Privacy and Social/Behavioral
Determinants Data
Deven McGraw
JD, MPH
Overarching Considerations
• Can health care providers collect, use and
disclose this information – and if so, under what
conditions/protections? (legal)
• Should health care providers collect, use and
disclose this information – and if so, under what
conditions/protections? (ethical)
• Goals should be: (1) trusted data sharing
ecosystem, and (2) ideally no surprises for
patients (what would the reasonable person
expect)
Compliance with Law
• HIPAA will govern health care providers using
Certified EHR Technology – sets requirements
for identifiable health information.
• State laws also may apply – white paper will
focus on HIPAA.
• Other laws may govern what personally
identifiable information may be collected,
used or shared by a government agency with a
health care provider.
HIPAA
• Does not place limits on the collection of
identifiable health information by health care
providers; instead, regulations govern how
they use and disclose identifiable health
information.
• Presentation focuses on HIPAA – but is not an
exhaustive review of all of HIPAA’s provisions.
Are SDH data “health information”?
• Broadly defined:
– Health information “relates to the past, present or future
physical or mental health or condition of an individual; the
provision of health care to an individual;” or payment for
care.
– Health care “means care, services or supplies related to
the health of an individual.” Includes, “but is not limited
to,” preventive, diagnostic, therapeutic, rehabilitative,
maintenance or palliative care, counseling service,
assessment or procedure [w/r/t] the physical or mental
condition, or functional status, of an individual or that
affects the structure or function of the body…”
• If being collected in CEHRT, harder to argue it’s not.
HIPAA Permitted uses/disclosures of
Identifiable Health Information
• Unambiguous: With the prior authorization
(written, specific) of the individual. Opt-in.
• HIPAA provides for a number of categories of
uses and disclosures permitted without the
need to first obtain patient authorization – but
less clear that these categories would
encompass uses and disclosures of at least
certain types of SDH information.
TPO (Treatment, Payment, Operations)
• Treatment is “the provision, coordination or
management of health care and related
services by one or more health care
providers,” including coordinating or
managing health care with a third party.
Operations
• Includes “population-based activities relating
to improving health or reducing health care
costs…case management and care
coordination…contacting [providers] and
patients with information about treatment
alternatives…and related functions that do not
include treatment.”
Expressly permitted disclosures (1)
• Expressly required by law.
• To public health authorities “authorized by law to
collect or receive such information for the purpose of
preventing or controlling disease, injury or disability.”
• To public health or other authorities “authorized by law
to receive reports of child abuse or neglect.”
• To report abuse, neglect or domestic violence to
an entity authorized by law to receive such reports.
• To certain entities/individuals for workplace safety
matters.
• To avert a serious and imminent threat to health or
safety.
Definition of “Public Health Authority”
• Public health authority is an agency or
authority of the [U.S.], a state or territory (or a
political subdivision thereof), or an Indian
tribe, “or a person or entity acting under grant
of authority from or under contract with such
public agency…that is responsible for public
health matters as part of its official mandate.”
Does this definition cover other SDH-related government agencies?
• Broad HIPAA definitions of health and health
care suggest there might be room for this
interpretation.
– But other parts of HIPAA cover the sharing of
health information for “government benefit”
programs.
• Note that definition of public health authority
allows for others to act on behalf of those
authorities.
Expressly Permitted Disclosures (2)
• Health oversight activities
– Providers may disclose identifiable health information to a
health oversight agency for health oversight activities
authorized by law, including appropriate oversight of
government benefit programs for which health information is
relevant to beneficiary eligibility.
• Note this is for “oversight” – presumption is that applications for
benefits will include an express authorization from patient to share
any relevant information.
• Further note: government health plans may share information
with other government public benefit programs if such sharing is
expressly authorized by statute or regulation or if necessary to
coordinate the programs or improve their administration and
management
Bottom Line(s)
• HIPAA may permit use and sharing of SDH
data without prior written authorization of
patient in some circumstances
– Note that HIPAA allows providers to seek consent
for such uses and disclosures; because
authorization is not required, could also use “opt-out”
• Prior written authorization provides clear
authority under HIPAA.
Other considerations
• Minimum necessary – applies to uses and
disclosures except those for treatment.
• Don’t surprise the patient by collecting, using
or sharing potentially sensitive data about her
without her at least being aware of it
– And don’t bury information about such data
collection, uses and disclosures in the standard
HIPAA Notice of Privacy Practices.
Other considerations (cont)
• Don’t collect data that isn’t going to be used
• Respect the potential sensitivity of the data
– Limit exposure to those with a need to know (role-based access controls, audits)
– Take precautions to avoid insensitivity (treating
patients differently due to SDH data)
– Note that the ability of CEHRT to segment
sensitive data today does not exist in most widely
used CEHRT
Be aware of the
• Potential for law enforcement access – less
protection than offered by original data
source?
• Rights of minors
• Re-disclosure prohibitions on data covered by
42 CFR Part 2 (governing federally funded
substance abuse treatment programs)