Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna 412-396-4419.


The Law HIPAA: Health Insurance Portability & Accountability Act HITECH: Health Information Technology Economic & Clinical Health Act

HIPAA is Eleven Parts And what were you doing on July 30, 2004?

Six Parts Are Set 1. T & C 2. Privacy 3. Standard Unique Identifier for Employers 4. Security 5. Standard Unique HC Provider Identifier (NPI) 6. Enforcement Rule

HIPAA Information HIPAA covers: Oral Written (and beyond the medical record) Electronic [key: can the individual be identified] You will hear the term PHI: patient health information

Keep in Mind Minimum Necessary [45CFR (b)(1)] Emergency Situation [45CFR (3)] Incidental Disclosure [45CFR (a)(1)(iii)]

Are You HIPAA or Not? YES NO

Covered Entity Status Health Plan: individual or group plan that provides or pays the cost of medical care Healthcare Clearinghouse: public or private entity that does billing, repricing, community health management or information systems, etc. functions

Covered Entity Status Healthcare Provider: transmits any health information in electronic form in connection with a transaction covered by HIPAA

Sample HIPAA Transactions Health care claims or equivalent encounter information Health care payment and remittance advice Coordination of benefits Health care claims status

Who Do You Treat? Students (and how are they defined; i.e., LOA) Non-Students For organizations under FERPA, student records are under FERPA (loophole) even with transactions, but non-student records are under HIPAA, so you are a covered entity. But the most strict law generally takes precedence

You Are HIPAA If… You are one or more of the three covered entities You conduct one or more of the eleven transactions You treat non-students

College Assessment Also look at these areas: Student, Faculty, and Employee Training *Nursing *Pharmacy *Allied Health *Music Therapy *Business (I.T.)

College Assessment Health Services & Related Clinics Institutional Review Board; research Human Resources Athletics Vendors as business associates

Hybrid Entity A single legal entity whose business activities include both covered and non-covered functions (i.e., education & healthcare provider or health plan)

Creating a Culture of HIPAA Are the policies and procedures set? Are they enforced or do they “sit on the shelf”?

Compliance Officer Role Privacy Officer [45CFR (a)(1)(i)] Security Officer [45CFR (a)(2)] The Federal Government mandates that covered entities have both a privacy officer and a security officer If the same person, generally titled, Compliance Officer

1. HIPAA Committee Representatives from records, information technology, student services and management.

2. Policies & Procedures For the six HIPAA Rules to date, develop policies from the law, not secondary sources Do not take from the Internet

3. Training & Awareness Live or on-line Staff meeting awareness Integrate awareness to daily activities

4. Documentation Establish a system, on-site or off-site. Documentation must be retained for six years

5. Risk Assessments & Audits Quarterly Authentication: most likely passwords Data integrity checks Act on the findings

6. Complaint Process Ombudsman for confidentiality Post process to file complaints Complaints are only to be HIPAA related Act on the complaints

7. Sanction Process Sanction only for the HIPAA violation Internal investigation or OCR Civil and criminal penalties per Enforcement Rule & HITECH Follow-up on the sanction and charge

8. Web Site If the covered entity has a web site, the Notice of Health Information Privacy Practices must be prominently displayed on the web site. Keep the web site updated

9. Formage Develop forms from the laws. May or may not be able to use from other covered entities (i.e., addressable Security Rule policies) Educate staff on the formage

10. Business Associate Agreements Assess all those external to the workforce who have access to the covered entity’s PHI Both the Privacy Rule and the Security Rule mandate BAAs

11. Research Play an integral role with the covered entity’s Institutional Review Board Ensure minimum necessary standards for data used in research

Determination of HIPAA Research Status Does the research involve the collection, use, or dissemination of PHI? Is the PHI from a healthcare provider, clearinghouse, or healthcare plan? Does the healthcare provider, clearinghouse, or healthcare plan perform one of the eleven covered electronic transactions? If yes to these, then HIPAA

Privacy Rule Notice & Notice Verification Internet Notice Amend Records Authorization Accounting Information Destruction Business Associate Agreements

The Notice Tells the rights of the organization and the rights of the patient Document that is considered the guideline.

Security Rule Technical Security Administrative Security Physical Security Disaster Manual Access Controls Log-in Audit Warning Termination of Access

Faculty & Staff Access Have access to minimum necessary information to accomplish the intended purpose of the request given their role Must have an established need to know prior to requesting the information Ex. How long absent, but not the condition as it would not change the situation

Advising Faculty, Staff, & Students Is the condition directly academically related such as ADHD? But must always only request what is minimum necessary Have the student only submit and talk on what is minimum necessary Ex. Operating room reports, procedures notes, consultation reports, prescriptions Confirm whom the student allows one to talk to

Summary Follow the Law Keep it simple Thank you