIE participants
federal and state laws establish a baseline while HIE participants create additional rules through contracts among HIE participants (contracts cannot override or conflict with federal or state laws and regulations but they may detail obligations above and beyond federal or state laws and regulations)
“sensitive data”
mental and behavioral health data, communicable disease data, genetic information, and sexually transmitted disease data
state laws generally impose more stringent patient consent requirements on the disclosure of these types of data
HIPAA and federal law generally do not impose additional protections or consent requirements on communicable or sexually transmitted disease data
What primary pieces of federal regulation govern privacy, security, and confidentiality in the healthcare space?
HIPAA & HITECH
created the federal floor of laws and regulations that impact use and disclosure of PHI across an HIE network
they establish how healthcare entities (e.g. HIE network participants) will act in given situations
covered entity
a healthcare provider that engages in certain electronic transactions (essentially any healthcare provider that accepts insurance of any kind will engage in covered electronic transactions)
a health plan
a healthcare clearinghouse (an entity that converts health information into the standard formats required by HIPAA)
business associate
a person or entity (other than a member of a covered entity’s workforce) that creates, receives, maintains, or transmits PHI for or on behalf of a covered entity
HIOs and HIE networks are considered business associates under HITECH
PHI
individually identifiable health information transmitted or maintained in any form or medium
excludes certain education records and student medical records
the Privacy Rule lists 18 specific identifiers; health information paired with any of them is PHI
individually identifiable health information
health information, including demographic information, created or received by a covered entity that relates to the past, present, or future physical or mental health or condition of an individual and that identifies the individual or could reasonably be used to identify the individual
de-identified PHI & de-identified information
may be used by covered entities, and by their business associates with the covered entity’s permission
can raise privacy concerns as individuals may feel that third parties should not profit from the use of their de-identified data
can be used by researchers looking to promote public health or analyze the efficacy of various treatments
Privacy Rule
establishes permissible uses and disclosures of PHI and
Security Rule
establishes the baseline security controls that are required or addressable by covered entities and business associates
establishes a number of general requirements that apply to all covered entities and business associates and then describes a number of implementation specifications that are either “required” or “addressable” by covered entities and business associates
Privacy Rule
covered entities and business associates may only use or disclose PHI if the Privacy Rule permits the particular use or disclosure or if the person who is the subject of the PHI authorizes the use or disclosure
designed to allow sharing of health data among healthcare providers and health plans in the interest of patient treatment, improving quality, and population health management
“use” of PHI
the sharing, employment, application, utilization, examination, or analysis of such information within the entity that maintains it
“disclosure” of PHI
the release, transfer, provision of, access to, or divulging in any other manner of information outside the entity holding the information
Under the Privacy Rule, what are the primary uses and disclosures of PHI that are permitted without a patient’s authorization?
to the individual to whom the PHI relates
for treatment, payment, or healthcare operations
for public health activities
as required by law
for certain research activities where a privacy board or an institutional review board has waived the authorization requirement
Provide examples of HIE use cases for treatment purposes.
providing data at the point of care
delivering a clinical laboratory result
Provide examples of HIE use cases for public health purposes.
delivering immunization reports to public health authorities
providing data for public health syndromic surveillance
Provide examples of HIE use cases for healthcare operations purposes.
conducting quality assessment and improvement activities (outcome evaluations, development of clinical guidelines, etc)
population-based activities relating to improving health or reducing healthcare costs
related functions that do not include treatment
When is a covered entity obligated to grant a patient’s request that it not make certain uses or disclosures of the patient’s information?
when the patient pays out-of-pocket in full for healthcare and requests that their healthcare provider not share information relating to such healthcare with the patient’s health plan
Privacy Framework
enhances customer trust by helping organizations to prioritize privacy and communicate existing privacy protections and outcomes to their clients
uses a set of core functions aimed at helping an organization determine how it is considering privacy risks at every stage of development
HITECH Act
established a national requirement for individuals to be notified in the event of a breach of their PHI
generally increased the penalties for HIPAA violations
empowered State Attorneys General to bring HIPAA enforcement actions
calls for the sharing of HIPAA violation penalties with individuals harmed by violations
requires that HHS conduct HIPAA audits of covered entities and business associates
HITECH Breach Notification Rule
requires that a covered entity notify an individual of a breach of the individual’s “unsecured” PHI
covered entities must notify individuals and business associates must notify covered entities after performing a risk assessment
unsecured PHI
PHI that has not been encrypted or destroyed in accordance with guidance issued by the Secretary of HHS
illustrates the value and importance of encrypting PHI
Under the breach notification rule, what is presumed to be a breach?
an impermissible acquisition, access, use, or disclosure of unsecured PHI unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment
What factors may be used during a risk assessment to determine the probability of compromised PHI?
the nature and extent of the PHI involved including types of identifiers and the likelihood of reidentification
the unauthorized person who used the PHI or to whom the disclosure was made
whether the PHI was actually acquired or viewed
the extent to which the risk to the PHI has been mitigated
What must the notice to individuals (or from a business associate to a covered entity) include?
brief description of what happened (includes date of breach and the date of the discovery of the breach)
description of the types of unsecured PHI that were involved in the breach
any steps individuals should take to protect themselves from potential harm resulting from the breach
brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches
contact procedures for individuals to ask questions or learn additional information
media must be notified if the breach affects more than 500 residents of a state or jurisdiction, and HHS must be notified of all breaches (without unreasonable delay for breaches affecting 500 or more individuals, and annually for breaches affecting fewer than 500)
Information Blocking Regulations (IBRs)
represent a substantial milestone toward healthcare information interoperability that are best understood in tandem with HIPAA and other federal privacy and security laws
implement a complementary framework that effectively requires actors to make EHI available for access, exchange, or use in response to a request for EHI (failing to respond to a request may result in regulatory enforcement unless the actor lacked the necessary intent or a regulatory exception applies to the request)
List the 8 distinct exceptions, which function similarly to regulatory safe harbors, that the IBRs specify.
practices that are reasonable and necessary to prevent harm to a patient or another person
practices to protect the individual’s privacy
practices to protect the security of electronic health information
the request is infeasible to fulfill (e.g. uncontrollable events like natural disasters, or EHI cannot be unambiguously segmented)
practices reasonable and necessary to make health information temporarily unavailable (e.g. routine IT system maintenance)
actors may limit the content or manner in responding to a request
actors may charge fees, including a reasonable profit margin
actors may license interoperability elements subject to certain conditions
List the 3 contracting structure categories used in an HIE
party-to-party/point-to-point agreements - direct agreement between individual parties exchanging data with each other; no HIE entity involved; e.g. jurisdiction-by-jurisdiction agreements with the CDC for biosurveillance
challenges: each participant needs a separate agreement with every other participant (N - 1 agreements per participant, or N(N - 1)/2 in total for a fully connected network of N participants), so the number of agreements grows quickly as participants are added
two-party HIE participation agreements - individual agreement between HIE entity and a participant; HIE participants do not have direct contractual privity with each other; involvement of an HIE entity; e.g. “one-off”/individual agreements with different entities that participate in HIE network
challenges: the variation among agreements the HIO signs creates challenges for the HIO in administering data exchange
multiparty agreement - common set of terms and conditions to which an HIE entity and all participants agree; HIE network and all participants are in direct contractual privity with each other; involvement of an HIE entity; e.g. the DURSA governing eHealth Exchange, or TEFCA
challenges: challenging to implement as all HIE network participants and the HIO must agree to the same terms
privity
a direct contractual relationship between parties
What role do state laws play in the area of sensitive data?
they can be enacted to add additional requirements on the use and disclosure of health information (in the area of patient consent)