ILHIE Authority Data Security and Privacy Committee. Briefing Summary: Policies # 1, 3 (Panel #1) -- Patient Choice, Opt-in/Opt-out



Similar documents
How To Write A Community Based Care Coordination Program Agreement

For the purposes of this Policy and Procedure, the following definitions apply:

HIPAA Compliance and HIE

INTRODUCTION. The HIPAA Privacy Rule and Electronic Health Information Exchange in a Networked Environment

Implementing an HMIS within HIPAA

COLLECTION, USE, AND DISCLOSURE LIMITATION

PCPCC National Briefing/Webinar

Strategies for Electronic Exchange of Substance Abuse Treatment Records

A Privacy and Information Security Guide for UCLA Workforce. HIPAA and California Privacy Laws

Florida HIE Gateway of Gateway Partners Readiness Questionnaire

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA): FACT SHEET FOR NEUROPSYCHOLOGISTS Division 40, American Psychological Association

HIPAA Compliance And Participation in the National Oncologic Pet Registry Project

Memorandum. Factual Background

Sample Business Associate Agreement Provisions

Privacy and Security Challenges in Integrated Care

HIPAA Privacy Policies

An Analysis of Legal Issues Related to the Use of Electronic Health Information in Pharmacovigilance Programs

HIPAA HITECH PA Physician Practices

Laying a Foundation for the Next 10 Years of Secure, Interoperable Exchange

NOTICE OF PRIVACY PRACTICES

Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule

HITECH Privacy, Security, Enforcement, Breach & GINA The Final Omnibus Rule Frequently Asked Questions and Answers

ELECTRONIC HEALTH RECORDS. Nonfederal Efforts to Help Achieve Health Information Interoperability

ConnectVirginia EXCHANGE Onboarding and Certification Guide. Version 1.4

Medicare Program: Expanding Uses of Medicare Data by Qualified Entities. AGENCY: Centers for Medicare & Medicaid Services (CMS), HHS.

HIPAA Overview. Darren Skyles, Partner McGinnis Lochridge. Darren S. Skyles

Consent Options for Electronic Health Information Exchange in Texas

MMA SAMPLE FORM *REVIEW CAREFULLY & ADAPT TO YOUR PRACTICE*

The Basics of HIPAA Privacy and Security and HITECH

BUSINESS ASSOCIATE AGREEMENT

Disclaimer: Template Business Associate Agreement (45 C.F.R )

Privacy and Confidentiality of Behavioral Health Data in EHRs

NOTICE OF PRIVACY PRACTICES

Maintaining the Privacy of Health Information in Michigan s Electronic Health Information Exchange Network. Draft Privacy Whitepaper

ACO & Medicare Shared Savings Program

Welcome to the Privacy and Security PowerPoint presentation in the Data Analytics Toolkit. This presentation will provide introductory information

Releasing Information

BUSINESS ASSOCIATE ADDENDUM

JEWISH FAMILY SERVICE NOTICE OF PRIVACY PRACTICES

8/18/2014. Topics For Today s Program. Not All Data Initiatives Are Going As Planned TRANSITION TO ELECTRONIC RECORDS STATUS CHECK

Section C: Data Use Agreement. Illinois Department of Healthcare and Family Services. And DATA USE AGREEMENT

HIPAA and Beyond: The Evolving Landscape of Health Privacy

Legal Work Group Developing a Model Uniform EHR-HIE Student Consent Form in Illinois

UNIVERSITY PHYSICIANS OF BROOKLYN, INC. POLICY AND PROCEDURE. No: Supersedes Date: Distribution: Issued by:

Business Associates under HITECH: A Chain of Trust

Health Insurance Portability and Accountability Act HIPAA. Glossary of Common Terms

HIPAA Update Presented by:

HIPAA for HIT and EHRs. Latest on Meaningful Use and EHR Certification: For Privacy and Security Professionals

HIPAA The Law Explained. Click here to view the HIPAA information.

BUSINESS ASSOCIATE AGREEMENT

HIPAA Privacy and Security Rules: A Refresher. Marilyn Freeman, RHIA California Area HIPAA Coordinator California Area HIM Consultant

HHS announces sweeping changes to the HIPAA Privacy and Security Rules in the final HIPAA Omnibus Rule

Amy K. Fehn. I. Overview of Accountable Care Organizations and the Medicare Shared Savings Program

HIPAA Privacy and Business Associate Agreement

HIPAA Policy Use and Disclosure of Protected Health Information November 3, 2015

BUSINESS ASSOCIATE AGREEMENT. Recitals

Case Study. Developing a Universal Consent Form: Lessons Learned from Florida Medicaid

Strategies for Electronic Exchange of Mental Health Records

Health Homes Implementation Series: NYeC Privacy and Security Toolkit. 16 February 2012

Resthave Home of Whiteside County, Illinois Resthave Nursing Home Resthave Home Assisted Living. Notice of Privacy Practices

The Privacy Rule is designed to minimize conflicts between Federal requirements and those of State law. It establishes a floor of Federal privacy

FirstCarolinaCare Insurance Company Business Associate Agreement

Bill Moran and Betta Sherman

PRIVACY PRACTICES OUR PRIVACY OBLIGATIONS

Sunday March 30, 2014, 9am noon HCCA Conference, San Diego

Expanded Support for Medicaid Health Information Exchanges

Medical Research Law & Policy Report

The Florida Senate. Interim Project Report November 2004 REVIEW OF STATUTES REGULATING ACCESS TO PATIENT MEDICAL RECORDS SUMMARY BACKGROUND

Introducing the NASW Updated Sample HIPAA Privacy Forms and Policies

Meaningful Use Stage 2 & HIPAA: The Relationship between HIPAA and Meaningful Use Privacy & Security Regulations View the Replay on YouTube

April 3, Re: Request for Comment: ONC Interoperability Roadmap. Dear Dr. DeSalvo:

BUSINESS ASSOCIATE AGREEMENT

DISCLOSURE OF ALCOHOL AND SUBSTANCE/DRUG ABUSE RECORDS. This Policy describes permissible disclosures of Alcohol and Substance/Drug Abuse Records.

Health Information Privacy Refresher Training. March 2013

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry

PROTECTED HEALTH INFORMATION

Health Information Technology (HIT) and the Public Mental Health System

Health Insurance Portability and Accountability Policy 1.8.4

Model Business Associate Agreement

Health Plan Select, Inc. Business Associate Privacy Addendum To The Service Agreement

The Privacy and Security Gaps in Health Information Exchanges

Provider Summit - Chicago, IL Illinois Behavioral Health Integration Project (BHIP)

BUSINESS ASSOCIATE AGREEMENT

State of Connecticut Department of Social Services HIPAA Policies and Procedures Manual

OCR Issues Final Modifications to the HIPAA Privacy, Security, Breach Notification and Enforcement Rules to Implement the HITECH Act

HIPAA: Open Research Issues Michael L. Blau, Esq. McDermott, Will & Emery

DISCLAIMER HEALTH INFORMATION PRIVACY POLICIES & PROCEDURES

NOTICE OF PRIVACY PRACTICES

Reproductive Medicine Associates of New Jersey, LLC

HIPAA Help for Social Workers

PARTICIPATION AGREEMENT For ELECTRONIC HEALTH RECORD TECHNICAL ASSISTANCE

HIPAA and HITECH Compliance Under the New HIPAA Final Rule. HIPAA Final Omnibus Rule ( Final Rule )

BUSINESS ASSOCIATE AGREEMENT

DEPARTMENT OF MENTAL HEALTH AND DEVELOPMENTAL DISABILITIES

NOTICE OF PRIVACY PRACTICES TEMPLATE. Sections highlighted in yellow are optional sections, depending on if applicable

Business Associate and Data Use Agreement

HIPAA Privacy FAQ s. 3. Generally, what does the HIPAA Privacy Rule require the average provider or health plan to do?

HIPAA-ACKNOWLEDGEMENT OF RECEIPT Notice of Privacy Practices

ELECTRONIC HEALTH RECORDS

Applicability: UW Medicine. Policy Title: Use & Disclosure of Protected Health Information Permitted for Law Enforcement Purposes.

Transcription:

1. Patient Choice. Should patients be granted a choice with regard to the use of a health information exchange (HIE) by clinical treatment professionals and others for the exchange of a patient s health care data? 3. Opt-in v. Opt-out. If patients are provided a choice with regard to the use of HIE for the exchange of patient data, should all patients be provided an option to affirmatively decline from HIE inclusion (an opt-out ) or the option of affirmative consent for HIE inclusion (an opt-in )? Federal Guidance The Federal HIPAA Privacy Rule currently requires patient authorization/consent for all PHI disclosures unless expressly permitted. A specific exception exists for certain disclosures for purposes of Treatment, Payment and Healthcare Operations (T-P-O) 1, for public health activities, 2 for research purposes 3 and for other legally required disclosures. A provider s solicitation of a patient consent for disclosure for T-P-O purposes is optional. U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has been of the view that patient data can be transmitted through an HIE for treatment purposes without the need of a prior patient consent. 4 The granting to patients by providers and/or the HIE of a right to opt-out or opt-in to the use of HIE is optional. HHS Centers for Medicare & Medicaid Services (CMS) in 2011 issued rules regarding Accountable Care Organizations (ACO) which encourage the sharing of patient data among participants using a patient opt-out system, even for T-P-O purposes. 5 (Such T-P-O data exchange restrictions go beyond current HIPAA.) HHS Office of National Coordinator for Health Information Technology (ONC) recently issued guidance to the recipients of HIE planning grants 6 that patients should be provided a meaningful choice, either on an opt-in or opt-out basis, even for T-P-O purposes, for participation in a robust bilateral HIE which aggregates clinical data. (Such T-P-O data exchange restrictions go beyond current HIPAA.) No meaningful choice is required for simple point-to-point unilateral directed exchange (e.g. NwHIN Direct). 1 HIPAA, 45 CFR 164.506 2 HIPAA, 45 CFR 164.512(b) 3 HIPAA, 45 CFR 164.512(i) 4 OCR, Collection, Use, And Disclosure Limitation, a companion document to the 2008 ONC Framework, p. 4, FAQ #1, Individual Choice, p. 4, FAQ #2. 5 MSSP Final Rule, 79 Fed. Reg. 67803 (Nov. 2, 2011). 6 Program Information Notice 003, Privacy and Security Framework Requirements and Guidance for the State Health Information Exchange Cooperative Agreement Program, March 23, 2012. 1

HHS ONC issued on May 15, 2012 a Request for Information regarding the Governance of the national HIE (NwHIN) 7 which suggests that patients should be provided a meaningful choice, either on an opt-in or opt-out basis, but admits the prospect of making an exception to patient choice for data exchange using simple point-to-point unilateral directed exchange (e.g. NwHIN Direct), or for purposes of treatment. (Such T-P-O, or possibly just P-O, data exchange restrictions go beyond current HIPAA.) Illinois Status Quo: No Patient ent for T-P-O, Mixed Opt-in/Opt-out for General & Special PHI General PHI: no patient authorization/consent required o Disclosure for Treatment, Payment and Healthcare Operations : no patient authorization required 8 o Disclosure in emergency: no patient authorization required 9 o Disclosure required by law/ for public health reporting: no patient authorization required 10 o Disclosure for Research (data analysis): no patient authorization required 11 General PHI: opt-out o Disclosure for use in facility directories: opt-out 12 o Disclosure to patient s family/caregivers: opt-out 13 General PHI: opt-in o Disclosure for Marketing uses: opt-in 14 o ent for Experimental Research Trials: Fed FDA: Protection of Human Subjects 15 ; IL - prior informed consent for participation in research program or an experimental procedure 16 ; experimental research or medical procedure 17 Special PHI: opt-out o HIV/AIDs consent for testing: opt-out, except if for treatment or data is de-identified 18 7 Nationwide Health Information Network: Conditions for Trusted Exchange, 77 Fed. Reg. no. 94, at 28543. 8 HIPAA, 45 CFR 164.502, 164.506; 410 ILCS 50/3(d) 9 HIPAA, 45 CFR 164.512(j) 10 HIPAA, 45 CFR 164.512(a),(b) 11 HIPAA, 45 CFR 164.512(i) 12 HIPAA, 45 CFR 164.510(a) 13 HIPAA, 45 CFR 164.510(b) 14 HIPAA, 45 CFR 164.508(a)(3), 164.501 15 21 CFR 50 16 410 ILCS 50/3.1 17 20 ILCS 301/30-5 18 410 ILCS 305/4 2

o Immunization registry consent for inclusion: opt-out 19 Special PHI: opt-in o Mental health/behavioral health/developmental disability: opt-in, except therapist disclosures to staff 20 o Psychotherapy notes: opt-in 21 o Substance abuse: opt-in 22 o Genetic test data: opt-in, except if data is de-identified, or for program evaluation 23 o HIV/AIDs - consent for testing for insurance: opt-in 24 o HIV/AIDs consent for disclosure of test results: opt-in, except if data is de-identified, or for program evaluation, or for public health 25 Policy Option: Keep Status Quo Minimizes disruption to current provider workflow/practices and administrative overhead (less likely an issue at large hospitals, more likely at small provider practice level) Maximizes flow of data to HIE for T-P-O; enhances utility of HIE to providers and patients; data for research and quality reporting not skewed by selective omission of data No distinction required between HIE models (simple point-to-point unilateral directed exchange (e.g. NwHIN Direct) and robust bi-lateral HIE which aggregates clinical data). Barriers to HIE due to ambiguities in current IL statutes still not addressed Some specially-protected PHI still requires opt-in or opt-out to be disclosed HIE s secondary uses of data may still require patient authorization Patients desiring to sequester their general PHI from inclusion in HIE not accommodated; between 0% to 3% of patients (estimate) Policy Option: Patients Permitted to Opt Out of PHI delivery through HIE Patient given option to protect any information which patient considers highly confidential 19 410 ILCS 527/15(a) 20 740 ILCS 110/3, 5, 9 21 HIPAA, 45 CFR 164.508(a)(2) 22 42 CFR Part 2 23 410 ILCS 513/15, 30(a) 24 410 ILCS 50/3(c) 25 410 ILCS 305/9 3

Knowledgeable patient participation in HIE reduces prospect of patient opposition to HIE Accommodates participating providers who have voluntarily agreed to grant a specific patient request to limit disclosure of PHI Creates additional administrative procedures (and implementation cost) at point of care, but less than under opt-in Some specially-protected PHI still requires opt-in Some reduction in flow of data to HIE Expenditure by HIE required on patient education to inform patients of optout choice Arguably of little or no interest or material benefit to majority of patients Policy Option: Patients Required to Opt In to Permit PHI delivery through HIE Provides maximum legal protection by providing record of patient permission Allows maximum info sharing; all specially-protected PHI can be included in HIE Minimizes prospect of conflict with laws of other States to foster inter-state PHI exchange Patient s affirmative act of signing increases likelihood of valid consent Accommodates HIE s potential secondary uses of data beyond T-P-O Potentially significant reduction in patient participation, less data in HIE; can undermine HIE if critical mass not reached Expenditure by HIE required on patient education and recruitment to secure sufficient patient participation in HIE Creates additional administrative procedures (and implementation cost) at point of care Arguably of little or no interest or material benefit to majority of patients National Adoption Opt-Out: Opt-In: No consent: TBD: 27 States 12 States 3 States 8 States 4

Briefing Summary: Policy # 2 (Panel #1) Data Excluded From v. Hidden at HIE 2. Data Hidden v. Excluded. If a patient exercises a choice against use of the HIE, may the patient s data be collected by the HIE and not disclosed to others, except for mandatory public health reporting, or should the patient data not be forwarded to the HIE? Policy Option 1 (Data Hidden from Third Parties): In the event the patient decides NOT to permit data exchange through an HIE, the HIE can receive PHI data, but it cannot be disclosed further without patient consent Option 1a: except for mandatory reporting, e.g. public health Option 1b: except for emergency medical treatment ("break-the-glass") Option 1c: except upon receipt of patient reversal (patient joins HIE) Policy Option 2 (Data Excluded from HIE): In the event the patient decides NOT to permit data exchange through an HIE, HIE cannot receive PHI data. Policy Options 1, 1a, 1b, 1c: Data Hidden from Third Parties, with exceptions Exception 1a: allows providers to use HIE for submission of mandatory reports to public health authorities Exception 1b: allows providers to access clinical data required for emergency treatment of the patient Exception 1c: allows for the HIE to make a more complete longitudinal clinical record to be available for patient treatment once the patient desires to have PHI exchanged through HIE Patients who desire NOT to have their data exchanged through an HIE due to personal concerns over either (a) harmful potential of information technology and data aggregation, in general, or (b) harmful potential of government access to aggregated data regarding individuals, in general, would not be accommodated 5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information