HIPAA

BOB BROWN

Improving the Privacy and Security of Personal Health Records

Two New Initiatives May Help Improve the Privacy and Security of Online PHI Not Currently Protected by HIPAA

Bob Brown, PhD, is the director of Health Information Technology, Michigan State University Kalamazoo Center for Medical Studies.

In my HIPAA article published in the May-June 2007 issue of the Journal of Health Care Compliance, I reported on the spread of online personal health record (PHR) systems and the lack of any consistent mandatory or voluntary standards for protecting the privacy and security of individually identifiable health information contained in these systems. Since the publication of that article, the use of PHRs has accelerated, especially with the introduction of PHRs by such experienced Internet technology companies as Google and Microsoft.

With millions more people signing up for PHRs, the lack of standards for protecting the sensitive personal data contained in these systems has become even more worrisome. Two recent developments, however, may help to significantly improve the privacy and security of PHRs.

On December 15, 2008, the Office of the National Coordinator for Health Information Technology (ONC) released a document entitled “Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identified Health Information”. The Framework is a short document containing eight principles designed to establish a consistent approach to addressing the privacy and security challenges of online PHRs and electronic health information exchanges (HIEs), regardless of whether or not the organization operating the PHR or HIE service is an entity covered by the Health Insurance Portability and Accountability Act (HIPAA) standards. In keeping with the voluntary self-regulation and public-private partnership models encouraged by the Bush administration, these principles are not required standards but are rather “principles…expected to guide the actions of all health-related persons and entities that participate in a network for the purpose of electronic exchange of individually identifiable health information.” (p. 6) The principles were developed after an ONC review of a variety of privacy and security standards, best practices, guidelines, and other documents from authoritative sources such as the Organization for Economic Cooperation and Development, the International Security Trust and Privacy Alliance, the Federal Trade Commission, and the HIPAA privacy and security standards.

The eight principles are (1) individual access; (2) correction; (3) openness and transparency; (4) individual choice; (5) collection, use, and disclosure limitation; (6) data quality and integrity; (7) safeguards; and (8) accountability.

Journal of Health Care Compliance — March – April 2009 39


INDIVIDUAL ACCESS

Individuals should be provided with easy access to their online individually identifiable health information. This principle emphasizes that one of the main purposes of a PHR or an HIE should be to provide the information to individuals that they need to manage their health and health care. Even though HIPAA granted the individual the right to access his or her individually identifiable health information, covered entities typically make access difficult and rarely provide online access. This principle comes down clearly in favor of providing easy electronic access to the full range of individually identifiable health information to patients.

CORRECTION

Individuals should have access to a straightforward process for correcting what they believe are mistakes in their individually identifiable health information. There also should be a clear record of what was corrected and by whom. In cases in which the individual believes that the individually identifiable health information is incorrect and the clinician who created the information does not agree to change it, there should be a process for documenting, displaying, and transmitting the individual’s disagreement with the individually identifiable health information in question.

OPENNESS AND TRANSPARENCY

All policies, procedures, and technologies that are employed to collect and disseminate individually identifiable health information should be made available to the individual in an understandable form. Individuals should be able to learn how their information is collected, who collects it, who sees it, how it is used, and what control they have over the information. The policies and procedures governing the use and disclosure of individually identifiable health information should be available before any uses and disclosures occur.

INDIVIDUAL CHOICE

Individuals should be provided with maximum reasonable control over the use and disclosure of their individually identifiable health information. If possible, individuals should be allowed to control which specific types or specific items of individually identifiable health information are disclosed to specific types of recipients or specific individual recipients.

COLLECTION, USE, AND DISCLOSURE LIMITATION

Individually identifiable health information should be collected, used, and disclosed only to the extent required to accomplish the purpose as specified in the policies and procedures associated with the use or disclosure.

DATA QUALITY AND INTEGRITY

Persons and entities collecting and transmitting data should take reasonable steps to ensure that individually identifiable health information is complete, accurate, and up-to-date and that it has not been altered or destroyed in an unauthorized manner.

SAFEGUARDS

Persons and entities collecting and transmitting individually identifiable health information should implement reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.

ACCOUNTABILITY

Implementation and adherence to these principles should be verified through appropriate auditing, monitoring, and other procedural and technical processes. Robust comprehensive compliance monitoring systems should be in place to detect and correct problems and to mitigate harm caused by breaches.

Because the Framework is a guidance document, there is no statutory requirement for PHR vendors and others involved in the collection and transmission of individually identifiable health information to follow the principles outlined in the document. Likewise, there are no sanctions or enforcement mechanisms that can be applied to those who do not follow the principles, but there are other factors in the PHR environment that will likely help ensure that these principles will be incorporated into PHRs.

The Certification Commission for Healthcare Information Technology (CCHIT) is an independent, voluntary, private-sector initiative that has been designated by the Department of Health and Human Services (HHS) as a recognized certification body for electronic health records (EHRs) and their networks. CCHIT has announced that starting in 2009 it will certify PHRs. CCHIT has published a draft of the criteria it proposes to use to certify PHRs. While the current draft incorporates most of the principles contained in the Framework, CCHIT has announced that it will review and revise the current criteria to make sure they are consistent with the eight Framework principles.

In the EHR market, CCHIT certification has established itself as a requirement in the marketplace; for the most part providers will not accept any EHR that is not CCHIT certified. Thus, it is likely that CCHIT certification will become a de facto requirement for PHRs as well.

The report “Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identified Health Information” is available at www.hhs.gov/healthit/documents/NationwidePS_Framework.pdf. The Certification Commission for Healthcare Information Technology draft standards for PHRs are available at www.cchit.org/files/comment/09/02/CCHITCriteriaPHR09Draft02.pdf.
