The Culture of Healthcare: Privacy, Confidentiality, and Security


The Culture of Healthcare
Privacy, Confidentiality, and Security
Lecture c
This material (Comp2_Unit9c) was developed by Oregon Health and Science University, funded by the Department of Health
and Human Services, Office of the National Coordinator for Health Information Technology under Award Number
IU24OC000015.
Privacy, Confidentiality, and Security: Learning Objectives
- Define and discern the differences between privacy, confidentiality, and security (Lecture a)
- Discuss the major methods for protecting privacy and confidentiality, including through the use of information technology (Lecture b)
- Describe and apply privacy, confidentiality, and security under the tenets of the HIPAA Privacy Rule (Lecture c)
- Describe and apply privacy, confidentiality, and security under the tenets of the HIPAA Security Rule (Lecture d)
2
Health IT Workforce Curriculum
Version 3.0/Spring 2012
The Culture of Healthcare
Privacy, Confidentiality, and Security
Lecture c
HIPAA Privacy and Security
- General history of law, identifier standards, and transaction standards already described
- Privacy Rule: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/
- Security Rule: http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html
- Both enhanced with ARRA/HITECH legislation in 2009 (Federal Register, 2009; http://www.hhs.gov/ocr/privacy/)
- Many summaries available (ID Experts, 2009; BridgeFront, 2009; Leyva, 2011)
- Rules finalized and to go into effect in 2012
HIPAA Privacy Rule
- Applies to covered entities (CEs): any entity that bills electronically
  - Healthcare providers: clinicians, hospitals, clinics, etc.
  - Health plans: HMOs, insurance companies, etc.
  - Healthcare clearinghouses: billing services
- Patient must authorize any disclosure, with the exception of treatment, payment, or operations (TPO); i.e., the rule does not preclude healthcare providers from sharing data for patient care, a not-uncommon misunderstanding (Houser, 2007)
Physician Oaths of Privacy are Not New
- Oath of Hippocrates, 5th century BC (AAPS, nd.)
  "All that may come to my knowledge in the exercise of my profession or outside of my profession or in daily commerce with men, which ought not to be spread abroad, I will keep secret and never reveal."
- Declaration of Geneva, 20th century (AAPS, nd.)
  "I will respect the secrets which are confided in me, even after the patient has died."
What is Covered?
- Protected Health Information (PHI)
  - Collected from patient and created by covered entity (CE)
  - Individually identifiable
  - Electronically transmitted (in reality, all information)
  - Extends to covered entities or business associates
  - De-identified information is not covered
- Pre-emption
  - HIPAA trumps state law if state law is less protective of privacy and security, but state laws that go beyond the HIPAA protections are not nullified by HIPAA and must be followed
Identifiers Contained in Protected Health Information (PHI)
- Name
- Address (street address, city, county, zip code)
- Names of relatives
- Names of employers
- E-mail address
- Fax number
- Telephone number
- Birth date
- Finger or voice prints
- Photographic images
- Social security number
- Internet protocol (IP) address
- Any vehicle or device serial number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Web URL
- Any other unique identifying number, characteristic, or code
Key Privacy Compliance Areas
- Notice of privacy practices
- Authorization
- Business associates
- Allowable disclosures
- Marketing
- Physician and staff training
- Penalties
Notice of Privacy Practices
- Patient has right to
  - Adequate notice of privacy practices
  - Uses and disclosures of PHI
  - Description of individual rights
  - Covered entity's legal duties
- One problem is readability: NPP forms read at a level comparable to medical journal articles, beyond the reading level of 80% of US adults (Breese, 2005)
- Physicians' requirements for obtaining NPP consent include
  - Good faith effort to obtain acknowledgement during first provision of in-person service
  - Failure to obtain is not penalized (per Bush administration revision)
Other Aspects of Privacy Practices
- Must be written in plain language
- Practices/organizations must state they preserve the right to change the Notice of Privacy Practices
- There must be a complaint process
- Practices/organizations must designate a privacy official in the office
- See OHSU examples of Notice of Privacy Practices (NPP): http://www.ohsu.edu/xd/about/services/integrity/ips/npp.cfm/
Authorizations
- Providers must obtain an authorization before using PHI for purposes other than TPO
- They may not condition treatment on an individual's authorization
- CEs must make reasonable safeguards to limit the use or disclosure of PHI to the minimum amount necessary
  - Non-treatment disclosure governed by Minimum Necessary standard (HHS OCR, 2003)
Authorizations Must Include
- Names of authorized persons making use or disclosure
- Description of information
- Expiration date or expiration event
- Patient's right to revoke and instructions on how to do so
- Purpose of use or disclosure
- Signature and date
Business Associates
- Agents, contractors, or others doing work on behalf of a CE and using or disclosing PHI, such as
  - Billing companies
  - Vendors (with access to PHI)
- In original HIPAA, CEs had to obtain satisfactory assurances of privacy protections for Business Associates (BAs), but in HITECH enhancements, BAs are now directly accountable to HHS for compliance
- Each BA must sign agreement with CE
- BAs subject to breach notification rules
- BAs include health information exchanges, PHR vendors who work with CEs, etc.
Allowable Non-TPO Disclosures
- Research (overview: HHS, 2004)
  - Authorization by patient is generally required
  - Authorization waiver can be provided by an Institutional Review Board (IRB) or Privacy Board approval
    - Must involve no more than a minimal risk
    - Research could not be practically conducted without waiver and without access to PHI
- Public Health
  - Can be disclosed to public health agencies for public health activities
  - Also allowed for child abuse reporting, exposure to communicable diseases, and workforce surveillance
- Other
  - Law enforcement
  - Decedents
  - Cadaveric tissue donation
Marketing
- Defined as a communication about a product/service that encourages recipients of the communication to purchase/use the product/service
- Using PHI for marketing requires authorization from the individual
- For providers, a communication is not marketing if it concerns treatment, such as
  - Therapy recommendation
  - Appointment notification
  - Prescription refills
Physician and Staff Training
- Practices/organizations must
  - Designate a Privacy Officer
  - Develop policies and procedures
  - Provide privacy training to workforce
  - Develop a system of sanctions for employees who violate the privacy law
Penalties
- Enforced by HHS Office for Civil Rights (OCR, http://www.hhs.gov/ocr/privacy/)
- Penalties higher for willful neglect, i.e., offender knew about violation or was recklessly indifferent
- Original HIPAA criticized for modest penalties and minimal prosecutions
- HITECH increased severity of penalties
  - Tiered penalty structure ranging from $25,000 to $1.5M per year, with $100 to $50,000 per violation (for each record)
Does the HIPAA Privacy Rule Protect Privacy?
- Reviews by NCVHS (Lumpkin, 2004) and GAO (2004) found adherence less problematic than anticipated
- Major concerns relate to difficulty in performing clinical research
  - Finding and accessing patients for research more difficult (Armstrong, 2005)
  - Two-thirds of researchers surveyed reported more difficulty in work while only one-quarter believed privacy enhanced (Ness, 2007)
  - Reports from AAHC (2008) and IOM (2009) argue for revision to make research easier
- Also concerns with implications for public health (Kamoie, 2004)
- Another view calls for less emphasis on consent and more on a framework that makes for easier sharing of TPO (with some modifications of O) with more rigorous restrictions on other uses, such as marketing (McGraw, 2009; McGraw et al., 2009)
Other Modifications in HITECH
- Breach notification: breaches affecting 500 or more patients must be reported to local media and HHS OCR (http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html)
- Restrictions on disclosures: information about services paid for out of pocket must be withheld from payers upon request
- TPO disclosures must be tracked and records maintained for three years
- CEs with EHRs must provide or transmit PHI in electronic format as directed by patient
- Patients can opt out of fundraising appeals
Privacy, Confidentiality, and Security: Summary, Lecture c
- HIPAA Privacy Rule restricts disclosure of information not authorized by a patient; it has been enhanced in the HITECH Act
- Patient authorization is not required for treatment, payment, or operations (TPO)
- HIPAA Privacy Rule defines covered entities that must adhere and defines business associates of those entities that also must adhere
Privacy, Confidentiality, and Security: References, Lecture c

Anonymous. (2007b). Security 101 for Covered Entities. Baltimore, MD: Centers for Medicare and Medicaid Services. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/security101.pdf

Anonymous. (2009a). 2009 HIMSS Analytics Report: Evaluating HITECH's Impact on Healthcare Privacy and Security. Chicago, IL: HIMSS Analytics. Retrieved from http://haprod.himssanalytics.org/docs/ID_Experts_111509.pdf

Anonymous. (2009b). Impact of the American Recovery & Reinvestment Act of 2009 on HIPAA Privacy & Security. Beaverton, OR: Bridgefront. Retrieved from http://www.hipaarx.net/downloads/ARRA_HIPAA_White_Paper.pdf

Armstrong, D., Kline-Rogers, E., Jani, S., Goldman, E., Fang, J., Mukherjee, D., . . . Eagle, K. (2005). Potential impact of the HIPAA privacy rule on data collection in a registry of patients with acute coronary syndrome. Archives of Internal Medicine, 165, 1125-1129.

Association of American Physicians and Surgeons, Inc. (nd.). Oath of Hippocrates; Declaration of Geneva of the WMA. Retrieved Jan 2012 from http://www.aapsonline.org/ethics/oaths.htm

Breese, P., & Burman, W. (2005). Readability of notice of privacy forms used by major health care institutions. Journal of the American Medical Association, 293, 1593-1594.

Houser, S., Houser, H., & Shewchuk, R. (2007). Assessing the effects of the HIPAA privacy rule on release of patient information by healthcare facilities. Perspectives in Health Information Management, 23(4), 1. Retrieved from http://www.pubmedcentral.nih.gov/articlerender.fcgi?pubmedid=18066351

Kamoie, B., & Hodge, J. (2004). HIPAA's implications for public health policy and practice: guidance from the CDC. Public Health Reports, 119, 216-219.

Leyva, C., & Leyva, D. (2011). HIPAA Survival Guide for Providers: Privacy & Security Rules, Third Edition. Largo, FL: HITECH Survival Guide.
McGraw, D. (2009). Rethinking the Role of Consent in Protecting Health Information Privacy. Washington, DC: Center for Democracy & Technology. Retrieved from http://www.cdt.org/healthprivacy/20090126Consent.pdf

McGraw, D., Dempsey, J., Harris, L., & Goldman, J. (2009). Privacy as an enabler, not an impediment: building trust into health information exchange. Health Affairs, 28, 416-427.

Nass, S., Levit, L., & Gostin, L. (Eds.). (2009). Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: National Academies Press.

Ness, R. (2007). Influence of the HIPAA Privacy Rule on health research. Journal of the American Medical Association, 298, 2164-2170.