SMU Privacy Overview 2007

Information about SMU Privacy Overview 2007

Published on May 2, 2008

Author: Gourangi


Privacy in a Healthcare Environment
David S. Muntz, SVP-IS/CIO for Baylor Health Care System
November 19, 2007

Founding Statement

“Is it not now time to build a great humanitarian hospital, one to which men of all creeds and those of none may come with equal confidence?”
Dr. George W. Truett, 1903
Co-founder of Texas Baptist Memorial Sanitarium, predecessor of Baylor Health Care System

Circle of Care

Guided by Baylor Values: Integrity, Servanthood, Quality, Innovation, Stewardship

Baylor Health Care System

2007 Preliminary and Unaudited Financial Performance
- $2.7 Billion Net Patient Revenue
- $318 Million Net Operating Income (all sources)
- 16,600 employees
- 13 hospitals
- Significant teaching and research programs
- No health plan
- 3,500 physicians including 450 employed
- 128+ access points
- 130 mile diameter, all in Texas

Confluence of Factors Impacting Healthcare Information Systems

- Quality indicators are universally available.
- Top quality is BHCS’ only option. The Board required “extraordinary” performance.
- The future demands a fundamental change in the underlying processes related to delivery of health care.
- There are limited resources and a high demand for new products, processes, and services.
- The healthcare consumer will have more choices.

Other Influential Factors

Quality
- Institute of Medicine’s Study of Medication Errors (national and state implications)
- Leapfrog Group, both nationally and locally
Finance
- Increasing pressures from Managed Care
- Health Insurance Portability and Accountability Act of 1996
- Balanced Budget Act of 1997
- P4P (Pay for Performance)
People
- Nursing shortage, including other qualified and registered clinical personnel
Technology
- Tolerance of complex systems
- Universal access (Microsoft)

Infrastructure: Responsive & Reliable

- 2 primary data centers
- 12 satellite remote campus communication centers
- 1 mainframe with 2 processors
- 44 midrange platforms
- 3 robotic tape silos: two with 6,000 tapes per silo and 120 terabytes of spinning disk, one with 50 tapes per silo; 200 to 800 GB per tape; 24 actual tape drives in the two primary silos
- Disk capacity with some form of RAID: 2 Storage Area Networks (80 terabytes), total DAS and NAS (140 terabytes), 1.1 terabytes of storage on the mainframe
- 800+ application servers
- 22,000+ data nodes, 19,500+ voice nodes
- 243 FON closets with 285+ UPS, 2,000+ switches and routers, 1,000+ WAPs
- Approximately 10,000 workstations and 4,100 printers
- Speeds of transmission: 10/100/1000 megabits per second
- WAN – T1, DS-3, Optiman, GigaMAN, dedicated fiber
- 2 connections to our ISP, scalable to 155 megabits total on demand
- Nine SL-100 phone switches, centrally managed
- 5,030 centralized voice mail users
- 40,000+ biomedical devices
GOAL: Create the equivalent of dial tone - 6 Sigma reliability.

Portal Strategy: Universal Access

- Internet based, web enabled applications
- Physicians, Trustees, Employees, Consumers, Education: create virtual integration
- Pass user’s context to applications to avoid multiple logins
- Pass patient context where possible
- Use desktop metaphor and place icons for all available applications on desktop
- Allow personalization of desktop to encourage portal utilization
- Make security design and administration independent of application coding

What are Baylor’s next steps?

Care Model Graphic

The Framework for the EHR

Diagram labels: Radiology & PACS; Laboratory Systems; Common Registration; Patient Accounting & Patient Management; Scheduling & Surgical Management; Medication Management; Contract Management; Supply Chain; Managed Care; Respiratory Therapy; others...; Foundation; Business Operations; Clinical Applications; Knowledge Based Medicine; Safety and Satisfaction; Governance; Electronic Health Record; Clinical Decision Support; Computerized Physician Order Entry; Efficacious and Efficient; Continuous Improvement Processes; Information Technology Infrastructure; Knowledge

A Simple Definition

Integrating clinical and non-clinical process improvements with enabling technologies. Hardwiring STEEEP*
*IOM Model: Safe, Timely, Effective, Efficient, Equitable, Patient-centered care.

HIPAA: A Framework for Privacy in Healthcare

HIPAA – The Intent

HIPAA was designed to:
- Ensure health insurance portability
- Reduce health care fraud and abuse
- Guarantee privacy and security of health information
- Provide standards for electronic exchange of health information

Examples of HIPAA’s impact include:
- Portability. Guarantees medical coverage renewal, prohibits discrimination based on health status, and eliminates some preexisting conditions exclusions.
- Transaction Standards and Unique Identifiers. Creates standard formats and code sets for all major transactions that are processed electronically; provides national identifiers for providers, employers, and health plans.
- Security Rule. Provides a uniform level of protection of all electronic health information.
- Privacy Rule. Addresses the rights of an individual, the procedures for exercising these rights, and the uses and disclosures of health information. Ensures confidential treatment of patient data.

Evolution of The Privacy Rule

Baylor Health Care System’s (BHCS) Response: People, processes, and timelines

- Processes. HIPAA standardizes how procedures are coded and electronic bills are submitted. It also prompts health care organizations to examine processes and change how patient information is communicated, shared, disclosed, and protected.
- People. HIPAA touches everyone in our organization. It requires our employees, physicians, volunteers, and contractors to be trained and to follow new policies, procedures, and processes.
- Timeline. HIPAA sets rules for how we should act and penalties should we fail to meet the new standards. Compliance with HIPAA occurs in phases, starting in April 2003.

National Versus State Regulation – How do we approach that?

Many states, including Texas, passed their own versions of HIPAA. HIPAA resolved this issue by instructing that when state and federal versions differ, the more restrictive version applies. BHCS has reconciled state and federal law, and the more restrictive law is reflected in our privacy policies, which are the basis for our training.

Who Is “Covered?”

- Providers. BHCS is a health care provider. As a physician, you are a provider. Providers range from large hospital systems to individual nursing homes, labs, and pharmacies. Health care providers are also doctors, nurses, dentists, psychotherapists, and others who care for patients.
- Plans or insurers. Examples include Cigna, United Health Care, Blue Cross/Blue Shield, and Aetna.
- Clearinghouses. These are systems that process information for other companies, such as most billing services like WebMD Envoy®.

More terminology

- HIPAA protects the rights of individuals, not just patients. An individual is the subject of health information. This can include patients and health plan participants and their covered dependents. These same rights extend to legally authorized representatives.
- A covered entity's workforce includes employees, volunteers, people whose conduct is under the direct control of a covered entity, and people involved in a covered entity's training programs.
- Individually Identifiable Health Information (IIHI) is health information that either identifies an individual or provides a reasonable basis for identifying an individual, by virtue of containing one or more of 18 identifiers.
- PHI stands for Protected Health Information. This is health information, in any form, that can identify an individual. HIPAA and Texas state law define how PHI may be used and disclosed.
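The IIHI definition rests on the identifier elements the deck lists on the next slide. As an added example, not from the presentation or from any Baylor system, the Python below drops the structured fields that correspond to that list and scans free-text notes for the identifiers with a recognizable shape (SSN, phone or fax numbers, e-mail, IP address, medical record number, dates); the field names, the sample record and the note text are all constructed for the example.

```python
import re
from typing import Any

# Structured fields treated as identifiers, following the deck's 18-element
# list. The field names themselves are assumed/constructed for this example.
IDENTIFIER_FIELDS = {
    "name", "relative_names", "street", "employer", "city", "dob", "county",
    "phone", "zip", "fax", "geocode", "email", "ssn", "mrn", "health_plan_id",
    "account", "license", "device_serial", "biometric", "ip", "photo",
}

# Identifiers that also leak through free text and have a recognizable shape.
# Order matters: SSNs are redacted before the looser phone/fax pattern runs.
TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{5,}\b", re.IGNORECASE),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def deidentify(record: dict[str, Any]) -> tuple[dict[str, Any], list[str]]:
    """Return (cleaned_record, findings).

    Structured identifier fields are dropped outright. Free-text fields are
    scanned and each match is replaced with a [category] marker, and the
    findings list records what was removed from where for the reviewer.
    """
    cleaned: dict[str, Any] = {}
    findings: list[str] = []
    for field, value in record.items():
        if field in IDENTIFIER_FIELDS:
            findings.append(f"dropped field {field}")
            continue
        if isinstance(value, str):
            for category, pattern in TEXT_PATTERNS.items():
                value, hits = pattern.subn(f"[{category}]", value)
                if hits:
                    findings.append(f"{field}: redacted {hits} {category}")
        cleaned[field] = value
    return cleaned, findings


# Constructed sample record; the note shows identifiers hiding in free text.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "dob": "1960-04-12",
    "mrn": "0012345",
    "zip": "75246",
    "diagnosis": "Type 2 diabetes",
    "age": 47,
    "note": ("Pt called from 214-555-0100, SSN 123-45-6789 on file; "
             "portal login from 10.1.2.3, see MRN 0012345."),
}

if __name__ == "__main__":
    cleaned, findings = deidentify(SAMPLE_RECORD)
    print(cleaned)
    for f in findings:
        print("finding:", f)
```

Structured fields are the easy part; the note field is where a field-by-field policy silently fails, which is why the scan and the findings list are kept together.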
Protected Health Information: 18 elements

PHI identifies the individual, or there is a reasonable basis to believe that the information can be used to identify the individual. If the following information is removed, it is presumed to be non-identifiable information:
- Name
- Names of Relatives
- Street Name
- Names of Employers
- City
- Date of Birth
- County
- Telephone Numbers
- Zip Code
- Fax Numbers
- Equivalent Geocodes
- E-Mail Addresses
- Social Security #
- Medical Record #
- Health Plan #
- Account #
- Certificate/License #
- Vehicle or Device Serial #
- Finger & Voice Prints
- Internet Protocol Address
- Photo Images

Implementation: System and Entity Level

Staffing
- System: Create Program Management Office to coordinate all HIPAA efforts. Appoint System Privacy Officer.
- Local: Appoint Entity Privacy Officer to ensure Privacy Program implementation at entity.
Training
- System: Develop and maintain training materials for the workforce. Develop courses. HIPAA web site.
- Local: Train existing and new workforce members.
Policies and Procedures
- System: Develop system-level privacy-related policies through entity collaboration.
- Local: Create entity-specific procedures and implementation plans.
Reporting Concerns
- System: Oversee standard reporting and investigation process.
- Local: Contact manager or Entity Privacy Officer.

Information Security Policies

Privacy Policies

Patient Rights

Confidentiality is one of many patient's rights. Other rights include being able to:
- read and obtain copies of their health information
- request restrictions of the use and disclosure of PHI
- request that we communicate with an individual about his/her health information in a specific way or at a specific location
- request changes to health information, if an individual believes it's incorrect or incomplete
- receive an accounting of outside disclosures
- file a complaint if an individual believes his/her confidentiality has been violated
These rights have exceptions and specific procedures that need to be followed. BHCS has developed the procedures and processes necessary to respond to patients when exercising these rights. Privacy notices must be posted.

Organized Health Care Arrangement (OHCA)

Establish a mechanism for free exchange of PHI between each BHCS entity and its respective medical staff for a hospital-based episode of care. When a patient presents to a BHCS entity, the Notice they receive is applicable to the entity medical staff as well as the entity’s workforce.
Hospital-based Episode of Care: services jointly provided to patients by a BHCS entity and members of the entity medical staff, whether for inpatient or outpatient services. Does not relate to services provided by the physician in his/her private practice setting.

Safeguarding PHI

- Ask questions…if you see someone unfamiliar to you accessing PHI.
- Take precautions when discussing PHI over the telephone or voicemail…make sure that you are leaving messages for the right person.
- Conceal or secure PHI…so that it can’t be viewed on desks, door pockets, or in hallways. When not in use, ensure chart holders are closed.
- Control access…to areas that contain PHI. This means that doors will be locked, and card access systems and other physical access controls will be used as necessary. The number of designated entrances will be minimized after normal business hours.
- Exercise care…when you have to discuss PHI in public areas such as waiting rooms or over the phone in public areas, so that others don’t accidentally hear you.
- Wear your badge…so that you can be easily identified as an employee, volunteer, contractor, or physician.

Safeguarding PHI

Overhead Paging
- …should be limited to the patient name and specific instructions. These instructions should not identify any PHI.
Waiting Rooms
- Only use the minimal information necessary to locate the patient or patient's family members.
- Message boards should contain only the patient's last name and initial of first name.
- Other options for locating the patient or patient’s family include using electronic pagers or a ‘take a number’ system.

Safeguarding PHI

Whiteboards
- Should be out of public view as much as possible.
- When in public view, boards will only display patient last name, location, and last name of attending physician and caregivers.
Patient Sign-In Sheets
- Should not be left out for viewing by other patients.
- Instead of sign-in sheets, consider using individual labels that can be removed and transferred to another sheet after each patient signs in, individual sheets of paper that can be removed, or a ‘take a number’ system.
Patient Information Lists
- Include medical tests, diagnostic procedures, surgery schedule or lab tests. These lists should be protected from public view.
- When using clipboards, the list should be covered with a plain sheet of paper.
- Distribution lists will be reviewed periodically to verify that recipients have a need to know.

Safeguarding PHI

Patient Identification on Door
- May contain only the patient last name, initial of first name, location, and physician name. Care-related instructions and advisories are allowable.
Paper Records
- …must be secured in storage bins until destroyed. Methods include:
  - Document destruction services with onsite destruction (for High Volume Areas)
  - Onsite shredding machines (for Low Volume Areas)
  - Destruction of documents by offsite service providers; vendors should follow BHCS’ criteria for secure disposal and destruction

Safeguarding PHI

Faxes
- Place fax machines in secure locations
- Monitor fax machines that send and receive PHI
- Remove PHI from fax machines immediately after transmission
- Verify fax numbers and identity of recipients before faxing PHI
- Follow specific procedures when receiving or sending misdirected faxes
Voicemail
- Listen to the entire greeting
Internet
- Secure sites
- Encryption for e-mails

Safeguarding PHI

Electronic Health Records
- Encrypted databases
- Automated inputs
- Controlled access
- Security challenges
- Biometrics
- Quick timeouts
- Role-based security
- Audit trails for every screen
- Active review of audit records

Information Breach

Individual: the subject of health information.
Information breaches can result in the violation of an individual's privacy. An information breach occurs when PHI is:
- accessed by unauthorized individuals.
- discussed without a legitimate business purpose.
- revealed to those who don't have a need to know.

Information Breaches

It Really Happens

Level 2: A psychiatrist from New Hampshire was fined $1,000 for repeatedly looking at the medical records of an acquaintance without permission. Because there was no state law making it a crime to breach the confidentiality of medical records, the case was brought under a law against misusing a computer. (“Psychiatrist Convicted of Snooping in Records,” The Associated Press State & Local Wire, May 5, 1999)

Level 3: Country singer Tammy Wynette's medical records were sold to the National Enquirer and Star tabloids by a hospital employee for $2,610. William Cox's position at the hospital entitled him to authorized access to several medical record databases. He retrieved medical information about Tammy Wynette and faxed it to the tabloids without her consent. In the end, Cox pleaded guilty to one count of wire fraud and was sentenced to six months in prison. ("Selling Singer's Files Gets Man Six Months," Houston Chronicle, December 2, 2000, p. A2)

General Approach: Minimum Necessary

Minimum necessary guidelines apply to almost all uses, disclosures and requests of PHI, including:
- Health care operations and payment purposes.
- Treatment purposes (other than the provider exception as described next).
- Other disclosures and requests to external third parties.
However, every rule does have its exceptions. Exceptions to the minimum necessary requirement include disclosures:
- to and requests by providers for treatment.
- to the individual.
- authorized by the individual.
- required by law.
- to HHS for compliance with the Privacy Rule.
- to HHS for compliance with other HIPAA requirements.
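The EHR safeguards above call for audit trails on every screen and active review of the audit records, and both “It Really Happens” cases involve a workforce member with valid credentials reading records of a patient they were not treating. As an added example, not from the presentation or any Baylor system, the Python below runs that review over an audit trail: it flags chart accesses by users outside the patient's care team, lets role-based allowances (minimum necessary) excuse routine actions, and escalates repeated access spread over several days; the log format, user names, care-team table and role allowances are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail (format invented for this example):
# timestamp | user | role | action | patient MRN
AUDIT_LOG = """\
2007-11-01T09:12:00|dr.alvarez|physician|VIEW_CHART|MRN1001
2007-11-01T09:15:00|nurse.kim|nurse|VIEW_CHART|MRN1001
2007-11-02T22:40:00|dr.alvarez|physician|VIEW_CHART|MRN2002
2007-11-03T23:05:00|dr.alvarez|physician|VIEW_CHART|MRN2002
2007-11-05T21:50:00|dr.alvarez|physician|VIEW_CHART|MRN2002
2007-11-05T21:52:00|dr.alvarez|physician|PRINT_CHART|MRN2002
2007-11-06T10:00:00|clerk.ross|registration|VIEW_DEMOGRAPHICS|MRN2002
"""

# Constructed care-team table: workforce members with a treatment
# relationship to each patient.
CARE_TEAM = {
    "MRN1001": {"dr.alvarez", "nurse.kim"},
    "MRN2002": {"dr.patel", "nurse.okafor"},
}

# Constructed role allowances: actions a role performs for any patient as
# part of its job function, i.e. the minimum necessary for that role.
ROLE_ALLOWED = {"registration": {"VIEW_DEMOGRAPHICS"}}


def parse_log(text):
    """Parse the pipe-delimited audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, mrn = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "action": action, "mrn": mrn})
    return events


def review_audit(events, care_team, role_allowed=ROLE_ALLOWED, repeat_threshold=2):
    """Return one finding per (user, patient) pair with no recorded need to know.

    Access on repeat_threshold or more distinct days is marked high priority:
    that is the snooping pattern in the cases above, not a single mis-click.
    """
    by_pair = defaultdict(list)
    for e in events:
        if e["user"] in care_team.get(e["mrn"], set()):
            continue  # treatment relationship on record
        if e["action"] in role_allowed.get(e["role"], set()):
            continue  # routine action covered by the role's job function
        by_pair[(e["user"], e["mrn"])].append(e)
    findings = []
    for (user, mrn), evs in sorted(by_pair.items()):
        days = {e["ts"].date() for e in evs}
        findings.append({
            "user": user, "mrn": mrn, "events": len(evs), "days": len(days),
            "actions": sorted({e["action"] for e in evs}),
            "priority": "high" if len(days) >= repeat_threshold else "review",
        })
    return findings


if __name__ == "__main__":
    for finding in review_audit(parse_log(AUDIT_LOG), CARE_TEAM):
        print(finding)
```

The Cox case would not be stopped by role-based access alone, since his role granted the access; it is the review of who read whose record, and how often, that surfaces it.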
Unanticipated Impacts

Fundraising
- If patient demographic data is to be used for fundraising, the Privacy Notice must state as such
- No special authorization is required if only demographic data is used
- May use business associates for fundraising, but ensure a business associate agreement is in place
- Materials sent to individuals must include opt-out information
- If an individual opts out, must be able to ensure compliance
- Grateful patient referrals – problematic
Marketing
- For marketing, authorizations are required; there are exceptions:
  - If communication is face to face
  - If communication involving products or services is of nominal value, i.e., pens, calendars
- Business Associate may help with marketing, but ensure a Business Associate Agreement is in place
- Materials sent to individuals must include an opt-out clause
- If an individual opts out, must be able to ensure compliance
- May not sell patient’s list
- HIPAA allows communication of alternative services/treatment to patients. Does this apply to “mass mailings”? Not clear if Texas law offers the same latitude
Places of worship
- Challenges from the pulpit
- Challenges from the congregations

Privacy Standards: Permissible Uses and Disclosures without Patient Authorization

- Public Health
- Reporting abuse, neglect or domestic violence
- Health oversight activities
- Judicial and administrative proceedings
- Law enforcement
- Decedents (coroners and funeral directors)
- Cadaveric organ, eye or tissue donation
- Certain research
- Emergency circumstances
- Special categories (e.g., intelligence, military)

Privacy Program Organization

Diagram labels: System Compliance (System Privacy Officer); System Privacy/Security Committee; Entity Privacy Officers; Entity Privacy Committees; Design & Develop; Coordinate & Collaborate; Implement & Monitor

Acknowledgements

BHCS: Donna Bowers, JD, RHIA, VP of Health Information Management, Baylor Health Care System; Office of Information Security
Texas Health Resources: Patricia Johnston, CHP, FHIMSS, System Privacy Officer for Texas Health Resources
The Center For Learning

Discussion
