I’m attending this conference for the next few days at Harvard University and will do some live blogging here as the mood or content strikes me. One of my reasons for being here is to make sure I’m up-to-date on HIPAA privacy and security requirements and to get a reality check on the emerging issues. The Harvard Faculty Club has wireless and the conference staff is very helpful. Good signs for the rest of the day.
8/18/08
7:55 am Handout materials seem very thorough, and on-line resources are indicated as well. Good stuff.
8:10 am Attendees intro, impressive group of privacy compliance people from a variety of medical institutions. Some IT, HR, lawyers, consulting folks here as well.
8:15 am Course offers various certifications in HIPAA.
8:30 am HIPAA: “The right thing to do.” We are now into the overview of HIPAA as protection from discrimination as consumers of health care. Meant to guarantee privacy. It’s about policies, procedures and Business Associate Agreements.
8:35 am Now outlining the non-privacy aspects of the HIPAA law like insurance portability and health care fraud.
8:55 am Yes, it was expensive to implement the transaction sets! A little HIPAA boosterism is starting to surface in the presentation, a little idealism compared to the difficult reality of that experience.
9:02 am Going over national medical errors numbers, the uninsured — sort of a health care reform overview. Future is about innovation and integration of technology. Big HIPAA issue was the pushback from health care institutions. No HIPAA-in-a-box solution: must be reasonable and appropriate regarding the protection of health info, as well as measurable and manageable.
9:20 am Really need three levels of ‘Business Associate Agreements’: one, say, for the office cleaners who have some limited access to stuff on your desk etc. – low risk level, some training and rules for them; another level would be vendors and contractors who store medical info for you, for example – higher risk level, more detailed. Need low-, medium- and high-risk business associate agreements.
9:50 am Many states have stricter privacy standards than HIPAA. These statutes are allowable, of course, under HIPAA.
(So far presentation is going over typical HIPAA orientation material, nothing really new, but folks have a variety of questions that reveal a certain higher level sophistication of the audience. Should start getting into more depth soon.)
10:20 am Stuff still happens, but you have to do what’s “humanly possible” to protect medical information. It is “amazing” the number of people who have access to our information.
10:30 am How do you de-identify information? Remove identifiable information (use the HIPAA safe harbor method of 18 specific identifiers; re-identification codes are allowed). But there may be other items, of course, which would identify the individual. So not foolproof. “Limited Data Sets” are also allowed for research.
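To make the safe harbor point concrete, here is an added example (my own illustration, not code shown at the conference) of what a safe-harbor pass over a patient record looks like: direct identifiers are dropped, dates are reduced to the year, ages of 90 and over are bucketed, ZIP codes are cut to the three-digit prefix, a random re-identification code is attached with its mapping kept separately, and a final check reports identifiers still lurking in free text. The record layout, field names and the small-ZIP prefix list are assumptions constructed for the example; the sample record is likewise constructed.

```python
import re
import secrets

# Fields removed outright under Safe Harbor (assumed field names for this
# example's record layout; they map onto the rule's identifier categories).
DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric_id",
    "photo",
})

# Date fields are reduced to the year only (assumed names).
DATE_FIELDS = frozenset({"date_of_birth", "admission_date", "discharge_date"})

# ZIP3 prefixes covering 20,000 people or fewer must become "000". The real
# list comes from Census data; this set is constructed for the example.
SMALL_ZIP3_PREFIXES = frozenset({"036", "059", "102", "203"})

# Patterns for identifiers that tend to hide in free text. This list is
# deliberately incomplete: free text is exactly why safe harbor is not foolproof.
FREE_TEXT_PATTERNS = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("phone", re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("date", re.compile(r"\b\d{4}-\d{2}-\d{2}\b")),
]

# Constructed sample record; none of these values belong to a real person.
SAMPLE_RECORD = {
    "mrn": "MRN-0042",
    "name": "Jane Example",
    "date_of_birth": "1925-03-14",
    "age": 93,
    "zip": "02138",
    "admission_date": "2008-08-18",
    "diagnosis": "Type 2 diabetes",
    "notes": "Patient called from 617-555-0199; follow up re 1925-03-14 records.",
}


def generalize_zip(zip_code):
    """Keep the ZIP3 prefix, or '000' when the prefix is sparsely populated."""
    prefix = str(zip_code)[:3]
    return "000" if prefix in SMALL_ZIP3_PREFIXES else prefix


def generalize_age(age):
    """Ages of 90 and over are reported as a single '90+' bucket."""
    return "90+" if age >= 90 else age


def year_only(iso_date):
    """Safe harbor allows the year of a date but not month or day."""
    return int(iso_date[:4])


def scrub_free_text(text):
    """Replace recognizable identifier patterns inside narrative text."""
    for label, pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub(f"[{label} removed]", text)
    return text


def deidentify(record, code_book, new_code=None):
    """Return a safe-harbor copy of record and register a re-identification
    code in code_book. The code is random, not derived from any identifier,
    and the code book stays with the covered entity, never with the data."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key in DATE_FIELDS:
            out[key.replace("date", "year")] = year_only(value)
        elif key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "age":
            out["age"] = generalize_age(value)
        elif isinstance(value, str):
            out[key] = scrub_free_text(value)
        else:
            out[key] = value
    code = new_code or secrets.token_hex(8)
    code_book[code] = record.get("mrn")
    out["record_code"] = code
    return out


def residual_identifiers(record):
    """List (field, pattern) pairs where an identifier pattern still matches,
    a cheap check to run before any data set leaves the organization."""
    hits = []
    for key, value in record.items():
        if isinstance(value, str):
            for label, pattern in FREE_TEXT_PATTERNS:
                if pattern.search(value):
                    hits.append((key, label))
    return hits


if __name__ == "__main__":
    book = {}
    cleaned = deidentify(SAMPLE_RECORD, book)
    print(cleaned)
    print("residual:", residual_identifiers(cleaned))
```

The residual check is the part worth keeping in mind: the structured fields are easy, but the narrative note in the sample record carried both a phone number and a birth date, which is the sort of thing the speaker meant by “not foolproof”.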
10:45 am “Use” refers to how info flows within an organization under HIPAA. “Disclosure” refers to info transmitted outside the health care organization. Disclosures: routine, mandatory, non-routine, and incidental.
11:10 am Non-routine disclosures must be on the ‘accounting of disclosures’ available to the patient.
11:30 am I finally ask questions about the new national privacy framework now being developed in Congress, and of course my favorite topic, “privacy 2.0”. HIPAA is about “Privacy 1.0” — institutions, professions and the privacy rules imposed on them. Privacy 2.0 is about social media and health information. Response is that HIPAA is a floor that has to be built upon. More to come.
11:45 am HIPAA is a process, not an event. Now you are compliant . . . wait a minute . . . now you’re not. Things change every day.
(So far we’ve only touched lightly on the more problematic aspects of HIPAA such as the risks that covered entities endure dealing with the seemingly endless ambiguity endemic to government guidance, regulations and laws.)
1:00 pm Patient can agree to get notice of privacy practices electronically in some cases.
1:40 pm HIPAA has a unique policy in regard to Psychotherapy Notes. It is not seen as a part of the medical record and has special rules for disclosure.
1:50 pm Back to Business Associate Agreements. Does Medicare Part D (Drug Benefits) trump the HIPAA rules when it comes to the degree of monitoring of Business Associates?
2:10 pm “Hybrid Covered Entity” — may have functions that are HIPAA covered but others that are not. Can be separate procedurally but no need to separate physically. May have several regulatory agencies to answer to. HIPAA’s “Group Health Plan” designation may be one of these (employer and covered entity).
2:55 pm The ‘Minimum Necessary’ HIPAA rule has pervasive effects on internal use when it comes to access management systems and job descriptions, effects that are often more burdensome than managing external disclosures. (My comment.)
3:25 pm On to HIPAA security rules!
3:50 pm Security oversees Confidentiality, Data and Source Integrity, and Availability to Authorized People.
4:00 pm HIPAA Security rules are comprehensive, technology neutral and scalable to all organizations. “One size fits all”: satisfy the regs with approaches appropriate to each organization.
(Ok, good enough for today)