1 Electronic Medical Records: Legal and Ethical Implications for Patients Linda A. Simunek, RN, PhD, JD Executive Director, Doctoral Success Grant and Adjunct Professor in Law in Healthcare Education, Fischler School of Education, Nova Southeastern University
2 2 Objectives 1. Describe the duty of care owed to patients in maintaining privacy, confidentiality, and security of health care information in electronic medical records (EMR) 2. Describe the parameters for EMR patient information data sharing in a reformed health care delivery system 3. Describe the elements and penalties in criminal and civil prosecution cases for breach of health information privacy, confidentiality and security
3 What are Electronic Medical Records? Electronic Medical Records (EMR) or Electronic Health Records (EHR) are electronic, machine readable versions of much of the data found in paper-based records, comprising both structured and unstructured patient data from disparate, computerized ancillary systems and document imaging systems. Clinical documentation may originate in either paper records or computerized data; however, the data are not comprehensively coded. (Dick, R.S. Steen E.B, and Detmer, D.E. (1997), The computer based patient record: an essential technology for health care. Institute of Medicine, Washington: D.C)
4 Definition of Electronic Health Record System An EHR system includes: 1. Longitudinal collection of electronic health information for and about persons, where health information is defined as information pertaining to the health of an individual or a health care provider to an individual 2. Immediate electronic access to person and population-level information by authorized, and only authorized users. (cont d).
5 Definition of Electronic Health Record System 3. Provision of knowledge and decisionsupport that enhances the quality, safety, and efficiency of patient care, and, 4. Support for efficient processes for health care delivery (Institute of Medicine (2003). Key capabilities of an HER system. Washington, D.C.)
6 6 Computer-based Documentation: Past, Present, and Future
7 7 Glossary of EMR Patients Rights-The Right to Information Privacy Specific right of an individual to control the collection, use, and disclosure of personal information (Center for Technology and Democracy), (CT&D) A state or condition of controlled access to personal information; the ability of an individual to control the use and dissemination of information that relates to self, the individual s ability to control what information is available to various users and to limit re-disclosures of information (ASTM)
8 8 The Right to Information Privacy The right of individuals to keep information about themselves from being disclosed to anyone. (Computer-Based Patient Record Institute, CPRI (1994)
9 9 The Right to Confidentiality Tool for protecting privacy (CT&D) Status accorded to data or information indicating that they are sensitive for some reason and therefore need to be protected against theft, disclosure and improper use (ASTM) The act of limiting disclosure of private matters (CPRI)
10 10 The Right to Information Security Encompasses all the safeguards in an information system (CT&D) Totality of safeguards including hardware, software, personnel policies, information practice policies, disaster preparedness and oversight of these components (ASTM) Means to control access and protect information form accidental or intentional disclosure to unauthorized persons and from alteration, destruction or loss (CPRI)
11 11 Typical Users of Health Information Patient Primary care physician Health insurance company Clinical laboratory Local retail pharmacy Pharmacy benefits manager Consulting physician
12 12 Typical Users of Health Information Local hospital State bureau of vital statistics Accrediting organization Employer Life insurance company Medical Information Bureau Managed care company Attorney State public health and family physician State agency collecting hospital discharge data Medical researcher
13 13 Common Threats to Healthcare Information Security Insider accidental disclosure Insider abuse of access privileges Insider unauthorized access Outsider intruders
14 14 Common Threats to Information Integrity Insider accidental errors Insider malicious attack Intruder accidental or malicious attack Equipment failure Software failure Strategic attack (e.g. virus)
15 15 Common Threats to Information Reliability Natural hazards, earthquakes, tornadoes, ice storms, fires, floods, electrical storms, other natural disasters Equipment and software failures-hardware breakdowns and software failures that cause unexpected systems suspension or shutdown Human error-any human error that would cause hardware or software to improperly function, causing unexpected system disruption or shutdown Theft, malice or strategic attack, purposeful theft or attack on any component of the information system with the intent of causing system disruption or shutdown
16 16 Guiding Principles Behind HIPAA Privacy Protection Setting boundaries for the use of health information and imposing a legal duty of confidentiality on those who provide and pay for health care and on other entities that receive health information form them Requiring measures for protection of health information Providing consumer control over individual information Establishing sanctions for the misuse of information Balancing individual rights with the public good
17 17 Privacy Rule and Covered Entities A major goal of the Privacy Rule is to ensure that the individual s health information is properly protected while allowing the flow of information needed to provide and promote high quality health care and to protect the public s health and well being.
18 18 Individually Identifiable Health Information Individually identifiable health information is information, including demographic, data that relates to: The past, present, or future physical or mental health or condition of an individual The provision of health care to the individual The past, present, or future payment for the provision of health care to the individual
19 19 Privacy Rule and Covered Entities Health plans Health care providers Healthcare clearinghouse Business associates
20 Signed authorization form for use and disclosure of protected health information (PHI) Description of the information to be used or disclosed Name of other specific identification of the person(s) or class of persons authorized to make the requested use or disclosure An expiration date or event that relates to the individual or the purpose of the use or disclosure 20
21 21 Signed authorization form for use and disclosure of PHI A statement of the individual s right to revoke the authorization in writing and the exceptions to the right to revoke, together with a description of how the individual may revoke it A statement that information used or disclosed pursuant to the authorization may be subject to redisclosure by the recipient and no longer protected by the privacy Rule Signature of the individual and date of authorization
22 22 Signed authorization form for use and disclosure of PHI When the authorization is signed by a personal representative of the individual, there must be a description of the representative s authority to act for the individual
23 23 Typical functions of the Chief Security Officer Security strategic planning Development of enterprise wide security policy for safeguarding the access, integrity and availability of information and information systems Development of enterprise-wide procedures for security policy implementation Coordinate the administration of security software
24 Typical functions of the Chief Security Officer Manage confidentiality agreements for employees and contractors Coordinate security procedures Coordinate employee security training Monitor audit trails to identify security violations Conduct the assessment of enterprise information systems Develop business continuity plan 24
25 25 Health Information Security Controls Administrative controls Physical controls Technical Controls Dynamic passwords Encryption Detection and intrusion systems Other security services
26 26 Health Information Security Checklist u u Ø Ø Ø Ø Audit Trail Permits audit trail analysis Automatic Activation Passwords Text/Numeric Biometric Face Voice Fingerprint
27 27 Health Information Security Checklist Electronic Signatures Role-based access Data validation Back-up Process Encryption
28 28 Health Information Risk Analysis and Assessment Identifying threat or risks to security, e.g., human error such as data entry mistake, unauthorized physical access to data, sabotage, power failures, and malfunction of software or hardware Determining how likely it is that any given threat may occur Estimation of the impact of an untoward event
29 29 Policies and procedures and documentation requirements Covered entities must have security policies and procedures documents in written format. Documentation must be retained for six years from the date of the creation or the date when it was last in effect, whichever is later.
30 30 Criminal Prosecution and Case Law Examples and Analysis Breach of Privacy Breach of Confidentiality Breach of Security
31 31 Handout-Using the Electronic Health Record Evaluation Checklist (HER) Product Name Company Evaluation Date Chart Features-Present/Absent; Esential? Point Value Medication Features Laboratory X-ray Pathology Features Telephone Call Features
32 32 Handout-Using the Electronic Health Record Evaluation Checklist (HER) Diagnosis Features Referral Features Preventive Medicine Features Clinical Encounter Patient Education Features Population Health Management Communication and Infrastructure
33 33 Handout-Using the Electronic Health Record Evaluation Checklist (HER) Communications Decision Support Data Storage and File Formats Standards Supported Interface Options Operating Systems Technology
34 34 Contact Information for Linda Simunek Linda Agustin Simunek SW 25 Court Miramar, Florida Monaco Cove, Gate Code (Cell) (NSU Office)
35 35 References Carter, J.H. (2008). Electronic health records, American College of Physicians: Pa. Department of Health and Human Services CFR Parts 160, 162, and 164. Federal Register. Vol 68, Now. 34. February 20, 2003 Horine, G. (2005) Absolute beginner s guide to Project management ISBN23: Johns, M.L. (2003). HIPAA security: Computer based training modules. Chicago Holistic Training Solutions
HIPAA Privacy Overview General HIPAA stands for a federal law called the Health Insurance Portability and Accountability Act. This law, among other purposes, was created to protect the privacy and security
ELECTRONIC HEALTH RECORDS Understanding and Using Computerized Medical Records CHAPTER TEN LESSON ONE Privacy and Security of Health Records Understanding HIPAA HIPAA: acronym for Health Insurance Portability
HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care
Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. firstname.lastname@example.org www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually
HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA
HIPAA Information Security Overview Security Overview HIPAA Security Regulations establish safeguards for protected health information (PHI) in electronic format. The security rules apply to PHI that is
Huseman Health Law Group 3733 University Blvd. West, Suite 305-A Jacksonville, Florida 32217 Telephone (904) 448-5552 Facsimile (904) 448-5653 email@example.com use e Health care law firm fighting
HIPAA/HITECH WHAT S YOUR COMPLIANCE STATUS? Daniel B. Mills Pretzel & Stouffer, Chartered WHAT IS HIPAA? 1 DEFINITIONS HIPAA Health Insurance Portability and Accountability Act of 1996 Primarily designed
APPENDIX 1: Frequently Asked Questions Practice Name Q: What is the HIPAA Privacy Rule? A: The HIPAA Privacy Rule controls the use and disclosure of what is known as Protected Health Information (PHI).
HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care
HIPAA 100 Training Manual Table of Contents I. Introduction 1 II. Definitions 2 III. Privacy Rule 5 IV. Security Rule 8 V. A Word About Business Associate Agreements 10 CHICAGO DEPARTMENT OF PUBIC HEALTH
HIPAA Compliance and the Protection of Patient Health Information WHITE PAPER By Swift Systems Inc. April 2015 Swift Systems Inc. 7340 Executive Way, Ste M Frederick MD 21704 1 Contents HIPAA Compliance
Datto Compliance 101 1 Overview Overview This document provides a general overview of the Health Insurance Portability and Accounting Act (HIPAA) compliance requirements for Managed Service Providers (MSPs)
HIPAA and Mental Health Privacy: What Social Workers Need to Know Presenter: Sherri Morgan, JD, MSW Associate Counsel, NASW Legal Defense Fund and Office of Ethics & Professional Review 2010 National Association
Jeff M. Bauman, Psy.D. P.A. and Associates FLORIDA-HIPAA PRIVACY NOTICE FORM Notice of Psychologists Policies and Practices to Protect the Privacy of Your Health Information THIS NOTICE DESCRIBES HOW PSYCHOLOGICAL
HIPAA Happenings in Hospital Systems Donna J Brock, RHIT System HIM Audit & Privacy Coordinator HIPAA Health Insurance Portability and Accountability Act of 1996 Title 1 Title II Title III Title IV Title
Grand Rapids Medical Education Partners Mercy Health Saint Mary s Spectrum Health Pam Jager, GRMEP Director of Education & Development To understand the requirements of the federal Health Information Portability
TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business
TRAINING MANUAL HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT OF 1996 HIPAA Table of Contents INTRODUCTION 3 What is HIPAA? Privacy Security Transactions and Code Sets What is covered ADMINISTRATIVE
What Virginia s Free Clinics Need to Know About HIPAA and HITECH This document is one in a series of tools and white papers produced by the Virginia Health Care Foundation to help Virginia s free clinics
HIPAA Orientation Health Insurance Portability and Accountability Act HIPAA Federal legislation enacted in 1996 to improve the efficiency and effectiveness of electronic information transfers used in the
HFS DATA SECURITY TRAINING WITH TECHNOLOGY COMES RESPONSIBILITY Illinois Department of Healthcare and Family Services Training Outline: Training Goals What is the HIPAA Security Rule? What is the HFS Identity
Joseph Suchocki HIPAA Compliance 2015 Sponsored by Eagle Associates, Inc. Eagle Associates provides compliance services for over 1,200 practices nation wide. Services provided by Eagle Associates address
Oregon Prescription Drug Monitoring Program Terms & Conditions of Account Use Agreement Statutory Authority: The Oregon Health Authority (OHA) was given authority under ORS 431.962 to establish and maintain
DrConnect Improved Communication; Improved Care Nursing Home Facility Implementation Overview clevelandclinic.org/drconnect Cleveland Clinic 1995-2013. All Rights Reserved. Table of Contents Table of Contents...2
HIPAA PRIVACY POLICIES & PROCEDURES Department of Behavioral Health and Developmental Services DBHHDS GENERAL AWARENESS TRAINING March 2012 HIPAA Humor (North Dakota Dept of Health) 2 HIPAA-Ectomy - the
Compliance HIPAA Training Steve M. McCarty, Esq. General Counsel Sound Physicians 1 Overview of HIPAA HIPAA contains provisions that address: The privacy of protected health information or PHI The security
Health Information Privacy Refresher Training March 2013 1 Disclosure There are no significant or relevant financial relationships to disclose. 2 Topics for Today State health information privacy law Federal
Understanding Health Insurance Portability Accountability Act AND HITECH HIPAA s Privacy Rule 1 What Is HIPAA s Privacy Rule The privacy rule is a component of the Health Insurance Portability and Accountability
for the 9/11 Heroes Stamp Act of 2001 File System Contact Point Elizabeth Edge US Fire Administration Federal Emergency Management Agency (202) 646-3675 Reviewing Official Nuala O Connor Kelly Chief Privacy
Northwestern Memorial Hospital DEPARTMENTAL POLICY Subject: DEPARTMENTAL ADMINISTRATION Title: 1 of 11 Revision of: NEW Effective Date: 01/09/03 I. PURPOSE: This policy defines general behavioral guidelines
Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information
NAMI EASTSIDE - 13 POLICY: Privacy and Security of Protected Health Information (HIPAA Policies and Procedures) DATE APPROVED: Pending INTENT: (At present, none of the activities that NAMI Eastside provides
HIPAA COMPLIANCE AND DATA PROTECTION firstname.lastname@example.org +39 030 201.08.25 Page 1 CONTENTS Introduction..... 3 The HIPAA Security Rule... 4 The HIPAA Omnibus Rule... 6 HIPAA Compliance and EagleHeaps
SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION Please Note: 1. THIS IS NOT A ONE-SIZE-FITS-ALL OR A FILL-IN-THE BLANK COMPLIANCE PROGRAM.
HIPAA Privacy Keys to Success Updated January 2010 HIPAA Job Specific Education 1 HIPAA and Its Purpose What is HIPAA? Health Insurance Portability and Accountability Act of 1996 Title II Administrative
Introduction to The Privacy Act Defense Privacy and Civil Liberties Office dpclo.defense.gov 1 Introduction The Privacy Act (5 U.S.C. 552a, as amended) can generally be characterized as an omnibus Code
Shannon Loehr, MSW, LCSW HIPAA COMPLIANCE PROGRAM Notice of Privacy Practices I. This Notice Describes How Medical Information About You May Be Used and Disclosed and How You Can Gain Access to this Information.
HIPAA SELF STUDY TRAINING GUIDE I have received the LifeWays HIPAA SELF STUDY TRAINING GUIDE. I understand that I will be accountable for the information contained in the guide. If I have questions I may
Data Management & Protection: Common Definitions Document Version: 5.5 Effective Date: April 4, 2007 Original Issue Date: April 4, 2007 Most Recent Revision Date: November 29, 2011 Responsible: Alan Levy,
REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW PROTECTED HEALTH INFORMATION (PHI) ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS
APPLETREE PEDIATRICS, PA NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
September 15, 2013 Who Does it apply to? As a healthcare provider of LSUHSC-NO, you are required to follow the requirements of the HIPAA Privacy Rule. CM-53 explains all the requirements LSUHSC-NO healthcare
TABLE OF CONTENTS University of Northern Colorado HIPAA Policies and Procedures Page # Development and Maintenance of HIPAA Policies and Procedures... 1 Procedures for Updating HIPAA Policies and Procedures...
Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...
A White Paper for Health Care Professionals Preparing for the HIPAA Security Rule Introduction The Health Insurance Portability and Accountability Act (HIPAA) comprises three sets of standards transactions
Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Note: Information provided to NCRA by Melodi Gates, Associate with Patton Boggs, LLC Privacy and data protection
BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security
HIPAA Self-Study Module Patient Privacy at Unity Health Care, Inc email@example.com 202-667-0016 - HIPAA Hotline Self-Study Module Requirements Read all program slides and complete test. Complete
Getting Hip to the HIPAA and HITECH Act Compliance NaNotchka M. Chumley, D.O., M.P.H. Family Medicine Physician Los Angeles, CA Integrating Global Trade & Logistic and Cybersecurity Westin St. Francis,
The HIPAA Security Rule Primer A Guide For Mental Health Practitioners Distributed by NASW Printer-friendly PDF 2006 APAPO 1 Contents Click on any title below to jump to that page. 1 What is HIPAA? 3 2
1 2 Hour CEU 2 Course Objectives The purpose of this program is to provide nurses with information about the Health Insurance Portability and Accountability Act (HIPAA), especially as it relates to protected
AGREEMENT FOR ACCESS TO PROTECTED HEALTH INFORMATION BETWEEN WAKE FOREST UNIVERSITY BAPTIST MEDICAL CENTER AND THIS AGREEMENT for Access to Protected Health Information ( PHI ) ( Agreement ) is entered
NOTICE OF HEALTH INFORMATION PRIVACY PRACTICES (HIPAA) THIS NOTICE OF PRIVACY PRACTICES DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.
Prescription Drug Abuse and Diversion: The Role of Prescription Drug Monitoring Programs Bill Number: Hearing Date: September 23, 2004, 2:00 pm Location: SD-430 Witness: Joy L. Pritts, J.D. Health Policy
California State University, Sacramento INFORMATION SECURITY PROGRAM 1 I. Preamble... 3 II. Scope... 3 III. Definitions... 4 IV. Roles and Responsibilities... 5 A. Vice President for Academic Affairs...
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. EFFECTIVE September 15, 2014 This Notice of
Disaster Recovery Planning Under HIPAA An Overview 1 White Paper Published October 2003 - Doug Thompson - MITG, Inc. - Quincy, IL An Overview of Disaster Recovery Planning Under HIPPA Security Rules Overview
Releasing Information There are 3 kinds of release situations now: our original Release of Information and it s uses under Colorado Law and Professional Ethical Standards; HPAA s Consent to release information
Somansa White Paper Somansa Data Security and Regulatory Compliance for Healthcare How Somansa can protect ephi- electronic patient health information and meet the requirements for healthcare compliances,
Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES HIPAA COMPLIANCE Achieving HIPAA Compliance with Security Professional Services The Health Insurance
HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER With technology everywhere we look, the technical safeguards required by HIPAA are extremely important in ensuring that our information
Sí necesita ayuda para traducir esta información, por favor comuníquese con el departamento de Servicios a miembros de Highmark Delaware al número al réves de su tarjeta de identificación de Highmark Delaware.
Reporting of HIPAA Privacy/Security Breaches The Breach Notification Rule Objectives What is the HITECH Act? An overview-what is Protected Health Information (PHI) and can I protect patient s PHI? What
Vermont Information Technology Leaders HIPAA COMPLIANCE POLICIES AND PROCEDURES Policy Number: InfoSec 1 Policy Title: Information Privacy and Security Management Process IDENT INFOSEC1 Type of Document:
4547 The Case For HIPAA Risk Assessment Leader s Guide IMPORTANT INFORMATION FOR EDUCATION COORDINATORS & PROGRAM FACILITATORS PLEASE NOTE: In order for this program to meet Florida course requirements,
HIPAA Privacy September 21, 2013 HIPAA Privacy Workforce Training The Health Insurance Portability & Accountability Act (HIPAA) requires that the University train all workforce members (faculty, staff,
1540 Sunday Drive Suite 200Raleigh, NC 27607 Office: 919-859-9040FAX: 919-859-9030 Name: Date Examined: Responsible Person: _ Birth Date: Address: Age: Sex: M F Marital Status: S M D W SSN: Home Phone:
Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and procedures to govern who has access to electronic protected
Vermont Information Technology Leaders HIPAA COMPLIANCE POLICIES AND PROCEDURES Policy Number: InfoSec 4 Policy Title: Information Security Incident Response January 26, 2016 IDENT INFOSEC4 Type of Document:
Patient Privacy and HIPAA/HITECH What is HIPAA? Health Insurance Portability and Accountability Act of 1996 Implemented in 2003 Title II Administrative Simplification It s a federal law HIPAA is mandatory,
CHIS, Inc. and HIPAA CHIS, Inc. provides services to healthcare facilities and uses certain protected health information (PHI) in connection with performing these services. Therefore, CHIS, Inc. is classified
Your consent to our cookies if you continue to use this website.