The PDDQ Framework module is intended to support health systems, large practices, health information exchanges, and payers in improving their patient demographic data quality.
The Office of the National Coordinator (ONC) for Health Information Technology has updated content in the Health IT Playbook.
The Health IT Playbook was originally released in September 2016. It was developed from extensive research to answer many of the questions that providers ask when implementing and using health IT.
The update includes additional content on workforce training and improved usability. Workforce webinars can be found under the Transformation Support Section.
The Centers for Medicare & Medicaid Services (CMS) has released an Application Program Interface (API) for the Medicare Quality Payment Program (see press release).
The InnovateNYP: Pediatric App Challenge is the first of its kind and will award $50,000 in prizes to winning applications.
The 10-week long Challenge will kick off on the weekend of March 12 with the InnovateNYP: Pediatric Appathon.
On February 11, 2016 the HHS Office for Civil Rights posted new guidance on their mHealth Developer Portal to provide scenarios where the Health Insurance Portability and Accountability Act (HIPAA) regulations might apply to mobile health applications.
The mHealth Developer Portal was launched last fall and is targeted at answering developers' questions about HIPAA.
The ONC has launched a new 4-part micro-blog to help explain that HIPAA doesn't prevent the use of PHI for patient care. The first blog post is titled "The Real HIPAA Supports Interoperability."
They cite the misconception that HIPAA "makes it difficult, if not impossible, to move electronic health data when and where it is needed for patient care and health" as the reason to clear up the confusion.
In their words:
What many people don’t realize is that HIPAA not only protects personal health information from misuse, but also enables that personal health information to be accessed, used, or disclosed interoperably, when and where it is needed for patient care.
I believe that this misconception has been widely spread because the focus of HIPAA training and enforcement efforts has largely been on the privacy and security components of HIPAA.
Organizations in general, and healthcare in particular, are very good at risk management and avoidance. On the flip side, they are generally bad at sharing because of time, cost, security, and risk considerations. So it shouldn't be any surprise that, even though "Portability" comes before "Accountability" in HIPAA, the portability part has been neglected in comparison to the accountability part.
We have been involved in many interoperability discussions, including with non-healthcare organizations, and security and risk are always major constraints. Sometimes there is the concern of being able to legally share the information, which this series should help put to rest.
However, many times the concern is about securely sharing the data over a large distributed public network. Cybersecurity knowledge is still hard to come by and costs can be relatively high. Better "safe harbour" guidance and protection would go a long way to help in this area.
We feel that patient privacy and confidentiality have become headline items that don't get the detailed level of attention they deserve. Trust is a cornerstone of the customer experience. A patient-centered organization must exceed the privacy and confidentiality expectations of the patient to gain their trust and fully engage them. Even if you are one of those organizations that doesn't believe in the value of patient-centered care or the customer experience, patient privacy and confidentiality are still extremely important because they are the basis of many laws and professional ethical standards.
The AHIMA Code of Ethics includes the following applicable principles: “I. Advocate, uphold, and defend the individual's right to privacy and the doctrine of confidentiality in the use and disclosure of information” and “III. Preserve, protect, and secure personal health information in any form or medium and hold in the highest regards health information and other information of a confidential nature obtained in an official capacity, taking into account the applicable statutes and regulations” (AHIMA Code of Ethics).
Protected health information (PHI) is protected by federal and state statutes and regulations. At the federal level, HIPAA and the HITECH Act contain many applicable rules: the Privacy rule, the Security rule, the Enforcement rule, the Omnibus rule, and the Breach Notification rule (HIPAA for Professionals). Most states also have additional protections for sensitive PHI such as “alcohol and drug abuse, genetics, domestic violence, mental health, and Human Immunodeficiency Virus (HIV)/Acquired Immune Deficiency Syndrome (AIDS)” (U.S. Guide to Privacy and Security).
The Standards for Privacy of Individually Identifiable Health Information, or Privacy rule, established “a set of national standards for the protection of certain health information” (U.S. Summary of HIPAA). A major goal of the rule is to assure the protection of PHI “while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well being” (U.S. Summary of HIPAA).
The U.S. Department of Health & Human Services summarizes individually identifiable health information, or PHI, as (U.S. Summary of HIPAA):
“Individually identifiable health information” is information, including demographic data, that relates to:
- the individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
The Privacy rule protects all PHI “held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral” (U.S. Summary of HIPAA) from unauthorized disclosure. Unauthorized disclosure is any disclosure that falls outside the scope of the permitted uses and disclosures. The Privacy rule identifies six categories of permitted uses and disclosures: “(1) To the Individual (unless required for access or accounting of disclosures); (2) Treatment, Payment, and Health Care Operations; (3) Opportunity to Agree or Object; (4) Incident to an otherwise permitted use and disclosure; (5) Public Interest and Benefit Activities; and (6) Limited Data Set for the purposes of research, public health or health care operations” (U.S. Summary of HIPAA).
The Privacy rule doesn’t require every risk of unauthorized disclosure to be eliminated, because it is “not intended to prohibit the treatment team from talking to each other and/or to their patients” (HIPAA - Incidental) even though others in the same area may overhear the conversation. It “permits certain incidental uses and disclosures that occur as the by-product of another permissible or required use or disclosure, as long as the covered entity has applied reasonable safeguards and implemented the minimum necessary standard […] with respect to the primary use or disclosure” (U.S. Covered Entities).
Administrative requirements associated with the Privacy rule include privacy policies and procedures, privacy personnel, workforce training and management, mitigation, data safeguards, complaints, retaliation and waiver, and documentation and record retention (U.S. Summary of HIPAA).
Data safeguards require that the facility “maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure” (U.S. Summary of HIPAA). The “safeguards standard is flexible and does not prescribe any specific practices or actions that must be taken by covered entities” (U.S. The Nationwide Privacy).
The Security rule addresses “administrative, technical and physical safeguards specifically as they relate to electronic PHI” (HIPAA Privacy). It also includes organizational standards and policies, procedures, and documentation requirements (HIPAA Security).
Administrative safeguards required include “security management functions”, “assigning security responsibility”, “workforce security”, “information access management”, “security awareness and training”, “security incident procedures”, “contingency planning”, “evaluation”, and “BA contracts and other arrangements” (HIPAA Security).
Physical safeguards include “facility access controls”, “workstation use”, “workstation security”, and “device and media controls” (HIPAA Security).
Technical safeguards include “access control”, “audit controls”, “integrity”, “person or entity authentication”, and “transmission security” (HIPAA Security).
Additional details on the security standards can be found in the “Security Standards Matrix” on page 10 of the “Security 101 for Covered Entities” paper from the U.S. Department of Health and Human Services (HIPAA Security).
According to HHS “a breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of PHI. An impermissible use or disclosure of unsecured PHI is presumed to be a breach unless the CE or BA demonstrates (based on a risk assessment) that there is a low probability that the PHI has been compromised” (U.S. Guide to Privacy).
The Breach Notification Rule was last updated as part of the Omnibus rule in 2013 and it replaced the risk of harm standard with an objective risk assessment based on (1) “the nature and extent of the protected health information involved, including the types of identifiers and the likelihood that PHI could be re-identified”, (2) “the unauthorized person who used the PHI or to whom the disclosure was made”, (3) “the likelihood that any PHI was actually acquired or viewed”, and (4) “the extent to which the risk to the PHI has been mitigated” (U.S. Guide to Privacy).
Unless the risk assessment demonstrates a low probability that the disclosure compromised the PHI, or the data was encrypted, rendering it “unusable, unreadable, or indecipherable” (U.S. Guide to Privacy), the breach needs to be reported. The “who and when” of the reporting depends upon how many individuals were impacted.
“Affected individuals must be notified without unreasonable delay, but in no case later than 60 calendar days after discovery” (Legal Alert Breach). If more than 500 residents of a state or smaller jurisdiction are affected, then “a prominent media outlet that is appropriate for the size of the location with affected individuals” (Legal Alert Breach) must be notified. If more than 500 individuals are impacted, then HHS must be notified at the same time as the individuals (Legal Alert Breach). If fewer than 500 individuals are impacted, then HHS must be notified within 60 days after the end of the calendar year (Legal Alert Breach).
Many states have additional breach notification reporting requirements and timelines. For example, in the State of Florida the Florida Information Protection Act of 2014 also covers PHI. Breaches must be reported within 30 days of discovery, with a possible extension of 15 days. If the breach affects 500 or more persons, notice must also be made to the Florida Department of Legal Affairs (Legal Alert New Florida).
The Office for Civil Rights (OCR) initiates investigations based on complaints, breach reports, periodic audits, and other sources. The penalties vary for each of four levels of violation. The levels are “violations that the entity did not know about and would not have known by exercising reasonable diligence”, “violations due to reasonable cause”, “violations due to willful neglect that are corrected within 30 days”, and “violations due to willful neglect that are not corrected within 30 days” (U.S. Guide to Privacy).
The Office of the National Coordinator for Health Information Technology suggests a “seven-step approach for implementing a security management process” (U.S. Guide to Privacy). The seven steps are “Step 1: Lead Your Culture, Select Your Team, and Learn”, “Step 2: Document Your Process, Findings, and Actions”, “Step 3: Review Existing Security of ePHI (Perform Security Risk Analysis)”, “Step 4: Develop an Action Plan”, “Step 5: Manage and Mitigate Risks”, “Step 6: Attest for Meaningful Use Security-Related Objective”, and “Step 7: Monitor, Audit, and Update Security on an Ongoing Basis” (U.S. Guide to Privacy). Some of the key areas that help avoid willful neglect claims are training, developing “a culture of protecting patient privacy and securing patient information” (U.S. Guide to Privacy), risk management and mitigation, monitoring and auditing, and documentation.
The first phase of the OCR audits included 115 covered entities and took place during 2011 and 2013. The second phase has just begun and will continue into 2016. Sixty-one of the covered entities were healthcare providers. More than 98% had at least one negative finding regarding Security rule compliance. The breakdown of the findings was 60% related to the Security rule, 30% related to the Privacy rule, and 10% related to the Breach Notification rule. Within the Privacy rule findings, 26% involved lack of or inadequate training. In fact, “HHS officials who spoke at” an HHS-NIST conference “indicated their belief that inadequate workforce training was a key factor in yielding these audit findings” (Solove). Additionally, in 30% of the findings the root cause was “entity unaware of the requirement” (Solove). As Daniel Solove says, “essentially, the conclusion is that non-compliance wasn’t due to confusion or misunderstanding of the rules. The rules were clear.” (Solove).
"AHIMA Code of Ethics." AHIMA Code of Ethics. AHIMA HIM Body of Knowledge, 2 Oct. 2011. Web. 20 Dec. 2015.
"HIPAA for Professionals." HHS.gov. United States Department of Health & Human Services, Jan. 2013. Web. 18 Dec. 2015.
"HIPAA - Incidental Disclosures of PHI." University of Chicago: HIPAA Program Office, Oct. 2006. Web. 19 Dec. 2015.
"HIPAA Privacy & HIPAA Security." West Virginia State Privacy Office. State of West Virginia, n.d. Web. 17 Dec. 2015.
"HIPAA Security Rule Overview (Updated)." Journal of AHIMA 84.11 (2013): 1-6. Nov.-Dec. 2013. Web. 19 Dec. 2015.
"Legal Alert Breach Notification Standard Changed by HIPAA Omnibus Final Rule." Breach Notification Standard Changed by HIPAA Omnibus Final Rule: "Risk of Harm" Standard Replaced with More Objective Test. N.p., 22 Jan. 2013. Web. 17 Dec. 2015.
"Legal Alert New Florida Information Protection Act Expands Data Breach Notification Requirements." McGUIREWOODS. N.p., 3 July 2014. Web. 17 Dec. 2015.
"New HIPAA Breach Notification Rule May Prove Costly for HIPAA-Covered Entities." Duane Morris LLP. N.p., 25 Jan. 2013. Web. 17 Dec. 2015.
"Safeguarding Visual PHI from Prying Eyes." HIPAA Security & Privacy STAFF TRAINER (2004): 1-8. Brownstone Publishers, Inc., Oct. 2004. Web. 18 Dec. 2015.
Solove, Daniel. "The Most Alarming Fact of the HIPAA Audits - TeachPrivacy." TeachPrivacy. Teach Privacy, 03 Nov. 2014. Web. 20 Dec. 2015.
United States. Department of Health and Human Services. Centers for Medicare & Medicaid Services. Security 101 for Covered Entities. Centers for Medicare & Medicaid Services, Mar. 2007. Web. 18 Dec. 2015.
United States. Department of Health and Human Services. Office of Civil Rights. Covered Entities and Business Associates. HHS.gov, Jan. 2013. Web. 18 Dec. 2015.
United States. Department of Health and Human Services. Office of Civil Rights. Summary of the HIPAA Privacy Rules. HHS.gov, Jan. 2013. Web. 18 Dec. 2015.
United States. Department of Health and Human Services. Office of Civil Rights. The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information (Privacy and Security Framework). HHS.gov, Jan. 2013. Web. 18 Dec. 2015.
United States. Department of Health and Human Services. Office of National Coordinator for Health Information Technology. Guide to Privacy and Security of Electronic Health Information. HealthIT.gov, Apr. 2015. Web. 17 Dec. 2015.
United States. Department of Health and Human Services. Office of Civil Rights. WellPoint Pays HHS $1.7 Million for Leaving Information Accessible over Internet. HHS.gov, 11 July 2013. Web. 18 Dec. 2015.
A case study analysis by Keri Fogg, which was completed as part of a Health Informatics class assignment, has been published.
If you are thinking about implementing a new EHR and want to achieve meaningful use, it lays out a number of elements that need to be considered and addressed.
This is not being published as a resource for students who may also be assigned that same case study (it was submitted via TurnItIn so beware of large scale borrowing).
The U.S. Dept. of Health and Human Services “actively collaborates with many federal agencies and other individuals in the public and private sector interested in UX to produce content and share industry trends and ideas” on usability.gov.
Usability.gov is the leading resource for user experience (UX) best practices and guidelines, serving practitioners and students in the government and private sectors. The site provides overviews of the user-centered design process and various UX disciplines. It also covers the related information on methodology and tools for making digital content more usable and useful.
United States. United States Department of Health and Human Services. “The Research-Based Web Design & Usability Guidelines, Enlarged/Expanded edition.” U.S. Government Printing Office, 2006. Web. 27 Nov. 2015.