Privacy Issues and the Children’s Hospital EMR
This roundtable discussion is brought to you by the Children’s Hospital Affinity Group of the In-House Counsel (In-House) and Teaching Hospitals and Academic Medical Centers (THAMC) Practice Groups, and is co-sponsored by the Health Information and Technology (HIT) Practice Group.
February 15, 2013 12:00-1:15 pm Eastern
Presenters
Robin L. Canowitz, Esquire, Senior Attorney, Vorys Sater Seymour & Pease LLP, Columbus, OH, rlcanowitz@vorys.com
Daniel F. Gottlieb, Esquire, Partner, McDermott Will & Emery LLP, Chicago, IL, dgottlieb@mwe.com
Moderator: Jessica Braunstein, Esquire,
About CHAG AG
Children’s Hospital Affinity Group (CHAG AG) provides a unique and focused forum for discussion and networking about the legal and practical issues that affect children’s hospitals and other providers that furnish pediatric care. CHAG AG is affiliated with the In-House Counsel Practice Group (In-House) and Teaching Hospital and Academic Medical Center Practice Group (THAMC). If you are a member of either of those PG Groups, you may join CHAG AG by simply e-mailing pgs@healthlawyers.org. Otherwise, become a member of either or both of the In-House or THAMC Practice Groups, and ask to also join CHAG AG at the same time by contacting pgs@healthlawyers.org.
The In-House and THAMC Practice Groups provide a wealth of information and address issues important to all hospitals, healthcare institutions, academic medical centers, and related entities. Children’s hospitals and the care of pediatric patients, however, present some distinctive legal issues that are not often shared by adult hospitals and adult academic medical centers. Join CHAG AG to receive the benefit of its focus on children’s hospital and pediatric provider issues.
Agenda
Data elements requiring special treatment
Internal access and external release to other providers, health information exchange, etc.
Patient portals and patient/parent access to information
Programs to create appropriate levels of access for hospital personnel
Tools for monitoring access and disclosure of
Data elements requiring special treatment
The HIPAA regulations provide a baseline of protection for all Protected Health Information (PHI)
State law and the federal alcohol and drug abuse confidentiality rules provide additional protections for sensitive subcategories of PHI
Privacy and security policies should be revised to reflect:
More stringent state and federal laws
Different access rights of parents and children for different categories of information at different ages of the child
Sensitive Categories of PHI
Sensitive categories of PHI vary from state to state, but often include:
Substance abuse treatment program information
Mental health and developmental disability information
HIV/AIDS test results
Sexually transmitted diseases
Sensitive Categories of PHI (cont’d)
In many states, an unemancipated minor has the right to consent to diagnosis and treatment for, and to control PHI about, sensitive conditions such as:
Pregnancy
Abortion
HIV/AIDS and other sexually transmitted diseases
Sexual assault or any condition resulting from the assault
Mental illness or psychiatric condition
Alcohol consumption or drug use and/or their addiction
Some states grant physician discretion to share
Sensitive Categories of PHI (cont’d)
EHR technology presents technical challenges to management of sensitive information
Psychiatric drugs in the medication list
HIV-positive or mental health diagnosis in the problem list
HIV test result in the structured lab data
Free text field in progress notes
Parent and child access to patient portal
Quality of care and tort law may conflict with health information privacy law
Internal Access and External Release
Access Controls for Internal Usage
Policies on Use of records for Research
Use of technology to deter people from looking at records they don’t have a need to view
Are there categories of information that only certain people can see?
Some institutions have “walled off” records from their
External Release of Records
Releases – to allow information to be shared?
Issues with patient name changes – birth hospital to specialty hospital.
Confirming who has the right to allow release of
Patient Portals and Patient/Parent Access
Proxy Access – who do you allow to have access to the portal?
Patient/Parent/Legal Guardian – all have their own access. Can all see the same information.
What do you do with proxy access when the patient becomes an adult?
Do you allow minor patients to have direct access to the portal? If so, at what age, and for what purposes?
Patient Portals
What do you allow to be posted?
At NCH – no information on AIDS, STDs and Mental Health because of state law issues
If the site does not have complete information, there should be a disclaimer about that.
NCH decided not to post inpatient test results because it could create confusion.
When do you post test results?
At NCH – physicians given 72 hours to review test
Patient Portals (cont’d)
Email communication tools – how to implement?
Who will respond?
Appropriate Levels of Access
The HIPAA minimum necessary standard requires a hospital or other covered health care provider to limit a request, use or disclosure of PHI to the minimum amount of PHI necessary for disclosure unless it is:
For Treatment
Required by Law
Pursuant to patient or parent’s authorization
Within another limited exception
Hospital should develop role-based access policies for PHI that correspond to technical capabilities of its EHR
Appropriate Levels of Access (cont’d)
PHI may be used and disclosed for academic purposes within hospital subject to the minimum necessary standards
Faculty and students should receive training on
Tools for Monitoring Access and Disclosure
HIPAA Security Rule requires “reasonable” procedures:
Log-in monitoring
Regular review of records of information system activity, such as audit logs, access reports, and security incident tracking reports.
Develop reasonable and practical practices to monitor EHR’s activity logs to identify inappropriate access
Rely upon technical, automated auditing where possible
Cisco and other vendors offer sophisticated monitoring
Privacy Issues and the Children’s Hospital EMR © 2013 is published by the American Health Lawyers Association. All rights reserved. No part of this publication may be reproduced in any form except by prior written permission from the publisher. Printed in the United States of America.