Slide 1

Slide 2 Series 1: Meaningful Use for Behavioral Health Providers 9/2013 From the CIHS Video Series Ten Minutes at a Time Module 10: HIPAA Privacy & Security and 42 CFR Part 2 (Confidentiality) Slide 3 Overview Differences between privacy, security and confidentiality Meaningful Use and HIPAA Privacy and Security Understanding and applying 42 CFR Part 2 in Meaningful Use Resources for implementation Slide 4 HIPAA and 42 CFR Part 2 are intended to support (not impede) the appropriate exchange of patient information Exchange of patient information is central to Meaningful Use Ensure understanding of the data sets to be exchanged (Module 9) and what the rules REALLY say about when and how personal health information may be shared among providers What HIPAA really says: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/ usesanddisclosuresfortpo.html What 42 CFR Part 2 really says: http://www.lac.org/index.php/lac/webinar_archive A Note on Sharing Patient Information Slide 5 Privacy, Security and Confidentiality Privacy and Security Health Information Protection and Accountability Act (HIPAA) Privacy rules identify national standards (45 CFR Part 160 and Subparts A and E of Part 164)Part 160Part 164 Security rules operationalize these standards (Subparts A and C of Part 164)Part 164 Patient information protected by HIPAA can be exchanged between covered entities in the coordination of patient care without additional consent Protected by DHS Office of Civil Rights, increased penalties in Stage 1 Confidentiality Confidentiality of Alcohol and Drug Abuse Patient Records Act (42 CFR Part 2)42 CFR Part 2 Identifies and operationalizes standards Patient information cannot be exchanged without patient consent Protected be federal law, otherwise, no penalties Slide 6 Core Objective/Measure #15 http://www.healthit.gov/providers-professionals/ehr-privacy-security More about this Objective Slide 7 When Conducted CMS Guidance says EPs must conduct or review a security risk analysis of certified EHR technology and implement updates as necessary at least once prior to the end of the EHR reporting period and attest to that conduct or review Stage 1, Year 1 Acquire, Implement, Use for 90 days conduct during this 90 days To meet the grant requirement prior to health information exchange Slide 8 Starting Points HIPAA and Meaningful Use Core Measure 15 - Protect Electronic Health Information comprehensive ONC resource (National Learning Consortium) www.healthit.gov/providers-professionals/achieve-meaningful-use/core- measures/protect-electronic-health-information Health Information Privacy and Security 10 Step Plan http://www.healthit.gov/providers-professionals/ehr-privacy-security/10-step-plan Nationwide Privacy and Security Framework http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov_privacy_securi ty_frame-work/1173 Workflow redesign templates http://www.healthit.gov/providers- professionals/workflow-redesign-templateshttp://www.healthit.gov/providers- professionals/workflow-redesign-templates Slide 9 Confidentiality Ensure HIPAA Privacy and Security Objective has been met Apply 42 CFR Part 2 only to patient information that emerges from a treatment provider (record should be flagged in EHR) To meet the Meaningful Use standard for the grant, apply strategy to PBHCI enrollees Majority of states cannot use state HIEs to exchange patient record that contains confidential information Almost all states are using Nationwide Health Information Network Direct as part of their statewide HIE plan Slide 10 SAMHSA- Federal Initiatives Related to Data Sharing http://www.samhsa.gov/co-occurring/topics/data/data-sharing.aspx Office of the National Coordinator for Health Information Technology Behavioral Health Roundtable http://www.healthit.gov/sites/default/files/bh-roundtable-findings- report_0.pdf Center for Integrated Health Solutions (includes links to SAMHSA 42 CFR Part 2 FAQs) http://www.integration.samhsa.gov/operations-administration/hit Starting Points 42 CFR Part 2 and Meaningful Use Slide 11 Summary Privacy, Security and Confidentiality mean different things, especially in Behavioral Health Meet the Objective 15 Measure sooner rather than later to ensure a baseline of quality in the exchange of patient information Privacy and Security allow the exchange of patient information for the coordination of care between HIPAA covered entities without additional consent check state regulations and then policies and procedures to ensure this barrier to integration are not in place For the exchange of confidential patient health information use Nationwide Health Information Network (NwHIN) Direct NwHIN Direct can be used to meet all HIT-related grant requirements (see Module 8) Slide 12 We Have Solutions for Integrating Primary and Behavioral Healthcare Contact CIHS for all types of primary and behavioral health care integration technical assistance and training needs 1701 K Street NW, Ste 400 Washington DC 20006 Web: www.integration.samhsa.govwww.integration.samhsa.gov Email:integration@thenationalcouncil.orgintegration@thenationalcouncil.org Phone:202-684-7457 Prepared and presented by Colleen ODonnell, MSW, PMP, CHTS-IM for the Center for Integrated Health Solutions