|
|
| (115 intermediate revisions by the same user not shown) |
| Line 1: |
Line 1: |
| [[File:HIPAA Screenshot.png|right|350px]]
| | {{Saved book |
| <br />
| | |title=Introduction to Quality and Quality Management Systems |
| '''HIPAA'''
| | |subtitle= |
| | |cover-image=Time-Quality-Money.png |
| | |cover-color=#fffccc |
| | | setting-papersize = A4 |
| | | setting-showtoc = 1 |
| | | setting-columns = 1 |
| | }} |
|
| |
|
| The [[Health Insurance Portability and Accountability Act]] (HIPAA) is a set of U.S. federal regulatory requirements that attempts to modernize the flow of healthcare information, stipulate how personally identifiable information (PII) (often referred to as "protected health information" or "PHI") maintained by healthcare providers and insurers should be protected from fraud and theft, and address limitations on healthcare insurance coverage in the U.S. HIPAA spans five sections or "titles," mandating health care information access, portability, privacy, and security, as well as stipulations on medical savings accounts, group health insurance requirements, and other tax- and legal-status-related issues.
| | ==''Introduction to Quality and Quality Management Systems''== |
| | {{ombox |
| | | type = content |
| | | style = width: 500px; |
| | | text = This book should not be considered complete until this message box has been removed. This is a work in progress. |
| | }} |
| | The goal of this short volume is to act as an introduction to the quality management system. It collects several articles related to quality, quality management, and associated systems. |
|
| |
|
| Normally, HIPAA regulations would put strict requirements on how and when PII can be managed, used, shared, and stored. However, the COVID-19 pandemic has seen a relaxation of some of those requirements by the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR). The HHS is currently maintaining a list of announcements, notifications, guidance documents, bulletins, and other resources as they relate to HIPAA and the public health emergency. Important notes pulled from that information reveal<ref name="HHS_HIPAA20">{{cite web |url=https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-covid19/index.html |title=HIPAA and COVID-19 |publisher=Department of Health and Human Services |date=11 May 2020 |accessdate=18 May 2020}}</ref>:
| | ;1. What is quality? |
| | :''Key terms'' |
| | :[[Quality (business)|Quality]] |
| | :[[Quality assurance]] |
| | :[[Quality control]] |
| | :''The rest'' |
| | :[[Data quality]] |
| | :[[Information quality]] |
| | :[[Nonconformity (quality)|Nonconformity]] |
| | :[[Service quality]] |
| | ;2. Processes and improvement |
| | :[[Business process]] |
| | :[[Process capability]] |
| | :[[Risk management]] |
| | :[[Workflow]] |
| | ;3. Mechanisms for quality |
| | :[[Acceptance testing]] |
| | :[[Conformance testing]] |
| | :[[Clinical quality management system]] |
| | :[[Continual improvement process]] |
| | :[[Corrective and preventive action]] |
| | :[[Good manufacturing practice]] |
| | :[[Malcolm Baldrige National Quality Improvement Act of 1987]] |
| | :[[Quality management]] |
| | :[[Quality management system]] |
| | :[[Total quality management]] |
| | ;4. Quality standards |
| | :[[ISO 9000]] |
| | :[[ISO 13485]] |
| | :[[ISO 14000|ISO 14001]] |
| | :[[ISO 15189]] |
| | :[[ISO/IEC 17025]] |
| | :[[ISO/TS 16949]] |
| | ;5. Quality in software |
| | :[[Software quality]] |
| | :[[Software quality assurance]] |
| | :[[Software quality management]] |
|
| |
|
| * Family, friends, and others identified by the patient as being involved in their care may receive PHI from a covered health care provider, particularly when they deem that sharing in the patient's best interest. Additionally, "[a] covered entity also may share information about a patient as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death."
| | <!--Place all category tags here--> |
| | |
| * "Covered health care providers will not be subject to penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in the good faith provision of telehealth during the COVID-19 nationwide public health emergency. This Notification does not affect the application of the HIPAA Rules to other areas of health care outside of telehealth during the emergency." This exercising of enforcement discretion will last until OCR provides a notice otherwise. Telehealth should optimally be performed in a private setting, whenever possible, using non-public facing communication technologies. Providers should opt to use the most secure services possible, "but will not be penalized for using less secure products in their effort to provide the most timely and accessible care possible to patients during the public health emergency."
| |
| | |
| * The OCR extended its enforcement discretion to include business associates of covered health care providers, allowing them to share PHI data "without risk of a HIPAA penalty." The OCR adds that "[s]ome HIPAA business associates have been unable to timely participate in these efforts [to ensure the health and safety of the public] because their BAAs do not expressly permit them to make such uses and disclosures of PHI." Like the enforcement discretion of telehealth provision by covered health care providers, the business associate must still make a good-faith effort in the "use or disclosure of the covered entity’s PHI" for public health and health oversight activities. Similarly, this exercising of enforcement discretion will last until OCR provides a notice otherwise.
| |
| | |
| * The OCR also extended its enforcement discretion to include covered health care providers and business associates operating community-based COVID-19 testing sites (CBTS)—"which includes mobile, drive-through, or walk-up sites that only provide COVID-19 specimen collection or testing services to the public"—during the public health emergency. This enforcement discretion, however, "does not apply to covered health care providers or their business associates when such entities are performing non-CBTS related activities, including the handling of PHI outside of the operation of a CBTS."
| |
| | |
| * Additionally, the OCR [https://www.hhs.gov/about/news/2021/01/19/ocr-announces-notification-enforcement-discretion-use-online-web-based-scheduling-applications-scheduling-covid-19-vaccination-appointments.html extended its enforcement discretion] to "covered health care providers or their business associates in connection with the good faith use of online or web-based scheduling applications ... for the scheduling of individual appointments for COVID-19 vaccinations during the COVID-19 nationwide public health emergency."
| |
| | |
| * "[T]he HIPAA Privacy Rule permits a covered entity to disclose the protected health information (PHI) of an individual who has been infected with, or exposed to, COVID-19, with law enforcement, paramedics, other first responders, and public health authorities1 without the individual’s HIPAA authorization, in certain circumstances." OCR provides [https://www.hhs.gov/sites/default/files/covid-19-hipaa-and-first-responders-508.pdf numerous examples], including: "when the disclosure is needed to provide treatment," "when such notification is required by law," when a public health authority must be notified "to prevent or control spread of disease," "when first responders may be at risk of infection," when preventing or lessening "a serious and imminent threat to the health and safety of a person or the public," and when responding to a law enforcement inquiring concerning a lawfully detained inmate or other individual.
| |
| | |
| * "The HIPAA Privacy Rule permits HIPAA covered entities (or their business associates on the covered entities’ behalf) to use or disclose PHI for treatment, payment, and health care operations, among other purposes, without an individual’s authorization." ICR provides [https://www.hhs.gov/sites/default/files/guidance-on-hipaa-and-contacting-former-covid-19-patients-about-blood-and-plasma-donation.pdf more details] in its guidance, noting however that reasonable effort must still be made to protect PHI, and that this does not apply to activities that constitute marketing.
| |
| | |
| * Similarly, the HIPAA Privacy Rule "permits covered entities or their business associates to disclose PHI to [a health information exchange (HIE)] for the HIE to report PHI to a [public health authority (PHA)] conducting public health activities" in a variety of circumstances. For more on those circumstances, see the [https://www.hhs.gov/sites/default/files/hie-faqs.pdf December 2020 guidance]].
| |
| | |
| * The public health emergency does not change restrictions on disclosing PHI to the media. This includes the prohibition of media crews in, for example, emergency departments where COVID-19 patients are being treated, as PHI is found everywhere in that setting. Only when every patient who is or will be in a potentially filmed area has signed a HIPAA authorization form can this be done.
| |
| | |
| | |
| '''CLIA'''
| |
| | |
| The [[Clinical Laboratory Improvement Amendments]] (CLIA) are a set of U.S. federal regulatory requirements applied to all non-research-based clinical laboratory testing performed on humans. These requirements are intended to further ensure a higher standard of quality in clinical laboratory testing, focusing in on improving the accuracy, reliability, and timeliness of tests. (The implications of these requirements on U.S. clinical labs and their ability to test for COVID-19 are discussed later, in the next section.)
| |
| | |
| CLIA uses seven different criteria to gauge and assign one of three complexity levels to laboratory devices and [[assay]]s: high, moderate, and waived.<ref name="CDCTestCom">{{cite web |url=https://www.cdc.gov/clia/test-complexities.html |title=Clinical Laboratory Improvement Amendments (CLIA): Test complexities |author=Centers for Disease Control and Prevention |date=06 August 2018 |accessdate=09 April 2020}}</ref><ref name="FDAIVDReg">{{cite web |url=https://www.fda.gov/medical-devices/ivd-regulatory-assistance/clia-categorizations |title=CLIA Categorizations |publisher=U.S. Food and Drug Administration |date=25 February 2020 |accessdate=09 April 2020}}</ref> Additionally, CLIA mandates clinical laboratories handling specimens originating from the U.S. and its territories to apply for a CLIA certificate that is appropriate for the type of testing it performs. Labs using complex devices and assays would have to apply for a high complexity certificate, and so on. Waived tests are recognized as simple to perform with a low risk of erroneous results and include among others urinalysis for pregnancy and drugs of abuse, blood glucose and cholesterol tests, and fertility analysis.
| |
| | |
| Anything but waived testing requires meeting "the CLIA quality system standards, such as those for proficiency testing, quality control and assessment, and personnel requirements. The standards for moderate and high complexity testing differ only in the personnel requirements."<ref name="CDCTestCom" /> As the Centers for Medicare and Medicaid Services (CMS) points out in a frequently asked questions (FAQ) document—and as can be verified on the FDA's EUA page<ref name="FDAEmerg20">{{cite web |url=https://www.fda.gov/medical-devices/coronavirus-disease-2019-covid-19-emergency-use-authorizations-medical-devices/vitro-diagnostics-euas#individual-serological |title=In Vitro Diagnostics EUAs |publisher=U.S. Food and Drug Administration |date=20 August 2020 |accessdate=23 August 2020}}</ref>—a huge majority of COVID-19 tests are only authorized for moderate or high complexity testing, and thus labs certified to do that sort of testing.<ref name="CMSFAQ">{{cite web |url=https://www.cms.gov/files/document/frequently-asked-questions-faqs-clia-guidance-during-covid-19-emergency-updated-12-17-2020.pdf |format=PDF |title=Frequently Asked Questions (FAQs), CLIA Guidance During the COVID-19 Emergency |author=Centers for Medicare and Medicaid Services |date=17 December 2020 |accessdate=07 September 2021}}</ref> As of September 2021, only 14 of 260 FDA EUAed molecular diagnostic tests are approved to be performed in a CLIA-waived laboratory setting.<ref name="FDAEmerg20" />
| |
| | |
| CMS' FAQ, as well as their March 2020 guidance document, provides additional insight in regards CLIA and COVID-19<ref name="CMSFAQ" /><ref name="WrightClinical20">{{cite web |url=https://www.cms.gov/files/document/qso-20-21-clia.pdf-0 |format=PDF |title=Clinical Laboratory Improvement Amendments (CLIA) Laboratory Guidance During COVID-19 Public Health Emergency |author=Wright, D.R. |publisher=Centers for Medicare and Medicaid Services |date=26 March 2020 |accessdate=18 May 2020}}</ref>:
| |
| | |
| * CLIA regulations remain firmly in effect during the U.S.-declared public health emergency; a Section 1135 waiver, under the Social Security Act, that modifies or suspends CLIA requirements is not within the authorizing jurisdiction of the CLIA program. Additionally, CMS in general does not have the authority "to grant waivers or exceptions that are not established in statute or regulation."
| |
| | |
| * Laboratories choosing to use temporary testing sites for remotely (from home or another temporary location) viewing and reporting on cytology slides and images may do so if certain defined conditions are met. (Consult [https://www.cms.gov/medicareprovider-enrollment-and-certificationsurveycertificationgeninfopolicy-and-memos-states-and/clinical-laboratory-improvement-amendments-clia-laboratory-guidance-during-covid-19-public-health the memo] for those defined conditions.)
| |
| | |
| * Proficiency testing (PT) is still required if a CLIA-certified lab is still performing testing and issuing patient results. However, should a PT provider need to postpone, suspend, or cancel a proficiency testing event, "[l]aboratories will not be penalized for lack of PT results ... so long as the cancelation is documented (including the notification from the PT program), and PT is conducted in a timely manner after the public health emergency ends. However, labs should consider performing their own self-assessment to ensure reliable testing."
| |
| | |
| * Alternate specimen collection devices (e.g., viral transport media, flocked nasopharyngeal swabs) used outside the manufacturer's instructions still require the establishment of performance specifications and assay validation prior to patient use. The FDA provides [https://www.fda.gov/medical-devices/emergency-situations-medical-devices/faqs-testing-sars-cov-2 additional guidance] on this topic.
| |
| | |
| * Laboratories performing laboratory developed tests (LDTs) are still required to be CLIA-certified and meet the requirements for high complexity testing. However, if the state government of such a laboratory has opted to take responsibility for authorizing an LDT (in order to expedite COVID-19 testing), then engagement with the FDA is not required.
| |
| | |
| * "CMS will temporarily exercise enforcement discretion under CLIA for the duration of the COVID-19 public health emergency for the use of authorized SARS-CoV-2 molecular and antigen POC tests on asymptomatic individuals outside of the test’s authorization."<ref name="CMSPOCAgTest20">{{cite web |url=https://www.cms.gov/files/document/clia-sars-cov-2-point-care-test-enforcement-discretion.pdf |format=PDF |title=Updated CLIA SARS-CoV-2 Molecular and Antigen Point of Care Test Enforcement Discretion |publisher=Centers for Medicare and Medicaid Services |date=07 December 2020 |accessdate=07 September 2021}}</ref>
| |
| | |
| * As of May 2021<ref name="CAPResponds21">{{cite web |url=https://www.cap.org/laboratory-improvement/news-and-updates/cap-responds-to-your-covid-19-questions |title=CAP Responds to Your COVID-19 Questions |publisher=College of American Pathologists |date=2021 |accessdate=07 September 2021}}</ref>, a CLIA specialty or subspecialty has not yet been assigned to COVID-19 testing authorized under the EUA pathway. Testing may be performed by laboratories based on intended use and by CMS specialty and subspecialty assigned to similar FDA-cleared or -approved tests with similar characteristics to the EUA being used.
| |
| | |
| ==References==
| |
| {{Reflist|colwidth=30em}}
| |
