Privacy and Security
HIPAA: Privacy and Security's Ironic Beginnings
In the United States, health care privacy and security issues center around HIPAA, the Health Insurance Portability and Accountability Act passed by Congress in 1996. Ironically, the legislation's original purpose was to require payers, providers, and, in a limited sense, employers to exchange health care information in a standard format to improve the efficiency of routine business transactions between them. That is, HIPAA was designed to create the very conditions, efficient information exchanges, that have made privacy and security such pressing concerns. As an afterthought, Congress directed the Department of Health and Human Services (DHHS) to create rules within the law requiring these same entities to protect the privacy of patient information through specified security measures.
HIPAA's Goals and Privacy Standards
DHHS's final regulations on HIPAA-required privacy were implemented and became enforceable on April 14, 2003. These regulations are designed to:
- Protect and enhance the rights of consumers by giving them access to their health information and controlling the (in)appropriate use of that information;
- Improve the quality of health care in the United States by restoring trust in the health care system; and
- Improve the efficiency and effectiveness of health care delivery by creating a national framework for health privacy protection that builds on efforts by states, health systems, organizations, and individuals.
HIPAA's broad policy goals give rise to the following 10 key privacy concerns.
1. Access and Other Rights of Individuals
Patients have the right to access, inspect, and copy their health information. They have the right to receive notice of how a provider will use and disclose patient information; request restrictions on how their protected health information is used and disclosed; and request an amendment of their health information. Finally, they must be granted an accounting of all disclosures for purposes other than treatment, payment, and health care operations.
To comply with these requirements, providers must have written privacy policies and procedures that, among other things, explain to patients: what their rights are and how to exercise them; who has had access to protected information, how it will be used, when it will be disclosed to others; and how patients may obtain an accounting of disclosures. Providers need to develop notices that communicate their policies and procedures to their patients, and systems and/or processes by which their patients can acknowledge receiving these notices. The same systems must also record when a provider has made a reasonable effort, but failed, to receive acknowledgement.
2. Business Associate Contracts
All entities covered by HIPAA must obtain satisfactory assurances from their business associates that they will protect any private health information entrusted to them. Such assurances must be made in the form of a contract or other written agreement. Business associates include entities such as contractors, consultants, accountants, and attorneys. These contracts must specify permitted uses of protected information, safeguards for preventing impermissible uses or disclosures, requirements for reporting impermissible uses or disclosures, and the right of patients to inspect or copy their protected health information. The final changes to the privacy regulations give all covered entities a one-year extension to amend existing written agreements with their business associates to include these requirements.
3. Compliance and Enforcement
Covered entities must designate a corporate privacy officer to develop policies and procedures. This officer implements appropriate administrative, technical, and physical safeguards to protect patients' privacy, and notifies individuals of potential uses and disclosures of protected information, of their rights, and of the entity's duties toward them. Other responsibilities include establishing contacts and procedures for processing patient complaints, training the workforce on policies and procedures for patient information, adopting and applying employee sanctions for violating HIPAA policies, and serving as a point of contact between the covered entity and DHHS.
4. Notice of Privacy Practices and Authorization For Uses or Disclosures of Patient Information
Covered entities must notify patients of their privacy practices in plain language. Notices must describe how an entity plans to use and disclose private information, explain patient privacy rights, outline an entity's responsibilities under HIPAA, and tell patients how to file a complaint about the entity with the DHHS secretary.
Health care providers must attempt to obtain an acknowledgment from each patient that he or she has received the provider's notice of privacy practices. If the acknowledgment is not obtained when a service is first delivered (or as soon afterward as is practicable), the provider must document its efforts to obtain it.
A patient's written authorization is required for all situations other than treatment, payment, and health care operations. Treatment may not be made contingent upon a patient's signing an authorization. Authorizations must refer to specific information and the purposes for which it will be used, and must contain the regulation's essential provisions. A patient may revoke an authorization at any time. The final changes to HIPAA expand the circumstances in which private health information can be used without patient authorization by more clearly defining the term "marketing." By defining marketing as any communication about a product or service that encourages recipients to purchase or use the product or service, and then listing specific exceptions to this definition, the law removes the concern that a physician advising a patient about one treatment over another could be accused of violating the patient's right to protected private health information.
A covered entity's community may have valid concerns about what constitutes marketing. This part of the law touches on the one area where an egregious violation could invite criminal prosecution with a potential jail term. The law goes on to describe marketing as an arrangement between a covered entity and any other entity whereby the covered entity discloses protected health information in exchange for direct or indirect remuneration. Final changes to the rules expressly limited these punishments to violations that involve payment for unauthorized uses or disclosures of a patient's protected health information.
To comply with these provisions, providers must establish policies and procedures for notifying patients of privacy practices and securing patient authorization. Providers need to determine how to handle situations where patient acknowledgements or authorizations are not on file. For these purposes, providers must also determine the nature of their relationship to an organized health care arrangement. For example, can physicians in a centralized integrated delivery network rely on the hospital's privacy notice for their group and private practices? Will physicians in a decentralized network operate under three notices (i.e., one for the integrated delivery network; a second one for their group practice; and a third one, possibly, for their own private practice)?
5. De-identification of Patient Information
Patient information may be stripped of identifiers, including name, phone number, address, social security number, biometric identifiers, images, and full ZIP code. To comply, providers will need to have procedures in place to remove the 18 identifiable data elements from any private health information that will be publicly released or used for marketing or for purposes other than treatment, payment, and health care operations. The final changes to the regulations also specify a class of information called a "limited data set" that is not completely de-identified but can be used for research, public health, or health care operations.
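The two classes of data described above, as an added example that is not part of the original article: a Safe Harbor style de-identification that removes direct identifiers, drops sub-state geography, reduces dates to the year and keeps only three ZIP digits, beside a limited data set that removes direct identifiers but keeps dates and city/state/ZIP. The field names, the sample record and the restricted ZIP prefix list are constructed for this example.

```python
"""Added example (not from the article): Safe Harbor de-identification next to
the "limited data set" the text mentions.  Field names and the sample record
are constructed; the restricted ZIP list is illustrative, not authoritative."""
import re

# Direct identifiers removed in both transformations (constructed field names).
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "account_number",
    "street_address", "biometric_id", "photo", "device_serial", "ip_address",
}
# Safe Harbor additionally drops all geography below the state level ...
SUB_STATE_GEOGRAPHY = {"city", "county"}
# ... and reduces dates directly related to the individual to the year.
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}
# Three-digit ZIP prefixes covering fewer than 20,000 people must become "000".
# Illustrative subset only; check current Census figures before relying on it.
RESTRICTED_ZIP3 = {"036", "059", "102", "203", "556", "692", "790", "821", "823", "878", "879", "884", "893"}


def generalize_zip(zip_code):
    """Keep the first three digits of a ZIP code, or '000' for a restricted prefix."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return "000"
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def year_only(date_str):
    """Reduce a YYYY-MM-DD date to its year; anything unparseable becomes None."""
    m = re.match(r"\s*(\d{4})", date_str or "")
    return m.group(1) if m else None


def limited_data_set(record):
    """Remove direct identifiers only; dates and geography stay."""
    out = dict(record)                 # shallow copy: never mutate the source record
    for field in DIRECT_IDENTIFIERS:
        out.pop(field, None)
    return out


def de_identify(record):
    """Safe Harbor style de-identification, built on top of the limited data set."""
    out = limited_data_set(record)
    for field in SUB_STATE_GEOGRAPHY:
        out.pop(field, None)
    for field in DATE_FIELDS:
        if field in out:
            out[field] = year_only(out[field])
    if "zip" in out:
        out["zip"] = generalize_zip(out["zip"])
    return out


# Constructed sample record; no real patient data.
SAMPLE = {
    "name": "Jane Q. Sample", "ssn": "000-00-0000", "phone": "555-0100",
    "street_address": "1 Example Way", "city": "Springfield", "state": "IL",
    "zip": "62704", "dob": "1958-06-14", "admit_date": "2003-04-14",
    "diagnosis": "J45.909", "photo": "sample.jpg",
}
```

Run `de_identify(SAMPLE)` and `limited_data_set(SAMPLE)` side by side to see which fields each class retains; the difference (dates and city) is exactly what makes the limited data set usable for research but not publicly releasable.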
6. Minimum Necessary Information
When a covered entity uses or discloses private information, it must make reasonable efforts to use the minimum information needed to accomplish the intended purpose. This minimum necessary standard doesn't apply to information requests by providers for treatment purposes or to requests by patients themselves. The final version of the privacy regulation gives covered entities some flexibility to assess what information is necessary for particular purposes.
To comply with this provision, providers need to establish new policies and procedures on what the minimum necessary standard is for different parties. From nurses' aides to insurance companies, anyone who is not using private information to treat, bill, and improve health care is included in this standard. Workflow applications can automate processes in ways that expose only the information users need to accomplish specific tasks.
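A role-based "minimum necessary" filter of the kind the paragraph above describes, combined with the accounting of disclosures required under item 1, as an added example that is not part of the original article. The roles, purposes, field names and sample record are constructed; treatment requests by providers and requests by patients are passed through unfiltered, and only disclosures outside treatment, payment and health care operations are recorded for the patient's accounting.

```python
"""Added example (not from the article): a "minimum necessary" filter with an
accounting-of-disclosures log.  Roles, purposes, field names and the sample
record are constructed for this example."""
from datetime import datetime, timezone

# Fields each role needs for its task.  None means the full record: requests by
# providers for treatment and by patients themselves are exempt from the standard.
ROLE_FIELDS = {
    "treating_clinician": None,
    "patient": None,
    "nurse_aide": {"mrn", "name", "room", "allergies"},
    "billing_clerk": {"mrn", "name", "dob", "insurance_id", "procedure_codes"},
    "insurer": {"insurance_id", "procedure_codes", "diagnosis", "admit_date"},
    "researcher": {"dob", "diagnosis", "procedure_codes"},
}
# Disclosures for these purposes need not appear in the patient's accounting.
EXEMPT_PURPOSES = {"treatment", "payment", "health care operations"}

DISCLOSURE_LOG = []   # in production this would be an append-only audit store


def disclose(record, role, purpose, requester):
    """Return the minimum-necessary view of record for role; log when required."""
    if role not in ROLE_FIELDS:
        raise PermissionError(f"unknown role {role!r}")
    allowed = ROLE_FIELDS[role]
    if allowed is None:
        view = dict(record)
    else:
        view = {k: v for k, v in record.items() if k in allowed}
    if purpose not in EXEMPT_PURPOSES:
        DISCLOSURE_LOG.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "patient_mrn": record.get("mrn"),
            "to": requester,
            "role": role,
            "purpose": purpose,
            "fields": sorted(view),      # what was actually released
        })
    return view


def accounting_for(mrn):
    """The accounting of disclosures a patient may request for their record."""
    return [e for e in DISCLOSURE_LOG if e["patient_mrn"] == mrn]


# Constructed sample record; no real patient data.
SAMPLE_RECORD = {
    "mrn": "MRN-0001", "name": "Jane Q. Sample", "dob": "1958-06-14",
    "ssn": "000-00-0000", "room": "4B", "allergies": ["penicillin"],
    "insurance_id": "PLAN-12345", "procedure_codes": ["99213"],
    "diagnosis": "J45.909", "admit_date": "2003-04-14",
}
```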
7. Unintentional or Incidental Disclosure
During HIPAA's comment period, many providers expressed concern about liability arising from unintentional disclosure of private information. How were they to ensure privacy on sign-in sheets? Would all rooms have to be reconfigured as private rooms? Would hospitals be forced to move X-ray light boxes to nonpublic areas? In its final form, the rule states that as long as providers take reasonable steps to establish policies and procedures ensuring privacy, they need not worry about these types of inadvertent disclosures.
8. Policies and Procedures
Organizations must adopt policies and procedures to protect private information. One such policy is designating a privacy official. Organizations must have appropriate administrative, technical, and physical safeguards to protect private information. For example, they must provide adequate notice to individuals of the possible use and disclosure of protected information and must inform individuals of their rights and of the organization's legal duties to protect their private information. Contacts and procedures must be established for processing complaints about policies and procedures for handling information. Organizations must train their workforce on policies and procedures for working with private information, and they must apply appropriate sanctions against employees who fail to comply with them. They must mitigate any harm resulting from the wrongful use or disclosure of private information by the entity or one of its business associates. Finally, the minimum necessary requirement for using private information must be defined for every type of disclosure.
9. Pre-emption of State Laws
Unless they are more stringent, individual provisions of state laws running contrary to HIPAA regulations are pre-empted by HIPAA. If state provisions are more stringent, that is, if they provide greater protection or allow the information owner greater access to his own information, they pre-empt the HIPAA regulations. Each state may apply to the secretary of DHHS for an exception from pre-emption. If the secretary grants the exception, the state laws apply rather than the federal regulations. Providers should rely on legal counsel to assess their state's privacy laws. For example, even though the final changes to the privacy rule eliminate the need for a separate consent form, most states require that a patient sign a consent document before being treated. These state requirements will persist. The pre-emption issue could generate potentially thousands of inquiries or legal actions each year to determine whether state or federal privacy laws take precedence, a particularly complicated issue for providers who practice in multiple states.
10. Research
Covered entities may use or disclose private information for research if they obtain specified documentation, regardless of the research's funding source. This documentation must show that an alteration to, or waiver of, a patient's authorization to reuse private information has been approved by an internal review board or a privacy board. The final changes to the regulation clarify that the development of repositories and databases for future research is itself research, and therefore requires patient authorization. Approval by an internal review board or privacy board must meet specific criteria that are enumerated in the final rules.
This rule saddles providers with new approval requirements for research projects. Providers must set policies and procedures for using private information in research and establish an internal review board for approving special cases.
Planning for Security Standards
Security is the physical and technical means of protecting privacy. Implementing and maintaining an effective information security architecture is key to protecting private patient information. Nevertheless, technology alone can't ensure security; it is properly used to automate existing clinical and administrative security processes.
As stated in HIPAA's rules: "Security and privacy are inextricably linked. The protection of the privacy of information depends in large part on the existence of security measures to protect that information." The Security Standards define administrative, technical, and physical safeguards to protect the confidentiality, integrity, and availability of electronic protected health information from unauthorized access, alteration, deletion, or transmission. This requirement's scope has been limited to patient information in electronic form.
DHHS has not delineated specific technologies for security compliance. It has stipulated only that systems must be secure. Providers will need to develop, test, implement, and monitor detailed procedures and documented policies that ensure the physical security, safety, and protection of health information throughout their enterprise. Most issues can be addressed through proven security practices and standards already used by other industries, such as the financial services industry.
The HIPAA security standards that became effective on February 20, 2003 have a compliance date of April 21, 2005 for all but HIPAA-defined small health plans. These small health plans have one extra year until April 21, 2006 to comply.
Conducting a Security Assessment
Now that the HIPAA rules are published, providers and payers can assess their information systems' security architecture, including Internet, intranet, extranet, and remote access sites, against these standards and identify gaps where additional solutions are needed. Providers and payers should take the following steps to design a HIPAA security agenda:
- Obtain, read, and understand the requirements of the HIPAA security rules;
- Identify the security risks associated with each platform and application that processes, stores, reports, or transmits private health information;
- Assess the ability of protection mechanisms to meet HIPAA's security requirements of confidentiality, integrity, and availability;
- Interview key personnel, including security administrators and other IS management personnel, to identify potential security problems;
- Review and assess information security policies, procedures, manuals, and records; and
- Develop, disseminate, and train employees in new security policies that incorporate HIPAA's requirements.

An assessment's goal should be to identify gaps in security and alternatives for achieving HIPAA compliance with the most efficient and lowest-risk security processes that also facilitate information flow. A comprehensive security assessment should cover HIPAA's three areas of security compliance, as shown in Figure 1.

Guidelines for Implementing HIPAA-Compliant Security Measures
The following guidelines establish the foundation for a HIPAA-compliant patient privacy and security system.
- Best Practices: Follow best practices used in other industries, such as the banking and credit card industries:
- Unique sign-ons and passwords versus single sign-ons and passwords for using applications;
- Card keys or other physical access tokens;
- Validating identities with information such as the last four digits of a customer's social security number and mother's maiden name;
- Tokens for all remote access; and
- Firewalls.
- Employee Training: Train and advise staff in the requirements of patient information privacy and encourage their input on how these procedures and systems should be developed. An informed, committed staff is the most important security capability your health care organization can have. Continuously reinforce privacy policy by reminding employees that their access to patient information is on a need-to-know basis.
- Confidentiality Agreements: Require all employees to sign confidentiality agreements each year. This will reinforce your organization's commitment to protecting patient information and ensure that employees know your privacy policy.
- Audit Controls: Ensure that applications have audit control functions; let employees know about these functions; monitor them regularly. Informing employees of these functions will discourage casual browsing and create a permanent record of any violations, should they be needed in legal action.
- Workstation Functionality: Program workstations to support privacy goals as follows:
- Ensure that users are signing on and off correctly;
- Confirm that automatic logoff occurs after a specific period of inactivity. Computers in clinical wards with heavy traffic should log off in as little as five minutes;
- Make sure screen savers force user re-authentication;
- Position computer monitors in workstations and in patient rooms in a way that unauthorized users cannot view them;
- Set up privacy screens in workstations so the general public cannot view electronic information; and
- Make sure staff members are not sharing passwords or displaying passwords in writing.
- Termination Procedure: Deactivate terminated employees' access to patient information immediately. Reset passwords of all employees periodically.
- Security Officer: Establish the post of chief security officer. HIPAA's security regulations don't specifically require a security official; responsibility for security could be handled by your privacy official. Smaller facilities might consider assigning this function to someone who is technically competent at securing private health information in a systems environment.
- Paper Records: Though the rules don't require this, it is a good idea to monitor paper, fax, and other noncomputer records to ensure their security:
- Ensure paper records are not left open, displayed, or accessible to unauthorized personnel;
- Eliminate any bulletin boards or white boards with patient names viewable by unauthorized personnel;
- When you receive a fax, make sure you are given the appropriate reason for the fax. When you send a fax, make sure you verify the information and send only what is needed to fulfill the request for information. Also, confirm use of the fax log;
- Make sure that physicians do their dictation in a private area;
- Prohibit unit clerks from calling out patient names over the intercom; and
- Finally, we recommend that your legal counsel evaluate your HIPAA security solution to determine the level of risk your organization is undertaking.
Conclusion
Privacy and security are more than words for a health care marketing slogan. Both business units within an organization and collaborating organizations sharing electronic patient information with multiple organizations are governed by laws that impose civil and criminal penalties for violations. Providers, payers, and employers must all become fully conversant with the federal, state, and foreign privacy laws that apply to them and establish compliant administrative, clinical, and technological safeguards for protecting private patient information.
Endnote
1 HIPAA Final Security Rules: The Federal Register, February 20, 2003; Vol. 68, No. 34.