HIPAA in DPH

HIPAA in the Division of Public Health

September 2003

Health Insurance Portability and Accountability Act (HIPAA)

• Public Law 104-191, August 21, 1996

• Amends Internal Revenue Service Code of 1986

Purpose of HIPAA

• Guarantees health coverage when job changes
• Combats waste, fraud, and abuse in health insurance and health care industry
• Promotes use of medical savings accounts
• Improves access to long-term care services and coverage
• Simplifies the administration of health insurance - this is where we are!

Standards for Electronic Transactions and Code Sets

• Standardizes the data content and format of 10 financial or administrative transactions related to health care (e.g., claims, payments)
• Standardizes medical codes (ICD-9, CPT-4) and other code sets
• Compliance deadline: October 16, 2003 (extended from 10/16/02 if compliance plan filed with CMS)
• Requires all Medicare claims be electronic after 10/16/03
• Health Care Providers and Payers currently use many different forms and formats for billing and claims processing
  – Confusing
  – Inefficient
  – Expensive
• Standardized Transactions and Codes
  – Consistency
  – Accuracy
  – Reduced paperwork

Standards for Identifiers

• National Employer Identifier – Adopt Employer Identification Number as standard
• Compliance deadline: 7/30/04
• National Provider Identifier (Final Rule was projected July 2003)
• National Health Plan Identifier (Proposed rule was projected August 2003)
• National Identifier for Individuals - on hold indefinitely
• Compliance deadline: 2 years after final rules published

Standards for Privacy of Individually Identifiable Health Information

Compliance deadline: April 14, 2003

• Regulates uses and disclosures of individually identifiable health information
• Provides patient rights with respect to their health information
• Establishes requirements to assure privacy of patient IIHI
• Applies to paper/oral/electronic records
• Sets boundaries on the Use and Disclosure of health information
• Gives “patients” more control over their own health information
• Establishes safeguards for protecting the privacy of health information
• Holds providers and payers accountable for violations of privacy requirements

Standards for Security

• Proposed Standards for Security and Electronic Signatures
  − Adopts standards for security of health information in electronic format
  − Compliance deadline: April 20, 2005
  − Electronic Signature Standards Final Rule –
• Applies to electronic records only
• Privacy Rule addresses security of all records and communications
• Requirements for providers and payers to assure that electronic health information pertaining to individuals remains secure
• Technology-neutral
• Scalable
• Addresses administrative, technical and physical safeguards

Enforcement Rule

• First installment: Civil Money Penalties (Enforced by CMS)
• Coming: Criminal Money Penalties (Enforced by US Dept of Justice)
• Establishes procedures for imposing penalties for violation of Administrative Simplification Regulations
• Civil Money Penalties:
  − $100 per violation
  − $25,000 cap per year/per violation
• Enforcement initially complaint driven:
  − Office Of Civil Rights is responsible for Privacy enforcement, CMS responsible for TCS, Identifiers, Security enforcement.

What is the Impact of Not Complying?

• Possible litigation
• Potential withholding of federal Medicaid and Medicare funds
• Penalties:
  − Civil monetary for violation of each standard
  − Criminal for intentional wrongful disclosure of protected health information.

Why Comply with HIPAA?

• Protecting the confidentiality of our clients’ health information is critical to maintaining trust and confidence in the healthcare and public health systems.
• Protecting client health information
  − Is the right thing to do!
  − Is required by law!

Who is Affected by HIPAA?

• Professionals who provide services or activities through a contractual agreement with a health care provider/plan

• Individuals/professionals who work directly for a health care provider/plan

• Patients who seek services from a health care provider or health care plan

Who is covered by HIPAA - Covered Entities?

• Health plans
  − Provides or pays for the cost of health care services
  − Includes Medicaid, Medicare, HealthChoice, Veterans Health Program, Military Health Plan, Indian Health Service, others
  − Excludes most all other government-funded programs

• Health care providers who conduct any of the HIPAA-regulated transactions electronically

DPH Program Participants, such as local health departments, public and private health care providers, and community-based organizations are covered entities if they electronically process any of the transactions, even if they use a billing service to file their claims.

• Health care clearinghouses (billing services)

Who is covered in DHHS?

• DHHS is a “hybrid entity” whose primary purpose is not to provide health care, but has components that perform covered functions (health plan, health care providers services). The areas within DHHS that perform HIPAA covered functions are called covered health care components. Health care components must comply with HIPAA fully.

• Business Associates of Health Care Components - A business associate performs functions specified by HIPAA on behalf of a covered entity (or health care component) that involves access to or exchange of health information. Examples are claims processing or billing, accounting, consulting, legal, data analysis, data processing, quality assurance, utilization review.

Who is covered in DPH?

• DPH is part of the DHHS hybrid entity. DPH also has areas that are covered health care components and that are business associates of other covered entities or DHHS/DPH covered health care components. A hybrid within a hybrid.

• Most program areas within DPH are not HIPAA-covered health care components:
  − DPH provides program funding via grants, which are not considered health plans.
  − DPH in most cases does not provide direct health care services, but program (health care and program oversight), technical consultation, case consultation.
  − When DPH provides direct health care services, in most cases, they do not conduct electronic standard transactions (e.g., billing)
  − DPH performs public health activities, such as vital records, communicable disease surveillance, public health prevention and intervention, etc.

Health Care Components in the Division of Public Health

• State Laboratory of Public Health (Indirect Treatment Provider)
• Development Evaluation Centers - 13 state owned and operated (Provider)

Business Associates in the Division of Public Health

• Administrative, Local, and Community Support Section
• IT (Lab and DECs)
• HSIS Business Liaison (local health depts, Lab, DECs)
• Local Technical Assistance and Training (local health depts)
• Medicaid Reimbursement and Liaison (DMA)
• State Center for Health Statistics (DMA) - Health Data Analysis Team (DMA) - pending
• Children and Youth Branch - Specialized Services Unit - Children’s Special Health Services (DMA)

Privacy Regulation - Key Concepts

• The Privacy Regulation establishes a federal floor of safeguards to protect the confidentiality of health information

• The HIPAA Privacy Regulation does not preempt state laws that provide greater protections (e.g., mental health, HIV/AIDS).

• The HIPAA Privacy Regulation applies to covered entities (or to covered health care components within a hybrid entity).

• Privacy Requirements affect:
  – Medical records
  – Billing records
  – Other records/documents with health information
  – Paper records
  – Electronic records
  – Oral communications.

Privacy Regulation - Key Concepts

• Applies to Protected Health Information (PHI), which is:
  − Individually identifiable health information
  − Transmitted or maintained in any form or medium (electronic, written, oral)

• IIHI is any information, including demographic information collected from an individual, that:
  a) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
  b) Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment of the provision of health care to an individual; and that
     (i) Identifies the individual, or
     (ii) With respect to which there is a reasonable basis to believe that the information can be used to identify the individual

Privacy Regulation - Key Concepts

• Individual Identifiers:
  • Names
  • All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code…
  • All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death…
  • Telephone numbers
  • Fax numbers
  • Electronic mail addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web Universal Resource Locators (URLs)
  • Internet Protocol (IP) address numbers
  • Biometric identifiers, including finger and voice prints
  • Full face photographic images and any comparable images…
  • Any other unique identifying number or characteristic…

Privacy Regulation - Key Concepts

• Requires identification of members of the workforce who need access to IIHI and the types (categories) of information to which access is needed

• Requires training of staff members who have access to IIHI

• Requires appropriate administrative, technical, and physical safeguards to protect health information

• Requires policies and procedures to address privacy protections and an individual’s access rights

Privacy Regulation - Key Concepts

• Establishes new rights for individuals regarding access to their personal health information

• Ensures individuals have more control over when and how their personal health information is used

Individual Rights

• Right to be informed about protections on and use of their health information through a notice of privacy practices
• Right to inspect, copy, and review their record
• Right to request amendments to their record
• Right to request restrictions on use and disclosure of health information
• Right to request reasonable personal communications
• Right to an accounting of disclosures of their health information
• Right to file a complaint against covered entity

Privacy

Privacy is the right of an individual to keep his/her individual health information from being used or disclosed inappropriately for non-health related purposes.

DPH Privacy Policies

• Many DPH privacy policies apply only to covered health care components and business associates.

• Certain DPH privacy policies apply to all areas that create, maintain, or receive individually identifiable health information during their regular course of business. This extends privacy protections beyond HIPAA covered health care components.

What Privacy policies apply to all DPH workgroups?

• Privacy Official

• Workforce

• Minimum Necessary

• Privacy Complaints (and Incidents)

• Privacy Safeguards

• Client Authorizations

Privacy Official

• Agency Privacy Official supports agency activities required to comply with DHHS department policies regarding the use and disclosure of individually identifiable health information, in accordance with state and federal laws and best business practices.

• Responsibilities:
  – Serve as primary agency contact for privacy issues and concerns regarding the use and disclosure of health information and for appropriate client accessibility to health information
  – Serve as the agency liaison to the DHHS Privacy Officer for privacy-related activities
  – Coordinate and facilitate efforts to support the agency in the accomplishment of its privacy compliance activities.

Workforce

• Provide basic and specific privacy training to all staff (permanent employees, contractors, temps, volunteers, etc.).

• Obtain signed Confidentiality Agreements from all agency staff.
• Develop and issue appropriate sanctions if staff do not comply with privacy policies
• Not discriminate against, intimidate, threaten, coerce, or take any retaliatory actions against staff who report questionable privacy activities.

Minimum Necessary

• When using any PHI, a covered entity must make all reasonable efforts to limit itself to “the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”

• Need to Know Principle:
  − Necessary for your job
  − How much do you need to know?
  − How much do other people need to know?
  − The key is to balance the privacy of health information against the need for information.

Safeguards

• Identify and develop appropriate safeguards that protect the IIHI that is maintained by the agency.

• Implement reasonable measures to safeguard IIHI from intentional or unintentional use or disclosure.

• Provide training to ensure staff are made aware of acceptable practices and procedures that safeguard information to which staff have access.

• Monitor and document any violations of the agency’s safeguard procedures.

Guidelines for Safeguarding Health Information

• Do not leave any records containing IIHI where others can see them or access them.
• Keep medical test results and all other medical information private.
• Do not share IIHI in public areas.
• Do not leave copies of IIHI at copy machines, printers, or fax machines. Pick up printouts immediately.
• Verify and double check fax numbers before sending, and verify receipt of fax wherever possible.
• Do not send sensitive and confidential information via email.
• Do not leave IIHI exposed in mail boxes or conference rooms.
• Secure IIHI when no one is in the area, either in locked file cabinets or locked in your office.
• Always safeguard IIHI when records are in your possession.
• Return all records containing IIHI to their appropriate location when you no longer require them.

Guidelines for Safeguarding Health Information

• Do Not:
  − Share computer passwords or leave them visible.
  − Leave computer files open when leaving unlocked or shared work areas.
  − Leave IIHI in any public wall file trays unless enclosed in an interoffice envelope.
  − Discuss topics involving IIHI in front of other employees or visitors except on a “need to know” basis.
  − Leave diskette boxes or Rolodex files containing IIHI accessible in unlocked areas.
  − Reuse, share, or dispose of hard drives, floppy disks, CDs, etc., without proper cleansing.
  − Leave IIHI for shredding in unlocked/undesignated area.
  − Leave records opened and unattended.
  − Copy IIHI to your “personal” computer for use outside of authorized work areas.
  − Leave door, cabinet, or card keys unattended or share combination lock codes.

Privacy Complaints

• Designate a contact person to resolve complaints concerning agency privacy practices.

• Develop a process to review, resolve, and respond to privacy complaints via Privacy Official.

• Internal procedure being developed to report, review, and resolve privacy incidents.

Authorizations

• Requires DPH workgroups that serve clients
  – To disclose IIHI only upon authorization by the client (or personal representative), unless state or federal law allows for specific exceptions.
  – Authorizations obtained or received by DPH workgroups for disclosure of IIHI must contain all the elements in the DHHS Authorizations Form (available at http://dirm.state.nc.us/hipaa/hipaa2002/privacy/privacy.html#c5).
  – Note that an authorization permits, but does not require, us to disclose IIHI.

When an Authorization is NOT Required

• Disclosure is required by law

• Disclosure is for public health purposes

• When required for program monitoring and evaluation

• To avert serious threat to health or safety

• To report child abuse and/or neglect

• When used in judicial/administrative proceedings

• When required in certain situations for law enforcement purposes

• Others also (medical examiner, organ donation).

What are the other HIPAA impacts on DPH?

• There is a risk that health care providers may resist providing individually identifiable health information to DPH citing HIPAA as reason to withhold

• Public Health Exemption
  − HIPAA permits disclosures without authorization for health information required by law. Must follow state laws for public health reporting
  − HIPAA permits disclosures without authorization to “public health authorities” for public health activities and purposes
  − HIPAA permits disclosures without authorization to a health oversight agency for oversight activities
  − HIPAA does not preempt state statutes that are more stringent than HIPAA (e.g., NC communicable disease statutes)
  − HIPAA does not preempt state laws related to public health activities.
  − HIPAA does not require public health disclosures.

HIPAA’s Public Health Exemption Provisions

Public Law 104-191 (Health Insurance Portability and Accountability Act or HIPAA) carved out a specific provision to avoid impeding certain public health laws:

“Public Health. --Nothing in this part shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of disease or injury, child abuse, birth, or death, public health surveillance, or public health investigation or intervention.” (P.L. 104-191, Sec. 1178(b)).

45 CFR Part 160 § 160.203 General rule and exceptions.

“A standard, requirement, or implementation specification adopted under this subchapter that is contrary to a provision of State law preempts the provision of State law. This general rule applies, except if one or more of the following conditions is met: …

(c) The provision of State law, including State procedures established under such law, as applicable, provides for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention.”

HIPAA’s Public Health Exemption Provisions

45 CFR Part 162 § 164.512 Uses and disclosures for which consent, an authorization, or opportunity to agree or object is not required. …

(b) Standard: uses and disclosures for public health activities. …

“(1) Permitted disclosures. A covered entity may disclose protected health information for the public health activities and purposes described in this paragraph to:

(i) A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions;…”

HIPAA’s Public Health Exemption Provisions

45 CFR Part 162 § 164.512 Uses and disclosures for which consent, an authorization, or opportunity to agree or object is not required. …

(d) Standard: uses and disclosures for health oversight activities. …

“(1) Permitted disclosures. A covered entity may disclose protected health information to a health oversight agency for oversight activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other activities necessary for appropriate oversight of:

(i) The health care system;
(ii) Government benefit programs for which health information is relevant to beneficiary eligibility;
(iii) Entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards; or
(iv) Entities subject to civil rights laws for which health information is necessary for determining compliance.”

Public Health Exemption Guidelines

• Be knowledgeable about your program’s/function’s legal basis for collecting individually identifiable health information

• Restrict request for health information to that required by law or to that which is minimally necessary to accomplish purpose

• Question and validate requests for disclosures from external entities before disclosing health information

• Remember that public health data is still protected and its use is for public health purposes

• Other protections beside HIPAA govern health information within public health:
  − Federal Laws
  − NC General Statutes
  − NC Administrative Codes
  − Professional Standards

Privacy Steps to Compliance (now to April 14, 2003):

• HIPAA-related requests from outside DPH
  − Status of DHHS, DPH, or program area HIPAA coverage
  − Request to sign their business associate agreement

Do not respond directly
Do not sign
Contact DPH Privacy Official/Implementation Support

Useful Links:

HIPAA Regulations (federal site)
http://aspe.os.dhhs.gov/admnsimp/

Office of Civil Rights (privacy)
http://www.hhs.gov/ocr/hipaa

Center for Medicare and Medicaid Services
http://www.cms.hhs.gov/hipaa/

DPH HIPAA Office
http://dhhs.state.nc.us/dph/

DHHS HIPAA Office
http://dirm.state.nc.us/hipaa/

Institute of Government
http://www.medicalprivacy.unc.edu/

Local Health Departments
http://sph.unc.edu/hipaa

Contact

DPH HIPAA Office

[email protected]

(919) 715-0411

Questions and Answers