HIPAA & Public Schools New Federalism in a New Century The Challenges of Administering HIPAA in Public Schools ASTHO/NGA Center Joint Audioconference September 23, 2003 Presented by Robert J. Burns NGA Center for Best Practices

© 2003 National Governors Association 2 What Is HIPPA? Health Insurance Portability and Accountability Act of 1996 –Health insurance access (portability, renewal) –Privacy, security –Administrative simplification Patient protections, marketplace standards –Federal floor –Preserves stronger state protections (“New Federalism”)

© 2003 National Governors Association 3 What Does HIPAA Do? Privacy – Authorized disclosures – Conditions necessary – Individual rights Governs the proper handling of, access to individually identifiable health information (any medium) Security – Administrative – Physical – Technical Prescribes minimum safeguards to prevent unauthorized access to electronic patient health information Administrative Simplification – Electronic data interchange – Standard transactions – Code sets, identifiers Establishes the standard format that must be used to enable the free exchange of electronic health information

© 2003 National Governors Association 4 Critical Issues for Schools Covered entity status – Privacy – Security – Administrative Simplification – Health plan? – Health care provider? – Information clearinghouse? Information handled – Privacy – Security – Protected health information? – Education records? – Transfers? Transactions performed – Administrative Simplification – Electronic billing?

© 2003 National Governors Association 5 Covered Entities (Public Law , 110 Stat. 2021) Individual or group health plans (or programs) that provide health benefits directly, through insurance, or otherwise Health care providers (or suppliers) who furnish, bill, or are paid for health care in the normal course of business (and transmits certain health information electronically) Information clearinghouses that process or facilitate the processing of electronic health information into a standard format)

© 2003 National Governors Association 6 Are Schools ‘Covered Entities?’ Schools can be covered entities –Service delivery, payment arrangement(-s) Providers (direct employees, vendors, billing) Health plan (Medicaid, SCHIP, high-risk pools) –Health plan excludes other government-funded programs whose principal purpose is: Direct provision of health care Making of grants to fund direct provision of health care Other than providing (or paying the cost of) health care Source: 45 CFR

© 2003 National Governors Association 7 Information Handled (Privacy and Security Only) Protected health information (PHI) –Related to an individual’s health (or care) –May be used to identify the individual –If not PHI, then not subject to HIPAA (Privacy, Security only) PHI excludes certain education records –FERPA, IDEA supercede HIPAA –Hinges on federal funding Source: U.S. Department of Health and Human Services, “Standards for Privacy of Individually Identifiable Health Information,” [Preamble] Federal Register 65, no. 250 (December 28, 2000):

© 2003 National Governors Association 8 Education Records Education records governed by FERPA –Files, documents, other materials –Maintained by educational agency, institution –Contain information directly related to student –Student is <18 years old Other FERPA-defined education records –Files, documents, other materials –Made, maintained by provider for student’s treatment –Available only to student, provider –Student is >18, attending postsecondary institution Source: U.S. Department of Health and Human Services, “Standards for Privacy of Individually Identifiable Health Information: Final Rule,” [45 CFR § ] Federal Register 65, no. 250 (December 28, 2000):

© 2003 National Governors Association 9 Transactions Performed (Administrative Simplification Rules Only) Standard Transactions –Certain administrative, financial exchanges (8) –Applies to all health-related info, not just PHI –Transmitted, maintained electronically –If not standard transaction, then not subject to HIPAA (Administrative Simplification rules only) School must comply if a covered entity (and billing electronically) –If not billing electronically, then not bound to use standard data elements, code sets

© 2003 National Governors Association 10 Potential Pitfalls Does school collect PHI from covered entities? –If so…can school reasonably assure PHI will be used in a HIPAA-compliant manner? Business associate, trading partner agreements Changes to policies, procedures Will health plan(-s) still accept nonstandard paper, electronic claims? –If not…will school have the capacity to conduct standard transactions? Technology upgrades, clearinghouse solutions

© 2003 National Governors Association 11 Summary Schools can be covered entities Education records not governed by HIPAA Data standards not required unless performing standard transactions May still need to partially comply –Reasonable assurances (Privacy, Security) –Electronic billing (Administrative Simplification)

© 2003 National Governors Association 12 NGA Center for Best Practices ( Robert J. Burns Policy Analyst Health Policy Studies Division National Governors Association Center for Best Practices Hall of States, Suite North Capitol Street, NW Washington, DC (202) fax: (202)