HIPAA and Patient Access of Information - PowerPoint PPT Presentation

About This Presentation
Title:

HIPAA and Patient Access of Information

Description:

This Webinar will help health information professionals understand what they have to do, when, and what to keep in mind as they move forward, in order to be in compliance with the regulations. It will provide a comprehensive look at the emphasis on the rules on access and prepare attendees for the process of incorporating any necessary changes into how they do business in their facilities.

Transcript and Presenter's Notes

1
HIPAA and Patient Access of Information: Primary
Enforcement Focus for HHS
  • Jim Sheldon-Dean
  • Director of Compliance Services
  • Lewis Creek Systems, LLC
  • www.lewiscreeksystems.com

2
Agenda
  • Present Patient Rights for Access of PHI under
    HIPAA
  • Review Guidance and New Proposed Changes to
    Access Rights
  • Discuss how to handle patient access and
    communications of Protected Health Information,
    including E-mail and Texting
  • Identify guidance from HHS for business
    associates, patient access and communications,
    and recent court decisions
  • Discuss rights for access of laboratory
    information and electronic copies of electronic
    records
  • Identify HIPAA policies that may need to be
    changed
  • Look at COVID-19 impacts and special
    considerations
  • Learn about being prepared for enforcement and
    auditing
  • Learn how to approach compliance
  • Q&A session

3
HIPAA Privacy, Security, Breach Rules
  • Privacy Rule
    • 45 CFR 164.5xx, enforceable since 2003
    • Establishes Rights of Individuals
    • Controls on Uses and Disclosures
    • Access of PHI is THE hot button issue for HHS
  • Security Rule
    • 45 CFR 164.3xx, enforceable since 2005
    • Applies to all electronic PHI
    • Flexible, customizable approach to health
      information security
    • Uses Risk Analysis to identify and plan the
      mitigation of security risks
  • Breach Notification Rule
    • 45 CFR 164.4xx, enforceable since February 2010
    • Requires reporting of all PHI breaches to HHS and
      individuals
    • Extensive/expensive obligations
    • Provides examples of what not to do on the HHS
      "Wall of Shame": https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

4
Rules Have Been Stable
  • Last major update in 2013, result of HITECH Act
  • NEW Proposed Update to Privacy Rule: many small
    changes to improve access and ease information
    sharing and coordination of care
  • Shorter (by half!) timeline to respond to access
    requests
  • Proposed change to Requirement to Obtain an
    Acknowledgement of the Receipt of a Notice of
    Privacy Practices
  • Still no update to Accounting of Disclosures, as
    required by HITECH
  • May be a change to rules under TCPA (re calling
    or messaging cell phones)
  • Guidance on HIPAA compliance liability of
    Business Associates
  • Information Blocking rules intersect HIPAA, being
    enforced
  • Inadequate coverage for new technologies and
    patient information

5
Proposed Changes Codify Guidance
  • Individual Access is THE major Privacy Rule issue
    today
  • 2016 Guidance has not led to compliance
  • Enforcement considers the Guidance
  • Putting the Guidance into the Rules
  • Tightening up time lines
  • Clarifying requirements

6
HIPAA Right of Access
  • 164.524(a) Standard: Access to protected health
    information
    • (1) Right of Access. The individual has the right
      to access, inspect, and obtain a copy of PHI in
      the Designated Record Set, except for:
      • (i) Psychotherapy Notes
      • (ii) Information compiled in reasonable
        anticipation of, or for use in, a civil,
        criminal, or administrative action or proceeding
      • (iii) Section removed in 2013: the CLIA exemption
        was removed; now individuals may access test
        results directly from laboratories

7
Communication with Family & Friends of Patients
  • Privacy Rule 164.502(g) and 164.510(b)
  • The Privacy Rule allows a health care provider or
    health plan to share information with a patient's
    family or friends if:
    • They are involved in the patient's health care or
      payment for health care,
    • The patient tells the provider or plan that it
      can do so,
    • The patient does not object to sharing of the
      information, or
    • If, using its professional judgment, a provider
      or plan believes that the patient does not object
  • The Privacy Rule does not require a health care
    provider or health plan to share information with
    a patient's family or friends, unless they
    are personal representatives of the patient
  • https://www.hhs.gov/hipaa/for-individuals/family-members-friends/index.html
  • https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/personal-representatives/

8
What is a HIPAA Breach?
  • 164.402: A breach is any acquisition, access, use,
    or disclosure in violation of the Privacy Rule,
    except if:
    • Unintentional internal use, in good faith, with
      no further use
    • Inadvertent internal use, within job scope
    • Information cannot be retained (returned intact,
      unopened, unviewed)
  • Not Reportable if:
    • Secured (encrypted) per HHS guidance, or
      destroyed
  • Otherwise Reportable unless there is a low
    probability of compromise based on a risk
    assessment, examining at least:
    • what was the info, how well identified was it,
      and is its release adverse to the individual
    • to whom it was disclosed
    • was it actually acquired or viewed
    • the extent of mitigation

9
Telemedicine and HIPAA
  • Using HIPAA-compliant, fully encrypted services
    under a HIPAA Business Associate Agreement is
    fully compliant for telemedicine use
    • Skype for Business, Updox, VSee, Zoom for
      Healthcare, Doxy.me, and Google G Suite Hangouts
      Meet
  • Can follow the usual processes for Risk Analysis
    and secure implementation, including a HIPAA BAA
  • HIPAA has allowances for emergencies and
    life-threatening situations
  • Patients and providers LOVE Telemedicine! It
    will be with us after the emergency

10
Telemedicine, HIPAA and COVID-19
  • HHS has issued an enforcement advisory on
    telemedicine during the COVID-19 emergency:
    relaxed enforcement for using services that are
    non-public facing but may not meet HIPAA
    requirements (such as providing a BAA)
    • Apple FaceTime, Facebook Messenger video chat,
      Google Hangouts video, or Skype
  • BUT: Do NOT use public-facing services that are
    not private
    • Facebook Live, Twitch, TikTok, and similar
  • And once the emergency is over you will need to
    use HIPAA-compliant services, under a Business
    Associate Agreement, according to a HIPAA
    Security Risk Analysis
  • See https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html

11
New Technologies
  • New technologies in health care every day
  • Some new technologies will be very useful
  • Some new technologies will be a privacy and
    security nightmare
  • You can't deny new technologies
  • New Technologies should be addressed head-on
  • If you ignore them they don't go away
  • Encourage dialog on new technologies and find
    ways to use them productively, securely
  • Education addressing new technologies is
    essential
  • Prevent improper uses
  • Train in appropriate usage

12
New Technologies and HIPAA
  • HIPAA can handle new technologies for PHI
  • Security Rule is very flexible, adaptable
  • New kinds of information, apps, devices, and
    various uses outside the formal HIPAA definition
    of Protected Health Information
  • With medical devices, consumer-driven data
    collection and transmission would be under FTC
    rules, not HIPAA, but with the same device, if
    prescribed by a provider, the same data are PHI
    protected under HIPAA
  • Proposed HIPAA Privacy Rule changes would address
    many issues more clearly
  • Don't be surprised if new laws and regulations
    result
  • State laws may also be in the works
  • Expansion of existing state breach rules

13
Your to-do list
  • Don't be in denial: willful neglect costs more
    than compliance
  • Accommodate individual rights of access and
    choices
  • Review and update your communications policies
    and procedures per the rules, and to allow for
    Emergency considerations
  • Be ready for the end of the Emergency and
    compliance requirements
  • Establish your processes for Risk Analysis and
    Documentation
  • Train staff in new policies and procedures
  • Document, document, document!
  • Conduct drills in audit and breach response
  • Make corrections based on results
  • Always have a plan for moving forward, and follow
    it!

14
Thank you!
  • Any Questions?
  • For additional information, please contact
  • Jim Sheldon-Dean
  • Lewis Creek Systems, LLC
  • 5675 Spear Street, Charlotte, VT 05445
  • jim_at_lewiscreeksystems.com
  • www.lewiscreeksystems.com
