Online Security, a global provider of computer forensics and information technology risk mitigation since 1997


  HIPAA Privacy Overview  


   
  Can physicians comply with HIPAA and still do their job?

 
  HIPAA Privacy primer
Posted: Jun 05 2002
Hal Amens

HIPAA Privacy

This Web document contains articles about privacy in the context of the Health Insurance Portability and Accountability Act (HIPAA).

They are reprinted from past issues of The HIPAA Implementation Newsletter. As appropriate, they have been edited to keep them current.

There is an issue number following the title of each article.

Issue #1 was published March 2, 2001.
Issue #24 was published December 21, 2001.
Issue #25 was the lead issue for 2002. This version includes all articles about privacy through Issue #26.

Privacy and security sometimes overlap and they are always related. Readers are advised to also look at the companion documents HIPAA Security 1 and HIPAA Security 2. There is a similar compilation of articles about transactions and code sets. The current issue of the newsletter is at lpf.com.

Status of Privacy and Security #1

Privacy regulations were released in December 2000. Due to an "unintended oversight" by the outgoing administration, they will not be considered final until April 14, 2001, and will go into effect two years after that ...

Definitions #1

HIPAA's major issues are defined by individually identifiable health information (IIHI) and protected health information (PHI). The final privacy regulations provide these definitions (§ 164.501 Definitions):

Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:

1. Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and

i. That identifies the individual; or

ii. With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Protected health information means individually identifiable health information: 1. [Except short list of defined exceptions], that is:

i. Transmitted by electronic media;

ii. Maintained in any medium described in the definition of electronic media at § 162.103 of this subchapter; or

iii. Transmitted or maintained in any other form or medium.

We will let the attorneys work on the definitions beyond here. The point is that almost any health care related information in almost any medium that is created or received by people in the health care industry or an employer is covered.

Data Paparazzi #5

The lack of standardization of the codes for medical information provided a form of security. Who knew what a "7" or anything else in a particular field meant. Now that there will be only one set of HIPAA codes and they are available on the Internet, we may soon see data paparazzi. Who's in what hospital? I wonder why they are there?

At least the guys with the cameras have to be at the right place at all hours of the day and night and occasionally take a fist in the nose. From a paparazzo's point of view, it is much better to sit in front of a computer well out of harm's way. Who will be the first to get a by-line in the National Enquirer on a story about the health of a star, executive or governmental official? That opportunity should raise the stakes in the hacker game.

Gramm-Leach-Bliley, The Other Privacy Law #5

Nine federal agencies have responsibility for enforcing Gramm-Leach-Bliley. Five of the agencies have coordinated publication of regulations: Department of the Treasury, Comptroller of the Currency, Federal Reserve System, Federal Deposit Insurance Corporation and the Office of Thrift Supervision. The Federal Trade Commission, Commodities Futures Trading Commission and the SEC have published rules in the Federal Register. We have not found any rules related to HIPAA published by the National Credit Union Administration.

All of the agencies that have published rules have included something similar to the following quotation from the SEC in their final regulations. The definition of "financial information" covered by the Act, "is extremely broad and may include, for instance, medical information and other types of information that might not commonly be thought of as financial. … We recognize that there could be areas of overlap between the rules adopted by HHS under HIPAA and the privacy rules. After HHS publishes its final rules, we will consult with HHS to avoid the imposition of duplicative or inconsistent requirements." Privacy regulations for medical information clearly extend beyond health care providers and health insurance plans. Efforts are promised to coordinate the relevant regulations across industries.

Privacy: Bush Administration Policy #7

On April 12, 2001 HHS Secretary Thompson issued the following statement:
"Today, I am pleased to announce that the President is taking a bold and definitive step to protect the rights of citizens to keep their medical records confidential. President Bush wants strong patient privacy protections put in place now. Therefore, we will immediately begin the process of implementing the patient privacy rule …The President considers this a tremendous victory for American consumers, who will continue to receive high-quality health care without sacrificing the confidentiality of their private health matters.

"Our department has received more than 24,000 written comments on this issue. We will keep these comments in mind as we continue to make sure patients receive the highest quality care and begin the process of issuing guidelines on how this rule should be implemented. … For example, to address some of the concerns raised in comments, we will make it clear through guidelines or recommended modifications that:
Doctors and hospitals will have access to necessary medical information about a patient they are treating and they will be able to consult with other physicians and specialists regarding a patient's care.

Patient care will be delivered in a timely and efficient manner and not unduly hampered by the confusing requirements surrounding consent forms. For example, pharmacists will be able to fill prescriptions over the phone and serve their customers in a timely manner."

Efforts to challenge the rules are continuing and, as noted by the Secretary, modifications will be made. That leaves providers and plans in the awkward position of meeting a specific deadline knowing that whatever they do is subject to change. On the other hand, the Bush Administration's policy on privacy is now quite clear.

Privacy: The Clock is Running #7

The bottom line: The rules became effective April 14 and the two-year clock for compliance is now running. Effective management processes are becoming increasingly important to assure the flexibility required to minimize cost and be compliant by the target dates.

Privacy Policy: An Initial Standard #10

Professor Peter Swire suggested that President Clinton defined a good starting point for privacy policies: "Do you have privacy policies you can be proud of? Do you have privacy policies you would be glad to have reported in the media? If so, your policies are far more likely to survive, and help your organization prosper in the Information Age."

Getting Started: Business Associates #10

The privacy regulations extend to consultants and others who are not providers or plans. Specifically: "business associate means, with respect to a covered entity, a person who: … (ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation … , management, administrative, accreditation, or financial services to or for such covered entity, … where the provision of the service involves the disclosure of individually identifiable health information …"
"A covered entity may disclose protected health information to a business associate and may allow a business associate to create or receive protected health information on its behalf, if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information. A covered entity must document the satisfactory assurances required … through a written contract or other written agreement or arrangement with the business associate …"

From the point of view of a consultant or other business associate, if there is a possibility that you may see or use protected health information, include appropriate arrangements in your contract.

From the point of view of a provider, start by inventorying business associate relationships and contracts (include renewal dates), be certain you have contracts for all business associates, develop appropriate terms and conditions to add to contracts as they are renewed, request renegotiation for any that will not otherwise be renewed before the privacy regulations are effective. To provide scope to the issue of business associates, the AHA estimates that hospitals may have between 50 and 750 business partners.

HHS Issues First Guidance On New Patient Privacy Protections #13

"The Department of Health and Human Services (HHS) issued the first in a series of guidance materials on new federal privacy protections for medical records and other personal health information on July 6. Topics include: General Overview, Consent, Minimum Necessary, Oral Communications, Business Associates, Parents and Minors, Health-Related Communications and Marketing, Research, Restrictions on Government Access to Health Information and Payment. The guidelines are available as a single document or section-by-section.

Just When You Thought It Was Safe - Your Data #13

Drug maker Eli Lilly and Co. last week inadvertently divulged the e-mail addresses of patients with depression, bulimia or obsessive-compulsive disorder, company officials said July 3. A June 27 e-mail message listed the addresses of more than 600 people who had signed up for an Internet service provided by Lilly to routinely send them reminders about taking the company's Prozac medicine or attending to other matters. This is a real world reminder that it takes extraordinary planning and management to achieve and maintain even ordinary levels of security.

Biotech: Beware of Privacy Breaches on Healthcare Websites. A video report [4.5 min] covers the story and notes there are about 20 similar Web sites. A study by George Washington University found inadequate security on most of them.

Privacy: Overview & Update #14

"Privacy is the sharp stick in the eye of the emerging Internet cyclops" is the opening line from the first of four articles on medical privacy in HealthLeaders magazine. That article reports that a survey in February by Modern Healthcare / PricewaterhouseCoopers found that more than 95% of hospital executives were taking some action with regard to the privacy requirements of HIPAA. However, the most frequently cited activity, 45%, was establishing a working group to monitor progress. The next largest category, just over 10%, was "assessed compliance."

The third article in the series reports that a survey of 45 independent physician associations covering 21,720 physician members with an average group size of 530 physicians indicates they are not doing as well as hospitals. Only two of the associations that participated in the survey provide a list of preferred vendors that can provide HIPAA services. Although 31% of IPAs said they outsource business functions, none provided a list of outsourcing vendors that are HIPAA compliant.

The fourth article deals with HIPAA and state laws. It includes a link to "State Laws and Proposed Changes." Links to these articles and the laws are on our Background page.

Privacy: Training #14

The second article in HealthLeaders magazine notes that, "Healthcare organizations must train all employees in privacy policies and procedures as necessary and appropriate … to carry out their function. Providers are required to document this training, and maintain that documentation for six years."

It also notes that, "For physician practices, a number of organizations and vendors are preparing to offer web-based or other training at a cost appropriate for an office practice. Be aware, however, that HIPAA requires a provider's workforce to be trained on the provider's specific policies and procedures; such training will need to be tailored to a specific organization's policies and procedures." There is another way to approach this. Most small organizations have neither the time nor expertise to develop effective policies and procedures. An alternative for some practices, and even smaller hospitals and other facilities, may be to find training material that is based on sound policies and procedures and adopt those. That way, you get the policies, procedures and appropriate training. A practice that uses this approach should look for a vendor that will update the material based on changes in regulations, technology and experience.

If you know of any vendors that offer privacy policies, procedures and training, let us know and we will consider adding them to our "Resources" pages. [mail]

Privacy: Students #14

The more we work with HIPAA, the broader the questions become, as illustrated by this article and the next. There has been an exchange of email on one of the newsletters we follow regarding HIPAA and students. One letter pointed out that the recent privacy guidelines include:

"Q: Do the minimum necessary requirements prohibit medical residents, medical students, nursing students, and other medical trainees from accessing patients' medical information in the course of their training?

"A: No. The definition of "health care operations" in the rule provides for conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers. Covered entities can shape their policies and procedures for minimum necessary uses and disclosures to permit medical trainees access to patients' medical information, including entire medical records." This deals with student access to data, but leaves open questions about what they do with that data. Students today almost always have personal computers that are essentially insecure and frequently attached to insecure networks. To the extent that students enter or copy data to their computers for use in analysis or the preparation of class material, a patient's information is put at risk.

There are some options including: only allowing students access to anonymized data (easy to agree to, but may be hard to implement because they are often dealing with "real time" data), providing on-site computers that are secure for student use (will create scheduling problems for the students), and ...
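The first option above, giving students only anonymized data, is easy to state and hard to do well. The example below is added here to show what "anonymized" has to mean in practice; it is not code from the newsletter or from any covered entity, and the record layout, field names, sample patients and key are all constructed for the example. Direct identifiers are dropped, the date of birth is coarsened to an age band, and the medical record number is replaced by a keyed pseudonym (HMAC, not a bare hash, because a numeric MRN space is small enough that an unkeyed hash can be reversed by hashing every candidate). The key stays with the covered entity, so the same patient maps to the same pseudonym across visits without the students ever holding the mapping.

```python
import hmac
import hashlib
import datetime as dt

# Constructed sample records (not real patients). The field names are an
# assumption for this example, not a schema from the newsletter.
SAMPLE_RECORDS = [
    {"mrn": "00012345", "name": "Jane Q. Public", "dob": "1954-03-17",
     "address": "12 Elm St, Missoula, MT", "phone": "406-555-0101",
     "email": "jqp@example.org", "admit_date": "2002-05-30",
     "diagnosis": "J18.9", "notes": "Pneumonia, responding to antibiotics."},
    {"mrn": "00012345", "name": "Jane Q. Public", "dob": "1954-03-17",
     "address": "12 Elm St, Missoula, MT", "phone": "406-555-0101",
     "email": "jqp@example.org", "admit_date": "2002-06-02",
     "diagnosis": "J18.9", "notes": "Follow-up; chest film clear."},
    {"mrn": "00098765", "name": "John Doe", "dob": "1921-11-02",
     "address": "7 Oak Ave, Butte, MT", "phone": "406-555-0199",
     "email": "jd@example.org", "admit_date": "2002-06-01",
     "diagnosis": "I10", "notes": "Hypertension, medication adjusted."},
]

# Reference date for age computation (constructed for the example).
AS_OF = dt.date(2002, 6, 5)

# Fields that identify a person directly; dropped outright.
DIRECT_IDENTIFIERS = {"mrn", "name", "address", "phone", "email"}

# Fields the teaching set keeps. Free-text notes are a known leakage
# channel (a clinician may write a name into them); a real release would
# review or redact them, which this example does not attempt.
KEPT_FIELDS = ("admit_date", "diagnosis", "notes")


def pseudonym(mrn: str, key: bytes) -> str:
    """Keyed pseudonym for a patient identifier (HMAC-SHA256, truncated).

    Stable for one key, so the same patient links across visits, but the
    key never leaves the covered entity, so students cannot reverse it."""
    return hmac.new(key, mrn.encode(), hashlib.sha256).hexdigest()[:16]


def age_band(dob: str, as_of: dt.date) -> str:
    """Replace date of birth with a ten-year age band; 90 and over are
    collapsed into one band because very old ages are rare enough to
    single a person out."""
    born = dt.date.fromisoformat(dob)
    age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
    if age >= 90:
        return "90+"
    lo = (age // 10) * 10
    return f"{lo}-{lo + 9}"


def deidentify(record: dict, key: bytes, as_of: dt.date) -> dict:
    """Build the version of one record that a student may see."""
    out = {"pseudo_id": pseudonym(record["mrn"], key),
           "age_band": age_band(record["dob"], as_of)}
    for field in KEPT_FIELDS:
        out[field] = record[field]
    return out


def leaks_identifier(record: dict) -> bool:
    """Release check: no direct identifier field and no raw DOB present."""
    return bool((DIRECT_IDENTIFIERS | {"dob"}) & set(record))


def build_teaching_set(records, key: bytes, as_of: dt.date = AS_OF):
    """De-identify every record and refuse to return the set if any
    record still carries an identifier field."""
    out = [deidentify(r, key, as_of) for r in records]
    if any(leaks_identifier(r) for r in out):
        raise ValueError("identifier field survived de-identification")
    return out


if __name__ == "__main__":
    KEY = b"rotate-per-cohort-and-keep-off-student-machines"  # assumption
    for row in build_teaching_set(SAMPLE_RECORDS, KEY):
        print(row)
```

Rotating the key per course cohort limits how far a pseudonym can be correlated if a student's machine is compromised, which is exactly the risk the paragraph above raises; the trade-off is that records cannot be linked across cohorts.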

At this point, the value is in the questions. If we ask the right questions, we are more likely to find useful answers and to recognize them when we find them. Until then, we need to keep asking questions.

Internet: Patient Communication Guidelines #15

Medem, in collaboration with over a dozen of the nation's medical societies and 30 malpractice carriers representing over 70% of the nation's insured physicians, created the eRisk Working Group for Healthcare to address the issues and concerns associated with physician-patient interaction and communication via the Web. The outcome of a work effort during the second half of 2000 is a series of documents that address potential online liability issues and help guide patient-physician communications on the Internet. One of those documents is: eRisk for Providers, March 2001. "It captures many of the important issues and conclusions reached by the group pertaining to individual physicians and their practices."

We have read eRisk for Providers from a systems point of view - we are not lawyers. Generally, we endorse the guidelines. They are well thought out and presented clearly. We would take issue with only one guideline. Not because we disagree, but because it defines the issue very narrowly and then imposes a very broad response. Specifically:

Physicians and patients are increasingly using e-mail to exchange confidential health care information. [narrow definition: "confidential health care information"] The difficulty is that adoption of new technologies is outpacing the development of standards that dictate proper use. The eRisk group supports the concept of electronic P2P [physician to patient] communications but cautions that the provider is at increased risk if he/she uses an unauthenticated, unencrypted, non-secure communications network. Most readily available e-mail clients do not meet this standard. [their emphasis] There are uses for email in physician practices that do not deal with "confidential health care information" but this guideline does not provide for them. The appropriate solution will probably be to recognize and provide guidance for both secure and non-secure email.

Non-secure email provides an effective way to remind some of us about pending appointments, similar to the post cards several of our providers send us today. Non-secure email also provides an effective way to let us know that information is waiting for us on a secure Web site.
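The two email items above, the Eli Lilly reminder list (Issue #13) and the case for non-secure notification email (this issue), describe the same design: a plain email may tell a patient that something is waiting, but it must not say why, and it must not show one patient who else is enrolled. The example below is added here to make that concrete; it is not code from the newsletter, from Lilly or from the eRisk group. The sender address, portal URL, recipient list and the term list are constructed assumptions. The naive function reproduces the pattern that leaked (one message with every patient in To: and the drug name in the subject); the hardened path sends one generic message per patient and runs a release check that a mail batch must pass before it reaches the MTA.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed recipient list (example addresses, not real patients).
RECIPIENTS = ["a@example.org", "b@example.org", "c@example.org"]

# Assumed sender and portal address for the example.
SENDER = "reminders@clinic.example"
PORTAL_URL = "https://portal.clinic.example/"

# Words that would turn a reminder into a disclosure of a condition or a
# drug. A term list is a guard against template regressions, not a PHI
# detector; the terms here are an assumption for the example.
CONDITION_TERMS = ("prozac", "depression", "bulimia", "obsessive")


def naive_bulk_message(recipients):
    """The pattern that leaks: one message, every patient in To:, and a
    subject that names the drug. Every recipient can read the full list,
    and the list itself says who is enrolled in the programme."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = "Reminder: take your Prozac"
    msg.set_content("This is your reminder to take your medication.\n")
    return msg


def notification_message(recipient):
    """One message per patient, addressed to that patient only, whose
    subject and body say nothing about why they are being contacted.
    Anything confidential stays behind authentication on the portal."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = recipient
    msg["Subject"] = "A message is waiting for you"
    msg.set_content(
        "A message from your care team is waiting for you.\n"
        f"Please sign in at {PORTAL_URL} to read it.\n")
    return msg


def visible_recipients(msg):
    """Addresses any recipient of this message can see: To and Cc. Bcc is
    stripped by a correctly behaving MTA, so it is not counted here."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.lower() for _, addr in pairs if addr}


def discloses_condition(msg):
    """True if the subject or body names a condition or drug."""
    text = (str(msg["Subject"]) + " " + msg.get_content()).lower()
    return any(term in text for term in CONDITION_TERMS)


def release_check(messages):
    """Gate before handing a batch to the MTA. Returns a list of problems;
    an empty list means the batch may go out."""
    problems = []
    for i, msg in enumerate(messages):
        seen = visible_recipients(msg)
        if len(seen) != 1:
            problems.append(f"message {i}: {len(seen)} recipients visible")
        if discloses_condition(msg):
            problems.append(f"message {i}: subject or body names a condition")
    return problems


def build_batch(recipients):
    """Build one notification per recipient and refuse the batch if the
    release check finds anything."""
    msgs = [notification_message(r) for r in recipients]
    problems = release_check(msgs)
    if problems:
        raise ValueError("; ".join(problems))
    return msgs


if __name__ == "__main__":
    print(release_check([naive_bulk_message(RECIPIENTS)]))
    print(release_check(build_batch(RECIPIENTS)))
```

Note what the check does not do: it cannot tell whether the portal itself is secure, and a term list will not catch every wording that discloses a condition. It catches the two failures the articles describe, a recipient list that is visible to the recipients and a template that names the condition, and it does so before the message leaves the building.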

Privacy: Legislation #16

U.S. House Representative Cliff Stearns, chairman of the Commerce, Trade & Consumer Protection Subcommittee, recently completed a series of six hearings on information privacy. Of particular relevance to HIPAA, was the conclusion that: "Americans' information privacy concerns have rightfully been heightened with the advent of online data collection. But personal data is collected both online and offline. … Consumer information, whether collected online or offline, is aggregated into the same databases and processed by the same computers, without regard for the data's source. Any legislation intended to be responsive to the public's concerns regarding information privacy must be mindful of that fact."

Privacy: Cases and Stories #16

We have added a new section to Resources / Background with links to Web sites that list cases and stories about breaches of privacy involving health care.

Privacy: Posters #16

The American Health Information Management Association is giving away free posters supporting patient privacy. The second in a series of five is now available. [All five are now available.]

The Issue After 9/11 #18

The tragic events of September 11 forced all of us to walk two paths. One to re-examine what is meaningful in our lives and the other to continue, or resume, doing what we are committed to. As time passes, the review of what is meaningful expands from a personal point of view to family and society and, for many of us, the future of our organizations. This is a time to look again at strategy and what is important for our organizations and the people we serve. It is a time to look at privacy and security for the well-being of those we serve and the private information they entrust to us. We are usually working on two or three issues of the Newsletter at a time. As we find material, we save it, update it and publish.

Issue #18, this one, has been planned for privacy, security and strategy for a number of weeks. Little did we know how timely that would be.

Privacy: Liability #18

"The key to privacy protection is enforcement says Andrew Shen, an analyst at the Electronic Privacy Information Center, a privacy and free-speech advocacy firm in Washington. … But the bar on enforcement, and hence liability, may soon rise. There are more than 50 bills in Congress that deal with privacy (www.epic.org/privacy/bill_track.html). Some pieces of legislation, like the HIPAA, include fines for failure to comply and even harsher fines for certain offenses, like profiting from harvested medical information. …
"This combination of public outrage and increased regulation will lead to a rise in civil liability, contends Larry Ponemon, CEO of PrivacyRight Inc. in San Mateo, Calif. …

"In the history of regulation, there have never been such wide-scale audits. Regulators know [financial privacy] is a massive problem. And once a regulator says there's a defect in your compliance practice, that opens a Pandora's box for class-action litigators who can take you to task on tort laws." Once again, we do not offer legal advice. We do report on legal matters from sources we consider reliable, in this case, Computer World.

Chief Privacy Officer #18

Healthcare organizations need a privacy officer to enforce tough new federal security regulations... "They are needed to try to help organizations prevent loss of information," said Roy Snell, CEO of the Health Care Compliance Association, in an address to a security forum at NetWorld+Interop. He said a survey of 665 health care professionals found that compliance officers earn about $98,000 per year. About 80 percent of the organizations they represent have compliance programs and the budgets range from $130,000 to $690,000. "Each organization should have security policies in place and a plan for reacting to security intrusions," Snell says. "And the policy needs to be updated and reviewed periodically -- so if an organization violates the regulations, it can demonstrate that it had taken steps to prevent it." This apparently can be a double-edged sword because Snell also recommended checking with lawyers before documenting your precautions. "Consult legal counsel before measuring the effectiveness of your policy. It can be used against you," he warns.

Source: "Expert: Healthcare Groups Need Privacy Officers," Tim Greene, IDG, 9/14/01, as reported in PXNEWSFLASH from the Center for Social & Legal Research and Privacy & American Business, September 19, 2001.

Chief Privacy Officer #21

"A survey of Medical Records Briefing (MRB) readers shows that most hospitals are not spending money to create new positions to meet (HIPAA) requirements. According to the survey, which included 329 MRB readers, 64% of hospitals have already appointed a privacy official to meet HIPAA's requirements, but only 5.5% said that acting as privacy official is that person's only job. In most cases, the privacy official is also the health information management (HIM) director, the corporate compliance officer or a staff member from the HIM or information systems department. …
"The results make sense to Joseph Piccolo, chief compliance and privacy officer at Fox Chase Cancer Center in Philadelphia, PA. He believes it is feasible to be the privacy official and hold another position in smaller organizations, although larger medical facilities will probably need to create a separate position for privacy. Piccolo was more concerned that more than one third of the hospitals surveyed have not appointed a privacy officer. "If a facility has not appointed a privacy official yet, it's probably of some concern," says Piccolo. "The privacy regulations are less than two years away, and when you start looking at the assessment of what it's going to take to comply with them, it starts with the appointment of a privacy officer. That's the person who really has to put the plan together."

Healthcare Intelligence Network, 10/15/01.

Security & Privacy: Policies & Procedures #22

"Both the final Privacy rule and the proposed Security rule require that a covered entity develop policies and procedures to implement the requirements of the rules… The policies and procedures must be reasonably designed, taking into account the size of and the type of activities that relate to protected health information undertaken by the covered entity, to ensure such compliance.
"The [SNIP WEDI] Policies and Procedures subgroup set the following goals for this white paper:

Identify areas in the Privacy rule and Security proposed rule specifically requiring development of policies and procedures:

Cite specific sections of the regulations and their preambles that reference the standard and the requirements for policies and procedures. Where there are numerous references from the Preamble relating to a topic, we have cited those references that are substantive and provide clarification to the text of the regulation. There may be additional references to a topic in the preamble that are not included because the group judged them to be less germane. At a future date, the workgroup may be able to provide an index that would include all references to a topic.

Provide both an explanation of the general requirements of the standard and any specific requirements regarding the policies and procedures needed to implement the standard

Create a checklist of areas requiring development of policies and procedures

Include a glossary of Privacy and Security terminology

Assemble a list of Web sites and other resources to provide additional information regarding policies and procedures
"The policies and procedures listed in the checklist reflect the workgroup's best effort to detail the areas requiring development of policies and procedures. It should not be considered to be a complete listing of all possible policies and procedures. Nor is it intended to be a comprehensive listing of "best practices" for privacy and security. Rather, the group specifically limited itself to those topics that were clearly addressed within the Privacy and Security rules."

There is a five page "Glossary of Privacy & Security Terminology" which provides a useful standard for discussions about these two topics. There are also links to nine Web sites the working group found useful for reference.

Privacy: HIPAA and the Internet #23

"... The vast majority of health Web sites are not operated by [firms that are subject to HIPAA] and that means that there will be no federal protections for those who use them. Thus, commonplace activities may not be covered by the federal rules. For example, online Americans using these kinds of sites will not have any personal information protected by the federal regulations.

"The Health Privacy Project conducted analysis of the new regulations, with funding and research assistance from the Pew Internet & American Life Project. The report is entitled, 'Exposed Online: Why the new federal health privacy regulation doesn't offer much protection to Internet users.'

"Sixty-five million Americans have gone online for health information," says Susannah Fox, director of research at the Pew Internet Project. "These Internet users are often more concerned about getting quick and accurate advice than checking a Web site's privacy policy. They are doing their best to care for their loved ones and just hoping they won't get burned. Many probably assume that the personal information they provide to health Web sites is covered by the new regulation - and they are wrong."

The Pew Internet & American Life Project is a non-profit initiative fully funded by The Pew Charitable Trusts. The Project creates original research that explores the impact of the Internet on children, families, communities, health care, schools, the work place, and civic/political life.

Privacy: Files Posted on Internet #23

"Detailed psychological records containing the innermost secrets of at least 62 children and teenagers were accidentally posted on the University of Montana Web site.
"In nearly all cases, they contain complete names, dates of birth and sometimes home addresses and schools attended, along with results of psychological testing.
"A University of Montana student or technical employee may have accidentally placed these private files on the Web site, officials said." [Story recaps other security breaches.]

COMMENTARY:

Every breach of privacy raises the public awareness of the issue, increases the pressure to maintain the current dates for effectiveness of the HIPAA privacy rule, and exposes the offending organization to lawsuits. We are not attorneys and do not give legal advice, but it looks to us like the privacy rules provide a "reasonable" standard that a plaintiff could cite as the required level of care. Failure to move toward compliance would probably make the defense against such a case much more difficult. The two preceding items and the next should be read as a set.

Status: No Delay for Confidentiality of Data #25

"'It's not a delay; it's an extension,' said William Braithwaite, who until last month was the key HHS official in charge of developing HIPAA regulations. 'And anyone who thinks they can relax and do nothing is going to be slapped upside the head.'
"One section of the just-passed legislation requires healthcare organizations to protect the confidentiality of patient data in business transactions by April 2003 whether data are transmitted in a HIPAA-compliant format or some other way. … By writing that proviso into the law, Congress underscored its resolve to resist further lobbying efforts and guarantee protection of sensitive patient data in step with electronic standards, Braithwaite said.
"Braithwaite said the extension gives healthcare organizations only six additional months to get a workable transaction system in place because of the deadline of April 2003 for testing readiness. 'They can't test until they can conduct the transactions,' he said.
"The penalty for not meeting the planning and testing deadlines is possible exclusion from the Medicare program. But the real penalty looms at the end of the extension period when Medicare accepts only HIPAA-compliant healthcare claims from providers and health plans, Braithwaite said.
"Thus they get a six-month period to test the transactions until the guillotine comes down,' he said. 'If you can't submit a claim and get it paid from Medicare, 80% of the (healthcare) system will shut down.'"
Modern Healthcare Magazine, December 24, 2001

Have You Talked With Your Banker? #25

If you are using a "lockbox" service provided by your bank or someone else to process payments, they may have access to EOB (explanation of benefits) data according to an article published by the Privacy Officers Association. That may trigger the privacy and security regulations of HIPAA. In issue #5, we reported the following:
"Nine federal agencies have responsibility for enforcing Gramm-Leach-Bliley. Five of the agencies have coordinated publication of regulations: Department of the Treasury, Comptroller of the Currency, Federal Reserve System, Federal Deposit Insurance Corporation and the Office of Thrift Supervision. [The agencies that regulate your bank.] … All of the agencies that have published rules have included something similar to the following quotation from the SEC in their final regulations. The definition of "financial information" covered by the Act, "is extremely broad and may include, for instance, medical information and other types of information that might not commonly be thought of as financial. … We recognize that there could be areas of overlap between the rules adopted by HHS under HIPAA and the privacy rules. After HHS publishes its final rules, we will consult with HHS to avoid the imposition of duplicative or inconsistent requirements." Privacy regulations for medical information clearly extend beyond health care providers and health insurance plans. Efforts are promised to coordinate the relevant regulations across industries.
"To the extent that your banker is dealing with medical information, their regulatory agencies will probably make them meet the privacy and security requirements of HIPAA. Your banker or any other organization you use would also appear to meet the definition of a "business associate" i.e., "A person or organization that performs a function or activity on behalf of a covered entity, but is not part of the covered entity's workforce." Either way, it is in your best interest to deal with this issue as early as possible.

Disclaimer:

This information is provided to assist interested users in finding tools, documents and background information about privacy that may assist you in planning and managing projects to get policies, procedures, processes and systems compliant with HIPAA. Inclusion in this list is NOT an endorsement by Lyon, Popanz & Forester. Except as noted, we have relied on public information, most often material available on the Internet and our experience with other large and/or complex projects. Whether or not a tool is appropriate for your particular circumstances is a decision only you are qualified to make. Whether or not a vendor is reliable is also your responsibility. We have reviewed the material contained in the links here and, in our opinion, the material is relevant and is probably worthy of your further consideration.


