Nursing Informatics Ch.8: Legislative Aspects of Nursing Informatics: HIPAA, HITECH, and Beyond
Tier 4 CMP
$50,000 to $1.5 million if the covered entity does not properly correct a violation
ONC current strategic goals:
- Advance person-centered and self-managed health
- Transform health care delivery and community health
- Foster research, scientific knowledge, and innovation
- Enhance the nation's health IT infrastructure (ONC, 2018)
HITECH Act definitions
- Certified EHR technology
- Enterprise integration
- Healthcare provider
- Health information technology
- Qualified electronic health record
Privacy Rules (HIPAA)
- Define protected health information (PHI).
- Propose that authorization by patients for release of information is not necessary when the release is directly related to treatment and payment for treatment.
- Establish patient ownership of the healthcare record and allow for patient-initiated corrections and amendments.
- Mandate administrative requirements for the protection of healthcare information.
- Mandate that all outside entities that conduct business with healthcare organizations (e.g., attorneys, consultants, and auditors) meet the same standards for information protection and security as the organization itself.
- Allow PHI to be released without authorization for research studies. Patients may not access their information in blinded research studies because their access may affect the reliability of the study outcomes.
- Propose that PHI may be de-identified before release in such a manner that the identity of the patient is protected. The healthcare organization may code the de-identification so that the information can be re-identified once it has been returned.
- Apply only to health information maintained or transmitted by electronic means.
Protected Health Information:
- Demographics
- Medical history; lab or test results
- Insurance information
HITECH Act has had a significant impact on HIPAA's Privacy and Security Rules in the following ways:
- HHS is to provide annual guidance about how to secure health information.
- Notification requirements in the event of a breach in the security of health information were enhanced.
- HIPAA requirements now also apply directly to any business associates of a covered entity.
- The rules that pertain to providing an accounting to patients who want to know who accessed their health information were changed.
- Enforcement of HIPAA was strengthened.
Outside Attacks
- Hackers
- Worms, viruses, spam
- Theft
Intentional Breaches
- Malicious insiders
- Social media use
- Unauthorized access
Privacy and Security Rules: patient rights
- Patients are entitled to a notice of privacy practices from their healthcare provider.
- Inpatients are entitled to opt out of the facility's directory, thereby preventing disclosure of the fact that they are even a patient in the facility.
HIPAA factors
- The need and means to guarantee the security and privacy of health information was the focus of numerous debates.
- Comprehensive standards for the implementation of this portion of the act eventually were finalized, but the process to adopt final standards took years.
Network Issues
- Unencrypted transmissions
- Firewall failure
Unintentional breaches
- Unsecured terminals
- Loss of devices
- Unsecured passwords
The ARRA's two divisions
Divisions A and B
Safeguards (three categories)
Administrative, physical, and technical
All other releases of health information:
require a form for each release that specifies which information pertinent to the issue at hand is to be released. All releases of information must be formally documented and accessible to the patient on request.
HITECH Act and Health disparities
All patients, regardless of race, ethnicity, or socioeconomic status, should receive care that is effective, safe, equitable, and timely. When the national health IT infrastructure contemplated by the HITECH Act is fully implemented, such disparities are bound to decrease. The ability to monitor for disparities and promote the delivery of appropriate care to all patients will be enhanced. Clinicians will be prompted to base their treatments on appropriate factors and avoid biased care.
At the time the HITECH Act was enacted:
it was estimated that less than 8% of U.S. hospitals used a basic EHR system in at least one of their clinical units and less than 2% of U.S. hospitals had an EHR system in all of their clinical settings.
Health Insurance Portability and Accountability Act (HIPAA) Rules
Contain privacy, security, and breach notification requirements that apply to individually identifiable health information created, received, maintained, or transmitted by health care providers who engage in certain electronic transactions, health plans, health care clearinghouses, and their business associates.
The Office for Civil Rights (OCR)
Government agency that enforces the HIPAA Privacy Act.
HIPAA was signed into law by:
Bill Clinton
HITECH (ONC) Purposes:
1. Improve healthcare quality by enhancing coordination of services between and among the various healthcare providers a patient may have, fostering more appropriate healthcare decisions at the time and place of delivery of services, preventing medical errors, and advancing the delivery of patient-centered care
2. Reduce the cost of health care by addressing inefficiencies, such as duplication of services within the healthcare delivery system, and reducing the number of medical errors
3. Improve people's health by promoting prevention, early detection, and management of chronic diseases
4. Protect public health by fostering early detection and rapid response to infectious diseases, bioterrorism, and other situations that could have a widespread impact on the health status of many individuals
5. Facilitate clinical research
6. Reduce health disparities
7. Better secure patient health information
Title XIII of Division A of the ARRA is the:
HITECH Act
PHI
PHI, defined as any physical or mental health information created, received, or stored by a "covered entity" that can be used to identify an individual patient, regardless of the form of the health information
Safeguards:
need to be in place to control access whether the data and information are at rest (residing on a machine or storage medium), being processed, or in transmission, such as being backed up to storage or disseminated across a network.
Specific patient authorization is not required for:
- Research
- Medical or police emergencies
- Legal proceedings
- Collection of data for public health concerns
healthcare-associated infections (HAIs)
The evolving U.S. health IT infrastructure has enabled us to track this issue for all surgical patients and thus develop evidence-based care plans to ensure that all patients within the infrastructure receive the same quality of care
The intent of HIPAA legislation is to:
- Curtail healthcare fraud and abuse
- Enforce standards for health information
- Guarantee the security and privacy of health information
- Ensure health insurance portability for employed persons
Two key pieces of legislation were instrumental in shaping the health information technology and nursing informatics (NI) landscape:
- Health Insurance Portability and Accountability Act (HIPAA) of 1996
- Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009
PHI Vulnerabilities
- Unintentional breaches
- Outside attacks
- Intentional breaches
- Network issues
Title IV of Division B of the ARRA
addressed Medicare and Medicaid health IT and provided significant financial incentives to healthcare professionals and hospitals that adopted and engaged in the "meaningful use" of electronic health record (EHR) technology
HITECH Act of 2009
addresses the development, adoption, and implementation of health IT policies and standards and provides enhanced privacy and security protections for patient information—an area of the law that is of paramount concern in NI
Agency for Healthcare Research and Quality (AHRQ)
an agency within HHS, has been releasing a National Healthcare Quality and Disparities Report every year since 2003.
HIPAA Requirements
consequences were put into place for institutions and individuals who violate the requirements of this act
breach
considered discovered as soon as an employee other than the individual who committed the breach knows or should have known of the breach, such as unauthorized access or even an unsuccessful attempt to access information
Title IV of Division B of the ARRA:
considered part of the HITECH Act
Whenever a breach involves unsecured PHI
covered entities are responsible for alerting each affected individual by mail or email, based on the individual's preference.
CMPs
divided into four tiers
meaningful use
electronically capturing health information in a coded format, using that information to track key clinical conditions, communicating that information to help coordinate care, and initiating the reporting of clinical quality measures and public health information
civil monetary penalties (CMPs)
for violations of HIPAA became effective as soon as the HITECH Act became law in February 2009.
According to the Office of the National Coordinator for Health Information Technology (ONC):
four out of five hospitals now have at least a basic EHR with clinician notes, and, for larger acute care hospitals, nearly 96% have EHR technology certified by HHS.
Covered entities
include hospitals and other healthcare providers that transmit any health information electronically as well as health insurance companies and healthcare clearinghouses
Healthcare provider
includes hospitals, skilled nursing facilities, nursing homes, long-term care facilities, home health agencies, hemodialysis centers, clinics, community mental health centers, ambulatory surgery centers, group practices, pharmacies and pharmacists, laboratories, physicians, and therapists
protected health information (PHI)
information relating to one's physical or mental health, the provision of one's health care, or the payment for that health care, that has been maintained or transmitted electronically and that can be reasonably identified with the individual it applies to
The Federal Register has indicated that the national coordinator of the ONC does the following
interoperability of health information, as central and foundational to the core mission of HHS to enhance and protect the health and well-being of all Americans;
Compliance with the Privacy and Security Rules
is mandatory for all covered entities, and the HITECH Act extends compliance with these requirements directly to other entities that are business associates of a covered entity. Requirements include designation of privacy and information security officials to protect health information and appropriate handling of any complaints. Sanctions must be imposed if a violation of HIPAA occurs.
Qualified electronic health record
means "an electronic record of health-related information on an individual." A "qualified" EHR contains a patient's demographic and clinical health information, including the medical history and a list of health problems, and is capable of providing support for clinical decisions and entry of physician orders. It must also have the capacity "to capture and query information relevant to health care quality" and "exchange electronic health information with, and integrate such information from other sources."
Health information technology
means "hardware, software, integrated technologies or related licenses, intellectual property, upgrades, or packaged solutions sold as services that are designed for or support the use by healthcare entities or patients for the electronic creation, maintenance, access, or exchange of health information."
Certified EHR technology
means that an EHR meets specific governmental standards for the type of record involved, whether it be an ambulatory EHR used by office-based healthcare practitioners or an inpatient EHR used by hospitals. The specific standards that are to be met for any such EHRs are set forth in federal regulations.
Enterprise integration
means the electronic linkage of healthcare providers, health plans, the government, and other interested parties to enable the electronic exchange and use of health information among all the components in the healthcare infrastructure
Federal HITECH Act
part of the American Recovery and Reinvestment Act (ARRA). The ARRA, also known as the "Stimulus" law, was enacted to stimulate various sectors of the U.S. economy during the most severe recession this country had experienced since the Great Depression
Under the Privacy Rule
patients have a right to expect privacy protections that limit the use and disclosure of their health information
breaches involving unsecured PHI of more than 500 individuals
a prominent media outlet must also be notified.
insufficient contact information for 10 or more patients
the provider is required to place conspicuous postings on the home page of its website or in major print or broadcast media (without identifying patients), and a toll-free number must be provided so that affected individuals can call for information about the breach.
Under the Security Rule
providers are obligated to safeguard their patients' health information from improper use or disclosure and maintain the integrity of the information and ensure its availability
administrative safeguards
refer to the documented formal policies and procedures that are used to manage and execute the security measures. They govern the protection of healthcare data and information and the conduct of the personnel.
physical safeguards
refer to the policies and procedures that must be in place to limit physical access to electronic information systems
To Err is Human: Building a Safer Health System
report concluded that approximately 44,000-98,000 people in the United States die each year as a result of healthcare errors. Many thousands more who do not die are seriously injured from such errors. In addition to the human pain and suffering associated with healthcare errors, the monetary costs of these errors are substantial.
Centers for Medicare and Medicaid Services (CMS)
responsible for enforcing the electronic transactions and code sets provisions of the law
HITECH Act
sought to change that situation by providing each person in the United States with an EHR. In addition, a nationwide health IT infrastructure would be developed so that access to a person's EHR would be readily available to every healthcare provider who treats the patient, no matter where the patient may be located at the time treatment is rendered
Once the HITECH Act became law
state attorneys general were authorized to pursue civil claims for HIPAA violations and collect up to $25,000 plus attorneys' fees. As of 2012, individuals who are damaged by such violations became eligible to share in any monetary awards obtained by these state officials.
Tier 1 CMP
the covered entity had no reason to know of a violation: $100 per incident, up to a cap of $25,000 per year
Tier 2 CMP
the covered entity had reasonable cause to know of a violation: $1,000 per incident, up to a cap of $100,000 per year
Tier 3 CMP
the covered entity engaged in willful neglect that resulted in a breach: $10,000 per incident, up to a cap of $250,000 per year
Technical safeguards
the policies and procedures used to control access to healthcare data and information
Cost of an EHR system
was a major barrier to widespread adoption of this technology in most healthcare facilities
Reducing health disparities
was another purpose of the HITECH Act. Disparities are differences in access to care and quality of care in subpopulations.
Health IT industry
was one area where lawmakers saw an opportunity to stimulate the economy and improve the delivery of health care at the same time. This explains why the title of the HITECH Act contains the phrase "for Economic and Clinical Health."
Security Requirements
went into effect on April 21, 2005, and required the covered entities to put safeguards into place that protect the confidentiality, integrity, and availability of PHI when stored and transmitted electronically.
Privacy Requirements of HIPAA
which went into effect on April 14, 2003, limited the release of PHI without the patient's knowledge and consent.
Notice of a breach must be given to HHS
within 60 calendar days of the discovery