Privacy and Security of Electronic Health Records

Published on May 2016 | Categories: Types, Presentations | Downloads: 32 | Comments: 0 | Views: 447

Ensuring the privacy and security of health information, including information held in electronic health records (EHRs), is a key component of building the trust required to realize the potential benefits of electronic health information exchange. Here, the ONC shares information about the privacy and security of electronic health records and about ways to improve the disjointed health care system. There are ways to keep records accessible for care while protecting a patient's private information, so that the privacy and security of electronic health records are preserved. If individuals and other participants in a network lack trust in the electronic exchange of information, whether because of perceived or actual risks to electronic health information or doubts about its accuracy and completeness, they may be less willing to disclose necessary health information, which could have life-threatening consequences. Learn more about how we are helping to ensure the privacy and security of electronic health records and about the different laws in place to make this a reality. For more information, please visit http://www.healthit.gov/providers-professionals/ehr-privacy-security/resources/.


Privacy and Security of Electronic Health Records: New Challenges, New Protections
Author: Joy Pritts
July 26, 2012

Health Care System Is Broken

• Focus on “treatment”
• Sporadic
• Fragmented
• Uncoordinated care
• Inconsistent delivery of evidence-based care
• Misaligned reimbursement system

Improving the Health System

• Health Information Technology
• Provider Payment
• Health Insurance Market
• Quality Improvement

Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)

• Creates financial incentives for eligible providers and hospitals to “meaningfully use” electronic health records (EHRs), including exchanging health information electronically.
• Promotes development of a nationwide health information network to permit the secure exchange of electronic health information among providers.

Electronic Health Records (EHRs)

• Onsite server, network
• Cloud based solution
  – Third party
  – Off site server
  – Promoted as
    • Less expensive
    • Simpler

9/10/2013

Office of the National Coordinator for Health Information Technology


Models for Electronic Health Information Exchange

• Directly between providers
  – E.g., referral from one doctor directly to another
• Decentralized with a record locator service
• Centralized data bases
• Different models raise different privacy concerns

HIPAA Privacy Rule

• Federal baseline: scope
• Applies to most health care providers, as well as to health plans and health care clearinghouses (“covered entities”)
• Detailed provisions on the use and disclosure of protected health information
• Treats all health information the same (except separately maintained psychotherapy notes)

HIPAA Security Rule

• Applies to electronic protected health information (ePHI)
• Establishes administrative, physical and technical standards for securing ePHI to ensure access only by authorized persons and entities
• Scalable and flexible to meet the requirements of various organizations

Meaningful Use Incentives

• Eligible provider must conduct a security risk assessment per the HIPAA Security Rule
• Qualified EHR technology must be able to be encrypted

HITECH Improvements

• Extends HIPAA to directly cover “business associates” (entities that perform services on behalf of covered entities and need access to PHI on a regular basis)
  – HITECH expressly clarifies that health information exchange organizations are business associates
  – Cloud-based EHRs are business associates

Business Associates Under HITECH

• Subject to the use and disclosure limits of the HIPAA Privacy Rule
• Must comply with the substantive provisions of the HIPAA Security Rule
  – Access limitations
  – Authentication
  – Encryption

Patient Protection and Affordable Care Act (ACA)

Improve patient access to quality care through
• Broader health insurance coverage
• Health benefit exchanges for individuals and small groups
• No denial of coverage for pre-existing conditions
• Coordination of care

Accountable Care Organizations

• Network of doctors and hospitals that shares responsibility for providing care to patients
• Manage all of the health care needs of a minimum of 5,000 Medicare beneficiaries for at least three years
• Receive bonuses when providers keep costs down and meet specific quality benchmarks, focusing on prevention and carefully managing patients with chronic diseases

Accountable Care Organizations

• Accountable Care Organizations Final Rule
  – Federal Register, vol. 76, page 67802 (11/02/11)
• ACOs may be business associates
• Providers in an ACO are eligible to receive Medicare claims data generated by other providers
• Individuals may opt out of having certain identifiable information shared

ACA Performance Measurement

• ACA requires CMS to make Medicare data available to third parties (Qualified Entities), to be combined with other claims data for provider performance measurement.

ACA Performance Measurement

• Final Rule on Availability of Medicare Data for Performance Management
  – Federal Register, vol. 76, page 76542 (12/07/11)
• Qualified entities (conduct data analytics)
  – Are not considered business associates of CMS
  – Must have a rigorous data privacy and security program to qualify to receive Medicare data
  – Must sign a stringent data use agreement

Health Insurance Exchange Rule: Privacy and Security

• Establishment of Exchanges and Qualified Health Plans Final Rule
  – Federal Register, vol. 77, page 18310 (03/27/12)
• State health insurance exchanges must establish and implement privacy and security standards that are consistent with the Fair Information Practice Principles.
  – 45 CFR 155.260

Electronic Health Information: A Balancing Act

• Accessible for care
• Protecting Privacy
