Beruflich Dokumente
Kultur Dokumente
Version 1.2 060112 The information contained in this guide is not intended to serve as legal advice nor should it substitute for legal counsel. The guide is not exhaustive, and readers are encouraged to seek additional detailed technical guidance to supplement the information contained herein.
Guide to
Version 1.2 060112 The information contained in this guide is not intended to serve as legal advice nor should it substitute for legal counsel. The guide is not exhaustive, and readers are encouraged to seek additional detailed technical guidance to supplement the information contained herein.
Good patient care means safe record-keeping practices. Do not forget that an EHR represents a unique and valuable human being: it is not just a collection of data that you are guarding its a life.
Protecting patients privacy and securing their health information is a core requirement for the Medicare and Medicaid Electronic Health Record (EHRs) Programs1. The Medicare and Medicaid EHR Incentive Programs are referred to as the Meaningful Use Programs throughout this document. Further, effective privacy and security measures Adopting an EHR and protect your clinical practice from civil and criminal penalties2. Currently, electronically sharing your practice may have some privacy and security measures in place, such as patient health information private exam rooms, a notice of privacy practices, or a secure way to transmit with other providers creates patient information for billing. Ensuring privacy and security of health information, including information in electronic health records (EHR), is the key component to building the trust required to realize the potential benefits of electronic health information exchange. If individuals and other participants in a network lack trust in electronic exchange of information due to perceived or actual risks to electronic health information or the accuracy and completeness of such information, it may affect their willingness to disclose necessary health information and could have life-threatening consequences.
both new risks and new ways to secure information. Updating your privacy and security practices can be manageable and affordable, but it will require a sustained effort.
Your practice, not your EHR vendor, is responsible for taking the steps needed to protect the confidentiality, integrity, and availability of health information in your EHR and comply with Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules and CMS3 Meaningful Use Requirements.
1 http://www.cms.gov/EHRIncentivePrograms/Downloads/EP-MU-TOC.pdf 2 http://www.hhs.gov/ocr/privacy/hipaa/enforcement/index.html 3 http://www.cms.gov/EHRIncentivePrograms/Downloads/EP-MU-TOC.pdf
Guide to
Version 1.1 022312 The information contained in this guide is not intended to serve as legal advice nor should it substitute for legal counsel. The guide is not exhaustive, and readers are encouraged to seek additional detailed technical guidance to supplement the information contained herein.
These Meaningful Use requirements are not intended to supersede or substitute for compliance required under HIPAA. If you are a covered entity, you are still required to comply with the HIPAA Privacy and Security Rules. This guides references to HIPAA requirements pertain to pre-Health Information Technology for Economic and Clinical Health Act (HITECH) final rulemaking.
4 5 6 7 https://www.cms.gov/EHRIncentivePrograms/Downloads/EP-MU-TOC.pdf https://www.cms.gov/EHRIncentivePrograms/30_Meaningful_Use.asp http://www.cms.gov/EHRIncentivePrograms/Downloads/12ElectronicCopyofHealthInformation.pdf http://www.cms.gov/EHRIncentivePrograms/Downloads/15_Core_ProtectElectronicHealthInformation.pdf
Stage 1 Measure
More than 50 percent of all patients who request an electronic copy of their health information are provided it within three business days.
Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a) (1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
The Centers for Medicare & Medicaid Services has also launched a new comprehensive tool, An Introduction to the Medicare EHR Incentive Program for Eligible Professionals8, to help guide eligible professional through all of the phases of the Medicare EHR Incentive Programfrom eligibility and registration to attestation and payment.
Core Measure 12
Assure You Comply with MU Privacy Requirements
CMS operates the Meaningful Use Programs. Please refer to the official requirements for the Meaninguful Use Programs when structuring your compliance program. The information and tips below are some suggested ways of approaching these areas. As you adopt an EHR, make time to identify any gaps in how your practice fulfills its responsibilities for both the HIPAA Privacy Rule and other applicable laws. Privacy is the focus of the 4-step process discussed below, which complements the security risk analysis process that is emphasized in the 10-Step Plan9 for meeting Meaningful Use.
4. Anticipate and Address Patient Privacy Concerns: Be sure to anticipate the privacy concerns your patients may have as you digitize their health information. Reassure them that your EHR will help you safeguard their privacy. Patient relations on privacy and security issues should be an integral part of your overall patient engagement strategy Learn more about communicating with patients11 about health information privacy.
Core Measure 15
Assure You Comply with MU Security Requirements
CMS operates the Meaningful Use Programs. Please refer to the official requirements for the Meaninguful Use Programs when structuring your compliance program. The information and tips below are some suggested ways of approaching these areas. The figure to the right depicts a high-level security risk analysis process, the focus of the Meaningful Use Core Measure 15. The risks that you will be analyzing and managing refer to: Security vulnerabilities (e.g., user access controls are not properly configured, allowing staff to inappropriately view patient health information). Threats to protected health information (e.g., theft of portable device that stores or can access patient information).
This means that you must perform a security review of your electronic health care system and correct any practice that might make your patients information vulnerable. A security update could be updated software, changes in workflow processes or storage methods, new or updated policies and procedures, staff training, or any other
11 http://www.healthit.gov/patients-families
The HIPAA Security Rule requires covered entities to conduct a risk analysis to identify risks and vulnerabilities to electronic protected health information (e-PHI). Risk analysis is the first step in an organizations Security Rule compliance efforts. Following HIPAA risk analysis guidelines will help you establish the safeguards you need to implement based on the unique circumstances of your health care practice. Risk analysis is an ongoing process that should provide your medical practice with a detailed understanding of the risks to the confidentiality, integrity, and availability of e-PHI. HIPAA requires that covered entities implement policies and procedures to prevent, detect, contain, and correct security violations by conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by the [organization]. Providers should develop a risk analysis that addresses these criteria by evaluating the impact and likelihood of potential breaches, implementing security features, cataloguing security features, and maintaining security protections. For more information, view OCRs guidance on risk analysis12. As a covered health care provider, you ultimately retain responsibility for HIPAA compliance, including the security risk analysis. You have several options for completing your risk analysis, including enlisting the assistance of REC staff, hiring an outside professional, or doing it yourself, but whichever method you choose, you can expect that the security risk analysis will require your direct involvement.
12 http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidance.html
10
Fact
False. All providers who are covered entities under HIPAA are required to perform a risk analysis. In addition, all providers who want to receive EHR incentive payments must conduct a risk analysis. False. Even with a certified EHR, you must perform a full security risk analysis. Security requirements address all electronic protected health information you maintain, not just what is in your EHR. False. Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making their products compliant with HIPAA Privacy and Security Rules. It is solely your responsibility to have a complete risk analysis conducted. False. It is possible for small practices to do risk analysis themselves using self-help tools. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional. False. Checklists can be useful tools, especially when starting a risk analysis, but they fall short of performing a systematic security risk analysis or documenting that one has been performed. False. A risk analysis can be performed in countless ways. OCR has issued Guidance on Risk Analysis Requirements of the Security Rule. This guidance assists organizations in identifying and implementing the most effective and appropriate safeguards to secure e-PHI. False. Review all electronic devices that store, capture, or modify electronic protected health information. Include your EHR hardware and software and devices that can access your EHR data (e.g., your tablet computer, your practice managers mobile phone). Remember that copiers also store data. Please see U.S. Department of Health and Human Services (HHS) guidance on remote use. False. To comply with HIPAA, you must continue to review, correct or modify, and update security protections. For more on reassessing your security practices, please see the Reassessing Your Security Practice in a Health IT Environment. False. The EHR incentive program requires correcting any deficiencies (identified during the risk analysis) during the reporting period, as part of its risk management process. False. Perform the full security risk analysis as you adopt an EHR. Each year or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks. Under the Meaningful Use Programs, reviews are required for each EHR reporting period. For EPs, the EHR reporting period will be 90 days or a full calendar year, depending on the EPs year of participation in the program.
A checklist will suffice for the risk analysis requirement. There is a specific risk analysis method that I must follow. My security risk analysis only needs to look at my EHR.
I only need to do a risk analysis once. Before I attest for an EHR incentive program, I must fully mitigate all risks. Each year, Ill have to completely redo my security risk analysis.
To learn more, visit the Privacy and Security Resources page for more information. 11
Examples
Your facility and other places where patient data is accessed Computer equipment Portable devices Designated security officer Workforce training and oversight Controlling information access Periodic security reassessment Controls on access to EHR Use of audit logs to monitor users and other EHR activities Measures that keep electronic patient data from improper changes Secure, authorized electronic exchanges of patient information Written policies and procedures to assure HIPAA security compliance Documentation of security measures Breach notification and associated policies Business associate agreements
Administrative Safeguards
Written protocols on authorizing users Record retention Agreement review and updates
For any single risk, a combination of safeguards may be necessary because there are multiple potential triggers. For example, assuring continuous access to patient information may require adding a power surge protection strip, putting the server in a locked room, and being meticulous about backups. Learn more about these requirements through the HHS HIPAA Security Rule Educational Paper Series13 and the Cybersecurity Video14. For tools to assist you today, please visit the Privacy and Security Resources15.
12
For more information on how to use this checklist, contact your local REC17.
16 http://healthit.hhs.gov/pdf/cybersecurity/Basic-Security-for-the-Small-Healthcare-Practice-Checklists.pdf 17 http://www.healthit.gov/providers-professionals/regional-extension-centers-recs
13
Guide to
Version 1.2 060112 The information contained in this guide is not intended to serve as legal advice nor should it substitute for legal counsel. The guide is not exhaustive, and readers are encouraged to seek additional detailed technical guidance to supplement the information contained herein.
14
15
Explore HIPAA security requirements with your EHR vendor. What security functions does the EHR/Health IT product offer? If you have implemented an EHR, what are the current settings of those functions? What is the vendors pricing for training staff on those functions, developing relevant policies and procedures, and correcting security-setting deficiencies in the EHR system? Select a qualified professional to assist you with the security risk analysis. Your security risk analysis must be done well, or you will lack the information necessary to effectively protect patient information. Note that doing the analysis in-house may require an upfront investment developing a staff members knowledge of HIPAA and electronic information security issues. Use this opportunity to have your staff learn as much as possible about health information security. You however, can conduct the risk analysis yourself. Just as you contract with professionals for accounting, taxes, and legal counsel, so, too, outsourcing the security risk analysis function can make sense. RECs often provide this direct support. Another source of assistance may be your state or local medical association, or other professional medical association. If you need to, outsource this to a professional, a qualified professionals expertise and focused attention will yield quicker and more reliable results than if your staff does it piecemeal over several months. The professional will suggest cost-effective ways to mitigate risks so you do not have to do the research yourself and evaluate options. You are still ultimately responsible for the security risk analysis even if you outsource this function. Talk to several sources of potential assistance. If you contract with a professional, ONC recommends that you use a professional who has relevant certification, and direct experience tailoring a risk analysis to medical practices with a similar size and complexity as yours.
Use a checklist as a security risk preview. Have your security officer or security risk professional performing the risk analysis use a checklist to get a preliminary sense of potential shortcomings in how your practice protects patient information. A single checklist does not fulfill the security risk analysis requirement, but the checklist will help everyone get ready for needed improvements.
16
Over time, protecting privacy will become ingrained into all aspects of your practice operations. Further, your patients will feel and sense that you are safeguarding their health information.
Also, your REC or your membership associations may know of training resources. Training may be available through your local community college. The Privacy and Security Resources page provides some useful education materials.
17
24 http://www.healthit.gov/providers-professionals/achieve-meaningful-use/core-measures/protect-electronic-health-information 25 http://www.healthit.gov/providers-professionals/achieve-meaningful-use/core-measures/protect-electronic-health-information
18
What to Expect
Each step will require bringing your security team together and deciding who will be responsible for what component. You will finish the risk analysis, but then need to use the information to create and implement an action plan. Periodically at least annually you will need to return to the risk analysis report and reassess. The risk analysis can produce murky results. However, you will be able to see where you are meeting, not meeting, or exceeding HIPAA requirements. The risk analysis process is ongoing. There is no simple checklist that you can use to know that your security process is done or sufficient. Federal, state, and privacy and security requirements will continue to evolve.
Follow a specific process in conducting the risk analysis so that you consider all potential threats and vulnerabilities. The process does not need to be formal (e.g., that you used a specific tool), but it should be systematically approached so it covers all security risks. Make sure your risk analysis examines risks specific to your situation, including if your EHR is based in your office or Internet-based. The latter you may also know as cloud computing or application service provider (ASP).
19
Internet-Hosted EHR
The vendor controls many security settings, the adequacy of which may be hard to assess. Your data may be stored outside the U.S. Other countries have different health information privacy & security laws that may apply to data mantained in such country. You are more dependent on the reliability of your Internet connection. In the future, the vendor might request extra fees to update your EHR for compliance as federal, state, and private information security requirements evolve
Free do-it-yourself tools for the security risk analysis are available on the Privacy and Security Resources26 page, and some RECs27 provide this service or can provide additional tools. Look for tools that are suitable to your practice in terms of scale and terminology. Some commercial security risk analysis products are now available; before buying one, seek out an independent review from a health information security expert. Be sure to involve your EHR vendor, beginning with some basic questions. Under the Meaningful Use Programs, reviews are required for each EHR reporting period. For EPs, the EHR reporting period will be 90 days or a full calendar year, depending on the EPs year of participation in the program. A risk analysis should also be done when a major change occurs to your practice or electronic system, such as your decision to participate in a health information exchange (HIE)28. Annual reassessments will take less time and effort than the original full risk analysis. Review and update the prior analysis for changes in risks. Reassessments will take less time and effort than the original full risk analysis. Review and update the prior analysis for changes in risks.
20
The goal is to protect patient information through ongoing efforts to identify, assess, and manage risks. Above all, integrate information security into your practice routines and create a culture of continually safeguarding patient information.
Is your server in a room only accessible by authorized staff? Do you keep the door locked? Are your passwords easily found (e.g., taped to a monitor)? Easy to guess? Do you have a fire extinguisher that works? Where, when, and how often do you back-up? Is at least one back-up kept offsite? Can your data be recovered from the back-ups? How often is your EHR server checked for viruses? Who has keys to your building? Any former employees or contractors? What is your plan for what to do if your server crashes and you cannot directly recover data? Do you have documentation about what kind of server it was, what software it used, etc.?
29 http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov__privacy_and_security/1147 30 http://healthit.hhs.gov/CHPL
21
Once your written policies and procedures are in place, HIPAA requires that you: Train staff (see Step 7) on what is required and how to implement the policies and procedures. HIPAA requires that your workforce be specifically trained on your medical practices policies and procedures for breach notification.
31 https://www.cms.gov/EHRIncentivePrograms/Downloads/EP-MU-TOC.pdf
22
23
How Often?
Your practice may formally educate and train your workforce at least once a year and when your practice changes policies or procedures. It is particularly important that your staff be trained on how to respond to security incidents or an unauthorized disclosure of protected health information (PHI).
32 http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/ 33 http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/notice.html
24
Patient relations on privacy and security issues should be an integral part of your overall patient engagement strategy34. Consumer communications should be culturally appropriate. Consider language, communication needs, and the level of trust that seems to exist between different patient populations and health care providers. If a population has some distrust of the medical establishment, then take extra steps to reassure them that you are safeguarding their information. For concerned patients and their caregivers, be ready to guide them through the change. For ideas, see the Privacy & Security Informational Resources35, which provides other materials for you and your patients. Fulfill Your Responsibilities for Patients Health Information Rights In the future, expect more patients to ask how you handle their electronic health information. More patients will ask for their medical records, and some will want changes to their records. To prepare for patient requests, ask your EHR vendor and REC consultant about ways to use your system to help you fulfill individual patient rights. A good place to start is focusing on the EHR incentive program objective of giving patients a copy of their electronic health information upon request. For example, walk through the steps of saving a patients record on a mobile device such as a disc or jump/USB drive (which should be password protected or encrypted) as well as how to print out a patients record. Ask your vendor to provide step-by-step instructions that include screen shots on how to perform these actions. Once you have established a process and procedure on how patients can get a copy of their EHR, develop procedures for patients to ask you to modify their health information, restrict disclosure, and obtain a report about prior disclosures. (Patients Individual Rights and Your Responsibilities section in Chapter 4 explains these legal rights.) Online Communications with Patients If you plan to interact with patients via online platforms (e.g., e-mail, a patient portal for your EHR, or social media) adhere to HIPAA requirements for protected health information. Check the Privacy & Security Resources36 page for more information.
34 35 36 37 38
25
39 http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/healthit/introduction.pdf 40 http://www.cms.gov/EHRIncentivePrograms/Downloads/15ProtectElectronicHealthInformation.pdf
26
Guide to
Version 1.2 060112 The information contained in this guide is not intended to serve as legal advice nor should it substitute for legal counsel. The guide is not exhaustive, and readers are encouraged to seek additional detailed technical guidance to supplement the information contained herein.
27
41 http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
28
Related Topics
Complying with Privacy & Security Requirements
Resources
HIPAA Requirements in detail (OCR) The Privacy Rule, in detail (OCR) The Security Rule, in detail (OCR) Customized, on-the-ground assistance to providers Privacy and Security Resources
42 http://www.hhs.gov/ocr/privacy/hipaa/enforcement/index.html 43 http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
29
Designated Record Set A designated record set is basically a group of records which a covered entity uses to make decisions about individuals, and includes a health care providers medical records and billing records, and a health plans enrollment, payment, claims adjudication, and case or medical management record systems. For more information about what a designated record set is, please see OCRs Health IT Guidance on Access44.
44 http://www.hhs.gov/ocr/privacy/hipaa/faq/right_to_access_medical_records/311.html 45 http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
30
Do I need to inform my patients about how I use or disclose their health information?
Under the HIPAA Privacy Rule, covered entities must provide patients with a Notice of Privacy Practices48 that specifies an individuals legal rights and the covered entitys legal duties with respect to the use and disclosure of PHI. In addition to providing this notice to patients at the initial visit, a covered provider must make its notice available to any patient upon request. Your practice has likely been using a Notice of Privacy Practices for several years now. If you need a template of an acceptable privacy practice, your REC or state or county medical association may be able to suggest some templates that comply with HIPAA requirements. Note that state and private sector requirements may necessitate adding other information to your notice. Plan to reassess your notice once OCR issues the final rule for the Health Information Technology for Economic and Clinical Health Act (HITECH) changes to HIPAA. Please refer to OCRs website to learn more about the notice49.
46 47 48 49
31
If you do not generally use e-PHI, you will likely need to make changes in the above areas to comply with HIPAA and Meaningful Use requirements. Fortunately, properly configured, certified EHRs50 can provide more protection to patient health information than that provided by paper: Unique passwords and user names help prevent unauthorized access to the system. User and role based access controls prevent inappropriate or unauthorized access to both patient information and system controls. Backup and recovery is essential to ensuring availability of patient information to providing consistency in care.
Encryption protects patient health information in transmission and on mobile devices, and is often a limit on liability for breach purposes under HIPAA. Appropriate and properly installed wireless capability provides firewalls and encryption functionality to keep your practice network secure.
32
People
Information
Technology
Facilities
The HIPAA Security Rule requires three kinds of safeguards: administrative, physical, and technical.
Administrative safeguards
These safeguards establish standards and specifications for your health information security program that include the following: Security management processes to identify and analyze risks to e-PHI and implementing security measures to reduce risks Staff training to ensure knowledge of and compliance with your policies and procedures Information access management to limit access to electronic health records to protect health information, including the information in EHRs Contingency plan to respond to emergencies or restore lost data
Physical safeguards
These safeguards control physical access to your office and computer systems. Examples of required physical safeguards include: Facility access controls, such as locks and alarms, to ensure only authorized personnel have access into facilities that house systems and data Workstation security measures, such as cable locks and computer monitor privacy filters, to guard against theft and restrict access to authorized users Workstation use policies to ensure proper access to and use of workstations
52 http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html 53 http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html
33
Please visit the OCR website for a full overview of security standards and required protections for e-PHI under the HIPAA Security Rule.
34
Definition of Cybersecurity
Cybersecurity: The protection of information and systems that connect to the Internet. It is in fact protecting
your personal information or any form of digital asset stored in your computer or in any digital memory device. It includes detection and response to a variety of cyber (online) attacks.
The U.S. Department of Health and Human Services Office of the National Coordinator for Health Information Technologys (ONCs) Cybersecurity Checklist54 shows you 10 simple best practices that should be taken to reduce the most important threats to the safety of EHRs. For a full overview of security standards and required protections for e-PHI under the HIPAA Security Rule55, visit OCRs website.
Definition of e-PHI
Electronic Protected Health Information (e-PHI): The HIPAA Security Rule protects a subset of information covered by the HIPAA Privacy Rule. This subset of information is referred to as e-PHI. e-PHI is all PHI a covered entity maintains or transmits in electronic form. The Security Rule does not apply to PHI transmitted orally or in writing. The HIPAA Privacy Rule protects the privacy of individually identifiable health information, called protected health information (PHI). PHI includes information: That relates to the individuals past, present, or future physical or mental health or condition; to the provision of health care to an individual; or to past, present, or future payment for the provision of health care to the individual; and That identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual.
54 http://healthit.hhs.gov/pdf/cybersecurity/Basic-Security-for-the-Small-Healthcare-Practice-Checklists.pdf 55 http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html
35
36
Oversight
The Office for Civil Rights, within the U.S. Department of Health and Human Services (HHS) administers and enforces the HIPAA Privacy, Security, and Breach Notification Rules. State attorneys general may also enforce provisions of the HIPAA Rules. The Centers for Medicare and Medicaid Services within HHS oversees the EHR incentive programs. The Office of the National Coordinator for Health Information Technology provides support for the adoption and promotion of EHR and health information exchange (HIE) to improve health care in the United States.
Breach notification rule and reporting
Civil Penalties
OCR is responsible for administering and enforcing the HIPAA Privacy, Security, and Breach Notification Rules and conducts complaint investigations, compliance reviews, and audits. Penalties may be imposed for failure to comply with the HIPAA Rules. The civil penalties, especially for intentional disclosure of PHI are substantial, which makes compliance with the HIPAA Privacy and Security Rules essential. State attorneys general may also enforce provisions of the HIPAA Rules. Learn more about OCRs HIPAA enforcement62, the HIPAA Privacy & Security Audit Program63, or the HIPAA Enforcement Rule64.
Criminal Penalties
The U.S. Department of Justice prosecutes criminal violations of HIPAA. Under the HIPAA statute, criminal penalties can be imposed for the knowing misuse of unique health identifiers, and for knowingly and impermissibly obtaining or disclosing individually identifiable health information. The HIPAA identifier regulations specify the appropriate use of identifiers, and the HIPAA Privacy Rule identifies what is an impermissible obtaining or disclosing of individually identifiable health information.The Department of Justice investigates and prosecutes HIPAA criminal cases, and criminal penalties are applied upon conviction.
37
Laws/ Requirements
Key Points
Some laws and frameworks recognize that particular health conditions may put individuals at a higher risk for discrimination or harm based on that condition. Federal and some state laws require special treatment and handling of information relating to alcohol and drug abuse, genetics, domestic violence, mental health, and HIV/AIDs. Federal laws: - 42 CFR Pt. 2: Confidentiality of Alcohol and Drug Abuse 67 - Family Education Rights and Privacy Act (FERPA)68 - Genetic Information Nondiscrimination Act (GINA)69 - Title X of Public Health Service Act - Confidentiality70
State and federal laws generally authorize parent or guardian access to minors health information. Depending on age and health condition (e.g., reproductive health, child abuse, mental health), and applicable state law, minors also have privacy protections related to their ability to consent for certain services under federal or state law. Federal laws: - Family Education Rights and Privacy Act - Genetic Information Nondiscrimination Act - Title X of Public Health Service Act A contracting health plan or payer may require additional confidentiality or safeguards.
Private-Sector Requirements
38
39
40
Guide to
Version 1.2 060112 The information contained in this guide is not intended to serve as legal advice nor should it substitute for legal counsel. The guide is not exhaustive, and readers are encouraged to seek additional detailed technical guidance to supplement the information contained herein.
41
Technical Assistance
Regional extension centers (RECs) offer competent technical assistance with expertise in directly assisting providers in solo or small practice with all phases of adopting an electronic health record (EHR). Find your local REC, or your state or county medical association and other professional associations for additional assistance. You can also look up the closest REC by zip code.
o OCRs Summary of the HIPAA Privacy Rule. Summary of key elements of the Privacy Rule, including who is covered, what information is protected, and how information can be used and disclosed. Available at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html o OCRs Summary of the HIPAA Security Rule. Summary of key elements of the Security Rule, including who is covered, what information is protected, and what safeguards must be in place. Available at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html o Are You a Covered Entity? The Office for Civil Rights describes to whom the Administrative Simplification standards adopted by HHS under HIPAA apply. Available at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html o Breach Notification Rule. U.S. Department of Health and Human Services. (2009) Describes the interim final breach notification regulations, issued in August 2009, implementing section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act. Available at: http://www.hhs. gov/ocr/privacy/hipaa/administrative/breachnotificationrule/ OCRs Guidance on the HIPAA Privacy Rule and Health IT Toolkit. These guidance documents discuss the HIPAA Privacy Rule and how it can facilitate the electronic exchange of health information. Available at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/healthit/ OCRs Guidance on Risk Analysis under the HIPAA Security Rule. This guidance clarifies OCRs expectations for organizations working to meet the risk analysis requirements of the HIPAA Security Rule. Available at: http:// www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf
42
43