Public Health IT: Privacy, Confidentiality and Security of Public Health Information

Audio Transcript

Slide 1: Privacy, Confidentiality and Security of Public Health Information

Welcome to Component 13's lecture on Privacy, Confidentiality and Security of Public Health Information. In this presentation we will discuss the protection and release of patient information from a public health perspective. We will cover the requirements to protect patient information under HIPAA, the public health exceptions, the impact of the ARRA/HITECH Act, the criminal and civil penalties associated with violations, and the proposed changes to the HIPAA Privacy Rule.

Slide 2: Unit Objectives

By the end of this unit learners will be able to:

1.  Identify the privacy and security requirements for public health agencies

2.  Identify when public health agencies can receive identifiable health information to perform public health functions without patient authorization

Slide 3: Privacy

It’s important to understand the difference between privacy, confidentiality, and security. Privacy is the patient’s right to control disclosure of their information; they can place restrictions on who can see it or who it is disclosed to.

Slide 4: Confidentiality

Confidentiality refers to the healthcare provider’s responsibilities to ensure that patient data is not used or disclosed without proper authorization. Unauthorized means the patient did not give permission. There are exceptions for disclosures for public health activities which we’ll talk about later in this unit.

Slide 5: Security

Security is the means used to protect information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, and availability. Integrity means guarding against improper modification or destruction, and includes ensuring that the information presented by the system is authentic and comes from that system alone. Confidentiality, as covered in the previous slide, refers to the responsibility to ensure that data is not used or disclosed without authorization. Availability means ensuring timely and reliable access to and use of information.

Slide 6: HIPAA

The Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA (pronounced HIP-uh), was passed by Congress to protect group insurance plan holders with pre-existing conditions from being denied coverage when moving from one job to another, and it established standards for the electronic submission of claims data.

Slide 7: HIPAA Titles

There are two titles to HIPAA. The first title dealt with the portability and renewability of health coverage when moving from one job to another or from group-based coverage to individual coverage. The second title dealt with, among other things, the administrative simplification of the process by which providers submit claims to the government and health insurance companies for payment.

Slide 8: Administrative Simplification

When Congress passed HIPAA, they realized the importance of the privacy of health information. The administrative simplification part of the statute included a provision calling for Congress to draft comprehensive privacy legislation in the next 3 years. After 3 years, rulemaking authority would be given to the Secretary of Health and Human Services to draft comprehensive privacy protections.

Slide 9: HIPAA Privacy Rule

When Congress failed to pass privacy legislation, the Department of Health and Human Services published a proposed privacy rule in 1999. The final rule became effective in April of 2003. The Rule specifies what health information is protected under the rule. This information is called “PHI”. We will talk more about who is covered by HIPAA and what information is considered PHI in the next slides. It is especially important for public health agencies to determine when they are covered by HIPAA.

Slide 10: Covered Entity

The first step a public health agency should take to assess whether it is a covered entity is to determine whether it is a health care provider, which means that it treats patients. Generally, if the agency is a health care provider and transmits data electronically, it will be considered a covered entity.

Slide 11: Business Associate

A business associate performs functions on behalf of a covered entity. Changes to HIPAA proposed under regulations authorized by Congress in the HITECH Act would allow the Office for Civil Rights to hold business associates directly accountable to the provisions of the Security Rule and to the use and disclosure provisions of the Privacy Rule. Currently, business associates are accountable only to covered entities, through a contract known as a business associate agreement.

Slide 12: PHI

Not all health information is protected by HIPAA. To be PHI, the health information must be created or received by a covered entity or by a business associate acting on behalf of the covered entity. It must relate to a past or present medical condition, to the provision of care for the condition, or to payment for services related to the condition. Finally, it must be information that could be used to identify the individual patient with the medical condition.

Slide 13: Public Health Agencies and PHI

All Public Health Agencies likely handle PHI in one way or another. However, they may or may not be covered by HIPAA when they handle the information. There are three categories under HIPAA that a Public Health Agency could fall into. They could be a covered entity, a non-covered entity, or a hybrid entity, which performs both covered functions and non-covered functions. An example of a Public Health Agency that functions as a covered entity is one that runs STD clinics that provide diagnosis and treatment to patients. An example of a Public Health Agency that still handles PHI but is not covered by HIPAA is one that is mandated by state statute to receive PHI from providers covered by HIPAA in order to conduct an epidemiological investigation.

Slide 14: Public Health Agency as a Covered Entity

If the public health agency is a covered entity, it must follow all of the provisions of HIPAA that apply to covered entities. Namely, it must obtain from the patient an authorization for the public health agency to release PHI, unless an exception applies. The authorization must fulfill these specific requirements.

Slide 15: Public Health Agency as a Covered Entity (Cont.)

An authorization is not needed if the public health agency is required or permitted by federal, state, or tribal law to disclose the information without permission, such as for required public health reporting purposes. An authorization is also not needed for disclosures related to treatment, payment, and healthcare operations.

Slide 16: Public Health Agency as a Non-Covered Entity

It is important to note that HIPAA does not always regulate the activities of a public health agency. Often, however, the public health agency will handle PHI in these non-covered functions because covered entities are allowed to disclose the information in certain public health situations without patient authorization.

Slide 17: HIPAA Public Health Exceptions for Covered Entities

The exceptions HIPAA provides to covered entities to disclose PHI to Public Health Agencies include the prevention and control of diseases, injuries, or disabilities. However, the covered entity must ensure that the agency is authorized by federal, state, or local law to collect the information. The covered entity may also report vital events such as deaths and births to a public health agency authorized to receive such information. They may disclose PHI to public health agencies authorized to conduct public health surveillance, epidemiological investigations and interventions. Finally, the covered entity can disclose PHI to a foreign government agency that is acting in collaboration with a public health authority, as may be the case in an outbreak of a contagious disease.

Slide 18: HIPAA Public Health Exceptions for Covered Entities (cont.)

There are additional allowances in HIPAA for covered entities to disclose instances of child abuse and neglect, domestic violence, and neglect of the elderly or incapacitated. Again, state or local law must specifically authorize the public health agency to collect such information. Many states have taken the additional step of requiring child abuse reporting by covered entities. In cases of domestic violence, HIPAA additionally requires the covered entity to either seek agreement of the victim or make a determination that reporting is necessary to prevent serious harm to the individual or other potential victims. Additionally, covered entities may report PHI to drug companies or device manufacturers in the case of adverse events, product tracking, or to facilitate product recalls, repairs, replacement, and post-marketing surveillance.

Slide 19: HIPAA Public Health Exceptions for Covered Entities (cont.)

These are additional public health-related exceptions to the requirement that a covered entity seek authorization before disclosure of PHI. While these exceptions might not directly involve a public health agency, they are all disclosures allowed with public health in mind.

Slide 20: Public Health Agencies as Hybrid Entities

Some public health agencies perform both the functions of a covered entity and a non-covered entity. HIPAA considers these entities to be “hybrid entities.” Hybrid entities must designate their covered functions and establish a firewall that prevents these covered components from sharing PHI with the non-covered components without patient authorization, unless an exception applies.

Slide 21: HIPAA Security Rule Requirements

Along with the Privacy Rule, HHS also promulgated the Security Rule, which requires covered entities that maintain or exchange electronic PHI to take steps to protect that data. Public health agencies that are covered entities under HIPAA and exchange electronic PHI must follow this Rule as well. One of the ways a covered entity protects itself is by understanding where it is vulnerable. A risk analysis can reveal the need for administrative, technical, or physical safeguards to protect electronic systems.

Slide 22: Administrative Safeguards

Among other requirements, a covered entity should ensure that policies and procedures are in place to address violations, and that they are applied fairly.

Slide 23: Physical Safeguards

There are strategies that can be utilized to limit access. A worker should only have access to areas of the office that are applicable to their job.

Slide 24: Technical Safeguards

If an employee is responsible for assembling charts for one doctor, they should not have access to another doctor's patient records unless it is necessary to fulfill their job duties. A covered entity will also want to conduct an audit to assess whether someone is accessing files not required for their job. The unique ID or password individuals are given to sign on can be a useful tool for evaluating the information they are accessing.
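As an added illustration of the audit this slide describes (not part of the original lecture), the following Python script, using constructed sample log lines and constructed job assignments, flags chart accesses that fall outside a worker's assigned doctor or that come from a sign-on ID the agency does not recognize:

```python
import csv
from io import StringIO

# Constructed sample: one line per record access, as a chart system's audit
# log might emit it. Fields: timestamp, the user's unique sign-on ID, the
# patient id, and the doctor whose chart the patient belongs to.
ACCESS_LOG = """\
timestamp,user_id,patient_id,doctor
2012-03-01T08:02:11,clerk_ann,P1001,dr_lee
2012-03-01T08:05:47,clerk_ann,P1002,dr_lee
2012-03-01T08:09:30,clerk_ann,P2001,dr_patel
2012-03-01T08:12:03,clerk_bob,P2002,dr_patel
2012-03-01T08:15:55,clerk_bob,P1003,dr_lee
2012-03-01T08:17:20,clerk_bob,P1001,dr_lee
2012-03-01T08:20:41,nurse_cy,P3001,dr_kim
2012-03-01T08:22:00,temp_user,P1004,dr_lee
"""

# Constructed job assignments: which doctor(s) each user assembles charts for.
# Only IDs listed here are recognized sign-on IDs.
ASSIGNMENTS = {
    "clerk_ann": {"dr_lee"},
    "clerk_bob": {"dr_patel"},
    "nurse_cy": {"dr_kim"},
}


def audit_access(log_text, assignments):
    """Return the log rows where a user opened a chart outside the doctors
    they are assigned to, or where the user id is not a recognized ID."""
    flagged = []
    for row in csv.DictReader(StringIO(log_text)):
        allowed = assignments.get(row["user_id"])
        if allowed is None or row["doctor"] not in allowed:
            flagged.append(row)
    return flagged


def summarize(flagged):
    """Count out-of-scope accesses per user, so a reviewer can separate a
    single stray access from a repeated pattern that needs follow-up."""
    counts = {}
    for row in flagged:
        counts[row["user_id"]] = counts.get(row["user_id"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = audit_access(ACCESS_LOG, ASSIGNMENTS)
    for row in hits:
        print(f"{row['timestamp']} {row['user_id']} opened {row['patient_id']} ({row['doctor']})")
    print(summarize(hits))
```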

Slide 25: Technical Safeguards (cont.)

Implementing an effective password and an encryption system is important for workstations and portable devices. If a laptop with patient data is stolen, will the thief be able to access files?

Slide 26: Enforcement of HIPAA

Although both the Centers for Medicare and Medicaid Services and the Office for Civil Rights are divisions of the Department of Health and Human Services, each has different responsibilities regarding the enforcement of HIPAA.

Slide 27: Violation of HIPAA Privacy and Security Rules

What people may not know is that individuals and health care entities can be fined and sent to jail for violating HIPAA regulations. This is why it is extremely important that individuals who work in a public health agency that is a covered entity understand the applicable laws. Individuals and covered entities can be fined for a single violation, and the date of the violation determines the monetary penalties.

Slide 28: Violation of HIPAA Privacy and Security Rules (cont.)

The seriousness of such a violation is evident in the changes of monetary penalties when comparing those that occurred prior to 2/18/2009 and those on or after 2/19/2009.

Slide 29: Violation of HIPAA Privacy and Security Rules (cont.)

Based on the intent of the violation, fines are increased, and individuals may receive imprisonment.

Slide 30: ARRA/HITECH

The most recent proposed additions to HIPAA come from the HITECH Act, which extended direct OCR enforcement in certain areas to business associates and included a breach notification provision. As technology continues to advance, professionals need to be aware of the laws that accompany those advancements.

Slide 31: Breach Notification

The Breach Notification Rule was promulgated under the HITECH Act and applies to covered entities and their business associates. Public health agencies that are not covered by HIPAA should consult state or local law to find out what is required of them in case of a breach.

Slide 32: Breach Notification Rule

The responsibilities of a covered entity regarding a breach depend on the number of individuals affected. For example, if a breach affected more than 500 individuals, the covered entity is expected to notify the Secretary of the United States Department of Health and Human Services without unreasonable delay, and no later than 60 days. If fewer than 500 individuals were affected, the breach must be reported annually, within 60 days of the end of the calendar year in which it happened.

Slide 33: Accounting of Disclosures

The intent of the accounting of disclosures is to provide more detailed information for certain disclosures that are most likely to impact the individual. The accounting covers a three-year period and is applicable to covered entities and business associates. Covered entities must include excepted disclosures to public health agencies in their accounting, and must make it available to patients upon request.

Slide 34: Proposed Revisions to HIPAA Privacy Rule

The HITECH Act requires that covered entities and business associates be able to account for the disclosure of protected health information that was utilized for treatment, payment, and health care operations if the disclosures were made via an electronic health record. In May 2011, OCR released a notice of proposed rulemaking concerning these new accounting for disclosure requirements. A final rule has not yet been released.

Slide 35: Summary

As technology continues to evolve, the protection and accountability of protected health information must progress with it. Since the breach notification requirements were implemented, many breaches have been reported. The revision of current Acts such as HIPAA, and the passage of new ones, strive to protect patient information and to make covered entities and business associates accountable. This is all part of the complex process of protecting patient information while technology evolves to increase the quality, efficiency, and effectiveness of health care services.

Slide 36: References

No audio

Slide 37: References (cont.)

No audio

Health IT Workforce Curriculum: Public Health IT

Version 3.0 / Spring 2012: Privacy, Confidentiality and Security of Public Health Information

This material (Comp13_Unit2) was developed by Columbia University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number 1U24OC000003.