August 19, 2016 Presented by Laurel E. Baum, RN, Esq.


1 CNYCC Friday Webinar Data Sharing Within the PPS Applying HIPAA and NY Law
August 19, 2016 Presented by Laurel E. Baum, RN, Esq. Corporate Compliance Officer/General Counsel

2 Welcome and Agenda
Sharing Protected Health Information (“PHI”) within the PPS (between Partners and CNYCC) in furtherance of DSRIP under: HIPAA; New York Law. Disclaimer: While CNYCC cannot render legal advice/opinion to our partners, we can share our position on data sharing.

3 A Few HIPAA Definitions (short form)
Covered Entity: A health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a HIPAA transaction. (Many PPS Partners fit the definition of CE)
Business Associate*: A person or entity who, on behalf of the CE, creates, receives, maintains, or transmits PHI while performing certain functions or activities for the CE. BAs may include, for example, a CE’s attorney, consultant, accountant, etc., depending on whether the CE’s PHI is involved. (CNYCC is a BA of NYSDOH/Medicaid, and of our Partner Organizations who are CEs).
*Note, the subcontractor of a BA is also a BA under HIPAA if it is using/disclosing PHI. (See 45 CFR )

4 More HIPAA Definitions
PHI: Individually identifiable health information transmitted in any form (excludes some health information such as employee health information, FERPA-covered records, and records for a person deceased greater than 50 years). T-P-O: Treatment, Payment, Healthcare Operations. (See 45 CFR ; 45 CFR )

5 Use and Disclosure of PHI Under HIPAA- relevant to our discussion
Under HIPAA: CE may use and disclose an individual’s PHI for purposes of TPO without the individual’s authorization- really important concept. Keep the above in mind when we compare HIPAA to NY law in this regard. (See 45 CFR ; and )

6 CE Sharing PHI with its BA under HIPAA
HIPAA permits a CE to provide PHI to its BA (who is providing services on behalf of the CE) provided there is a HIPAA compliant Business Associate Agreement (BAA) between them. Note: A BA is not permitted to use or disclose PHI in a manner that would not be permitted if done by the CE. Thus, for example, the BA may only request the “Minimum Necessary” PHI from the CE which is reasonably necessary to accomplish the given purpose. (See 45 CFR (a)(3); and (e))

7 Sharing PHI within the PPS based on HIPAA
Based on HIPAA (we still need to consider NY law) – may a provider/partner share its PHI with CNYCC? Partner organization with a HIPAA compliant BAA with CNYCC (AKA, the Partner’s BA) is permitted to share PHI with CNYCC for purposes of the Partner’s participation in DSRIP implementation, including project activities. Note: CNYCC has a bidirectional BAA with every contracted Partner Organization with whom it exchanges, or will be exchanging, PHI. Moreover, in furtherance of the DSRIP Project, CNYCC would be authorized to provide the Partner’s PHI with a Subcontractor BA, provided there is a HIPAA compliant BAA between CNYCC and the Sub. But what about NY law?

8 Sharing PHI for DSRIP Purposes Under NY Law
Although HIPAA allows for a CE to use and disclose PHI for TPO w/o an individual’s authorization, NY law requires some level of consent- be it written, oral or implied. However, (even in the absence of patient consent) NY’s consent requirement does not necessarily prevent a health care provider from sharing health information with a person or entity under contract with the provider to perform a service for such provider, where the PHI is needed in the performance of the services.

9 Common Examples
Health care providers in NY routinely disclose PHI, without patient consent, to: third-party coding, billing and compliance auditing companies; medical record storage companies; accreditation agencies; and attorneys [plus attorneys sometimes engage “downstream” experts such as in the case of a billing audit via a subcontract]. Please keep the above scenarios in mind when we discuss the concept of an “agency” relationship later in the presentation.

10 DOH Guidance on Privacy and Data Sharing Within DSRIP
The Guidance describes 4 scenarios:
1. PHI from state Medicaid sources (demographic, rosters, claims/encounter data- Medicaid Confidential Data or MCD); DOH via DEAA/BAA to the PPS Lead (then potentially from PPS Lead to Partners), unless the patient “Opts Out”. The Opt Out letter is included with these materials. The sharing of MCD (meaning MCD that CNYCC receives from DOH) between PPS partners is a future topic of discussion.
2. PHI generated within the PPS (our focus for today)
3. PHI generated by MCO; and
4. PHI managed in a Qualified Entity (analytic service provider or HIE)

11 DOH Guidance on PHI Generated Within the PPS
Although DOH will not provide a binding legal opinion on the methodology used by any PPS to share data, it did describe 2 potential data sharing scenarios for consideration: Scenario # 1 Possible reliance on an Organized Health Care Arrangement under HIPAA (still vetting the application of reliance on an OHCA); and

12 DOH’s second suggested methodology for exchange within PPS:
Scenario # 2 (my favorite, so far) is via the use of BAAs. DOH states in part: “The PPS Lead is a HIPAA business associate of the PPS Partner. The PPS Lead is, on behalf of the PPS Partner, creating, receiving, maintaining or transmitting clinical data for a function or activity regulated by HIPAA. [citation omitted] The disclosure is for treatment and/or payment and/or health care operations, because the disclosure is, among other things, for delivery system reform incentive payments and quality management. Thus, the PPS Partner is disclosing clinical data to the PPS Lead the same way that the PPS Partner, as a QE Participant, shares information with the QE (the QE is the business associate of the QE Participant). The BAA in this scenario needs to clearly allow for the direction of data flow, whether it is one direction only or both directions (upstream and downstream/“bidirectional”).
Note: Please refer to DOH’s Guidance Document (which is included in these materials) for more detail.

13 Legal Principle of Agency Under NY Law applied to Sharing PHI within the PPS
Here is our NYS “consent” issue described by DOH in a December 2015 Report*: “Physician-patient confidentiality is a basic tenet of medical ethics. In New York, the following is professional misconduct for a physician: ‘Revealing of personally identifiable facts, data, or information obtained in a professional capacity without the prior consent of the patient, except as authorized or required by law.’ HIPAA [does] not preempt state laws that prohibit health care providers from disclosing patient information to third parties without patient consent, including disclosures to other health care providers for the purpose of treatment of the patient.” * See: NYS DOH Health Information Technology Workgroup Final Report (the “Report”), found at

14 But DOH goes on to state in its Report:
“Even though health care providers may not disclose patient information to third parties without a patient’s consent, under the legal principle of agency, health care providers may allow members of their workforce and contractors to create, receive, maintain, and transmit patient information on their behalf without patient consent. Thus, health care providers do not need patient consent to enter into [QE] participation agreements that allow QEs to facilitate the electronic exchange of patient information, for the same reason that health care providers do not need patient consent to place paper medical records in the hands of the FedEx courier.” [Emphasis added]

15 DOH further comments in its Report the following:
“The Department believes that this principle* was taken for granted prior to the implementation of HIPAA, since health care providers have always used contractors, from the sole practitioner who uses a medical transcriber to the large general hospital that uses a warehouse to archive medical records. This principle is made explicit in HIPAA, which allows disclosures to a ‘business associate’ for ‘health care operations’ without patient consent, and in 42 CFR Part 2, which allows disclosures to a ‘qualified service organization.’” *i.e., the principle of agency.

16 Example of Data Sharing within the PPS- Project 2.d.i
Let’s walk through the use of PHI:
PAM Screenings: Patient agrees to screening and sharing of PHI; also bidirectional BAAs are in place.
CG-CAHPS Surveys: Involves disclosure of patient rosters by Partner to CNYCC, and CNYCC to its Subcontractor (who interviews the patients): BAAs are in place. The interviewer states that he/she is calling on behalf of the patient’s named provider.

17 Use and Disclosure of PHI for DSRIP is a Hot Topic
CNYCC is currently participating in statewide discussions with many of the other PPSs regarding use and disclosure of PHI for purposes of DSRIP; This is an evolving subject matter and CNYCC will keep our Partners updated! Any Questions? Thanks for your time!

18 Compliance Hotline Any concerns or questions about the CNYCC Compliance Program feel free to contact me at , or via at Or via our Compliance Hotline: Or online compliance reporting via:

