Chapter 8: Legislative Aspects of Nursing Informatics: HIPAA, HITECH, and Beyond

LEGISLATIVE ASPECTS OF NURSING INFORMATICS: HIPAA, HITECH, AND BEYOND
GROUP II - ORLANDO
GROUP 2 MEMBERS

BACUEL BERNARDO BIGORNIA CRUZ ANGCO

MANZANO ESPINAS FUTALAN SISON DUNGCA PRIETO


INTRODUCTION
● Two landmark pieces of legislation:
○ Health Insurance Portability and Accountability Act
(HIPAA) of 1996
○ Health Information Technology for Economic and
Clinical Health (HITECH) Act of 2009
HIPAA
● a law signed by US President Bill Clinton in 1996, which aimed to
(1) prevent and possibly eradicate healthcare fraud and abuse,
(2) ensure health insurance portability, and
(3) guarantee the security and privacy of health information

The laws/rules under HIPAA took years to be formulated since the rules
needed to balance a patient's privacy with the HCP's need to
access patients' information.
PRIVACY RULES (HELLERSTEIN, 2000)
● Define Protected Health Information (PHI)
● Propose that authorization by patients for release of
information is not necessary when the release of information is
directly related to treatment and payment for treatment.
● Establish patient ownership of the healthcare record and allow
for patient-initiated corrections and amendments.
● Mandate administrative requirements for the protection of
healthcare information.
● Mandate that all outside entities that conduct business with
healthcare organizations must meet the same standards as
those of the organization for information protection and
security.
● Allow PHI to be released without authorization for research
studies. Patients may not access their information in blinded
research studies because their access may affect the reliability
of the study outcomes.
● Propose that PHI may be de-identified before release in such a
manner that the identity of the patient is protected. The
healthcare organization may code the de-identification so that
the information can be re-identified once it has been returned.
● Applies only to health information maintained or transmitted
by electronic means.
PHI
● It needs an elected privacy officer who manages all privacy procedures,
including:
○ Education and training of their personnel about electronic patient
records and the need to give informed consent about using health
information about every patient.
● Gives patients certain rights
○ right to request restrictions on access to information
○ right to request an alternative mode of communication
○ right to receive a paper copy of the notice of privacy practices
○ right to file a complaint when the patient's rights are violated
○ right to inspect and copy one's health record
○ right to see an account of disclosures in one's health record
October 16, 2003
- standards for electronic transactions and code sets became effective

April 21, 2005
- the security requirements went into effect and required the covered
entities to put safeguards into place that protect the confidentiality,
integrity, and availability of PHI.
OVERVIEW OF THE HITECH ACT
- Enacted on February 17, 2009
- Part of the American Recovery and Reinvestment Act (ARRA or the Stimulus
Law)
- To stimulate the U.S. economy and improve healthcare delivery.
● Title XIII of Division A (The HITECH Act)
● Title IV of Division B (Part of the HITECH Act)

- Less than 8% of U.S. hospitals used a basic EHR system
- Less than 2% of U.S. hospitals had an EHR system
- Cost of an EHR system was a major barrier
- Nationwide health IT infrastructure
- According to the Office of the National Coordinator for Health Information
Technology (ONC) four out of five hospitals now have at least a basic EHR
with clinician notes.
- For larger acute care hospitals, nearly 96% have EHR technology.
DEFINITIONS

The HITECH Act included some important definitions that anyone involved in NI
should know:
Certified EHR Technology
An EHR that meets specific governmental standards for the type of record
involved, whether it be an ambulatory EHR used by office-based healthcare
practitioners or an in-patient EHR used by hospitals. The specific standards
that are to be met for any such EHRs are set forth in federal regulations.

Enterprise Integration
The electronic linkage of healthcare providers, health plans, the government,
and other interested parties to enable the electronic exchange and use of
health information among all the components in the healthcare infrastructure.

Healthcare providers
Hospitals, skilled nursing facilities, nursing homes, long-term care
facilities, home health agencies, hemodialysis centers, clinics,
community mental health centers, ambulatory surgery centers,
group practices, pharmacies and pharmacists, laboratories,
physicians, and therapists.
Health Information Technology
"Hardware, software, integrated technologies or related licenses,
intellectual property, upgrades, or packaged solutions sold as services
that are designed for or support the use by healthcare entities or
patients for the electronic creation, maintenance, access, or exchange
of health information."

Qualified Electronic Health Record
"An electronic record of health-related information on an individual." A
"qualified" EHR contains a patient's demographic and clinical health
information, including the medical history and a list of health problems,
and is capable of providing support for clinical decisions and entry of
physician orders.
PURPOSES
● Improve healthcare quality
● Reduce the cost of health care
● Improve people's health
● Protect public health
● Facilitate clinical research.
● Reduce health disparities
● Better secure patient health information
The ONC's current strategic goals follow:
● Advance person-centered and self-managed health
● Transform health care delivery and community health
● Foster research, scientific knowledge, and innovation
● Enhance the nation's health IT infrastructure (ONC, 2018)
How a National Health IT Infrastructure was Developed

HITECH (Health Information Technology for Economic and Clinical Health) Act established:

HHS (Health and Human Services)
● National coordinator.
● Developed the infrastructure.
ONC (Office of the National Coordinator) for Health Information Technology
● Policy Committee - makes recommendations to the coordinator about how to
implement the requirements of the HITECH Act, such as the technologies to use
in the infrastructure.
● Standards Committee - recommends standards by which health information was to
be electronically exchanged.

The 2 committees have since been replaced by the HITAC (Health Information
Technology Advisory Committee)
● Established by the 21st Century Cures Act
● Recommends “policies, standards, implementation specifications, and
certification criteria, relating to the implementation of a health information
technology infrastructure, nationally and locally, that advances the
electronic access, exchange, and use of health information”.
The Federal Register has indicated that the national coordinator of the ONC does the following:
1. Ensures the interoperability of health information, as central and foundational to the core mission of
HHS to enhance and protect the health and well-being of all Americans;
2. Ensures that health information technology initiatives are coordinated across HHS programs;
3. Ensures that health information technology policy and programs of HHS are coordinated with those
of relevant executive branch agencies (including Federal commissions and advisory committees)
with a goal of avoiding duplication of effort and of helping to ensure that each agency undertakes
activities primarily within the areas of its greatest expertise and technical capability;
4. Reviews Federal health information technology investments to ensure Federal health information
programs are meeting the objectives of the strategic plan required under Executive Order 13335, to
create a national interoperable health information technology infrastructure;
5. Provides comments and advice regarding specific Federal health information technology programs;
and
6. Develops, maintains and reports on measurable outcome goals for health information technology to
assess progress within HHS and other executive branch agencies (HHS, 2018).
● The HITECH Act provides monetary incentives:
- For providers who engage in meaningful use of health IT.
- For clinicians and facilities that implemented EHR systems that met the specific
standards.

Meaningful use has since been replaced by provisions outlined in
the MACRA (Medicare Access and CHIP Reauthorization Act).
How the HITECH Act changed HIPAA
HIPAA Privacy and Security Rules
● HIPAA Regulations:
○ Definition: Legislation enacted by the federal government to achieve various healthcare objectives,
including improved insurance portability and curbing fraud and abuse.
○ HIPAA paved the way for the Privacy Rule in 2003 and the Security Rule in 2005.
● Privacy Rule:
○ Definition: A component of HIPAA that ensures patients' privacy protections, including guidelines for
the use and disclosure of protected health information (PHI).
○ Ensures patients' privacy protections.
● Security Rule:
○ Definition: A component of HIPAA that mandates providers to uphold health information integrity and
availability, including guidelines for safeguarding electronic PHI.
○ Mandates providers to uphold health information integrity and availability.
● Covered Entities:
○ Definition: Healthcare providers, health plans, and healthcare clearinghouses that are required to
comply with HIPAA regulations.
○ Hospitals and insurers must comply with these regulations.
● Patient Rights:
○ Rights such as receiving a notice of privacy practices, opting out of facility directories, and authorizing
disclosure of their PHI.
○ They can also access their healthcare records, request corrections, and be informed of any
unauthorized access or loss of information.
● Office for Civil Rights (OCR):
○ Definition: A division of the Department of Health and Human Services (HHS) responsible for enforcing
HIPAA regulations and providing guidance to covered entities.
○ Oversees HIPAA enforcement and offers guidance to clinicians.
● Bring Your Own Device (BYOD) Policies:
○ Policies that allow employees to use personal devices for work purposes, which can pose challenges
for maintaining patient data security.
○ Organizations often restrict personal device usage and implement strict protocols to mitigate risks.
● HITECH Act:
○ Definition: The Health Information Technology for Economic and Clinical Health Act, which extends
HIPAA compliance requirements to business associates of covered entities and imposes stricter
penalties for non-compliance.
○ Extends HIPAA compliance requirements to business associates.
● Non-Compliance Consequences:
○ Non-compliance may lead to sanctions and penalties.
● Augmentation of HIPAA Regulations by HITECH Act:
○ The HITECH Act has significantly augmented HIPAA regulations, necessitating enhanced data
protection measures and broader compliance across healthcare entities and their partners.
The HITECH Act Enhanced HIPAA Protections
HITECH Act has had a significant impact on HIPAA's Privacy and
Security Rules in the following ways:
● HHS is to provide annual guidance about how to secure health
information.
● Notification requirements in the event of a breach in the security
of health information were enhanced.
● HIPAA requirements now also apply directly to any business
associates of a covered entity.
● The rules that pertain to providing an accounting to patients who
want to know who accessed their health information were
changed.
● Enforcement of HIPAA was strengthened.
● If PHI is unsecured, the provider must take certain steps to
notify those individuals who have been affected.
● PHI protection methods include encryption, shredding, and
electronic media sanitization.
● A breach is considered discovered as soon as an employee, other than
the individual who committed the breach, knows or should have
known of the breach
● Breach notification requirements: breach discovery
triggers notification obligations within 60 days; unsecured
PHI breaches require individual notifications, and breaches
● Business associates of covered entities must comply with HIPAA's Privacy and
Security Rules.
● The HITECH Act gives patients the right to access the EHR and receive an
accounting of all disclosures.
● Providers and other covered entities were not required to include in the
accounting any disclosures that were made to facilitate treatment/payment/
operations (TPO) of the entity
○ January 2011: TPO exception ended
○ January 2014
● The HITECH Act strengthened the enforcement of HIPAA.
○ HHS can conduct audits
● February 2009
○ stiffer civil monetary penalties (CMPs) for violations of HIPAA became
effective
○ they were revised in 2019
● During the COVID-19 pandemic, the secretary of health and human services
issued a limited waiver of HIPAA sanctions and penalties
IMPLICATIONS IN NURSING PRACTICE
❖ BEING INVOLVED AND STAYING INFORMED
● The development and implementation of a nationwide EHR
system holds great promise for the nursing practice and
these continue to foster evidence-based practice
● Nurses, as the end users of developing technologies, cannot
afford to be left behind as changes in the EHR system are
being contemplated and policies are often reviewed and
revised
❖ PROTECTING THE NURSE
● Nurses who strive to protect the privacy and security of
patient information are protecting themselves from the
ethical lapses and violations of law
● Nurses who engage with social media need to be aware of
the potential for breaching the confidentiality of patient
information
● Nurses must understand and comply with the policies of the HIPAA
Privacy and Security Rules, and the HITECH Act, to
determine such obligations and to avoid the pitfalls of violations
USES OF SOCIAL MEDIA TO NURSING PRACTICE
● To educate and promote health behaviors to clients
● To give health-care providers a far-reaching platform that
contributes to high quality online content and amplify
positive and accurate healthcare information and
messages
● Utilizes telehealth system
Ethical Use of Social media
● Relevant data shall only be shared to other members of the healthcare team
who have a need to know the information.
● Patients' well-being could be jeopardized and patient-nurse relationships
may be destroyed by unnecessary access or disclosure of patient
information.
● Violations lead to disciplinary actions or litigations by the employers or
licensing boards. Nurses and other healthcare members should be mindful
of their obligation to report a breach in privacy or security of the PHI to their
employers.
❖ EHR AS A CONVENIENT METHOD TO
MONITOR THE PERFORMANCE OF NURSES

● The EHR system provides a wealth of information that must be
monitored
● Audits are required to ensure that there are no breaches in
the system's security, thus requiring every nurse to have
proper training and to know the policies and procedures
that pertain to its use
RECENT LAW AND REGULATIONS
● Medicare Access and CHIP Reauthorization Act (MACRA):
○ Introduced in 2015 by CMS, focusing on quality care and provider payment based on
value.
○ Replaced CMS meaningful use guidelines and removed Social Security numbers from
Medicare cards by April 2019.
● FDA Regulation of Medical Devices:
○ FDA released guidance in 2015 (revised in 2019) for regulating mobile medical
applications.
○ Apps intended for diagnosing, treating, or preventing diseases fall under FDA regulation.
○ Some apps, like fitness trackers, aren't regulated unless they're accessories to regulated
medical devices.
● 21st Century Cures Act (2016):
○ Aims to fund research, support medication and device development, and improve
interoperability of health information.
○ Allows FDA to regulate only health apps that diagnose or treat diseases.
○ Emphasizes interoperability through standardized APIs and a Trusted Exchange
Network, enhancing patient access to health information.
SUMMARY
THANK YOU!

You might also like