HIPAA - Zoo | Yale University


HIPAA
Health Insurance Portability and Accountability Act of 1996
Adam Cushner

Outline
• Overview of HIPAA
• Specifics of HIPAA
• Suggestions for implementation
• Effects
• Problems
• Questions

An Act
To amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes.

• Signed by President Bill Clinton on July 21, 1996
• Named because it was originally about, well, the portability of health insurance. The focus, however, is on the privacy of medical records
• Passed partly because of the failure of Congress to pass comprehensive health insurance legislation earlier in the decade

General Objectives
• Increase the number of employees who have health insurance
• Reduce health care fraud and abuse
• Introduce/implement administrative simplifications in order to augment the effectiveness of health care in the US
• Protect the health information of individuals against access without consent or authorization

Even More General Objectives
• Give patients more rights over their private data
• Set better boundaries for the use of medical information
• Hold people accountable for misuse
• Encourage administrative simplification (in the form of digitalization of information) to help reduce costs

General Objectives for Information
• Ensure privacy and security of health information by designating Protected Health Information (PHI)
– PHI, for example, must be treated in the same way in which you would treat someone’s tissue (with regard to privacy)
• Set a standard for data using Electronic Data Interchange (EDI)

Dynamically HIPAA
• HIPAA’s goals, in a sense, are aimed at a moving target:
– Technologies to help implement HIPAA are constantly changing
– Attitudes towards privacy are changing
– Also, there is not much empirical evidence to show whether HIPAA is doing what it set out to do (e.g. reduce costs)

Outline
• Overview of HIPAA
• Specifics of HIPAA
• Suggestions for implementation
• Effects
• Problems
• Questions


What HIPAA Directly Affects
• Covered Entities
– Health plans
– Health care clearinghouses
– Health care providers who transmit health information in electronic form for certain standard transactions
• Pending ideas:
– National Provider IDs
– National Employer IDs
– National Health Care IDs
– National Individual IDs

Security Regulations
• Contingency Plan
• Access Control
• Audit Control
• Person or Entity Authentication

Contingency Plan
(A) Data backup plan. Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
(B) Disaster recovery plan. Establish (and implement as needed) procedures to restore any loss of data.
(C) Emergency mode operation plan. Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.

Access Control
• Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in [164.308(a)(4)].
• Difficulties in implementation:
– Too much or too little access.

Audit Control
• Allow reviews of usage statistics to check for potential misuse

Person or Entity Authentication
• Procedures to identify users seeking information

Security Regulations Wrap-up
• Essentially, use the rules that any good company would use to protect its data
– Difficult in the health care profession because so many people need access to patients’ information
• The rules and ideas for data protection are also mandated on the human side of things
– E.g. training of employees, physical protection of data storage facilities.

Privacy Rule
• Different types of protected data:
– Protected Health Information (PHI): previously defined
– Individually Identifiable Health Information (IIHI)
– De-identified Health Information
– Limited Data Sets

Privacy Rule (cont)
• IIHI
– includes any subset of health information, including demographic information collected from an individual, that:
– identifies the individual (or there is a reasonable basis to believe that the information can be used to identify the individual).

Privacy Rule (cont)
• De-identified Health Information:
– Health information is considered de-identified when it does not identify an individual and the covered entity has no reasonable basis to believe that the information can be used to identify an individual. Information is considered de-identified if 17 identifiers are removed from the health information and if the remaining health information could not be used alone, or in combination, to identify a subject of the information. Identifiers include:
(1) names,
(2) geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code and equivalent geocodes, except for the initial three digits of a zip code (which may otherwise be changed to 000),
(3) all elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, and all ages over 89,
(4) telephone numbers,
(5) fax numbers,
(6) electronic mail addresses,
(7) Social Security numbers,
(8) medical record numbers,
(9) health plan beneficiary numbers,
(10) account numbers,
(11) certificate/license numbers,
(12) vehicle identifiers and serial numbers, including license plate numbers,
(13) device identifiers and serial numbers,
(14) Web Universal Resource Locators (URLs),
(15) biometric identifiers, including finger or voice prints,
(16) full face photographic images and any comparable images,
(17) Internet Protocol address numbers,
and any other unique identifying number, characteristic or code.

Privacy Rule (cont)
• Limited Data Sets may contain certain types of direct identifiers, while others must be removed:

Limited Data Sets
Direct identifiers that must be removed from the information for a limited data set are:
(1) name,
(2) address information (other than city, State, and zip code),
(3) telephone and fax numbers,
(4) e-mail address,
(5) Social Security number,
(6) certificate/license number,
(7) vehicle identifiers and serial numbers,
(8) URLs and IP addresses,
(9) full face photos and other comparable images,
(10) medical record numbers, health plan beneficiary numbers, and other account numbers,
(11) device identifiers and serial numbers,
(12) biometric identifiers including finger and voice prints.

Limited Data Sets
Identifiers that are allowed in the limited data set are:
(1) admission, discharge and service dates,
(2) birth date,
(3) date of death,
(4) age (including age 90 or over),
(5) geographical subdivisions such as state, county, city, precinct and five digit zip code.
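The two slides above describe two different reductions of the same patient record: a Limited Data Set keeps dates, age and coarse geography while dropping direct identifiers, whereas de-identified data also strips dates to the year, ages over 89 and any geography below the state and 3-digit ZIP prefix. The following added example (mine, not from the slides or from Yale) applies both profiles to a constructed record; the field names, the sample record and the zero_zip_prefixes parameter are assumptions, since the slides name the identifier categories but no schema or population threshold for zeroing a ZIP prefix.

```python
from datetime import date

# Constructed field names for a patient record (not a real schema). These are the
# direct identifiers the slides say must be removed under both profiles.
DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "beneficiary_number", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
})
# Allowed in a Limited Data Set but not in fully de-identified data.
SUB_STATE_GEO = frozenset({"county", "city", "precinct"})
DATE_FIELDS = frozenset({"birth_date", "admission_date", "discharge_date", "death_date"})


def limited_data_set(record):
    """Limited Data Set: drop direct identifiers; keep dates, age and geography."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def de_identify(record, zero_zip_prefixes=frozenset()):
    """De-identified data per the slides' list: on top of the Limited Data Set,
    reduce dates to the year, collapse ages over 89, drop geography below the
    state, and keep only the 3-digit ZIP prefix (zeroed for prefixes the caller
    flags; the slides give no population threshold, so that is left to the caller)."""
    out = limited_data_set(record)
    for field in DATE_FIELDS.intersection(out):
        out[field] = out[field].year          # all elements of dates except year
    if out.get("age", 0) > 89:
        out["age"] = "90+"                    # the Privacy Rule allows a single 90-or-older bucket
    for field in SUB_STATE_GEO:
        out.pop(field, None)                  # geographic units smaller than a state
    if "zip" in out:
        prefix = str(out["zip"])[:3]
        out["zip"] = "000" if prefix in zero_zip_prefixes else prefix
    return out


def residual_identifiers(record):
    """Check step: which direct identifiers are still present in a record."""
    return DIRECT_IDENTIFIERS.intersection(record)


# Constructed, fictitious record used to exercise both transforms.
SAMPLE = {
    "name": "Jane Q. Sample", "ssn": "000-00-0000", "mrn": "MRN-12345",
    "email": "jane@example.invalid", "ip_address": "192.0.2.10",
    "street_address": "1 Example St", "city": "New Haven", "county": "New Haven",
    "state": "CT", "zip": "06510", "birth_date": date(1912, 3, 4), "age": 91,
    "admission_date": date(2003, 5, 6), "discharge_date": date(2003, 5, 9),
    "diagnosis": "bacteremia",
}

if __name__ == "__main__":
    print("limited data set:", limited_data_set(SAMPLE))
    print("de-identified:   ", de_identify(SAMPLE))
```

Running residual_identifiers on the output of either transform is the cheap check a covered entity can apply before releasing a data set; a non-empty result means the schema has a field the profile did not know about.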

Privacy Rule (cont)
• Deals with Individually Identifiable Health Information (IIHI) and Protected Health Information (PHI)
• Provides, for the first time ever, Federal protections for the privacy of protected health information
• Sets only a lower bound on protection – stricter state laws would not be trumped by this, but weaker ones would
• Requires notification of information practices

Privacy Rule (cont)
• Gives patients more control over their information
• Sets boundaries on the release of information
• Holds violators accountable with civil and criminal penalties
• Allows for data to be released if it aids public health (e.g. statistics about a disease, de-identified patient data)

Privacy Rule (cont)
• Compliance date of April 14th, 2003 (2004 for certain small covered entities)
• Designed entirely to control the propagation and dissemination of electronic information

Privacy Rule (cont)
• Basically, data is allowed to be accessed on a need-to-know basis
– E.g. use for health-care specific operations
• Fundraising, marketing, and research usually require separate and specific patient authorizations

Privacy Standards
• Must have a procedure for complaints to be filed
• Covered Entities cannot require individuals to waive their rights regarding HIPAA
• Deceased patients’ information is still protected by HIPAA

Minimum Necessary
• When using or disclosing protected health information or when requesting protected health information from another covered entity, a covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request
• Does not apply to:
– Health care providers
– Individuals concerning their own information
– Certain legal needs

Disclosures to Business Associates
• A covered entity may disclose protected health information to a business associate and may allow a business associate to create or receive protected health information on its behalf, if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information

Disclosures to Business Associates (cont)
• A contract between a CE and a business associate must ensure that the associate will essentially comply with HIPAA.

Whistleblower Protection
• Disclosures by whistleblowers:
(i) The workforce member or business associate believes in good faith that the covered entity has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by the covered entity potentially endangers one or more patients, workers, or the public; and

Whistleblower Protection (cont)
(ii) The disclosure is to:
(A) A health oversight agency or public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of the covered entity or to an appropriate health care accreditation organization for the purpose of reporting the allegation of failure to meet professional standards or misconduct by the covered entity; or
(B) An attorney retained by or on behalf of the workforce member or business associate for the purpose of determining the legal options of the workforce member or business associate with regard to the conduct.

Research Privacy Rules
• Based on HHS regulations from the 1970s that are now known as the “Common Rule”
• Because HIPAA applies to care and not to research, this rule is still largely in effect
• De-identified information can still be used widely, but research databases with large amounts of identifiable patient data cannot

Research Privacy Rules (cont)
• Requirements for tracking and accounting of disclosures of patient data used in research where no patient authorization is obtained
• Restrictions on recruitment of patients for clinical studies
• Restrictions on the creation and maintenance of databases containing identifiable individual health data for research use

Research Privacy Rules (cont)
• A requirement for a separate patient authorization for the use of health data for research
– A consent for treatment cannot be combined with consent for research
• Creates a substantial burden on the conduct and oversight of human studies
– Authorizations for research data must specify exactly which data can be used by whom and for what purposes
– May be time-limited
– Can be rescinded at any time, although not retroactively
– Low-risk studies might not require authorization

Requirements of Authorizations
• a description of the information to be used for research purposes;
• who may use or disclose the information;
• who may receive the information;
• purpose of the use or disclosure;
• expiration date of authorization;
• how long the data will be retained with identifiers;
• individual’s signature and date;
• right to revoke authorization;
• right to refuse to sign authorization (if this happens, the individual may be excluded from the research and any treatment associated with the research);
• if relevant, that the research subject’s access rights are to be suspended while the clinical trial is in progress, and that the right to access PHI will be reinstated at the conclusion of the clinical trial;
• that information disclosed to another entity in accord with an authorization may no longer be protected by the rule.

Dept. of Health and Human Services (HHS)
• Privacy and security regulations were created by HHS
• Done so because of a key provision in HIPAA which said that if Congress did not specify these regulations by 1999, HHS had to do it
• Final privacy regulations issued in late 2000; final security regulations issued in February 2003

Punishments for Wrongful Use or Disclosure of PHI
• Up to $50,000 and 1 year in jail
• If under false pretenses, $100,000 and 5 years in jail
• If with intent to sell, up to $250,000 and 10 years in jail

Outline
• Overview of HIPAA
• Specifics of HIPAA
• Suggestions for implementation
• Effects of HIPAA
• Problems
• Questions


Technologies
• Application Service Providers (ASPs)
• Virtual Private Networks (VPNs)
• Biometrics
• Information Lifecycle Management (ILM)*

* Actually, a collection of technologies

ASPs
• Provide backend hardware and software
• Rent their services, usually on a monthly or yearly schedule, as opposed to licensing their software
– They take the responsibility of upgrading their software and hardware
• Many in the health care field rely on ASPs. As a result, they are affected by HIPAA because covered entities must ensure that ASPs are HIPAA compliant.

ASPs and HIPAA
• Must be cautious about scalability of security
• Because information is transmitted between the covered entities and the ASPs, it must be protected (by some sort of cryptography)
– Good solution: use a VPN

VPNs
• Basically, a temporary, secure link over a public network (e.g. the internet)
• Cheaper than having a dedicated line

Biometrics
• Good way to uniquely identify people or entities
• Unfortunately, many current biometric technologies are easily fooled
• Not currently used very much

Information Lifecycle Management
• A system for assessing the use of data and, based on usage, classifying data for efficiency of access and storage
• Basic principles of ILM:
– Assessment
– Classification
– Automation

Outline
• Overview of HIPAA
• Specifics of HIPAA
• Suggestions for implementation
• Effects of HIPAA
• Problems
• Questions


Dates of Compliance
• 10/16/2002 – Transactions and code sets
• 4/14/2003 – Privacy Rule
• 4/14/2003 – Business Associates
• 4/20/2005 – Security Rule

Effects
• HIPAA caused a large number of commercial products supporting HIPAA to proliferate.
• Large financial strain on CEs to implement changes to infrastructure capable of supporting HIPAA

Effects (cont)
• Too early to tell how effective HIPAA is/will be, both for increasing privacy and for the efficiency/economy of data information exchange.

Outline
• Overview of HIPAA
• Specifics of HIPAA
• Suggestions for implementation
• Effects of HIPAA
• Problems
• Questions


Cases in which HIPAA caused problems
A patient between 50 and 70 years of age (exact age and sex withheld in compliance with HIPAA) underwent cardiac transplantation at the Tufts-New England Medical Center. The care team was notified two days after the operation that the donor's blood cultures had revealed bacteremia. The infectious-disease consultant contacted the hospital that had cared for the donor to ascertain the identity of the bacterium so that antibiotic therapy could be properly tailored for the now-immunosuppressed recipient. The donor's hospital stated that providing such information would violate HIPAA, since the hospital did not have authorization (from the now-deceased donor), notwithstanding the fact that time was of the essence for the recipient. Although clinical common sense should make this scenario a non-issue, HIPAA impeded clinical care.

Cases in which HIPAA caused problems (cont)
A patient between 40 and 50 years of age was referred to a cardiologist for the urgent evaluation of chest pain after an exercise stress test. With the patient in the examination room, the cardiologist asked that the tracings from the stress test be faxed for his review. At that time, the patient was extremely anxious. The referring facility refused to fax the tracings, stating that using a fax would violate HIPAA, notwithstanding the patient's oral demand that the tracings be faxed and assurance that the receiving fax machine was in a secure location. Although the tracings were eventually received, this misinterpretation of the HIPAA privacy regulation added two full hours to this patient's evaluation. The patient became upset and required urgent catheterization and angioplasty the next day.

Life Insurance, Disability Insurance, and Workers Comp
• Currently, HIPAA only applies to health care providers, clearinghouses, and plans, all of which need access to PHI. It does not address, however, life insurance, disability insurance, and workers comp, even though they all require access to PHI.
• Many companies are taking a "better too much than not enough" approach in which they will often protect information relating to these three things.
• Still, some PHI is left unprotected.

Possible detrimental effects on:
• Research
• Care

Problem to consider
• An employee of a blood bank gets a call from a hospital asking what the transfusion history is of a patient he is transfusing. How do you know the person calling really has a right to know such info? How do you ID that person?

Outline
• Overview of HIPAA
• Specifics of HIPAA
• Suggestions for implementation
• Effects of HIPAA
• Problems
• Questions
