Welcome to the Privacy and Security PowerPoint presentation in the Data Analytics Toolkit. This presentation will provide introductory information

Transcription

1 Welcome to the Privacy and Security PowerPoint presentation in the Data Analytics Toolkit. This presentation will provide introductory information about HIPAA, the HITECH-HIPAA Omnibus Privacy Act, how they relate to one another, and how they impact meaningful use and data analytics.

2 To understand the impact Meaningful Use has on privacy and security, one must first understand HIPAA, the Health Insurance Portability and Accountability Act of HIPAA serves to ensure health insurance portability, establish standards for electronic claims and national identifiers, protect against fraud and abuse, and assure the privacy and security of protected health information (PHI). Title II of HIPAA contains the Privacy and Security Rules. The Privacy Rule was established to assure the protection of health information, and focuses on patient rights to access and control of their information, restoring trust in the healthcare system to improve the quality of care, and improve the

3 efficiency and effectiveness of healthcare delivery.

4 The Security Rule specifies procedures to protect the confidentiality, integrity, and availability of electronic PHI, or e-phi. It identifies administrative safeguards to manage the activities needed to establish security measures, physical safeguards, to identify measures to protect information systems, buildings, and equipment from natural and environmental hazards, technical safeguards, to protect ephi and control access to it, and organizational safeguards so that arrangements are made to protect ephi between organizations.

5 When HITECH was enacted to promote the adoption and meaningful use of health information technology, it established more detailed provisions and strengthened the requirements included in the HIPAA Privacy and Security Rules by establishing mandatory breach reporting requirements and several tiers of penalties for breaches, establishing new enforcement responsibilities, new privacy requirements such as new accounting requirements for the EHR, and extending requirements to the business associates of covered entities. In response, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published the final omnibus rules in January of 2013 to address many of the HITECH requirements. The rule is officially titled Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rule Under the Health Information Technology for Economic and Clinical Health Act, and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rule, but is often referred to as the HITECH- HIPAA Omnibus Privacy Act. The HITECH-HIPAA Omnibus Privacy Act strengthens the privacy and security of patient health information, modifies the breach notification rule, strengthens privacy protections for genetic information by prohibiting health plans for using or disclosing such information for underwriting, makes business associates of HIPAA covered entities liable for compliance, strengthens limitations on the use and disclosure of PHI for marketing and fundraising, and allows patients increased restriction rights. The new requirements took effect on March 26, 2013, and the compliance

6 date for HIPAA-covered entities and business associates was September 23, It is important to note that this omnibus rule does not address all of the HITECH privacy requirements. For example, the requirement for accounting of disclosure, which would require facilities to track every access of health information, is not included. The OCR indicates that this will be released at a later date.

7 The HIPAA privacy and security requirements are embedded in the EHR Incentive Programs through the following stage 1 meaningful use requirements. Eligible professional core objective and measure 12 requires that patients are provided with an electronic copy of their health information upon request, and more than 50% of patients who make such requests should receive it within 3 business days. This corresponds with the HIPAA requirement that patients have the right to view and obtain a copy of their health information.

8 Eligible professional core objective and measure 15, and eligible hospital and critical access hospital core objective and measure 14 both require that appropriate technical capabilities are in place to protect health information, and is measured by conducting or reviewing a security risk analysis and implementing security updates. This corresponds with the HIPAA requirement that policies and procedures are in place to prevent, detect, contain and correct security violations. These meaningful use requirements are not intended to supersede or substitute for HIPAA compliance. Covered entities are still required to comply with the HIPAA Privacy and Security Rules.

9 Data analytics in healthcare is essential for quality care, effective and efficient processes, and decision making. With big data on the rise, and patient health information residing in multiple locations in multiple formats, maintaining the privacy and security of this sensitive, confidential data is complicated. With the HITECH-HIPAA Omnibus Privacy Act strengthening privacy and security requirements, keeping data secure remains a priority. Organizations analyzing PHI should consider the role of the patient in their data analytics process, and how they might be empowered to share their

10 data for a cause or a process they support. It is also important to be aware of the de-identification standard in the HIPAA Privacy Rule which indicates the requirements for anonymizing health data for analysis. Organizations should have a data classification policy in place to inventory their data and how that data is handled, and become familiar with the U.S. Federal Trade Commission s Fair Information Practice Principles (FIPPs) as a guide when working with large quantities of patient data.

11

12

13