Limits on Private-sector Collection and Use of Data - Medical (2 of 5) Flashcards

1
Q

The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

A

A US law passed to create national standards for electronic healthcare transactions, among other purposes. It requires HHS to promulgate regulations to protect the privacy of PHI. The basic rule is that patients must opt in before their information can be shared with other organizations, although there are important exceptions such as for treatment, payment, and healthcare operations.

2
Q

Protected Health Information (PHI)

A

Individually identifiable information related to a person's health status and collected by a HIPAA-covered entity.

3
Q

Electronic PHI (ePHI)

A

Any protected health information that is stored or transmitted by digital means.

4
Q

HIPAA Covered Entities

A
  1. Healthcare providers who engage in certain electronic transactions
  2. Health plans
  3. Health information clearinghouses

Business associate agreements (BAAs) extend HIPAA to the business partners of covered entities.

5
Q

HIPAA Exceptions

A
  1. Employer records
  2. Education records covered by FERPA
  3. Deidentified records
6
Q

HIPAA Privacy Rule

A

Establishes US national standards to protect individuals' medical records and other PHI. Requires appropriate safeguards to protect the privacy of PHI and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The rule also gives patients rights over their health information, including the right to examine and obtain a copy of their health records and to request corrections.

Key provisions:
o Notice of privacy practices
o Permitted uses of PHI
o Minimize use and disclosure of PHI
o Right to review records
o Controls to protect confidentiality and integrity of PHI
7
Q

HIPAA Security Rule

A

Requires administrative, physical, and technical safeguards for electronic PHI records. Establishes the minimum security requirements for PHI that a covered entity receives, creates, maintains, or transmits in electronic form.

Key provisions:
o Applies to only ePHI
o Controls to protect confidentiality, integrity, and availability
o Identify and protect against threats
o Protect against impermissible uses or disclosure
o Ensure workforce compliance

8
Q

Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)

A

Further addresses privacy and security issues involving PHI as defined by HIPAA. The HITECH privacy provisions include the introduction of categories of violations based on culpability that, in turn, are tied to tiered ranges of civil monetary penalties. Its most noteworthy elements elaborate upon breach notifications resulting from a use or disclosure of information that compromises its security or privacy.

9
Q

HITECH Act Breach Notification Requirements

A
  1. Notify individuals within 60 days
  2. Notify the media of breaches affecting more than 500 individuals
  3. Notify covered entities of breaches by business associates
  4. Notify HHS of all data breaches
  5. Business associates must comply with the provisions of HIPAA in their own right
  6. Increased penalties for HIPAA violations
  7. Strengthened privacy protections (e.g., prohibiting marketing usage of data without consent)
10
Q

HITECH Act Breach Notification Exceptions

A

Exceptions:
o Encrypted information
o Unintentional access by employees
o Inadvertent disclosures between authorized individuals
o Disclosures to individuals who would not be able to retain the information

11
Q

The 21st Century Cures Act of 2016

A

Key Provisions:

i. Introduces penalties for information blocking practices
ii. Allows the compassionate sharing of mental health and substance abuse treatment information with families and caregivers
iii. Introduces privacy provisions to facilitate biomedical research

Detail:
Gives medical researchers the ability to review certain data to develop research protocols remotely and also requires certain steps from OCR in connection with mental health patients. The law asserts that “There is confusion in the health care community regarding permissible practices [under HIPAA]” and that “This confusion may hinder appropriate communication of health care information or treatment preferences with appropriate caregivers.” There is a “sense of Congress” that “clarification is needed regarding the privacy rule … regarding existing permitted uses and disclosures of health information by health care professionals to communicate with caregivers of adults with a serious mental illness to facilitate treatment.” The law requires OCR to issue new guidance on these issues (which will mainly serve to explain professional discretion that is built into the rule today), creates some new working groups on these issues, and even sets aside federal money for model training programs.

12
Q

Confidentiality of Substance Use Disorder Patient Records Rule (42 CFR Part 2)

A

Summary:

  1. Confidentiality of Substance Use Disorder Patient Records regulations
  2. Covers treatment records that could identify a patient
  3. Applies to any substance abuse treatment program accepting federal funding
  4. Violations are criminal offenses ($500 for first; $5000 fines for subsequent)
  5. Disclosures require written patient consent

Detail:
This notice of proposed rulemaking proposes changes to the Confidentiality of Substance Use Disorder Patient Records regulations. These proposals were prompted by the need to continue aligning the regulations with advances in the U.S. health care delivery system, while retaining important privacy protections for individuals seeking treatment for substance use disorders (SUDs). SAMHSA strives to facilitate information exchange for safe and effective substance use disorder care, while addressing the legitimate privacy concerns of patients seeking treatment for a substance use disorder. Within the constraints of the statute, these proposals are also an effort to make the regulations more understandable and less burdensome.

13
Q

42 CFR Part 2: Consent Exceptions

A
o Medical emergencies
o Research
o Audits and evaluations
o Qualified service organizations
o Child abuse and neglect
o Reporting on-premises crimes and crimes against personnel
o Court-ordered disclosure