How DHHS Privacy Policies Affect You

Presentation transcript:

PRIVACY TRAINING: How DHHS Privacy Policies Affect You
Prepared by: NC DHHS HIPAA Office, April 2003

Slide 2: Training Goals
- To increase your knowledge and understanding of privacy and individually identifiable health information (IIHI): where IIHI could be found in this agency, what threats to privacy may exist in this agency, and why information you access must be kept private.
- To promote awareness of your role in helping this agency follow Privacy Procedures implemented according to DHHS Privacy Policies.
- To tell you whom you can go to with questions about privacy.
- To inform you of your reporting responsibilities when privacy violations occur.
- To alert you to the possible penalties, for both you and this agency, for violation of agency Privacy Procedures and DHHS Privacy Policies.
- To understand that privacy also protects you.

BACKGROUND

Slide 4: HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) of 1996, Public Law 104-191, is a Federal law that provides:
- Health Insurance Portability - guarantees health insurance when employees change jobs.
- Accountability - protects health data integrity, confidentiality, and availability; reduces fraud and abuse; gives patients more control over their health information.
- Administrative Simplification - reduces paperwork and associated administrative costs.
- Data Standardization - establishes standards for transmission of electronic transactions (EDI, Code Sets, and Identifiers).
- Privacy and Security - requires reasonable measures to protect individuals’ health information.

Slide 5: HIPAA
HIPAA is comprised of five Titles (sections). This training addresses one of the components of Title II - Administrative Simplification.

Slide 6: HIPAA
HIPAA Administrative Simplification contains seven components, or regulation areas. This training focuses on the Privacy Regulation.

Slide 7: HIPAA - Who Must Comply?
Covered Entities:
- Health Care Providers that conduct standard transactions electronically (e.g., DMH/DD/SAS, DMA, DPH).
- Health Plans that provide or pay the cost of medical care (e.g., Medicaid, Medicare, Champus, BC/BS, HMOs). Excludes government funded programs whose primary mission is not providing for or paying the cost of medical care (e.g., Willie M. and Thomas S.).
- Clearinghouses.
DHHS has been determined to be a hybrid entity, which means that only specific programs of the agency are covered. These covered programs are known as Covered Health Care Components (HCCs).
- Trading Partners who electronically exchange IIHI with covered entities.
- Business Associates who perform covered functions or activities for or on behalf of a covered entity that involve the use of IIHI.

Slide 8: HIPAA Privacy Rule
- For the first time, provides national standards to protect individuals’ medical records and other personal health information.
- Clients have more control over their health information.
- Sets boundaries on use and disclosure of health information.
- Establishes appropriate safeguards to protect health information.
- Holds violators accountable.
- Strikes a balance between privacy of health information and the public’s need to know (e.g., reporting of communicable diseases).

Slide 9: Why HIPAA? Why Now?
- Promotes public trust.
- Comes at a time when technology can meet the requirements.
- Monitors the use of health information.
- Establishes a floor for acceptable privacy and security standards for health care information. However, stricter state laws will preempt HIPAA.

Slide 10: Why Comply with HIPAA?
- Organizations can continue business relationships within the health care community.
- Avoid denied claims or delayed payments from health plans.
- Organizations and individuals avoid severe criminal and civil penalties for non-compliance.
- DHHS staff avoid being subjected to personnel sanctions (e.g., disciplinary actions, loss of employment).

Slide 11: Penalties for Failure to Comply with HIPAA
CIVIL
- $100 fine per person per violation
- $25,000 fine per year for multiple violations
- $25,000 fine cap per year per requirement
CRIMINAL
- Knowingly or wrongfully disclosing or receiving IIHI protected by HIPAA: $50,000 fine and/or one year prison time
- Committing the offense under false pretenses: $100,000 fine and/or five years prison time
- Intent to sell IIHI protected by HIPAA or client lists for personal gain or malicious harm: $250,000 fine and/or ten years prison time

Slide 12: Enforcement
- Centers for Medicare and Medicaid Services (CMS) is the designated enforcement agency for the HIPAA Transactions, Code Sets, Identifiers, and Security Standards.
- US HHS Office for Civil Rights (OCR) is the designated enforcement agency for the HIPAA Privacy Regulation.
- US Department of Justice (DOJ) will be involved in criminal privacy violations. This agency will issue penalties such as fines and imprisonment.
- The HIPAA Enforcement Regulation will provide more information when finalized.

Slide 13: For More HIPAA Information
More information about HIPAA is available on the following web sites:
- US Department of Health and Human Services - HIPAA Administrative Simplification: http://aspe.os.dhhs.gov/admnsimp/
- Office for Civil Rights (Privacy Information): http://www.hhs.gov/ocr/hipaa/finalreg.html
- Centers for Medicare and Medicaid Services (Transactions, Code Sets, Identifiers and Security Information): http://www.cms.hhs.gov/hipaa/hipaa2/default.asp
- DHHS HIPAA Web Site: http://dirm.state.nc.us/hipaa/

Slide 14: DHHS HIPAA Initiative - DHHS HIPAA Office
- Established in June 2000.
- Identified DHHS HCCs and Internal Business Associates (those within DHHS) and External Business Associates (outside DHHS).
- Conducted assessments for: Transactions and Code Sets; Privacy; Preliminary Security.
- Develops DHHS Privacy Policies to comply with HIPAA Privacy requirements.
- Provides guidance for HIPAA activities in DHHS agencies (e.g., DMA, DMH/DD/SAS, DIRM).

Slide 15: DHHS HIPAA Initiative - DHHS Agencies
- Designated HIPAA Coordinators and Privacy Officials.
- Formed agency HIPAA implementation teams.
- Identified initial security risks.
- Remediate systems and update business processes impacted by the Transactions and Code Sets and Privacy Rules.
- Create/update procedures to implement the DHHS Privacy Policies.
- Provide training on updated systems, business processes, and privacy policies/procedures.

Slide 16: Agency HIPAA Efforts - What Does HIPAA Mean for Our Agency?
We must:
- Remediate systems and business processes for transaction, code set, and identifier requirements.
- Identify privacy practices.
- Remediate systems and processes for privacy requirements.
- Develop clear privacy procedures to safeguard IIHI.
- Provide training for staff regarding agency privacy procedures (this and any subsequent training).
- Provide appropriate safeguards for all forms of IIHI.

PRIVACY AND YOU

Slide 18: What Is Privacy?
Definition: Privacy is the right of the individual to have his/her individual health information protected from unauthorized use and disclosure.
Related Privacy Terms:
- Individually Identifiable Health Information (IIHI) is health information that contains specific elements or details by which a person can be identified (e.g., address, facial photograph, Social Security Number).
- A Business Associate is a person or entity that performs a function that requires the creation, use, or disclosure of IIHI on behalf of or for a covered health care component, but is not considered part of the covered component’s workforce.
- A DHHS agency that performs a covered function or activity for another DHHS agency is called an Internal Business Associate.
- A business associate that is not part of DHHS (e.g., a state government agency outside of DHHS or a private vendor) is called an External Business Associate.

Slide 19: What Is Privacy? - Related Privacy Terms (cont’d)
- Authorization is a client’s permission for the use and disclosure of his/her health information for a specific purpose.
- Minimum Necessary means making reasonable efforts to limit the use of health information to only that needed to accomplish the intended purpose of the use, disclosure, or request.
- To Use IIHI means to share, employ, apply, utilize, examine, or analyze health information within the organization that maintains such information.
- To Disclose IIHI means to release, divulge, transfer, or provide access to health information to persons or organizations outside of the organization holding the information.

Slide 20: Why Is Privacy Important?
- Individuals will know that their sensitive health information will be protected from inappropriate disclosures.
- Individuals will be more open with health care providers concerning their health information.
- It is morally and ethically the right thing to do.
- It removes fear of discrimination based on health information.

Slide 21: Why Is Privacy Important? - Improper Use and Disclosure of IIHI Could:
- Impact your health care: A 13-year-old daughter of a hospital employee had access to a list of patient names and phone numbers when visiting her mother at work. As a joke, the girl called the patients and informed them that they had been diagnosed with HIV.
- Impact your personal life: A hospital clerk took the treatment records of three patients to a local bar where he discussed the records with others. The patients’ confidentiality was breached and they were awarded $2.3 million by a jury.
- Impact your professional life: A historically good employee was fired after his employer learned of the employee’s positive test for a genetic illness that could lead to lost work time and increased insurance costs.
- Impact your financial status: A banker who also served on his county’s health board cross-referenced his banking customers with patient information. He called due the mortgages of anyone suffering from cancer.

INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION (IIHI): What and Where

Slide 23: What Is IIHI?
Individually Identifiable Health Information (IIHI) is health information that contains specific elements or details by which a person (living or dead) can be identified.
IIHI can exist or be transmitted via:
- Paper
- Oral communication
- Electronic: information system applications; Internet, intranet, extranet, email, faxes; computer screens; storage devices (magnetic tapes, floppy disks, CDs, optical devices)

Slide 24: Examples of IIHI
Health information associated with any of the following individual identifiers for a client, or for a client’s relatives, employer, or other household members, is IIHI:
- Names
- Addresses (including zip code)
- Dates (birth and death dates, admission/discharge dates, etc.)
- Telephone and fax numbers
- E-mail addresses
- Social Security Number (SSN)
- Medical record number
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers, serial, and license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers (fingerprints, voice print, etc.)
- Full face photographic images or comparable images
- Any other identifying number, characteristic, or code

Slide 25: Where Is IIHI in This Agency?
IIHI could be found in the following locations:
Paper based:
- Medical Record Departments
- Nursing Stations
- Client Accounting Departments
- Admissions
- Utilization Review
- Risk Management
- Radiology
- Clinical Laboratory
- Outpatient Clinics
- Other areas where health information is routinely stored
Electronic media:
- Computer applications and systems
- Computer screens
- Local drives on computers (files, temp files, databases, etc.)
- Magnetic tapes, floppy diskettes, CDs, etc.
- Email
- Faxes

PRIVACY POLICIES AND PROCEDURES: DHHS Privacy Policies, Agency Privacy Procedures, Sanctions and Mitigation, Who to Contact

Slide 27: DHHS Privacy Policies
The DHHS HIPAA Oversight Committee is adopting Departmental Privacy Policies that comply with the HIPAA Privacy requirements.
- Policies are drafted by the DHHS HIPAA Office.
- Policies are reviewed and approved by DHHS Agency Privacy Officials, DHHS HIPAA Coordinators, and the HIPAA Attorney in the NC Office of the Attorney General.
- Policies are published online at http://dirm.state.nc.us/hipaa/hipaa2002/privacy/privacy.html#c5.

Slide 28: DHHS Privacy Policies
The DHHS Privacy Policies are:
- Privacy Protections
- Privacy Official
- Workforce
- Safeguards
- Privacy Complaints
- Business Associates
- Legal Occurrences
- Authorizations
- Use and Disclosure
- Accounting of Disclosures
- De-identification of PHI
- Minimum Necessary
- Research
- Marketing and Fundraising
- Notice of Privacy Practices
- Client Privacy Rights
- Personal Representatives
- Designated Record Sets

Slide 29: Policy - Privacy Protections
The DHHS Privacy Protections Policy requires DHHS:
- To develop privacy policies based on the HIPAA Privacy Rule as well as state and other federal laws.
- To determine which agencies must comply with each policy.
- Agencies within the scope of each DHHS Privacy Policy must develop agency-specific procedures to implement the departmental policy.

Slide 30: Policy - Privacy Official
The DHHS Privacy Official Policy requires HCCs and Internal Business Associates to appoint an Agency Privacy Official who is responsible for the following privacy activities:
- Serve as primary agency contact for privacy issues and concerns regarding the use and disclosure of health information and for client rights regarding health information.
- Serve as the agency liaison to the DHHS Privacy Officer for privacy-related activities.
- Coordinate, facilitate, and assist in agency efforts to develop and implement privacy compliance activities such as procedures development, training, and monitoring agency practices.
- Serve as contact for questions and complaints.

Slide 31: Policy - Workforce
The DHHS Workforce Policy requires all DHHS agencies that maintain IIHI:
- To provide privacy training to all staff (permanent employees, contractors, temps, volunteers, etc.).
- To obtain signed Confidentiality Agreements from all agency staff.
- To develop and issue appropriate sanctions if staff do not comply with agency privacy procedures and DHHS Privacy Policies.
- To not discriminate against, intimidate, threaten, coerce, or take any retaliatory action against staff who report questionable privacy activities.
- To properly identify staff, as appropriate to the agency.

Slide 32: Policy - Safeguards
The DHHS Safeguards Policy requires all DHHS agencies that maintain IIHI:
- To identify and develop appropriate safeguards that protect the IIHI maintained by the agency.
- To implement reasonable measures to safeguard IIHI from intentional or unintentional use or disclosure.
- To provide training to ensure staff are made aware of acceptable practices and procedures that safeguard information to which staff have access.
- To monitor and document any violations of the agency’s safeguard procedures.

Slide 33: Policy - Safeguards: How to Safeguard IIHI (Examples)
- Don’t discuss IIHI in public areas.
- Ensure unescorted visitors do not enter areas designated for staff use only.
- Position your computer monitor so that it cannot be viewed by someone walking past your work area.
- Keep your passwords private.
- Don’t store IIHI on personal computers.
- Log out of applications containing IIHI when you leave your computer.
- Lock all portable electronic media containing IIHI (tapes, floppy disks, CDs, etc.) in a locked room, filing cabinet, or drawer when not in use.
- Lock all paper IIHI in a room or filing cabinet when not in use.
- Don’t post paper containing IIHI in public areas such as hallways or conference rooms.
- Pick up all printed/faxed IIHI immediately.
- Dispose of paper-based IIHI by shredding or placing it in locked shred bins.

Slide 34: Policy - Privacy Complaints
The DHHS Privacy Complaints Policy requires all DHHS agencies that maintain IIHI:
- To designate a contact person to resolve complaints concerning agency privacy practices.
- To forward all documentation related to complaints to CARE-LINE. CARE-LINE, in the Office of Citizen’s Affairs, has been designated to receive/document all privacy complaints received by DHHS.
- Any complaint that cannot be resolved by the agency or CARE-LINE must be forwarded to the DHHS Privacy Officer (DHHS.Privacy.Officer@ncmail.net).

Slide 35: Policy - Privacy Complaints (cont’d) - CARE-LINE Contact Information
- Telephone, voice (English or Español): North Carolina only: 1-800-662-7030; Local and out of state: (919) 733-4261
- Dedicated Text Telephone (TTY) for hearing impaired: TTY local: (919) 733-4851; TTY toll-free: 1-877-452-2514
- FAX: (919) 715-8174
- E-mail: care.line@ncmail.net
- Postal address: 2012 Mail Service Center, Raleigh, NC 27699-2012

Slide 36: Policy - Business Associates
The DHHS Business Associate Policy requires HCCs and Internal Business Associates:
- To identify Business Associates: Internal Business Associates (other agencies within DHHS) and External Business Associates (non-DHHS NC State Government agencies and the private sector). Note: the Guidance for Identifying Business Associates and Business Associate Questionnaires tools can assist you with this task. These are available at http://dirm.state.nc.us/hipaa/hipaa2002/privacy/privacy.html#c3.
- To develop Business Associate Addenda, to be attached to DHHS contracts or Memoranda of Understanding, that identify privacy protection requirements for External Business Associates. The Business Associate MOU/Contract Addenda are available at http://dirm.state.nc.us/hipaa/hipaa2002/privacy/privacy.html#c5.

Slide 37: Policy - Legal Occurrences
The DHHS Legal Occurrences Policy identifies instances when IIHI MAY BE disclosed, according to legal requirements:
- Judicial and administrative proceedings: court order, subpoena, protective order
- Law enforcement purposes
- Required in NC Statutes
- Victims of crime
- Decedents
- Reporting crime in an emergency

Slide 38: Policy - Authorizations
The DHHS Authorizations Policy requires DHHS agencies that serve clients:
- To disclose IIHI only upon authorization by the client (or personal representative), unless state or federal law allows for specific exceptions.
- Authorizations obtained or received for disclosure of IIHI must contain all the elements in the DHHS Authorizations Form (available at http://dirm.state.nc.us/hipaa/hipaa2002/privacy/privacy.html#c5).
- Note that an authorization permits, but does not require, a DHHS agency to disclose IIHI.

Slide 39: Policy - Use and Disclosure
The DHHS Use and Disclosure Policy identifies the following permitted uses and disclosures of IIHI:
- With and without authorization
- For treatment purposes
- When included in psychotherapy notes
- When state or federal law is more stringent
- For oversight/exception to oversight purposes
- For decedents
- For public health activities
- When specified for specialized government functions
- Within/outside the agency
- To a client

Slide 40: Policy - Accounting of Disclosures
The DHHS Accounting of Disclosures Policy requires HCCs and Internal Business Associates:
- To document certain disclosures of IIHI.
- To provide the client, upon request, with an accounting of disclosures of the client’s IIHI made by the agency or a business associate of the agency.
- To maintain accountings of disclosures covering the six years prior to the request date.
- To develop a process for determining charges for providing the accounting of disclosures.

Slide 41: Policy - De-identification of PHI
The DHHS De-identification of Health Information and Limited Data Sets Policy requires HCCs and Internal Business Associates:
- To ensure staff are aware of the specific elements that are considered identifying elements.
- To evaluate appropriate IIHI for use or disclosure to determine if the individual identifiers should be eliminated (i.e., the data should be de-identified).
- To identify those instances when a Limited Data Set, which contains limited identifying elements, may be appropriate for use/disclosure.

Slide 42: Policy - De-identification of PHI (cont’d)
Limited Data Sets can contain the following identifiers for the client, or for the employer, relatives, or other household members of that client:
- State, county, city or town, zip code
- Birth date, admission date, discharge date, date of death
- Age
- A unique identifying number, characteristic, or code, exclusive of identifiers, that is not a Social Security Number, account number, medical record number, health plan beneficiary number, certificate/license number, vehicle identification number/serial number or license plate number, device identifier or serial number, IP address, or telephone number.
Data Use Agreements must be based on the DHHS Data Use Agreement template (available at http://dirm.state.nc.us/hipaa/hipaa2002/privacy/privacy.html#c5).
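Added example, not part of the DHHS slides or the DHHS tools: a deny-by-default filter that reduces a constructed client record to the fields the policy permits in a Limited Data Set, plus an audit check that none of the direct identifiers from the IIHI list survive. The field names and the sample values are assumptions.

```python
"""Limited Data Set filter illustrating the DHHS de-identification slides.

Added example, not a DHHS tool. Field names and sample values are constructed.
"""
from __future__ import annotations

from typing import Any

# Direct identifiers a Limited Data Set must NOT contain. Drawn from the
# slide's IIHI identifier list and the policy's list of excluded numbers.
# Field names are assumed; a real record layout would map its own columns.
DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "telephone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_beneficiary_number",
    "account_number", "certificate_license_number", "vehicle_identifier",
    "license_plate", "device_identifier", "url", "ip_address",
    "biometric_identifier", "full_face_photo",
})

# Identifiers the policy says a Limited Data Set MAY retain.
LDS_PERMITTED_IDENTIFIERS = frozenset({
    "state", "county", "city", "zip_code",
    "birth_date", "admission_date", "discharge_date", "date_of_death",
    "age",
    "study_code",  # a unique code that is none of the excluded number types
})

# Clinical content that is not itself an identifier (assumed field names).
HEALTH_DATA = frozenset({"diagnosis", "procedure_codes", "lab_results"})


def to_limited_data_set(record: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of ``record`` holding only LDS-permitted fields.

    Deny by default: a field is kept only if it is explicitly permitted, so a
    column the filter has never seen (e.g. "nickname") is dropped rather than
    silently passed through.
    """
    keep = LDS_PERMITTED_IDENTIFIERS | HEALTH_DATA
    return {field: value for field, value in record.items() if field in keep}


def direct_identifiers_present(record: dict[str, Any]) -> list[str]:
    """Audit helper: names of direct identifiers still in ``record``.

    An empty list means the record is free of the fields a Limited Data Set
    must exclude. Run it on the output before any disclosure under a
    Data Use Agreement.
    """
    return sorted(field for field in record if field in DIRECT_IDENTIFIERS)


def removed_fields(original: dict[str, Any], filtered: dict[str, Any]) -> list[str]:
    """Names of fields the filter removed, for the disclosure log."""
    return sorted(set(original) - set(filtered))


# Constructed sample record; every value is fictional.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "street_address": "100 Example Lane",
    "city": "Raleigh",
    "county": "Wake",
    "state": "NC",
    "zip_code": "27601",
    "telephone": "919-555-0100",
    "email": "jane@example.invalid",
    "ssn": "000-00-0000",
    "medical_record_number": "MRN-000001",
    "birth_date": "1970-01-01",
    "admission_date": "2003-03-01",
    "discharge_date": "2003-03-04",
    "age": 33,
    "study_code": "S-0001",
    "ip_address": "192.0.2.10",
    "nickname": "JJ",  # unknown column: dropped by the deny-by-default rule
    "diagnosis": "constructed diagnosis text",
    "lab_results": {"a1c": 6.1},
}


if __name__ == "__main__":
    lds = to_limited_data_set(SAMPLE_RECORD)
    print("Limited Data Set:", lds)
    print("Removed:", removed_fields(SAMPLE_RECORD, lds))
    print("Direct identifiers remaining:", direct_identifiers_present(lds))
```

The audit helper is deliberately separate from the filter so it can also be run against data received from a business associate before it is accepted as a Limited Data Set.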

Slide 43: Policy - Minimum Necessary
The DHHS Minimum Necessary Policy requires all DHHS agencies that maintain IIHI:
- To make reasonable efforts to limit IIHI to only that which is necessary to accomplish the intended purpose of the use, disclosure, or request for information.
- To evaluate current practices to limit inappropriate or unnecessary use or disclosure of IIHI by: determining what health information is the minimum necessary to accomplish each job/role in the agency; requesting modifications to existing computer applications to support user/role-based security (i.e., access controls) as needed.
- To ensure staff have access to only the health information required to perform their job duties.

Slide 44: Policy - Minimum Necessary (cont’d)
Minimum necessary does not apply to:
- Disclosures to or requests by a health care provider for treatment.
- Uses or disclosures made to a client to whom the information applies.
- Uses or disclosures authorized by the client (or the client’s personal representative).
- Disclosures to the Secretary of the United States Department of Health and Human Services for compliance enforcement.
- Uses or disclosures required by law.
- Uses or disclosures required for compliance with the HIPAA Privacy Rule.

Slide 45: Policy - Research
The DHHS Research Policy requires HCCs and Internal Business Associates:
- To disclose IIHI only after the client has signed an authorization for this type of disclosure.
- If research includes treatment, the researcher may condition the provision of the treatment on the receipt of written client authorization for use and disclosure of IIHI for such research.
- De-identified data must be used wherever possible. Similarly, use of a Limited Data Set must be considered as well.
- Use of Limited Data Sets requires a Data Use Agreement between the DHHS agency disclosing the data and the researcher.

Slide 46: Policy - Marketing and Fundraising
The DHHS Marketing and Fundraising Policy provides guidelines to HCCs and Internal Business Associates concerning these activities.
Marketing: making a communication about a product or service for the purpose of encouraging recipients of the communication to purchase or use the product or service.
What is not marketing:
- Communications about government-sponsored programs (Medicare, Medicaid, or NC Health Choice).
- Communications about health products/services provided by or covered by the HCC’s health plan.
- Case management and care coordination.

Slide 47: Policy - Marketing and Fundraising (cont’d)
A written authorization must be obtained from the client prior to:
- Disclosing IIHI to Business Associates or third parties for the marketing purposes of the party receiving the IIHI.
- Selling client/enrollee lists to a third party for the marketing purposes of the party buying the IIHI.
HCCs may use IIHI to market their own or third-party health products/services if the marketing:
- Discloses that the HCC is the source of the marketing.
- Discloses any payment/benefit received from the third party whose products/services are being marketed.
- Contains information on how to ‘opt out’ of receiving future marketing, unless the marketing is part of a general communication such as a newsletter.
HCCs can use Business Associates to send marketing for the HCC, provided that the Business Associate Agreement specifies that the IIHI will be used by the Business Associate only for the HCC communication.

POLICY: MARKETING AND FUNDRAISING
DHHS Marketing and Fundraising Policy (cont’d)
Fundraising
Solicitation for the purpose of raising funds to benefit an HCC or Internal Business Associate.
- HCCs must obtain a written authorization from a client prior to using the client’s health status as a basis for targeting that client for fundraising activities.
- HCCs may disclose the following IIHI without client authorization to Business Associates and institutionally related foundations for the purposes of fundraising on behalf of the HCC:
  - Demographic information
  - Dates health care was provided to the client
- Fundraising materials must contain information on how the recipient can ‘opt out’ of future fundraising communications.
- HCCs must make reasonable efforts to comply with opt-out requests.
Slide 48

POLICY: NOTICE OF PRIVACY PRACTICES
The DHHS Notice of Privacy Practices Policy Requires HCCs
- To develop an agency Notice of Privacy Practices using the DHHS Notice template (located at http://dirm.state.nc.us/hipaa/hipaa2002/privacy/privacy.html#c5) that describes the uses and disclosures of IIHI that may be made by the agency, and that notifies individuals of their rights and the agency’s legal duties with respect to IIHI.
- To provide the Notice to clients (except inmates) applying for or receiving agency services. Electronic Notices may be sent, as long as the individual receives a paper copy upon request.
- To provide the Notice to any individual upon request, even if the individual is not an agency client.
- To post the Notice in prominent locations where it will be viewed by clients and on public agency web sites.
Slide 49

POLICY: CLIENT PRIVACY RIGHTS
The DHHS Client Rights Policy Requires HCCs and Internal Business Associates That Serve Clients To Establish and Implement Procedures That Ensure the Following Rights of Clients
- Right to confidential communications of IIHI, including the right of the client to request alternative locations and methods for communications.
- Right to adequate notice of use and disclosure of IIHI.
- Right to obtain a paper Notice after receiving an electronic copy.
- Right to request access (inspect, copy) to IIHI within a Designated Record Set as defined by the HCC.
- Right to request amendment (changing, adding, deleting) of IIHI within a Designated Record Set as defined by the HCC.
- Right to request privacy restrictions for IIHI.
- Right to access a contact person concerning privacy complaints.
Slide 50

POLICY: PERSONAL REPRESENTATIVES
The DHHS Personal Representatives Policy Requires HCCs and Internal Business Associates
- To recognize individuals authorized by the courts or by state or federal law to act on behalf of DHHS clients regarding their IIHI.
Slide 51

POLICY: DESIGNATED RECORD SETS
The DHHS Designated Record Sets Policy Requires HCCs and Internal Business Associates
- To define the records to which DHHS clients can request access or amendment.
Designated Record Sets can include
- Client medical and billing records maintained by or for a covered health care provider
- Employee health records that are maintained separately from personnel records
- The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan
- Categories of records that are used, in whole or in part, to make decisions about clients
Records created by Business Associates must be considered when defining Designated Record Sets.
Slide 52

AGENCY PRIVACY PROCEDURES
Training on Individual Privacy Policies and Agency Privacy Procedures Will Be Provided As Necessary.
Slide 53

NON-COMPLIANCE WITH PRIVACY
What Should You Do If You Notice a Co-worker Not Following a DHHS Privacy Policy?
- Contact your Supervisor immediately!
- If your Supervisor is not available, contact your agency Privacy Official or the DHHS Privacy Officer.
Slide 54

PRIVACY IMPACTS TO APPLICATIONS/SYSTEMS
What To Do When You Receive a Request for a New System or System Enhancement

PRIVACY IMPACTS TO SYSTEMS
Privacy Requirements Also Impact How You Approach Requests for New Systems and System Enhancements.
The Requirements Definition Guide for Applications with IIHI (coming soon, to be posted at http://dirm.state.nc.us/hipaa/hipaa2002/toolsandtemplates/toolsandtemplates.html#pri) will assist you in identifying privacy impacts of enhancement/new system requests for systems containing IIHI.
Slide 56

PRIVACY IMPACTS TO SYSTEMS
The Requirements Definition Guide for Applications with IIHI Will Guide You Through the Following Steps
- Identifying requests for systems that contain IIHI.
- Identifying existing application-level privacy capabilities and related security features.
- Identifying network or infrastructure-level privacy features that provide application privacy protection.
- Identifying user requirements to be developed for user/role access standards.
- Identifying application screen views, files, and report outputs that contain IIHI and that will be accessed by users.
Slide 57

PRIVACY IMPACTS TO SYSTEMS
Requirements Definition Guide for Applications with IIHI Steps (cont’d)
- Performing a Gap Analysis of current/proposed privacy/security features against the HIPAA Privacy requirements.
- Based on the Gap Analysis results, identifying additional application-level privacy capabilities and related security features that will be needed to comply with the HIPAA Privacy requirements.
- Conducting a Risk Assessment by identifying risks, prioritizing them, and making a cost/benefit determination that will assist your business client in prioritizing HIPAA changes to the system/enhancement request.
Slide 58

QUESTIONS

QUESTIONS?
What Should You Do If You Have Questions Concerning Privacy or Agency Privacy Procedures?
- Consult the Agency Privacy Procedures.
- Consult the DHHS Privacy Policies, published at http://dirm.state.nc.us/hipaa/hipaa2002/privacy/privacy.html#c5
- Ask your Supervisor.
- Ask the Agency Privacy Official.
Slide 60

TEST YOUR PRIVACY KNOWLEDGE

PRIVACY TRAINING TEST
Please Print and Take the Attached Privacy Test.
Return Your Completed and Signed Test To Your Supervisor.
Your Test Results Will Be Maintained By the Agency Privacy Official.
Slide 62

CONFIDENTIALITY AGREEMENT
Please Print and Sign the Attached Confidentiality Agreement and Give It to Your Supervisor.
Your Signed Confidentiality Agreement Will Be Kept in Your Employee File.
Slide 63