Privacy and the Computerized Patient Medical Record CPRS

1
Privacy and the Computerized Patient Medical
Record (CPRS)
Andrea Wilson RHIA VHA Privacy Specialist
October 10, 2007
2
Privacy Regulations

• HIPAA Privacy Rule, 45 CFR Parts 160 and 164.
• Privacy Act, 5 USC 552a
• 38 USC 7332, Confidentiality of Certain Medical
  Records
• 38 USC 5701, Confidential Nature of Claims
• Freedom of Information Act (FOIA)
• 38 USC 5705, Confidentiality of Quality Assurance
  records

3
VA Policies

• VHA Handbook 1605.1, Privacy and Release of
  Information
• VHA Handbook 1605.2, Minimum Necessary Standard
  for Protected Health Information
• VA Directive 6600, Responsibility of Employees
  and Others Supporting VA in Protecting Personally
  Identifiable Information

4
Today--Electronic Health Records are Fully
Deployed Throughout VA
5
Privacy and VA Computerized Medical Record (CPRS)

• Internal Safeguards for CPRS
• User Class -provides a mechanism for sites to
  associate users with user classes, allowing them
  to specify the level of authorization and access
  to certain information.
• Business Rules - further strengthens the ability
  to define roles and responsibilities for clinical
  documents. This authorizes specific users to
  perform specified actions on documents in
  particular statuses. (i.e., the Privacy Officer
  is the only one allowed access to amend a
  progress note
• Sensitive Alerts Employees and at special
  request by a spouse, relative or other
  individuals for various reasons.

6
Privacy and VA Computerized Medical Record (CPRS)

• HIPAA Privacy Rule.
• Classification of Personnel based on functional
  categories.
• Functional Categories- Gives guidance as to what
  each person has access to within their job duties
• Providers have full access to CPRS in order to
  treat veterans
• Engineer staff do not have access to CPRS

7
Role Based Access Controls

• Role Based Accessed Control are roles with
  different privileges and responsibilities and
  implements limited forms of access constraints
  based on the users role within an organization.
• Job specific- will only be able to access which
  is specific to the job
• Collection of permissions. Users will receive
  permissions only to the roles that they are
  assigned

8
External Safeguards for the CPRS

• Only employees with the need to know can access
  CPRS
• External sources (JCAHO) can not have access to
  CPRS (must have a driver)

9
VA and Safeguarding the Social Security Number
(SSN)

• VA has taken steps to eliminate the use of the
  SSN where it is not mission critical
• Removed the SSN from enrollment letters
• Eliminated the SSN from the Veterans
  Identification Card (VIC)
• Masked SSN in the Explanation of benefits (EOB)
  letters
• Scrambled or truncated the number when the SSN is
  needed

10
VHA Privacy Office Efforts

• VHA Privacy Office has been working to develop
  tools, policies and guidance, monitoring
  capabilities and developing facility Privacy
  Officer and staff education. These efforts will
  foster a culture where appropriate use of the SSN
  is promoted and that all personally identifiable
  information collected and used for our nations
  veterans is treated with the highest level of
  confidentiality.