OK, smart guy, I know what HIPAA isn't. What is HIPAA?
HIPAA is:
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Signed into law August 21, 1996
- Administrative Simplification subtitle
  - Congress gave itself until 1999 to enact the legislation
  - Failing that, it gave HHS the ability to promulgate rules
  - That happened August 26, 1999, when Congress failed to enact privacy rules
HIPAA standards apply to covered entities:
- Health plans
- Health care clearinghouses
- Health care providers that conduct designated transactions electronically
AND to those who conduct business for them (business associates)
March 2002
HIPAA's reach is more encompassing than anyone in the states thought it would be when the U.S. Congress passed the law in 1996. HIPAA applies to every health care provider, health plan or clearinghouse, in short, nearly anyone who bills or pays for a health service. The only ones excused are those who do not transfer any information electronically. In effect, that means that HIPAA covers just about any public program or private company dealing with health records.
"There's a tendency for those not really involved with HIPAA to look at it as a technology problem, as something like Y2K where you can just fix a database," says W. Holt Anderson, executive director of the North Carolina Healthcare Information and Communications Alliance, known as NCHICA. "But technology is only 25 percent of the challenge. The rest is changing policies, cultures and business practices. HIPAA is a major shift in the way we do health care."
Who is a Covered Entity?
- "A health care provider who transmits any health information in electronic form in connection with a transaction."
  - Providers get a choice, made by conducting electronic transactions (or getting a business associate to).
- "A health care clearinghouse."
  - Clearinghouses get no choice.
- "A health plan."
  - Explicitly including government plans such as Medicaid & Medicare, VA, DoD, CHAMPUS, IHS, etc.
  - Exceptions for some plans that are not primarily "health" plans, e.g., workers' comp, property & casualty.
When Washington State did an analysis of which departments would fall under HIPAA, it found that, in addition to corrections and schools, the Department of Labor and Industries was involved. Although workers' compensation programs are specifically excluded from HIPAA, the department has other programs that aren't, such as a program on occupational safety and health and one that provides benefits to victims of crimes.
On the government side, HIPAA clearly affects public hospitals, insurance programs for state and local employees and Medicaid. Less obviously, HIPAA extends to many agencies that one wouldn't intuitively put in the health care column. Corrections departments, for instance, can fall under HIPAA, depending on who runs prison health services and how. Education systems are likely to be HIPAA-impacted since most schools deal with student health records, and should they so much as fax a student's vaccination record, that would be an electronic transfer of health information.
Covered Entities Required To:
- Use HIPAA standards for designated transactions no later than the appropriate compliance date, via:
  - internal systems changes
  - a clearinghouse
  - a compliant business associate
- Use appropriate code sets in transactions
3 Parts to Administrative Simplification (45 CFR Subtitle A, Subchapter C)
- PART 160 – General Administrative Requirements: scope, common definitions, enforcement.
- PART 162 – Administrative Requirements: transaction, code set, [and identifier] standards.
- PART 164 – Security and Privacy: privacy [and security] rules.
Business Associates – Outsourced Medical Services?
- Transactions Rule: 45 C.F.R (c): requires a "business associate" of a covered entity to comply with all applicable requirements
- Privacy Rule: (e) and (e): parallel provision for privacy requirements
So why should I care about HIPAA? After all, I'm not a health care provider like other agencies are...
HIPAA and State Law Compliance: the Problem of the Lack of Federal Preemption
Clark Stanton, Davis Wright Tremaine LLP
Preemption
Preemption is the name we give to the theory under which the law at one level (federal, or even state) eliminates or controls the power of government at other levels (state and/or local) to regulate or pass laws in a particular area of activity.
Why Do We Care?
- Currently, each state has a complex array of laws that affect the privacy of medical information:
  - Medical record confidentiality laws
  - Public health reporting laws
  - Special topics: mental health; HIV; genetic information
  - Litigation-related laws: physician-patient privilege; notice for subpoenas
  - State constitutional privacy
Why Do We Care?
- Each state law concerning medical confidentiality has been crafted to provide privacy protections considered important to the people of that state.
  - California HIV confidentiality law prevents disclosure of HIV test results and even the identity of persons tested for HIV
  - California consumer notice law requires a person seeking to subpoena medical information to give notice to the subject of the records prior to serving the subpoena on a third party
HIPAA Preemption
- Express preemption
- Conflict-based preemption: "contrary"; "more stringent"
- Exceptions
- Quirks: more stringent state law undercut by "back door" provisions that bring HIPAA back in
- Authority: HIPAA 1178(a), 264(c)(2); Reg ff
- Excepted are:
  - state laws that the Secretary determines are necessary to prevent fraud and abuse, ensure appropriate State regulation of insurance and health plans, for State reporting on health care delivery, and other purposes for improving the health care delivery system
  - state laws for public health reporting, surveillance, investigation or intervention
  - state laws that address controlled substances
- HIPAA preempts only state laws that are designed to regulate the privacy of health information, not those that do so only incidentally
When Can You Report?
- National security exception
- Avert serious threats to health or public safety
- Law enforcement rules generally
National Security Exception
- Section 512(k)(2)
- May disclose PHI "to authorized federal officials for the conduct of lawful intelligence, counter-intelligence, and other national security activities"
- Those activities as defined in law: what you expect as "intelligence"
Averting Serious Threats
- Section 512(j) permits voluntary disclosure by a covered entity
- Must be "consistent with applicable law and standards of ethical conduct"
Averting Serious Threats
Option 1, can disclose where the disclosure:
- "Is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public"; and
- "Is to a person or persons reasonably able to prevent or lessen the threat"
Averting Serious Threats
Option 2, disclosure OK where the disclosure:
- "Is necessary for law enforcement authorities to identify or apprehend an individual"
- "Because of a statement by an individual admitting participation in a violent crime that the covered entity reasonably believes may have caused serious physical harm to the victim"
- That is, confessions to violent crimes
General Law Enforcement
- Sec. 512(f) generally requires "in response to law enforcement official's request"
- Covered entity can't volunteer the information, except where required by a reporting law or requested by law enforcement
General Law Enforcement
- Court order, grand jury subpoena, administrative subpoena: for full file
- To locate or identify a suspect, fugitive, material witness, or missing person: name, SSN, limited other information
Greater Focus on Security
- Less tolerance for hackers and other unauthorized use
- Cyber-security and the need to protect critical infrastructures
- Back-up needed in case of cyber-attack, attack on payments system, electricity grid, telephone system, or other systems you need
Security and Privacy
- Good data handling practices become more important: good security protects PHI against unauthorized use
- Audit trails and accounting become more obviously desirable: helps some HIPAA compliance
- Part of the system upgrade for security will be the system upgrade for other requirements, such as HIPAA privacy
Employee Data
- New exclusion from the definition of PHI for "Employment records held by a covered entity in its role as employer."
- Limiting language in preamble.
- But the regulatory text is very broad: those records are entirely outside of the rule.
Hybrid entities
- Current law: if "primarily" a covered entity, then all your operations are covered.
- Proposal: covered entity defines the components that are covered.
- Example: if no standard transactions, could a hospital web site be outside the rule? Sell all data?
Thanks to: Professor Peter Swire, Ohio State University College of Law; Director, D.C. program; Consultant, Morrison & Foerster, with focus on medical privacy. Phone: (301) Web:
Transaction and Code Sets Standards
- Final Regulation published in August 2000
- Original compliance date: October 16, 2002
- Many sectors of health care requested additional time to build, test, and successfully implement the standards
Congress' Response
- Administrative Simplification Compliance Act or ASCA (P.L )
- Allows covered entities to request a one-year extension for transactions and code sets compliance
- Does not affect other HIPAA standards, e.g., privacy
ASCA Provisions
- Covered entities may receive a one-year extension (to 10/16/03) if they submit a compliance extension plan by 10/15/2002
- NCVHS will study a sample of plans to identify compliance barriers and publish solutions
Compliance Extension Plan
Per ASCA, the plan must include a summary of:
- schedule for HIPAA implementation
- work plan and budget
- implementation strategy
- planned use of vendors
- time frame for testing (begin NLT 4/03)
How to Submit a Plan
- Electronically at www.cms.hhs.gov/hipaa (strongly suggested); you will receive a confirmation number
- Via paper: model form or other format
Who Should Submit a Plan
- Covered entity that does not expect to be compliant by 10/16/02
- Note: providers not conducting electronic transactions are not covered entities
- Exception: small plans already have until 10/03 and cannot receive an extension
Medicaid
- Developed a HIPAA compliance "road map" for States
  - CD-based tool
  - Provides gap analysis, resources
- Facilitating cooperative working relationships among States to identify issues
Conclusions
- Extension provides opportunity for higher quality, lower risk
- Don't rush to submit a plan
- Establish a reasonable plan and stick to it
- Begin external testing as early as possible
- Use resources/information available through CMS, industry groups, associations and other partners
Covered Entity To Do List
- Submit compliance plan if extension desired
- Work with IT staff and vendors
- Contact your business associates and trading partners
- Join WEDI/SNIP efforts
- Support SDOs
- Use the delay time to reach compliance
Security Requirements
Covered entities shall maintain reasonable and appropriate administrative, technical, and physical safeguards:
- to ensure integrity and confidentiality
- to protect against reasonably anticipated
  - threats or hazards to security or integrity
  - unauthorized uses or disclosures
- taking into account
  - technical capabilities
  - costs, training, value of audit trails
  - needs of small and rural providers
Security Issues
- Covers transmitted data plus data at rest.
- Involves policies/procedures and contracts with business associates.
- For most security technology to work, behavioral safeguards must also be established and enforced; this requires administration commitment and responsibility.
- Electronic signatures: the final rule will depend on industry progress on reaching consensus on a standard.
Enforcement Philosophy
- Pre-emption of state law wherever feasible: not politically possible for privacy.
- Enforcement by investigating complaints: not a HIPAA police force (OCR, not OIG).
- "The Secretary will, to the extent practicable, seek the cooperation of covered entities in obtaining compliance"
- The philosophy is to improve the health care system by helping entities comply, not by punishing unintentional mistakes.
Excuses from civil penalties (from law)
- NONCOMPLIANCE NOT DISCOVERED: the person did not know, and by exercising reasonable diligence would not have known.
- FAILURES DUE TO REASONABLE CAUSE:
  - the failure was due to reasonable cause and not to willful neglect; and
  - the failure is corrected within 30 days (which may be extended as determined appropriate by the Secretary based on the nature and extent of the failure to comply); or
  - the failure was because the person was unable to comply.
- REDUCTION: if the failure is due to reasonable cause, any penalty may be waived ...
Phase 1: Current Design - Functional Decomposition ("Framing Your Organization's Environment")
Sample functional areas and examples:
- Processes: Membership and Enrollment; Claims Administration; Contract Management; Administration; Financial; Scheduling
- Locations: Hospital; Outpatient Clinic; Off-site storage; Headquarters; Remote Sales office; Data Center
- IT Environment: Wireless; WAN; LAN; Dial-up; Web; Servers; Workstations; Facilities; Databases
- Applications: Laboratory; Radiology; Pharmacy; Order Entry; Nurse Management; Financial; Enrollment; Billing & A/R; Provider Management; Sales Management
- Strategic Initiatives: Integrating the Healthcare Enterprise (IHE); Electronic Medical Records; Web-Enabling Clinical Applications; Electronic Data Interchange (EDI); Customer Relationship Management (CRM)
Phase 2: Requirements Interpretation – Develop Requirements Categories ("Logical Means of Grouping the Criteria to Measure Progress")
- Policies and Standards: Policies include senior management's directives to create a computer security function, establish goals for the function, and assign responsibilities for the function. Standards include specific security rules for particular information systems and practices.
- Procedures: Procedures include the activities and tasks that dictate how the policies or supporting standards will be implemented in the organization's environment.
- Tools / Infrastructure: Tools or infrastructure include the elements that are necessary to support implementation of the requirements within the organization, such as process, organizational structure, network and system related controls, and logging and monitoring devices.
- Operational: Operational includes all the activities and supporting processes associated with maintaining the solution or system and ensuring it is running as intended. Typically, an owner is assigned to manage the execution of the activities and supporting processes. Examples of activities and supporting processes include maintenance, configuration management, technical documentation, backups, software support and user support.
Phase 3: Gap Assessment – Determine Gaps ("Avoid the Road to Abilene by Getting Organizational Alignment")
Current State + HIPAA -> Gap Analysis
- Use the HIPAA Security Criteria (Phase 2) to assess the organization's current state
- Determine gaps from the current-state requirements
Phase 4: Execution - Establish PMO ("HIPAA Readiness is NOT an IT Project")
PMO structure:
- HIPAA PMO Manager
  - Security HIPAA Project Manager
  - Privacy HIPAA Project Manager
  - TCI HIPAA Project Manager
  - Other PMO Staff
Responsibilities:
- Establish priorities
- Manage both organization and internal HIPAA dependencies
- Resolve project issues
Final HIPAA Rules To Come
- Employer Identifier
- Security
- National Provider Identifier
- Electronic Signature
- Privacy modifications
This concludes the presentation. Time for questions and comments.