Nursing Informatics Ch.8: Legislative Aspects of Nursing Informatics: HIPAA, HITECH, and Beyond

Ace your homework & exams now with Quizwiz!

Tier 4 CMP

$50,000 to $1.5 million if the covered entity does not properly correct a violation

ONC current strategic goals:

-Advance person-centered and self-managed health -Transform health care delivery and community health -Foster research, scientific knowledge, and innovation -Enhance nation's health IT infrastructure (ONC, 2018)

HITECH ACT definitions

-Certified EHR technology -Enterprise integration -Healthcare provider -Health information technology -Qualified electronic health record

Privacy Rules (HIPAA)

-Define protected health information (PHI) -Propose that authorization by patients for release of information is not necessary when the release of information is directly related to treatment and payment for treatment. -Establish patient ownership of the healthcare record and allow for patient-initiated corrections and amendments. -Mandate administrative requirements for the protection of healthcare information. -Mandate that all outside entities that conduct business with healthcare organizations (e.g., attorneys, consultants, and auditors) must meet the same standards as those of the organization for information protection and security. -Allow PHI to be released without authorization for research studies. Patients may not access their information in blinded research studies because their access may affect the reliability of the study outcomes. -Propose that PHI may be de-identified before release in such a manner that the identity of the patient is protected. The healthcare organization may code the de-identification so that the information can be re-identified once it has been returned. -Applies only to health information maintained or transmitted by electronic means.

Protected Health Information:

-Demographics -Medical History; Lab or Tests Results -Insurance Information

HITECH Act has had a significant impact on HIPAA's Privacy and Security Rules in the following ways:

-HHS is to provide annual guidance about how to secure health information. -Notification requirements in the event of a breach in the security of health information were enhanced. -HIPAA requirements now also apply directly to any business associates of a covered entity. -The rules that pertain to providing an accounting to patients who want to know who accessed their health information were changed. -Enforcement of HIPAA was strengthened.

Outside Attacks

-Hackers -Worms, Viruses, Spam -Theft

Intentional Breaches

-Malicious Insiders -Social Media Use -Unauthorized Access

Privacy and Security rules rights

-Patients are entitled to a notice of privacy practices from their healthcare provider. -Inpatients are entitled to opt out of the facility's directory, thereby protecting disclosure of information that they are even a patient in the facility.

HIPPA factors

-The need and means to guarantee the security and privacy of health information was the focus of numerous debates. -Comprehensive standards for the implementation of this portion of the act eventually were finalized, but the process to adopt final standards took years.

Network Issues

-Unencrypted Transmissions -Firewall Failure

Unintentional breaches

-Unsecured Terminals -Loss of Devices -Unsecured Passwords

The ARRA 2 divisions

A and B

safeguards

Administrative Physical Technical

require a form for each release that specifies which information pertinent to the issue at hand is to be released. All releases of information must be formally documented and accessible to the patient on request.

All other releases of health information:

HITECH Act and Health disparities

All patients, regardless of race, ethnicity, or socioeconomic status, should receive care that is effective, safe, equitable, and timely. When the national health IT infrastructure contemplated by the HITECH Act is fully implemented, such disparities are bound to decrease. The ability to monitor for disparities and promote the delivery of appropriate care to all patients will be enhanced. Clinicians will be prompted to base their treatments on appropriate factors and avoid biased care.

it was estimated that less than 8% of U.S. hospitals used a basic EHR system in at least one of their clinical units and less than 2% of U.S. hospitals had an EHR system in all of their clinical settings

At the time the HITECH Act was enacted:

Health Insurance Portability and Accountability Act (HIPAA) Rules

Contain privacy, security, and breach notification requirements that apply to indiviudaly identifiable health information created, receievd, maintained, or transmitted by health care providers who engage in certain electronic transactions, health transactions, health plans, health care cleringhouses, and their business associates

The Office for Civil Rights (OCR)

Government agency that enforces the HIPAA Privacy Act.

Bill Clinton

HIPAA was signed into law by:

1. Improve healthcare quality by enhancing coordination of services between and among the various healthcare providers a patient may have, fostering more appropriate healthcare decisions at the time and place of delivery of services, and preventing medical errors and advancing the delivery of patient-centered care 2. Reduce the cost of health care by addressing inefficiencies, such as duplication of services within the healthcare delivery system, and reducing the number of medical errors 3. Improve people's health by promoting prevention, early detection, and management of chronic diseases 4. Protect public health by fostering early detection and rapid response to infectious diseases, bioterrorism, and other situations that could have a widespread impact on the health status of many individuals 5. Facilitate clinical research 6. Reduce health disparities 7. Better secure patient health information

HITECH (ONC) Purposes:

Title XIII of Division A of the ARRA is the:

HITECH ACT

PHI

PHI, defined as any physical or mental health information created, received, or stored by a "covered entity" that can be used to identify an individual patient, regardless of the form of the health information

need to be in place to control access whether the data and information are at rest; residing on a machine or storage medium; being processed; or in transmission, such as being backed up to storage or disseminated across a network

Safeguards:

-Research -Medical or Police Emergencies -Legal Proceedings -Collection of Data for Public Health Concerns.

Specific patient authorization is not required for:

healthcare-associated infections (HAIs)

The evolving U.S. health IT infrastructure has enabled us to track this issue for all surgical patients and thus develop evidence-based care plans to ensure that all patients within the infrastructure receive the same quality of care

-Curtail Healthcare Fraud and Abuse -Enforce Standards for Health Information -Guarantee the Security and Privacy of Health Information -Ensure Health Insurance Portability for Employed Persons

The intent of HIPPA legislation is to:

-Health Insurance Portability and Accountability ACT (HIPAA) of 1996 - Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009

Two key pieces of legislation were instrumental in shaping the health information technology and nursing informatics (NI) landscape:

PHI Vulnurabilities

Unintentional Breaches Outside Attacks Intentional Breaches Network Issues

Title IV of Division B of the ARRA

addressed Medicare and Medicaid health IT and provided significant financial incentives to healthcare professionals and hospitals that adopted and engaged in the "meaningful use" of electronic health record (EHR) technology

HITECH Act of 2009

addresses the development, adoption, and implementation of health IT policies and standards and provides enhanced privacy and security protections for patient information—an area of the law that is of paramount concern in NI

Agency for Healthcare Research and Quality (AHRQ)

an agency within HHS, has been releasing a National Healthcare Quality and Disparities Report every year since 2003.

HIPPA Requirements

consequences were put into place for institutions and individuals who violate the requirements of this act

breach

considered discovered as soon as an employee other than the individual who committed the breach knows or should have known of the breach, such as unauthorized access or even an unsuccessful attempt to access information

Title IV of Division B of the ARRA:

considered part of the HITECH Act

Whenever a breach involves unsecured PHI

covered entities are responsible for alerting each affected individual by mail or email, based on the individual's preference.

CMPs

divided into four tiers

meaningful use

electronically capturing health information in a coded format, using that information to track key clinical conditions, communicating that information to help coordinate care, and initiating the reporting of clinical quality measures and public health information

civil monetary penalties (CMPs)

for violations of HIPAA became effective as soon as the HITECH Act became law in February 2009.

According to the Office of the National Coordinator for Health Information Technology (ONC):

four out of five hospitals now have at least a basic EHR with clinician notes, and, for larger acute care hospitals, nearly 96% have EHR technology certified by HHS.

Covered entities

include hospitals and other healthcare providers that transmit any health information electronically as well as health insurance companies and healthcare clearinghouses

Healthcare provider

includes hospitals, skilled nursing facilities, nursing homes, long-term care facilities, home health agencies, hemodialysis centers, clinics, community mental health centers, ambulatory surgery centers, group practices, pharmacies and pharmacists, laboratories, physicians, and therapists

protected health information (PHI)

information relating to one's physical or mental health, the provision of one's health care, or the payment for that health care, that has been maintained or transmitted electronically and that can be reasonably identified with the individual it applies to

The Federal Register has indicated that the national coordinator of the ONC does the following

interoperability of health information, as central and foundational to the core mission of HHS to enhance and protect the health and well-being of all Americans;

Compliance with the Privacy and Security Rules

is mandatory for all covered entities, and the HITECH Act extends compliance with these requirements directly to other entities that are business associates of a covered entity. Requirements include designation of privacy and information security officials to protect health information and appropriate handling of any complaints. Sanctions must be imposed if a violation of HIPAA occurs.

Qualified electronic health record

means "an electronic record of health-related information on an individual." A "qualified" EHR contains a patient's demographic and clinical health information, including the medical history and a list of health problems, and is capable of providing support for clinical decisions and entry of physician orders. It must also have the capacity "to capture and query information relevant to health care quality" and "exchange electronic health information with, and integrate such information from other sources

Health information technology

means "hardware, software, integrated technologies or related licenses, intellectual property, upgrades, or packaged solutions sold as services that are designed for or support the use by healthcare entities or patients for the electronic creation, maintenance, access, or exchange of health information

Certified EHR technology

means that an EHR meets specific governmental standards for the type of record involved, whether it be an ambulatory EHR used by office-based healthcare practitioners or an inpatient EHR used by hospitals. The specific standards that are to be met for any such EHRs are set forth in federal regulations.

Enterprise integration

means the electronic linkage of healthcare providers, health plans, the government, and other interested parties to enable the electronic exchange and use of health information among all the components in the healthcare infrastructure

Federal HITEECH ACT

part of the American Recovery and Reinvestment Act (ARRA). The ARRA, also known as the "Stimulus" law, was enacted to stimulate various sectors of the U.S. economy during the most severe recession this country had experienced since the Great Depression

Under the Privacy Rule

patients have a right to expect privacy protections that limit the use and disclosure of their health information

breaches involving unsecured PHI of more than 500 individuals

prominent media outlet must also be notified.

insufficient contact information for 10 or more patients

provider is required to place conspicuous postings on the home page of its website or in major print or broadcast media (without identifying patients) toll-free number must be provided so that affected individuals can call for information about the breach.

Under the Security Rule

providers are obligated to safeguard their patients' health information from improper use or disclosure and maintain the integrity of the information and ensure its availability

administrative safeguards

refer to the documented formal policies and procedures that are used to manage and execute the security measures. They govern the protection of healthcare data and information and the conduct of the personnel.

physical safeguards

refer to the policies and procedures that must be in place to limit physical access to electronic information systems

To Err is Human: Building a Safer Health System

report concluded that approximately 44,000-98,000 people in the United States die each year as a result of healthcare errors. Many thousands more who do not die are seriously injured from such errors. In addition to the human pain and suffering associated with healthcare errors, the monetary costs of these errors are substantial.

Centers for Medicare and Medicaid Services (CMS)

responsible for enforcing the electronic transactions and code sets provisions of the law

HITECH Act

sought to change that situation by providing each person in the United States with an EHR. In addition, a nationwide health IT infrastructure would be developed so that access to a person's EHR would be readily available to every healthcare provider who treats the patient, no matter where the patient may be located at the time treatment is rendered

Once the HITECH Act became law

state attorneys general were authorized to pursue civil claims for HIPAA violations and collect up to $25,000 plus attorneys' fees. As of 2012, individuals who are damaged by such violations became eligible to share in any monetary awards obtained by these state officials.

Tier 3 CMP

the covered entity engaged in willful neglect that resulted in a breach, is $10,000 per incident, up to a cap of $250,000 per year

Tier 1 CMP

the covered entity had no reason to know of a violation, $100 per incident, up to a cap of $25,000 per year

Tier 2 CMP

the covered entity had reasonable cause to know of a violation, is $1,000 per incident, up to a cap of $100,000 per year

Technical safeguards

the policies and procedures used to control access to healthcare data and information

Cost of an EHR system

was a major barrier to widespread adoption of this technology in most healthcare facilities

Reducing health disparities

was another purpose of the HITECH Act. Disparities are differences in access to care and quality of care in subpopulations.

Health IT industry

was one area where lawmakers saw an opportunity to stimulate the economy and improve the delivery of health care at the same time. This explains why the title of the HITECH Act contains the phrase "for Economic and Clinical Health."

Security Requirements

went into effect on April 21, 2005, and required the covered entities to put safeguards into place that protect the confidentiality, integrity, and availability of PHI when stored and transmitted electronically.

Privacy Requirements of HIPAA

which went into effect on April 14, 2003, limited the release of PHI without the patient's knowledge and consent.

Notice of a breach must be given to HHS

within 60 calendar days of the discovery


Related study sets

Approaches to Clinical Psychology: Module 6 - Basics of Clinical Intervention

View Set

Nursing 1214 Exam #2: Code of Ethics and Chapter 13

View Set

Μηχανική στέρεου σώματος Α μέρος

View Set

Art History Chapter 20: The Reniassance

View Set

PSY 210 HUMAN GROWTH AND DEVELOPMENT

View Set

Chapter 14- Exercise in Hot and Cold Environments

View Set

Python Programming (2019FA.CSC.121.2801) Lesson 06

View Set