Presentation is loading. Please wait.

Presentation is loading. Please wait.

Hot Topics Legal Update Jill D. Moore, JD, MPH University of North Carolina School of Government September 2014.

Similar presentations


Presentation on theme: "Hot Topics Legal Update Jill D. Moore, JD, MPH University of North Carolina School of Government September 2014."— Presentation transcript:

1 Hot Topics Legal Update Jill D. Moore, JD, MPH University of North Carolina School of Government September 2014

2 HIPAA Highlights Hybrid entitiesDealing with breachesPHI and public health

3 Protected health information (PHI) Individually identifiable health information created, received or maintained by a HIPAA-covered entity that relates to: Health status or condition Provision of health care Payment for provision of health care

4 Information Confidential information PHI covered by HIPAA

5 HIPAA Highlights Hybrid entitiesDealing with breachesPHI and public health

6 Who is covered by HIPAA? Covered entity Health care provider that transmits health information electronically in connection with a HIPAA transaction Health plan Health care clearinghouse Business associate Creates, receives, maintains, or transmits PHI on behalf of a covered entity (for a HIPAA covered function or activity), or Provides services involving PHI (legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial)

7 What is a hybrid entity? A covered entity with both covered and non- covered functions can be a hybrid entity. Covered functions are: Activities or functions that, standing alone, would meet the definition of covered entity Activities or functions that would create a business associate relationship if they were carried out by a separate entity

8 What is a hybrid entity? The entity must designate its covered component. The covered component must include covered functions and may include non-covered functions. The covered component must comply with HIPAA. The non-covered component is not required to comply with HIPAA (though it may be subject to other confidentiality laws).

9 Covered because meets covered entity definition Covered because performs BA-like functions Covered by local option Not covered Hybrid entity

10 Where you are in the entity affects … Policies for sharing information Obligations such as distributing the notice of privacy practices Training requirements Management of breaches And more

11 Hybrid entity resources HIPAA regulations: 45 CFR (a) US DHHS resources for covered entities and business associates: understanding/coveredentities/

12 HIPAA Highlights Hybrid entitiesDealing with breachesPHI and public health

13 What is a breach? Breach: unauthorized acquisition, access to, use of, or disclosure of PHI, which compromises the privacy and security of the information. HIPAA requires notifying individuals and certain others of breaches, unless: –A specific exception in the breach rule applies, or –A risk analysis shows a low probability that PHI was compromised, or –The PHI was encrypted or had been disposed securely.

14 Safe Harbor Don’t have to notify if: –PHI was encrypted, or –PHI was disposed in keeping with HHS guidance on secure disposal

15 When is notification not required? Specific exceptions PHI could not reasonably be retained PHI access is unintentional and by a workforce member or business associate acting in good faith Inadvertent disclosure is made to another person within the CE or BA who is authorized to access PHI Risk analysis factors Nature and extent of PHI, including types of identifiers & likelihood of re-identification Unauthorized person who received disclosure or used PHI Whether PHI was actually acquired and viewed Extent to which any risk to PHI has been mitigated

16 Affected individuals – within 60 days US DHHS – if > 500 individuals involved, contemporaneous notice; otherwise annual report Media, if > 500 involved – within 60 days. Recipients & timing of notice Description of incident, PHI involved, advice to individuals to minimize harm, actions you’ve taken to investigate and mitigate, contact information for more info. Content of notice Written letter (standard); if prior agreement to notification obtained; telephone if urgent (but also send written) Method of notice

17 Breach: unauthorized access to or acquisition of records or data with “personal information,” which means name plus something that could be used to commit ID theft or threaten finances (SSN, DL number, financial account numbers, etc.) State law requires breach notification, if: –Illegal use of the information has occurred, or –Illegal use of the information is reasonably likely to occur, or –The incident creates a material risk of harm to a consumer. State Law on Breaches

18 Checklist for breach follow-up Determine if notification required under HIPAA and/or state law. Mitigate harm caused by the breach. Note disclosure in accounting log. If workforce member involved, apply sanctions policy. Consider whether incident points to a need for changes in safeguards, policies, training, etc.

19 HIPAA regulations: 45 CFR 164, subpart D (sections – ) US DHHS resources: breachnotificationrule/ Breach resources

20 HIPAA Highlights Hybrid entitiesDealing with breachesPHI and public health

21 MythHIPAA reality A LPHA program or activity is not subject to HIPAA if it is a core (or essential) public health activity. Whether a LPHA program or activity is subject to HIPAA depends on whether it’s a covered component, and that goes back to the hybrid entity designation. When does HIPAA apply to local public health? If LPHA program/activity meets the covered entity definition or performs BA-like functions for a HIPAA covered component, it must be covered. Sometimes a program/activity is covered by local option for administrative or programmatic reasons.

22 Immunizations HIPAA changed but state law did not—this is causing confusion In NC, health care providers must disclose immunization information to schools on request; neither written authorization nor oral permission is required

23 HIPAA’s de-identification standard and the small numbers problem If information is de-identified, it is no longer subject to HIPAA’s restrictions on use and disclosure. See 45 CFR (a). But a HIPAA covered component may consider information de-identified only if one of two conditions are met:

24 HIPAA: De-identification of PHI Expert determination Person with knowledge of & experience with statistical methods for making information non-identifiable determines that the risk that the info could be used (alone or in combination with other info) to identify the individual is very small. Specific identifiers stripped Remove all: Names & addresses Geographic subdivisions smaller than a state* Dates related to individual-- birth, treatment, other dates Telephone & fax numbers , URLs, IP address SSN, medical record number, other numbers And more—see rule

25 If the information is PHI, to de-identify satisfactorily for HIPAA purposes: –Must strip geographic identifiers including county, or –Must have statistical expert determine that the risk an individual could be identified is very small If PHI cannot be de-identified, the entity must follow HIPAA’s rules regarding use and disclosure. –Note that this does not mean the information may not be used or disclosed. However, it does mean that uses or disclosures are limited to those permitted by HIPAA. County-level data and the small number problem

26 The small numbers concern does not mean a LPHA can’t make, use, or disclose maps using PHI. It does mean that if PHI that has not been de-identified will be used for the map, you have to apply HIPAA’s rules for using or disclosing PHI to the making, use, or disclosure of the map. What about maps?

27 Immunizations: –US DHHS guidance: coveredentities/studentimmunizations.html –SOG bulletin on immunizations & NC law: De-identification: –HIPAA regulation: 45 CFR –HHS guidance on de-identification methods: coveredentities/De-identification/guidance.html Public health resources

28 Jill Moore UNC School of Government


Download ppt "Hot Topics Legal Update Jill D. Moore, JD, MPH University of North Carolina School of Government September 2014."

Similar presentations


Ads by Google