Privacy
A social value; the right “to be let alone”
Confidentiality
Similar to privacy
Stems from sharing of private thoughts in confidence with someone else
Use
How a healthcare organization avails itself of health information internally
Disclosure
Health information is disseminated outside a healthcare organization
Ex. Providing patient information to an insurance company
What supersedes HIPAA law?
State laws but only if they are more strict.
HIPAA Privacy Rule
Key federal regulations that govern the protection of protected health information (PHI)
Administrative Simplification
HIPAA’s attempt to streamline and standardize the healthcare industry’s non-uniform business practices, such as billing, to include the electronic transmission of data
Preemption
Federal law may supersede state law or vice versa
American Recovery and Reinvestment Act (ARRA)
Provided significant funding for health information technology and other economic stimulus funding, and it also made important changes to the HIPAA Privacy and Security Rules
Office of the National Coordinator for Health Information Technology (ONC)
First established by presidential executive order
Not recognized by the statute as an entity within the Department of Health and Human Services (HHS)
Department of Health and Human Services
Responsible for coordinating national efforts to implement and use HIT, and to promote the exchange of electronic health information
Includes: Office of Policy, Office of Standards and Technology, Office of the Chief Privacy Officer
Covered Entity (CE)
A person or organization that must comply with the HIPAA Privacy Rule
What are the three types of covered entities?
Healthcare providers
Health plans
Healthcare clearinghouses
Healthcare Providers
Only includes those that conduct certain transactions (financial or administrative) electronically
Include hospitals, long-term care facilities, physicians, and pharmacies
Health Plans
Pay for the cost of medical care
Healthcare Clearinghouses
Process claims between a healthcare provider and payer
Ex. An intermediary that processes a hospital’s claim to Medicare to facilitate payment
Business Associate (BA)
A person or organization other than a member of a CE’s workforce that performs functions or activities on behalf of or for a CE that involves the use or disclosure of PHI
Include: consultants, billing companies, transcription companies, accounting firms, law firms, and patient safety organizations (PSOs)
Business Associate Agreement (BAA)
A contract between the covered entity and a business associate that must establish the permitted and required uses and disclosures of protected health information by the business associate; the rule provides specific content requirements for the agreement
Workforce
Consists not only of employees, but also volunteers, student interns, trainees, the board of directors, and even employees of outsourced vendors who routinely work on-site in the CE’s facility
Protected Health Information (PHI)
Identifies an individual or provides a reasonable basis to believe the person could be identified from the information given
What is the 3-part test to see if information is PHI?
Information must be held or transmitted by a CE or BA in any of the forms listed previously
Must be individually identifiable health information
Must relate to a person’s past, present, or future physical or mental health condition, the provision of healthcare, or payment for the provision of healthcare
Individually Identifiable Health Information
The information must either identify the person or provide a reasonable basis to believe the person could be identified from the information
How long must an individual be deceased before the information loses PHI status?
50 years
Deidentified Information
Does not identify an individual because personal characteristics have been stripped from it in such a way that it cannot later be reconstituted or combined to reidentify an individual
What needs to be done to ensure deidentification?
The CE can strip certain elements to ensure the patient’s information is truly deidentified
The CE can have an expert apply generally accepted statistical and scientific principles and methods to minimize the risks that the information might be used to identify an individual
Individual
The person who is the subject of PHI
Personal Representative
A person who has legal authority to act on another’s behalf
Must be treated the same as an individual regarding use and disclosure of the individual’s PHI
Designated Record Set (DRS)
Includes the health records, billing records, and various claims records that are used to make decisions about an individual
Broader than the legal health record, it contains more components than those that would ordinarily be produced upon request
Minimum Necessary Standard
Requires that uses, disclosures, and requests be limited to only the amount needed to accomplish an intended purpose
Does not apply to PHI used, disclosed, or requested for treatment, payments, or operation purposes
Treatment, Payment, and Operations (TPO)
An important concept because the Privacy Rule provides a number of exceptions for PHI that is being used or disclosed for these purposes
Treatment
Providing, coordinating, or managing healthcare or healthcare-related services by one or more healthcare providers
Includes caring for patients admitted to the hospital or coming for an appointment with a physician; also includes healthcare provider consultations and referrals of the patient from one provider to another
Payment
Includes activities by a health plan to obtain premiums, billing by healthcare providers or health plans to obtain reimbursement, claims management, claims collection, review of the medical necessity of care, and utilization review
Operations
Includes quality assessment and improvement, case management, review of healthcare professionals’ qualifications, insurance contracting, legal and auditing functions, and general business management functions such as providing customer service and conducting due diligence
What are the key goals to the Privacy Rule?
To provide greater privacy protections for one’s health information (this also serves to limit access by others)
To provide an individual with greater rights with respect to his or her health information
Right of Access
Allows an individual to inspect and obtain a copy of his or her own PHI contained within a designated record set, such as a health record
Extends as long as the PHI is maintained
Psychotherapy notes are an exception
Psychotherapy Notes
Behavioral health notes that document a mental health professional’s impressions from private counseling sessions
No opportunity to review
The PHI is psychotherapy notes
The PHI was compiled in reasonable anticipation of, or for use in, civil or criminal litigation or administrative action
The CE is a correctional institute or provider that has acted under the direction of a correctional institute, and an inmate’s request for his or her PHI creates health or safety concerns
The PHI is created or obtained by a covered healthcare provider in research that includes treatment, and an individual receiving treatment as part of a research study agrees to temporarily suspend his or her right to access PHI
The PHI was obtained from someone other than a healthcare provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information
The PHI is contained in records that are subject to the Federal Privacy Act, if the denial of access under the Privacy Act would meet the requirements of that law
The PHI is maintained by a CE that is subject to the Clinical Laboratory Improvement Amendments (CLIA) of 1988, which regulates the quality of laboratory testing, and CLIA would prohibit access
The PHI is maintained by a CE exempt from CLIA requirements
Right to Request Amendment
One may request that a CE amend PHI or a record about the individual in a designated record set
What are the reasons a CE can deny a request to amend the health record?
Was not created by the CE
Is not part of the designated record set
Is not available for inspection as noted in the regulation of access
Is accurate and complete as is
Right to Request Accounting of Disclosures
Right to receive an accounting of certain disclosures made by a CE
What must an accounting of disclosure include?
Date of disclosure
Name and address of the entity or person who received the information
Brief description of the PHI disclosed
Brief statement of the purpose of the disclosure or a copy of the individual’s written authorization or request
Right to Request Restrictions
An individual can request that a CE restrict the uses and disclosure of PHI to carry out TPO
Right to Request Confidential Communications
The opportunity to request that communications of PHI be routed to an alternative location or by an alternative method
Healthcare providers must honor such a request without requiring a reason if it is reasonable
Notice of Privacy Practice
An individual has the right to a notice explaining how his or her PHI will be used and disclosed
HIPAA Consent
The patient’s agreement to use or disclose individually identifiable information for TPO
Usually obtained at the time care is provided and has no expiration date
Can be revoked as long as the revocation is in writing
Authorization
An individual is granting permission for a specific use or disclosure of his or her health information
Breach Notification
Specifies that victims of breaches be notified and, depending on the number of individuals affected, that the federal government and media outlets also be notified
A requirement under HIPAA that mandates individuals be informed of unauthorized access to their health information, as well as relevant parties such as federal authorities and the media, when significant breaches occur
Federal Trade Commission
A federal agency that promotes consumer protection
Breach
An unauthorized acquisition, access, use or disclosure of PHI that compromises the security or privacy of such information
What are the 3 exceptions to the breach definition?
Unintentional acquisitions made in good faith and within the scope of authority
Disclosures where the recipient would not reasonably be able to retain the information
Disclosures by a person authorized to access PHI to another authorized person at the CE or BA
What is the 4 factor risk assessment to determine whether PHI has been compromised?
Nature and extent of PHI involved, including types of identifiers involved and how likely it is that reidentification can occur
Who the unauthorized recipient of the PHI was
Whether the PHI was actually obtained or viewed
Degree to which the CE or BA mitigated the risk (for example, immediate destruction of the PHI)
Marketing
Communication about a product or service that encourages the recipient to purchase or use that product or service
Privacy Officer
Responsible for privacy practices within the CE
Ideally suited to the background, knowledge, and skills of the health information professional because the role includes developing and implementing privacy policies and procedures, facilitating organizational privacy awareness, performing privacy risk assessments, maintaining appropriate forms, overseeing privacy training, participating in compliance monitoring of BAs, and communicating with the Office for Civil Rights (OCR)
How much are unknowing violations charged?
$1,000 to $5,000
How much is charged for willful neglect that was corrected?
$10,000 to $50,000
How much is charged for willful neglect that was not corrected?
$50,000
Disclosure of Health Information
Process of providing PHI access to individuals or entities that are authorized to either receive or review it
What steps does the management of disclosure follow?
Enter the request in the disclosure of health information database
Determine the validity of authorization
Verify the patient’s identity
Process the request
Medical Identity Theft
A crime that challenges healthcare organizations and the health information profession
A type of healthcare fraud
Fair and Accurate Credit Transaction Act (FACTA)
Requires financial institutions and creditors to develop and implement written identity theft programs that identify, detect, and respond to red flags that may signal the presence of identity theft
Red Flags Rule
Consists of 5 categories of red flags that are used as triggers to alert the healthcare organization to a potential identity theft
What are the 5 categories related to the Red Flags Rule?
Alerts, notifications, or warnings from a consumer reporting agency
Suspicious documents
Suspicious personally identifying information such as a suspicious address
Unusual use of, or suspicious activity relating to, a covered account
Notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with an account