
Public Health Concurrent Session II

Public Health Concurrent Session II. Jill Moore, JD, MPH March 2018. HIPAA highlights: entity. Hybrid entity. A HIPAA-covered entity that has both covered functions and non-covered functions


Presentation Transcript


  1. Public Health Concurrent Session II Jill Moore, JD, MPH March 2018

  2. HIPAA highlights: entity

  3. Hybrid entity
     • A HIPAA-covered entity that has both covered functions and non-covered functions
     • In other words, the entity has some programs/services/activities/functions that have to comply with HIPAA and some that don’t

  4. Definitions

  5. What goes in the designation of the health care component?
     • Required:
       • Covered functions: The functions or activities that make the entity a covered entity
       • Business associate-like functions: Functions or activities that would create a business associate relationship if performed by a separate legal entity
     • Optional:
       • The agency may include functions or activities that do not meet either of the above criteria if it chooses

  6. What is a business associate?
     • A person or entity that
       • creates, receives, maintains, or transmits PHI on behalf of a covered entity, for a HIPAA covered function or activity
       • provides certain services involving PHI (legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial)

  7. What is the “entity” that counts?
     • County
       • If the agency is a county department, then the county is the covered entity
         • County health department
         • County consolidated human services agency
       • The county should be a hybrid entity, and the agency may be a hybrid within a hybrid
     • Agency
       • If the agency is a legal entity that is separate from a single county, then the agency is the covered entity
         • District health department
         • Public health authority
       • The agency itself may be a hybrid entity

  8. PH OR CHS AGENCY
     • Health care component (covered by HIPAA):
       • Functions and activities that meet the definition of covered entity
       • Business associate-like functions or activities within the agency
       • Other functions/activities that agency chooses to include

  9. [Diagram labels: COUNTY; PH or CHS agency: Covered & BA-like functions; BA-like county functions (finance, legal, etc.); EMS]

  10. What to do with the hybrid entity designation
     • Document it
       • No templates or required forms, but there are specifications in the rule: see 45 CFR 164.105(a)
     • Retain it
       • No requirement to file it with anyone, but should know where to find it
     • Use it:
       • To inform HIPAA policies and procedures
       • To ensure appropriate workforce training
       • To help answer questions about uses and disclosures of information, breaches, etc.

  11. FAQs with answers that depend in part on what the hybrid entity designation says
     • Do we need a business associate agreement?
     • What are the rules for disclosing information?
     • Who has to have HIPAA training?
     • Information may have been disclosed improperly! Do we have to do HIPAA breach notification?

  12. Time for a reboot?
     • LHDs are encouraged to revisit their hybrid entity designations, especially if:
       • New consolidated agency
       • Programs/services added or ended
       • Current designation more than a couple years old

  13. Workforce
     • Who they are
       • Employees, volunteers, trainees, and other persons whose conduct in the performance of work is under the direct control of a covered entity or business associate
     • Covered entity’s obligations
       • Take workforce into account in developing HIPAA policies/procedures
       • Train workforce in HIPAA policies/procedures
       • Sanction workforce members who don’t comply

  14. HIPAA highlights: breach

  15. What is a breach?
     • Acquisition, access, use, or disclosure of protected health information (PHI) that:
       • Is not authorized by the HIPAA privacy rule, and
       • Compromises the privacy and security of the PHI.
     • Breach is presumed unless:
       • A specific exception in the rule applies, or
       • A risk assessment shows a low probability that PHI was compromised.

  16. What are the exceptions?
     • PHI could not reasonably be retained
     • Access is unintentional and by a workforce member or business associate acting in good faith
     • Inadvertent disclosure is made to another person within the CE or BA who is authorized to access PHI

  17. Risk assessment
     • What it is:
       • Analysis you undertake to demonstrate low probability that PHI was compromised
       • Demonstrated low probability of compromise defeats the presumption that unauthorized acquisition, access, use, or disclosure was a breach
     • Minimum factors:
       • Nature and extent of PHI, including types of identifiers & likelihood of re-identification
       • Unauthorized person who received disclosure or used PHI
       • Whether PHI was actually acquired and viewed
       • Extent to which any risk to PHI has been mitigated

  18. Safe harbor
     • Don’t have to notify if:
       • PHI was encrypted, or
       • PHI was disposed of in keeping with HHS guidance on secure disposal

  19. [Flowchart]
     • Did acquisition, access, use, or disclosure involve PHI? No: STOP. Yes: continue.
     • Was it encrypted or disposed per rules (safe harbor)? Yes: STOP. No: continue.
     • Does an exception apply? Yes: STOP. No: continue.
     • Low probability of compromise per risk assessment? Yes: STOP. No: Notification required.

  20. Notification prep: date check
     • If required to notify, must do so “without unreasonable delay” – no later than 60 days after breach discovered
     • Breach deemed discovered even if no actual knowledge, if reasonable diligence would have revealed it

  21. Notification Timeframes

  22. Notice Content
     • What happened?
       • Description of incident
       • Description of types of PHI involved (e.g., name, address, record number, DOB, diagnosis, etc.)
     • When did it happen? When did you realize it happened?
       • Description of incident must include dates of breach and of discovery of breach
     • What should people do?
       • Steps individuals should take to minimize potential harm from the breach
     • What is the covered entity doing?
       • Brief description of CE actions to investigate and mitigate the breach, and protect against future breaches
     • What if I want to know more?
       • Contact information and procedures for individuals to ask questions or learn more about breach

  23. State law on breaches
     • Breach: unauthorized access to or acquisition of records or data with “personal information,” which means name plus something that could be used to commit ID theft or threaten finances (SSN, DL number, financial account numbers, etc.)
     • State law requires breach notification, if:
       • Illegal use of the information has occurred, or
       • Illegal use of the information is reasonably likely to occur, or
       • The incident creates a material risk of harm to a consumer.

  24. What else should you do?
     • Investigate the circumstances
     • Mitigate harm to individuals
     • Account for disclosures (include in accounting log or other mechanism you use to provide accounting to individuals who request it)
     • Follow up with employees – apply sanctions, review training

  25. Hot and late-breaking topics

  26. Questions?
