HIPAA -- A Primer for State Corrections CIOs
Scott McPherson, Chief Information Officer, Florida Department of Corrections
What HIPAA is NOT….
OK, smart guy, I know what HIPAA isn’t. What is HIPAA ?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
HIPAA is:
– Signed into law August 21, 1996
– Administrative Simplification Subtitle: Congress gave itself until 1999 to enact the legislation
– Failing that, they gave HHS the ability to promulgate rules
– That happened August 26, 1999, when Congress failed to enact privacy rules
HIPAA standards apply to covered entities:
– Health plans
– Health care clearinghouses
– Health care providers that conduct designated transactions electronically
AND to those who conduct business for them (Business Associates)
“HIPAA’s reach is more encompassing than anyone in the states thought it would be when the U.S. Congress passed the law in HIPAA applies to every health care provider, health plan or clearinghouse — in short, nearly anyone who bills or pays for a health service. The only ones excused are those who do not transfer any information electronically. In effect, that means that HIPAA covers just about any public program or private company dealing with health records.”
March, 2002
“There’s a tendency for those not really involved with HIPAA to look at it as a technology problem, as something like Y2K where you can just fix a database,” says W. Holt Anderson, executive director of the North Carolina Healthcare Information and Communications Alliance, known as NCHICA. “But technology is only 25 percent of the challenge. The rest is changing policies, cultures and business practices. HIPAA is a major shift in the way we do health care.”
Who is a Covered Entity?
– “A health care provider who transmits any health information in electronic form in connection with a transaction.” Providers get a choice, made by conducting electronic transactions (or getting a business associate to).
– “A health care clearinghouse.” Clearinghouses get no choice.
– “A health plan.” Explicitly including government plans such as Medicaid & Medicare, VA, DoD, CHAMPUS, IHS, etc. Exceptions for some not primarily “health” plans, e.g., workers comp, property & casualty.
When Washington State did an analysis of which departments would fall under HIPAA, it found that, in addition to corrections and schools, the Department of Labor and Industries was involved. Although workers’ compensation programs are specifically excluded from HIPAA, the department has other programs that aren’t, such as a program on occupational safety and health and one that provides benefits to victims of crimes.
On the government side, HIPAA clearly affects public hospitals, insurance programs for state and local employees and Medicaid. Less obviously, HIPAA extends to many agencies that one wouldn’t intuitively put in the health care column. Corrections departments, for instance, can fall under HIPAA, depending on who runs prison health services and how. Education systems are likely to be HIPAA-impacted since most schools deal with student health records, and should they so much as fax a student’s vaccination record, that would be an electronic transfer of health information.
Covered Entities Required To:
– Use HIPAA standards for designated transactions no later than the appropriate compliance date via:
  – internal systems changes
  – clearinghouse
  – compliant business associate
– Use appropriate code sets in transactions
3 Parts to Administrative Simplification (45 CFR Subtitle A, Subchapter C)
– PART 160 – General Administrative Requirements: scope, common definitions, enforcement.
– PART 162 – Administrative Requirements: transaction, code set, [and identifier] standards.
– PART 164 – Security and Privacy: privacy [and security] rules.
Business Associates – Outsourced Medical Services?
– Transactions Rule: 45 C.F.R. (c): requires a “business associate” of a covered entity to comply with all applicable requirements
– Privacy Rule: (e) and (e): parallel provision for privacy requirements
So why should I care about HIPAA? After all, I’m not a health care provider like other agencies are…
HIPAA and State Law Compliance: the Problem of the Lack of Federal Preemption
Clark Stanton, Davis Wright Tremaine LLP
Preemption
Preemption is the name we give to the theory under which the law at one level (federal, or even state) eliminates or controls the power of government at other levels (state and/or local) to regulate or pass laws in a particular area of activity.
Why Do We Care?
Currently, each state has a complex array of laws that affect the privacy of medical information.
– Medical record confidentiality laws
– Public health reporting laws
– Special topics: mental health; HIV; genetic information
– Litigation related laws: physician-patient privilege; notice for subpoenas
– State constitutional privacy
Why Do We Care?
Each state law concerning medical confidentiality has been crafted to provide privacy protections considered important to the people of that state.
– California HIV confidentiality law prevents disclosure of HIV test results and even the identity of persons tested for HIV
– California consumer notice law requires a person seeking to subpoena medical information to give notice to the subject of the records prior to serving the subpoena on a third party
HIPAA Preemption
– Express
– Conflict based:
  – Contrary
  – More stringent
– Exceptions
– Quirks:
  – More stringent state law undercut by “back door” provisions that bring HIPAA back in
When Can You Report?
– National security exception
– Avert serious threats to health or public safety
– Law enforcement rules generally
National Security Exception
– Section 512(k)(2)
– May disclose PHI “to authorized federal officials for the conduct of lawful intelligence, counter-intelligence, and other national security activities”
– Those activities as defined in law -- what you expect as “intelligence”
Averting Serious Threats
– Section 512(j) permits voluntary disclosure by a covered entity
– Must be “consistent with applicable law and standards of ethical conduct”
Averting Serious Threats
Option 1, can disclose where the disclosure:
– “Is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public”; and
– “Is to a person or persons reasonably able to prevent or lessen the threat”
Averting Serious Threats
Option 2, disclosure OK where the disclosure:
– “Is necessary for law enforcement authorities to identify or apprehend an individual”
– “Because of a statement by an individual admitting participation in a violent crime that the covered entity reasonably believes may have caused serious physical harm to the victim”
– That is, confessions to violent crimes
General Law Enforcement
– Sec. 512(f) generally requires disclosure to be “in response to law enforcement official’s request”
– Covered entity can’t volunteer the information, except where required by a reporting law or requested by law enforcement
General Law Enforcement
– Court order, grand jury subpoena, administrative subpoena for full file
– To locate or identify a suspect, fugitive, material witness, or missing person:
  – Name, SSN, limited other information
Greater Focus on Security
– Less tolerance for hackers and other unauthorized use
– Cyber-security and the need to protect critical infrastructures
– Back-up needed in case of cyber-attack, attack on payments system, electricity grid, telephone system, or other systems you need
Security and Privacy
– Good data handling practices become more important -- good security protects PHI against unauthorized use
– Audit trails, accounting become more obviously desirable -- helps some HIPAA compliance
– Part of system upgrade for security will be system upgrade for other requirements, such as HIPAA privacy
Employee Data
New exclusion from definition of PHI for:
– “Employment records held by a covered entity in its role as employer.”
– Limiting language in preamble.
– But the regulatory text is very broad -- those records are entirely outside of the rule.
Hybrid entities
Current law:
– If “primarily” a covered entity, then all your operations are covered.
Proposal:
– Covered entity defines components that are covered
Example:
– If no standard transactions, could a hospital web site be outside the rule? Sell all data?
Thanks to: Professor Peter Swire, Ohio State University College of Law, Director, D.C. program; Consultant, Morrison & Foerster, with focus on medical privacy
Phone: (301) Web:
EDI (Electronic Data Interchange)
Transaction and Code Sets Standards
– Final Regulation published in August, 2000
– Original compliance date: October 16, 2002
– Many sectors of health care requested additional time to build, test, and successfully implement the standards
Congress’ Response
– Administrative Simplification Compliance Act or ASCA (P.L )
– Allows covered entities to request a one-year extension for transactions and code sets compliance
– Does not affect other HIPAA standards, e.g., privacy
ASCA Provisions
– Covered entities may receive a one-year extension (to 10/16/03) if they submit a compliance extension plan by 10/15/2002
– NCVHS will study a sample of plans to identify compliance barriers -- publish solutions
Compliance Extension Plan
Per ASCA, the plan must include a summary of:
– schedule for HIPAA implementation
– work plan and budget
– implementation strategy
– planned use of vendors
– time frame for testing (begin NLT 4/03)
How to Submit a Plan
Electronically
– at
– strongly suggested
– will receive confirmation number
Via paper
– model form or other format
Who Should Submit a Plan
– Covered entity that does not expect to be compliant by 10/16/02
  – Note: providers not conducting electronic transactions are not covered entities
Exception:
– Small plans already have until 10/03 and cannot receive an extension
Medicaid
– Developed a HIPAA compliance “road map” for States
  – CD-based tool
  – Provides gap analysis, resources
– Facilitating cooperative working relationships among States to identify issues
Conclusions
– Extension provides opportunity for higher quality, lower risk
– Don’t rush to submit a plan
– Establish a reasonable plan and stick to it
– Begin external testing as early as possible
– Use resources/information available through CMS, industry groups, associations and other partners
Covered Entity To Do List
– Submit compliance plan if extension desired
– Work with IT staff and vendors
– Contact your business associates and trading partners
– Join WEDI/SNIP efforts
– Support SDOs
– Use the delay time to reach compliance
Security Requirements
Covered Entities shall maintain reasonable and appropriate administrative, technical, and physical safeguards --
– to ensure integrity and confidentiality
– to protect against reasonably anticipated
  – threats or hazards to security or integrity
  – unauthorized uses or disclosures
– taking into account
  – technical capabilities
  – costs, training, value of audit trails
  – needs of small and rural providers
Security Issues
– Covers transmitted data plus data at rest.
– Involves policies/procedures & contracts with business associates.
  – For most security technology to work, behavioral safeguards must also be established and enforced. Requires administration commitment and responsibility.
– Electronic signatures:
  – Final rule will depend on industry progress on reaching consensus on a standard.
Enforcement Philosophy
– Pre-emption of state law wherever feasible. Not politically possible for privacy.
– Enforcement by investigating complaints. Not a HIPAA police force -- OCR, not OIG.
– “The Secretary will, to the extent practicable, seek the cooperation of covered entities in obtaining compliance”
– The philosophy is to improve the health care system by helping entities comply, not by punishing unintentional mistakes.
Excuses from civil penalties (from law)
NONCOMPLIANCE NOT DISCOVERED
– the person did not know, and by exercising reasonable diligence would not have known.
FAILURES DUE TO REASONABLE CAUSE
– the failure was due to reasonable cause and not to willful neglect; and the failure is corrected within 30 days (which may be extended as determined appropriate by the Secretary based on the nature and extent of the failure to comply.)
– the failure was because the person was unable to comply
REDUCTION
– If the failure is due to reasonable cause, any penalty may be waived …
Phase 1: Current Design - Functional Decomposition
“Framing Your Organization’s Environment”
Sample Functional Areas and Examples:
– Processes: Membership and Enrollment; Claims Administration; Contract Management; Administration; Financial; Scheduling
– Locations: Hospital; Outpatient Clinic; Off-site storage; Headquarters; Remote Sales office; Data Center
– IT Environment: Wireless; WAN; LAN; Dial-up; Web Servers; Workstations; Facilities; Databases
– Applications: Laboratory; Radiology; Pharmacy; Order Entry; Nurse Management; Financial; Enrollment; Billing & A/R; Provider Management; Sales Management
– Strategic Initiatives: Integrating the Healthcare Enterprise (IHE); Electronic Medical Records; Web-Enabling Clinical Applications; Electronic Data Interchange (EDI); Customer Relationship Management (CRM)
Phase 2: Requirements Interpretation – Develop Requirements Categories
“Logical Means of Grouping the Criteria to Measure Progress”
Category and Description:
– Policies and Standards: Policies include senior management’s directives to create a computer security function, establish goals for the function, and assign responsibilities for the function. Standards include specific security rules for particular information systems and practices.
– Procedures: Procedures include the activities and tasks that dictate how the policies or supporting standards will be implemented in the organization’s environment.
– Tools / Infrastructure: Tools or infrastructure include the elements that are necessary to support implementation of the requirements within the organization, such as process, organizational structure, network and system related controls, and logging and monitoring devices.
– Operational: Operational includes all the activities and supporting processes associated with maintaining the solution or system and ensuring it is running as intended. Typically, an owner is assigned to manage the execution of the activities and supporting processes. Examples of activities and supporting processes include maintenance, configuration management, technical documentation, backups, software support and user support.
Phase 3: Gap Assessment – Determine Gaps
Current State -> HIPAA Gap Analysis
– Use the HIPAA Security Criteria (Phase 2) to assess the organization’s current state
– Determine gaps from the current state requirements
“Avoid the Road to Abilene by Getting Organizational Alignment”
Phase 4: Execution - Establish PMO
PMO structure: HIPAA PMO Manager; Other PMO Staff; TCI HIPAA Project Manager; Privacy HIPAA Project Manager; Security HIPAA Project Manager
– Establish priorities
– Manage both organization and internal HIPAA dependencies
– Resolve project issues
“HIPAA Readiness is NOT an IT Project”
Final HIPAA Rules To Come
– Employer Identifier
– Security
– National Provider Identifier
– Electronic Signature
– Privacy modifications
This concludes the presentation. Time for questions and comments.