HIPAA - PRIVACY RULES HOW TO OPERATIONALIZE

HIPAA - PRIVACY RULES HOW TO OPERATIONALIZE. Presentation for NCHIMA - BEHAVIORAL HEALTH SECTION September 27, 2001 Presented By: Sarah Brooks, MPA, RHIA. PRIVACY REGULATION STATUS. Compliance Date Unchanged Must Comply by April 14, 2003. SECURITY REGULATION STATUS.


Presentation Transcript


  1. HIPAA - PRIVACY RULES HOW TO OPERATIONALIZE Presentation for NCHIMA - BEHAVIORAL HEALTH SECTION September 27, 2001 Presented By: Sarah Brooks, MPA, RHIA NC DHHS - HIPAA PMO

  2. PRIVACY REGULATION STATUS Compliance Date Unchanged Must Comply by April 14, 2003

  3. SECURITY REGULATION STATUS FINAL RULE NOT PUBLISHED • Speculation About Final Security Rule • Substantial content changes are not anticipated • US DHHS is trying to more closely align Security Regulations with the final Privacy Regulations • Anticipated Date - UNKNOWN

  4. PRIVACY AND SECURITY OFFICERS • Required Under HIPAA • Should Report to Upper Level Management • Agencies Must Determine if Full-time Positions Are Needed, Joint Positions or Assign Responsibilities to Current Staff

  5. PRIVACY AND SECURITY OFFICERS (continued) • Begin Process for Establishing These Positions NOW to: • Provide leadership in the planning, design and evaluation of Privacy and Security related projects • Establish sense of ownership and responsibility as result of early involvement

  6. PRIVACY OFFICER ROLES • Leadership Role for Implementing Privacy Regulations • Collaborative Role for Security Implementation • Education Role for Privacy Awareness and Training • Liaison with Agency and Legal Authorities • Consultant Role to Business Associates • Compliance Role for State/Federal Requirements

  7. PRIVACY OFFICER RESPONSIBILITIES • Develop Privacy Program to: • Analyze current Privacy practices • Establish and implement Privacy policies and procedures • Address training requirements • Implement monitoring system for agency compliance and Business Associates accountability • Handle complaints • Establish Internal Privacy Audit Program • Provide Maintenance of Privacy Program

  8. SECURITY OFFICER ROLES AND RESPONSIBILITIES • Responsible for Initial and Ongoing Security Awareness Training • Develop and Implement Security Policies/Procedures • Focal Point for Security Incidents • Responsible for Ensuring Disaster Recovery Plans Are Adequate • Ensure Physical Security of Buildings • Ensure Final Disposition of Electronic Data Is Properly Handled

  9. JOB DESCRIPTIONS • NC DHHS PMO Is Developing Drafts of Privacy & Security Officer Job Descriptions - Availability Unknown • Refer to Following Web Site URL for NC Healthcare Information and Communications Alliance, Inc. (NCHICA): http://www.nchica.org/HIPAA/HIPAAjobs.html

  10. PMO DELIVERABLES • EDI Assessment Tools http://dirm.state.nc.us/hipaa/newsite/focusgroup/edi/edi.html • Information Flow Assessment Questionnaire (IFA), IFA User Guide and Facilitator Training http://dirm.state.nc.us/hipaa/newsite/focusgroup/operation/IFA.html • Attorney General Opinions • Frequently Asked Questions on NC DHHS Web Site • HIPAA Awareness Presentations

  11. PMO DELIVERABLES (continued) • Core Privacy Training (under development) • Privacy Toolkit (under development) - Assessment and Gap Analysis Tool • Security Assessment (under development)

  12. NCHICA DELIVERABLES • NCHICA Web Site contains: http://www.nchica.org/HIPAA/HIPAA_intro.html • Presentations • HIPAA EarlyView™ tool (Security available; Privacy under development) • The Following Deliverables Are Under Development: • Security Policy and Procedures Matrix • Security Training Modules - Core Level in test • Privacy Models (Notice, Consent, Authorization, Business Associate Agreement)

  13. NCHICA DELIVERABLES (continued) • Minimum Necessary Decision Tree • Review of NC Statutes • HIPAA Privacy Checklists • Relationship Between NCHICA and NC DHHS Deliverables • DHHS Staff are working with NCHICA Focus Groups • DHHS PMO and Divisions will review and revise various deliverables to better meet DHHS needs • AG Office review when necessary

  14. WHAT TO DO NOW? • Determine if Your Agency is a Covered Entity, Hybrid Entity, Business Associate and/or Trading Partner by Using These Resources: • Information Flow Assessment Questionnaire • EDI Assessment • Consultation with Agency Attorney

  15. COVERED ENTITY • Health Plan (provides or pays the cost of medical care - e.g., Medicaid, HMOs, BC/BS, Medicare, Champus). • Health Care Clearinghouse (routes electronic data between payers & providers - e.g., billing services). • Health Care Provider Who Transmits Any Health Information in an Electronic Transaction (e.g., Hospitals, Physicians, Public Health Departments, Group Homes, Home Health).

  16. HYBRID ENTITY • Applies to Privacy Regulations only as they relate to Uses and Disclosures (164.504) • Defined as, “a single legal entity that is a covered entity and whose covered functions are not its primary functions.” • Need to identify those health care components within the Hybrid Entity that perform covered functions and other components that would normally be a Business Associate

  17. BUSINESS ASSOCIATES • Definition: Person who performs a function or activity on behalf of a Covered Entity, involving the use and/or disclosure of PHI. • Excludes person who is part of the Covered Entity’s workforce (e.g., Employees, Physicians with Staff Privileges) • Excludes Covered Entities who disclose PHI to providers for treatment purposes

  18. BUSINESS ASSOCIATES (continued) • Must protect PHI and help a Covered Entity comply with its obligations under the Privacy Rule • DO NOT have to comply with HIPAA Privacy Rules such as: • Appointment of a Privacy Officer • Develop Policies and Procedures for use and disclosure of PHI

  19. BUSINESS ASSOCIATES (continued) • Are Covered Entities Held Liable for Privacy Violations of Business Associates? • Covered Entities are not required to actively monitor Business Associates • Contracts must obligate Business Associate to advise Covered Entity when violations have occurred • If a Covered Entity is aware of violations or breach of Business Associate obligations, Covered Entity must take ‘reasonable steps’ to cure the breach or end the violation

  20. WHAT TO DO NOW? • Thorough Review of Privacy Regulations • Establish internal workgroup • Involve Legal Counsel • Complete Privacy Assessment/Gap Analysis • Slow Process • Don’t Make Hasty/Costly Decisions • Reasonableness • Scalability

  21. WHAT TO DO NOW? • Continuous Education and Review of HIPAA Information • Review potential changes to Privacy Regulations • Phone-in Prescriptions filled before getting consent • Referral Appointments for 1st time patients before getting patient’s consent • Broaden Allowable Communications for quick and effective health care • Change Minimum Necessary Scope • Monitor HIPAA Web Sites • http://dirm.state.nc.us/hipaa/newsite/resource.html

  22. WHAT TO DO NOW? (continued) • Complete Information Flow Assessment and EDI Assessment • Inventory EDI, Security, Privacy Policies and Procedures • Readily available when assessments are done • Identify policies and procedures that may need to be remediated

  23. WHAT TO DO NOW? (continued) • Review Privacy Guidance Documents from HHS • http://aspe.os.dhhs.gov/admnsimp/final/pvcguide1.htm • First in a series issued July 6, 2001 • Explains and clarifies important provisions of the privacy regulations relative to the following areas:

  24. PRIVACY GUIDANCE DOCUMENT • Consent • Consent is required before using or disclosing PHI for Treatment, Payment, or health care Operations (TPO) • Consent grants general permission to use or disclose PHI for TPO • Authorization is limited to purposes and parties specified in the authorization • Health care provider needs to obtain consent only once - rather than annually - and it can cover multiple visits and different medical conditions

  25. PRIVACY GUIDANCE DOCUMENT (continued) • Minimum Necessary • Agencies need to take reasonable steps to comply with the minimum necessary standard • Each agency will need to identify and classify who within the agency needs access to PHI and establish policies/procedures for the use and disclosure of PHI • Does not apply when PHI is: • Disclosed to provider for treatment • Disclosed directly to patient at their request • Used or disclosed with patient authorization • Used or disclosed to comply with EDI transaction standards • Disclosed to HHS for enforcement purposes • Used or disclosed when required by other laws

  26. PRIVACY GUIDANCE DOCUMENT (continued) • Oral Communications • Final Privacy regulations cover paper, electronic and oral communications of PHI • Health care providers must be free to discuss PHI with each other in treatment settings • Calling out patient names in waiting rooms is permitted • Some agencies are changing current practices however (e.g., separate sign in sheets rather than log; page patients by number rather than name)

  27. PRIVACY GUIDANCE DOCUMENT (continued) • Business Associate Contracts • Health care organizations: • are not automatically legally responsible for Business Associate Privacy violations • are not required to actively monitor the conduct and practices of Business Associates • must include provisions in their Business Associate Contracts requiring the Business Associate to notify them of any Privacy violations • must take reasonable steps to stop or fix any known Privacy violation or breach by their Business Associates • are out of compliance only if they fail to take such steps

  28. PRIVACY GUIDANCE DOCUMENT (continued) • Parents and Minors • Agency may not be required to disclose a child’s PHI to the parent when: • Parent agrees to confidential relationship between child & health care provider of the child • Provider believes child has been abused or neglected by parent • Disclosing information to parent could endanger the child • State law controls disclosure or non-disclosure of minor’s PHI to a parent (e.g., state law may allow minors to consent to mental health treatment without parental consent)

  29. PRIVACY GUIDANCE DOCUMENT (continued) • Health-Related Communications and Marketing • Generally, authorization is required when using or disclosing PHI for marketing purposes • Examples that are not considered marketing: • Describing the participating plans or providers in its network • Identifying a pharmacy that accepts a particular drug coverage • Describing services offered by a provider • Recommending brand name or over the counter drug • Making referrals • Sending appointment reminders

  30. PRIVACY GUIDANCE DOCUMENT (continued) • Medical Research • Allow use or disclosure of PHI for medical research purposes without authorization under certain circumstances: • PHI has been de-identified • Institutional Review Board or Privacy Board grants a waiver of such authorization • PHI may continue to be used or disclosed under certain circumstances for an ongoing research project as long as the patient gave legal permission (such as consent or authorization) prior to the compliance date

  31. PRIVACY GUIDANCE DOCUMENT (continued) • Government Access to PHI • Government operated health plans and providers, such as Medicare and Medicaid, are subject to the same HIPAA requirements as all other health care organizations • Office of Civil Rights is granted access to PHI, but only for investigative or enforcement purposes, and the information OCR requests will be limited and protected • Regulations allow certain disclosures to be made for law enforcement purposes but any state law that has tighter limits on such uses and disclosures of PHI will control

  32. PRIVACY GUIDANCE DOCUMENT (continued) • Payment • Explains conditions under which PHI may be used or disclosed for payment purposes • Billing and Collection • Determining health plan eligibility • Disclosures to consumer reporting agencies • Limited disclosure of PHI to consumer reporting and debt collection agencies • Appears to be no conflict between privacy regulations and the Fair Credit Reporting or Fair Debt Reporting Acts • Clarifies that a collections agency hired by a health care organization would be a Business Associate

  33. WHAT TO DO NOW? • Begin development of HIPAA Workplan

  34. HIPAA COMPLIANCE PROCESS
      • Understanding HIPAA: What is HIPAA • Why do HIPAA • What are the HIPAA requirements?
        • Key considerations: Who needs what information? • Develop SME’s on HIPAA • Compliance plans needed • Who is doing what?
        • Process and Tools: HIPAA Web Site • Awareness training • Participation in external organizations • Expansion Budget • Strategic Plan
      • Baselining the Organization: Where do we stand vs. these requirements? (i.e., what needs fixing?)
        • Key considerations: Who’s covered? • Which policies? • Which procedures? • Which tools and systems? • Which people?
        • Process and Tools: Master Plan • Roles & Responsibilities • BIFA • EDI/TCI assessments • Security/Privacy assessments
      • Planning Compliance Strategies: How do we close the gaps?
        • Key considerations: Enterprise vs. local fixes • Risk and cost/benefit analysis • $how me the money
        • Process and Tools: Enterprise & Individual Compliance Strategies • Technical infrastructure • Change management process & procedures • Roles & responsibilities • Scope matrix • Detailed Work-plans
      • Remediating the Organization: Let’s go fixing
        • Key considerations: Enterprise strategies • Thorough testing • Mandated deadlines
        • Process and Tools: Testing Strategies • Privacy related business templates • Enterprise privacy & security policies/proc • Privacy & security related policy/proc templates
      • Validating Compliance: How do we know we’re compliant?
        • Key considerations: Self-certification techniques • Certification of EDI transactions • Security certifications
        • Process and Tools: Self-certification Techniques • 3rd party certifications • quality assurance reviews
      • Maintaining Compliance: How do we stay compliant?
        • Key considerations: Ongoing training • Educating future new DHHS employees • Will need ongoing auditing & certification practices • Change Management
        • Process and Tools: Security/privacy maintenance plans • Enterprise Training Plans • Templates

  35. Key Considerations Who needs what information? Develop SME’s on HIPAA Compliance plans needed Who is doing what? Process and Tools HIPAA Web Site Awareness training Participation in external organizations Expansion Budget Strategic Plan UNDERSTANDING HIPAA • What is HIPAA • Why do HIPAA • What are the HIPAA Requirements?

  36. Key Considerations Who’s covered? Which policies? Which procedures? Which tools and systems? Which people? Process and Tools Master Plan Roles & Responsibilities BIFA EDI/TCI assessments Security/Privacy assessments BASELINING THE ORGANIZATION Where Do We Stand vs. These Requirements (i.e., What Needs Fixing)?

  37. Key Considerations Enterprise vs. Local Fixes Risk and Cost/Benefit Analysis $how Me the Money Process and Tools Enterprise & Individual Compliance Strategies Technical Infrastructure Change Management Process & Procedures Roles & Responsibilities Scope Matrix Detailed Workplans PLANNING COMPLIANCE STRATEGIES How Do We Close the Gaps?

  38. Key Considerations Enterprise Strategies Thorough Testing Mandated Deadlines Process and Tools Testing Strategies Privacy Related Business Templates Enterprise Privacy & Security Policies/Procedures Privacy & Security Related Policy/Procedure Templates REMEDIATING THE ORGANIZATION Let’s Go Fixing

  39. Key Considerations Self-Certification Techniques Certification of EDI Transactions Security Certification Process and Tools Self-Certification Techniques 3rd Party Certifications Quality Assurance Reviews VALIDATING COMPLIANCE How Do We Know We’re Compliant?

  40. Key Considerations Ongoing Training Educating Future New DHHS Employees Will Need Ongoing Auditing & Certification Practices Change Management Process and Tools Security/Privacy Maintenance Plans Enterprise Training plans Templates MAINTAINING COMPLIANCE How Do We Stay Compliant?

  41. HIPAA WORKPLAN • Phase • Based on Compliance Model • Activity • High level activity to be planned • Task • Primary tasks to be accomplished • Subtasks associated with primary tasks • Anticipated and Actual Start/Finish • Resources

  42. QUESTIONS ? ?
