Privacy of Health Information: The New Y2K Challenge.


Just when healthcare providers thought they would be returning to their usual information system concerns, several new federally mandated rules will now require significant operational and systems changes over at least the next 24 months. These rules, mandated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Public Law 104-191), are establishing standards to protect the privacy and confidentiality of patient medical record information and to safeguard the security of all electronic healthcare data. Although these rules are complex and sometimes confusing, all healthcare organizations will have to implement them over the next two years.

Ironically, the delay that many long-term care facility operators experienced in acquiring new information systems to respond to Y2K problems might prove to be highly beneficial in this context. During the past two years, substantial technical improvements have been made in the capability to securely store and transmit electronic data, including using secure Internet applications. In fact, the major needs of long-term care providers in making decisions on networking and communications, on new financial and clinical software and on meeting the new privacy rules can now be linked together and evaluated in terms of Web-based Internet technology. The increasing capability to obtain and organize data from previously incompatible computer systems and transmit these data over the Internet only encourages the development of information systems solutions that both integrate clinical and administrative information and meet the new privacy rules. (An upcoming column will cover Internet applications and support for long-term care providers. Meanwhile, see the January issue's material on Application Service Providers.)

The proposed rule that was scheduled to receive comments until February 17 covers almost all organizations in the healthcare industry that hold or send electronic health information. The rule, which might be published in its final form in a few months, also covers the "business partners" of healthcare providers by requiring that they, too, conform to the privacy rules under contractual arrangements with the healthcare organizations covered by the rule.

All covered healthcare organizations must make reasonable efforts not to use or disclose any more than the minimum amount of health information needed to accomplish the intended purpose of the use or disclosure. It appears from the proposed rule that complex and costly administrative security procedures are required, although the American Health Information Management Association (AHIMA) believes that many requirements of the privacy rule will be met by existing information systems and security procedures without significant additional expense. Individuals whose information is used or disclosed will have the right to sue. Existing state confidentiality laws, many of which are more stringent than the proposed rule, would remain in place, thus (unfortunately) assuring nonuniformity of privacy rules among states.

Specifically, HIPAA requires rules for both "privacy" and "security" of healthcare data and information. (Privacy rules determine how healthcare data may be used and disclosed; security rules determine how the confidentiality and integrity of the data are protected against unauthorized access and alteration.) In addition, HIPAA also requires rules to establish standard electronic claims formats and a national payer identifier, as well as standards for electronic transactions, coding, and provider and employer identifiers. All of these rules will continue to be formulated during 2000 and 2001, with implementation occurring between 2002 and 2006.

The proposed rule has a large scope covering the retention, use and disclosure of "protected health information" by "covered entities," defined as health plans, healthcare clearinghouses, healthcare providers and any person or organization that furnishes, bills or is paid for healthcare services or supplies. "Protected health information" is information that is received or created by a covered entity that relates to an individual's physical or mental health condition or provision of care; identifies an individual; and is electronically transmitted or maintained at some point during the period the information is retained. (Note: There is current discussion about extending privacy protection under the rule to include some paper records.) This includes information on or about a person's health, healthcare treatment or payment, as well as information stored in electronic form or sent electronically or as hardcopy printouts from any computerized system. The "protected health information" cannot be disclosed or used without proper authorization, except in cases of treatment, payment or healthcare operations.

Other exceptions to "proper authorization" include information for: oversight of the healthcare system; public health or emergencies affecting life or safety; research (assuming certain approval procedures have been followed); law enforcement and judicial proceedings; providing information to next of kin; government health data systems; and financial institutions involved in processing payments for healthcare. There are no other exceptions. This means, for example, that an organization must disclose to patients if it intends to use patient information for marketing or survey purposes; patients will have the right to refuse to permit such disclosures.

There are several preliminary steps I would suggest to prepare for these changes, and I'll offer them shortly. But once these rules are in effect, covered healthcare entities should anticipate implementing numerous administrative policies and procedures to assure the security of protected health information, for example:

(1) developing a written policy regarding information practices and providing this policy to patients and health plan subscribers;
(2) allowing individuals to inspect and copy (cost-based fees may be charged) their protected health information;
(3) developing a procedure to account for all disclosures of protected health information for purposes other than treatment, payment and healthcare operations;
(4) allowing individuals to request amendments or corrections to their protected health information, if information created by providers or health plans is erroneous or incomplete;
(5) designating a privacy officer;
(6) providing training on the organization's privacy policies and procedures for all staff with access to protected health information;
(7) establishing administrative, technical and physical safeguards to protect health information from unauthorized access or use;
(8) establishing policies to allow complaints about privacy violations;
(9) establishing sanctions for employees violating the organization's privacy policies;
(10) maintaining documentation on compliance with the privacy rules;
(11) developing contracts to assure that business partners protect the privacy of identifiable health information; and
(12) maintaining policies for responding to and verifying requests for protected health information that do not require patient consent, such as for public health, healthcare oversight and judicial actions.

With regard to requirements to assure that business partners conform to privacy rules, the proposed rule requires covered entities to have a written agreement with each business partner specifying that the partner will use and disclose protected health information only in accordance with the privacy rule and stating that individuals whose health information is being used or disclosed are "third-party beneficiaries to the business partner agreement," which gives them standing to sue if privacy rules are violated.

There are also serious penalties for violation. The proposed rule provides that the Department of Health and Human Services (DHHS) may bring enforcement actions against covered entities and impose civil fines of up to $100 per person per violation and up to $25,000 per person for violations of a single standard in a calendar year. DHHS may refer an alleged violation to the Department of Justice for criminal prosecution with criminal penalties not to exceed $50,000 and/or imprisonment of not more than one year. Further penalties of up to $100,000 in fines and up to five years' imprisonment can be levied if criminal violations are committed under false pretenses.

Because of the large volume of protected health information that organizations use and transmit using information systems, the potential for violating the privacy rule is significant. All entities (except small health plans with annual receipts of $5 million or less) must be in compliance with the rule no later than 24 months after its effective date (which, again, is anticipated around midyear).

As promised, here are some important preparatory steps to take now in response to the new privacy rule:

* Develop a written policy that controls the release of patient data (including authorizations required); communicate this policy to staff and make the policy available to any patient requesting this information.

* Review the key provisions of the proposed rule, and begin to formulate relevant organizational policies.

* Maintain an automated log of all releases of patient data, showing what information was released, when and to whom.

* Maintain logs of all computer access to obtain patient information, including an alert procedure to detect multiple successful and unsuccessful attempts to access patient information by the same user.

* Identify all sources of electronic patient information contained in clinical, financial and administrative software packages, databases, data repositories and data communication packages, and develop appropriate policies and procedures to conform these to the proposed privacy rule.

* Review agreements with all business partners to identify potential privacy liability issues and to develop privacy protection provisions that conform to the requirements of the proposed rule.
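The two logging steps above (a release log showing what was released, when and to whom, and an access log with an alert on repeated access attempts) can be prototyped in a few dozen lines. The following is an added example written for this column, not code from the author or from any vendor product; the log line format, field names, time window and thresholds are assumptions chosen for the illustration, and the sample log lines are constructed. It flags a user with many failed attempts in a short window and a user who opens an unusually large number of different patient records, and it keeps the accounting of disclosures that the proposed rule asks for on releases outside treatment, payment and operations.

```python
"""Access-log review and disclosure accounting for protected health information.

Added example for this column. Log format, thresholds and the list of
authorization exceptions are assumptions for the illustration, not anything
the proposed rule itself prescribes.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one line per attempt to open a patient record.
# Fields: ISO timestamp, user id, patient id, outcome (success|fail).
SAMPLE_ACCESS_LOG = """\
2000-03-01T08:00:05 nurse01 P1001 success
2000-03-01T08:01:10 nurse01 P1001 success
2000-03-01T08:02:00 clerk07 P2003 fail
2000-03-01T08:02:20 clerk07 P2004 fail
2000-03-01T08:02:45 clerk07 P2005 fail
2000-03-01T08:03:05 clerk07 P2006 fail
2000-03-01T08:03:30 clerk07 P2007 success
2000-03-01T09:15:00 admin02 P3001 success
2000-03-01T09:15:30 admin02 P3002 success
2000-03-01T09:16:00 admin02 P3003 success
2000-03-01T09:16:30 admin02 P3004 success
2000-03-01T09:17:00 admin02 P3005 success
2000-03-01T09:17:30 admin02 P3006 success
2000-03-01T14:00:00 nurse01 P1002 success
"""


def parse_access_log(text):
    """Parse log text into (time, user, patient, outcome) tuples.

    Malformed lines are skipped rather than aborting the whole review.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("success", "fail"):
            continue
        records.append((datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3]))
    return records


def find_alerts(records, window=timedelta(minutes=5), max_fail=3, max_distinct=5):
    """Return (user, reason, count) for users whose activity inside any
    sliding window exceeds max_fail failures or touches more than
    max_distinct distinct patients (a record-browsing pattern)."""
    by_user = defaultdict(list)
    for rec in sorted(records):          # sort by time so windows are ordered
        by_user[rec[1]].append(rec)
    alerts = []
    for user, recs in by_user.items():
        for i, (t0, _, _, _) in enumerate(recs):
            in_window = [r for r in recs[i:] if r[0] - t0 <= window]
            fails = sum(1 for r in in_window if r[3] == "fail")
            patients = {r[2] for r in in_window if r[3] == "success"}
            if fails > max_fail:
                alerts.append((user, "repeated_failures", fails))
                break                    # one alert per user is enough
            if len(patients) > max_distinct:
                alerts.append((user, "many_patients", len(patients)))
                break
    return alerts


# Assumed subset of the authorization exceptions the column lists; a real
# deployment would carry the full list from the final rule.
NO_CONSENT_PURPOSES = {"public_health", "oversight", "judicial", "law_enforcement", "research"}


class DisclosureLedger:
    """Append-only accounting of releases outside treatment, payment and
    healthcare operations: what was released, when, to whom and on what basis."""

    def __init__(self):
        self._entries = []

    def record(self, patient, recipient, items, purpose, when, authorization=None):
        # A release that is neither a listed exception nor backed by a patient
        # authorization is refused, so the ledger never records an improper one.
        if authorization is None and purpose not in NO_CONSENT_PURPOSES:
            raise ValueError(f"release to {recipient} for '{purpose}' lacks authorization")
        entry = {"patient": patient, "recipient": recipient, "items": tuple(items),
                 "purpose": purpose, "when": when, "authorization": authorization}
        self._entries.append(entry)
        return entry

    def accounting_for(self, patient):
        """Everything a patient is owed when asking who received their information."""
        return [e for e in self._entries if e["patient"] == patient]


if __name__ == "__main__":
    for alert in find_alerts(parse_access_log(SAMPLE_ACCESS_LOG)):
        print("ALERT", *alert)
```

Run against the constructed log, `find_alerts` flags clerk07 for four failed attempts in about a minute and admin02 for opening six different patient records in under three minutes, while nurse01's repeated access to a single resident's record is left alone. The thresholds are deliberately low for the sample; in practice they should be tuned against a facility's normal shift patterns so that legitimate charting does not drown the alerts.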

To allay possible further confusion about the substance of this rule, I offer the following definitions:

* Electronically transmitted information is information exchanged with a computer using electronic media, including the movement of information from one location to another by magnetic or optical media, transmissions over the Internet, extranet, leased lines, dial-up lines, private network, telephone voice response and fax-back systems.

* Electronically maintained information is information stored by computer or on any electronic medium from which information can be retrieved by computer, such as electronic memory chips, magnetic tape, magnetic disk or compact disk optical media.

* The definitions do not include paper faxes, personal telephone calls, video conferencing or voice mail messages. A transmission meets the definitions when the source or destination of the transmission is an electronic computer or related data transmission or storage device.

Malcolm H. Morrison, PhD, is president and CEO of Morrison Informatics, Inc., a healthcare information technology consulting company specializing in post-acute care.
COPYRIGHT 2000 Medquest Communications, LLC
Copyright 2000, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Author:MORRISON, MALCOLM H.
Publication:Nursing Homes
Geographic Code:1USA
Date:Mar 1, 2000
Words:1594