
Privacy and Security Tiger Team

Today’s Discussion: Virtual Hearing on Accounting of Disclosures

August 8, 2013


Agenda

• Planning for Virtual Hearing on Accounting of Disclosures.

• The HHS Office of Civil Rights (OCR) has been investigating the accounting of disclosures issue and has asked the Tiger Team to conduct a hearing on the matter, soliciting feedback from various stakeholders.


Purpose

• Explore realistic ways to provide patients with greater transparency about the uses and disclosures of their digital, identifiable health information. Such exploration should also help facilitate implementation of the HITECH requirement that a patient’s right under the HIPAA Privacy Rule to an “accounting” of disclosures include disclosures for “treatment, payment and operations” when such disclosures are made through “an electronic health record.”


Regulatory Background

• HIPAA Privacy Rule required covered entities to make available, upon request, an accounting of certain disclosures of an individual’s PHI made during the six years prior to the request.

– Accounting should include date, name of requester, brief description of the PHI disclosed and purpose of disclosure.

– Original Privacy Rule provisions applied to disclosures of both paper and electronic PHI, regardless of whether such information was in a designated record set (DRS).

– A DRS is a group of records maintained for or by the covered entity to make decisions about the individual, such as medical bills and billing records.


Regulatory Background

• Exemptions included disclosures to carry out treatment, payment or operations (TPO), to the individuals who the PHI is about, under an authorization, as part of a limited data set under a data use agreement and disclosures made prior to the compliance date.


Regulatory Background

• The HITECH Act brought changes to the Accounting of Disclosures provisions:

– The exemption for disclosures to carry out TPO no longer applied if made through an EHR.

– Individuals now have a right to receive an accounting of disclosures made during the three years prior to the request, as opposed to six.

– Covered entities must provide either an accounting of a business associate’s disclosures or a list and contact information of all business associates to the individual requesting the accounting.

– Also requires the adoption of an initial set of standards, implementation specifications and certification criteria for accounting of disclosures in EHR technology.


2010 HHS Request for Information (RFI)

• On May 3, 2010, HHS published an RFI seeking further information on people’s interests in learning of disclosures, burdens on covered entities and technological capabilities.

• Nine questions were asked requesting information on potential benefits, burdens, awareness of rights, uses, information in the disclosures, technological capabilities and timing. (Refer to backup slides for questions and responses)


OCR Notice of Proposed Rulemaking (NPRM)

• After receiving the feedback from the RFI, the HHS Office of Civil Rights (OCR) released an NPRM to change the Privacy Rule’s Accounting of Disclosures requirement.

• Proposed regulation provides individuals with two rights: An accounting of disclosures and an “access report”.


OCR Notice of Proposed Rulemaking (NPRM)

• An accounting of disclosures made of an individual’s PHI in both paper and electronic form by covered entities and business associates. The NPRM provides a list of disclosures to be included in the accounting.

• These include disclosures for public health, judicial and administrative proceedings, law enforcement activities, military and veterans activities, situations to avert a serious threat to health or safety, State Department medical suitability determinations, government programs providing public benefits, and workers’ compensation.

• Right to an “access report” that indicates who accessed an individual’s PHI maintained in a DRS. The proposed rule requires revisions to the Notice of Privacy Practices to inform individuals about their right to an access report. The report must contain the following:

– Date and time of access

– Name of person or entity accessing PHI

– Description of information and user action (creation, modification, deletion).


HIPAA Omnibus Rule and Certification

• OCR did not address accounting of disclosures in the final HIPAA Omnibus Rule, issued in January 2013.

• Regarding certification, ONC has made accounting of disclosures an optional certification criterion for EHRs in its 2014 edition of the criteria.

• Intention is to leave complete EHR and EHR module developers with the flexibility to innovate in this area and to develop new solutions to address the needs of their customers. Certification capability will not be required**.

**Test Procedure for §170.314(d)(9) Optional – Accounting of disclosures


Goals

Gain a greater understanding of:

1) What patients would like to know about uses and disclosures of their electronic protected health information (PHI).

2) The capabilities of currently available, affordable technology that could be leveraged to provide patients with greater transparency regarding access/disclosure of PHI.

3) How record access transparency technologies are currently being deployed by health care providers, health plans, and their business associates (for example, HIEs).

4) Other issues raised as part of the initial proposed rule to implement HITECH changes.

5) The difficulty in making the distinction between “uses” and “disclosures”.


Hearing Date, Time and Format

• September 6, 2013

• Scheduled for 11:30am to 5:30pm EST

• Panel format, divided into functional groups

• Will ask panelists to testify based on questions they will receive ahead of time.

• Followed by Q&A period.

• They have the option to submit written testimony and a slide presentation prior to the hearing.

• Would like to invite HITSC Privacy and Security Workgroup to take part in the Q&A.


Possible Testifiers

• Providers

– Johns Hopkins Health System

– John Muir Health

– Henry Ford Health System

– Health Partners

– Kaiser Permanente (can also provide a payer’s perspective)

– Health Information Exchanges

– AHIMA (representing health information professionals in provider organizations)

• Vendors

– FairWarning

– Meditech

– Athena Health

– Siemens

– WEDI

– Health IT Now Coalition


Possible Testifiers

• Patients or Patient Advocacy Groups

– E-Patient Dave

• Payers

– Blue Cross Blue Shield

– UnitedHealth Group

– Magellan Health Services


Back-up: Query/Response


2010 HHS Request for Information (RFI)

1) What are the potential benefits to individuals from receiving an accounting of disclosures, particularly an accounting that included disclosures for treatment, payment and health care operations? Majority said little or no benefit, while incurring substantial administrative, staffing and monetary burden.

2) How aware are individuals of their rights to receive an accounting of disclosure, how do covered entities ensure individuals are aware of their accounting rights and what is the number of accounting requests? (rule lists this as both questions 2 and 3.) Most covered entities responded that individuals are aware of their accounting right from the notices of privacy practices covered entities provide to individuals.


2010 HHS Request for Information (RFI)

3) What are the individual uses and satisfaction with the information they received in accountings of disclosures? Most covered entities that received accounting requests were not aware of how they were actually used by individuals or if it was useful to them. Consumer advocates were divided on this topic.

4) Should the accounting for treatment, payment and healthcare operations disclosures include the following elements: to whom the disclosure was made, and the reason or purpose for the disclosure? If yes, then why? 60% (covered entities and industry) said recipient information should not be included, citing concerns about employee privacy, security and safety; they also stated the purpose should not be included. The other 40% (consumers, covered entities and industry) felt the information would be vital in addressing inappropriate disclosures. 20% said the purpose should be included, as the accounting would be useless without that information.


2010 HHS Request for Information (RFI)

5) Is EHR technology at this time able to distinguish between a use and a disclosure? The majority stated that current EHR systems are unable to distinguish between a “use” and a “disclosure”, are decentralized, and cannot automatically generate accountings.

6) What is your feeling about the feasibility of the HITECH Act compliance timelines? Most commenters stated that the January 1, 2011 deadline was impossible to meet. Fewer than 10 early adopters of EHRs (before 2009) stated they would need longer than 2014 for compliance.

7) What is the feasibility of an EHR module that is exclusively dedicated to accounting for disclosures? Not an ideal solution, given the low number of requests for an accounting of disclosures.

8) Any other information that would be helpful. Commenters expressed concern about the burden of the requirement, citing increased health care costs, reduced patient care time, etc. There were requests for clarification on the scope of EHRs, disclosures, and disclosures through an EHR.


Other Accounting of Disclosure provisions

• The following are accounting of disclosure provisions found outside the domain of healthcare:

• Privacy Act of 1974:

– Each agency must keep a record of the date, nature and purpose of each disclosure of a record to any person or another agency, and the name and address of the person or agency to whom the disclosure is made. Not needed for intra-agency or FOIA disclosures.

– Must be kept for five years and available to the individual upon request.


Other Accounting of Disclosure provisions

• Fair Credit Reporting Act

– Requires that consumer reporting agencies (CRAs) provide consumers with a free credit report per year, which was amended to allow consumers to request and obtain a free credit report once every twelve months from each of the three nationwide credit reporting agencies.

– CRAs are required to provide a central source website for consumers to request reports.

– If medical information is provided in a credit report, it should be limited to transactions, accounts or balances related to debts arising from the receipt of medical services, products or devices. This information is restricted, or is reported only using codes that do not identify specific healthcare services.