Privacy Issues and the Children’s Hospital EMR

This roundtable discussion is brought to you by the Children’s Hospital Affinity Group of the In-House Counsel (In-House) and Teaching Hospitals and Academic Medical Centers (THAMC) Practice Groups, and is co-sponsored by the Health Information and Technology (HIT) Practice Group.

February 15, 2013 12:00-1:15 pm Eastern

Presenters

Robin L. Canowitz, Esquire, Senior Attorney, Vorys Sater Seymour & Pease LLP, Columbus, OH, [email protected]

Daniel F. Gottlieb, Esquire, Partner, McDermott Will & Emery LLP, Chicago, IL, [email protected]

Moderator: Jessica Braunstein, Esquire, Associate General Counsel, Children’s Healthcare of Atlanta, Atlanta, GA, [email protected]


About CHAG AG

Children’s Hospital Affinity Group (CHAG AG) provides a unique and focused forum for discussion and networking about the legal and practical issues that affect children’s hospitals and other providers that furnish pediatric care. CHAG AG is affiliated with the In-House Counsel Practice Group (In-House) and Teaching Hospital and Academic Medical Center Practice Group (THAMC). If you are a member of either of those Practice Groups, you may join CHAG AG by simply e-mailing [email protected]. Otherwise, become a member of either or both of the In-House or THAMC Practice Groups, and ask to also join CHAG AG at the same time by contacting [email protected].

The In-House and THAMC Practice Groups provide a wealth of information and address issues important to all hospitals, healthcare institutions, academic medical centers, and related entities. Children’s hospitals and the care of pediatric patients, however, present some distinctive legal issues that are not often shared by adult hospitals and adult academic medical centers. Join CHAG AG to receive the benefit of its focus on children’s hospital and pediatric provider issues.


Agenda

- Data elements requiring special treatment
- Internal access and external release to other providers, health information exchange, etc.
- Patient portals and patient/parent access to information
- Programs to create appropriate levels of access for hospital personnel
- Tools for monitoring access and disclosure of information


Data elements requiring special treatment

The HIPAA regulations provide a baseline of protection for all Protected Health Information (PHI)

State law and the federal alcohol and drug abuse confidentiality rules provide additional protections for sensitive subcategories of PHI

Privacy and security policies should be revised to reflect:
- More stringent state and federal laws
- Different access rights of parents and children for different categories of information at different ages of the child


Sensitive Categories of PHI

Sensitive categories of PHI vary from state to state, but often include:
- Substance abuse treatment program information
- Mental health and developmental disability information
- HIV/AIDS test results
- Sexually transmitted diseases
- Genetic testing information


Sensitive Categories of PHI (cont’d)

In many states, an unemancipated minor has the right to consent to diagnosis and treatment for, and to control PHI about, sensitive conditions such as:
- Pregnancy
- Abortion
- HIV/AIDS and other sexually transmitted diseases
- Sexual assault or any condition resulting from the assault
- Mental illness or psychiatric condition
- Alcohol consumption or drug use and/or their addiction

Some states grant physician discretion to share information and/or encourage parental involvement


Sensitive Categories of PHI (cont’d)

EHR technology presents technical challenges to management of sensitive information:
- Psychiatric drugs in the medication list
- HIV-positive or mental health diagnosis in the problem list
- HIV test result in the structured lab data
- Free text field in progress notes
- Parent and child access to patient portal

Quality of care and tort law may conflict with health information privacy law

How should the conflict be navigated?


Internal Access and External Release

- Access Controls for Internal Usage
- Policies on Use of records for Research
- Use of technology to deter people from looking at records they don’t have a need to view
- Are there categories of information that only certain people can see?
- Some institutions have “walled off” records from their substance abuse treatment programs


External Release of Records

- Releases – to allow information to be shared?
- Issues with patient name changes – birth hospital to specialty hospital.
- Confirming who has the right to allow release of information.


Patient Portals and Patient/Parent Access

Proxy Access – who do you allow to have access to the portal?

Patient/Parent/Legal Guardian – all have their own access. Can all see the same information.

What do you do with proxy access when the patient becomes an adult?

Do you allow minor patients to have direct access to the portal? If so, at what age, and for what purposes?

How do you turn access on and off?


Patient Portals

What do you allow to be posted?
- At NCH – no information on AIDS, STDs and Mental Health because of state law issues
- If the site does not have complete information, there should be a disclaimer about that.
- NCH decided not to post inpatient test results because it could create confusion.

When do you post test results?
- At NCH – physicians given 72 hours to review test results before they are automatically posted.


Patient Portals (cont’d)

Email communication tools – how to implement?
- Who will respond?
- What is the expectation of the patient?


Appropriate Levels of Access

The HIPAA minimum necessary standard requires a hospital or other covered health care provider to limit a request, use or disclosure of PHI to the minimum amount of PHI necessary for disclosure unless it is:
- For Treatment
- Required by Law
- Pursuant to patient or parent’s authorization
- Within another limited exception

Hospital should develop role-based access policies for PHI that correspond to technical capabilities of its EHR

Send periodic reminders about appropriate access


Appropriate Levels of Access (cont’d)

PHI may be used and disclosed for academic purposes within hospital subject to the minimum necessary standards

Faculty and students should receive training on appropriate use of PHI for educational purposes


Tools for Monitoring Access and Disclosure

HIPAA Security Rule requires “reasonable” procedures:
- Log-in monitoring
- Regular review of records of information system activity, such as audit logs, access reports, and security incident tracking reports.

Develop reasonable and practical practices to monitor EHR’s activity logs to identify inappropriate access

Rely upon technical, automated auditing where possible
- Cisco and other vendors offer sophisticated monitoring tools that identify deviations from baseline activity


Privacy Issues and the Children’s Hospital EMR © 2013 is published by the American Health Lawyers Association. All rights reserved. No part of this publication may be reproduced in any form except by prior written permission from the publisher. Printed in the United States of America.

Any views or advice offered in this publication are those of its authors and should not be construed as the position of the American Health Lawyers Association.

“This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering legal or other professional services. If legal advice or other expert assistance is required, the services of a competent professional person should be sought”—from a declaration of the American Bar Association
