Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna 412-396-4419.

1 Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna 412-396-4419

2 The Law. HIPAA: Health Insurance Portability & Accountability Act. HITECH: Health Information Technology Economic & Clinical Health Act.

3 HIPAA is Eleven Parts. And what were you doing on July 30, 2004?

4 Six Parts Are Set: 1. T & C; 2. Privacy; 3. Standard Unique Identifier for Employers; 4. Security; 5. Standard Unique HC Provider Identifier (NPI); 6. Enforcement Rule.

5 HIPAA Information. HIPAA covers: Oral; Written (and beyond the medical record); Electronic [key: can the individual be identified]. You will hear the term PHI - patient health information.

6 Keep in Mind: Minimum Necessary [45CFR164.502(b)(1)]; Emergency Situation [45CFR164.510(3)]; Incidental Disclosure [45CFR164.502(a)(1)(iii)].

7 Are You HIPAA or Not? YES NO

8 Covered Entity Status. Health Plan: individual or group plan that provides or pays the cost of medical care. Healthcare Clearinghouse: public or private entity that performs functions such as billing, repricing, community health management or information systems.

9 Covered Entity Status. Healthcare Provider: transmits any health information in electronic form in connection with a transaction covered by HIPAA.

10 Sample HIPAA Transactions: Health care claims or equivalent encounter information; Health care payment and remittance advice; Coordination of benefits; Health care claims status.

11 Who Do You Treat? Students (and how are they defined, i.e., LOA); Non-Students. For organizations under FERPA, student records are under FERPA (loophole) even with transactions, but non-student records are under HIPAA, so you are a covered entity. But the most strict law generally takes precedence.

12 You Are HIPAA If… You are one or more of the three covered entities; You conduct one or more of the eleven transactions; You treat non-students.

13 College Assessment. Also look at these areas: Student, Faculty, and Employee Training: Nursing, Pharmacy, Allied Health, Music Therapy, Business (I.T.).

14 College Assessment: Health Services & Related Clinics; Institutional Review Board, research; Human Resources; Athletics; Vendors as business associates.

15 Hybrid Entity: A single legal entity whose business activities include both covered and non-covered functions (i.e., education & healthcare provider or health plan).

16 Creating a Culture of HIPAA. Are the policies and procedures set? Are they enforced or do they "sit on the shelf"?

17 Compliance Officer Role: Privacy Officer [45CFR164.530(a)(1)(i)]; Security Officer [45CFR164.308(a)(2)]. The Federal Government mandates that covered entities have both a privacy officer and a security officer. If the same person holds both roles, the title is generally Compliance Officer.

18 1. HIPAA Committee: Representatives from records, information technology, student services and management.

19 2. Policies & Procedures: For the six HIPAA Rules to date, develop policies from the law, not secondary sources. Do not take from the Internet.

20 3. Training & Awareness: Live or on-line; Staff meeting awareness; Integrate awareness into daily activities.

21 4. Documentation: Establish a system, on-site or off-site. Documentation must be retained for six years.

22 5. Risk Assessments & Audits: Quarterly; Authentication: most likely passwords; Data integrity checks; Act on the findings.

23 6. Complaint Process: Ombudsman for confidentiality; Post the process to file complaints; Complaints are only to be HIPAA related; Act on the complaints.

24 7. Sanction Process: Sanction only for the HIPAA violation; Internal investigation or OCR; Civil and criminal penalties per Enforcement Rule & HITECH; Follow-up on the sanction and charge.

25 8. Web Site: If the covered entity has a web site, the Notice of Health Information Privacy Practices must be prominently displayed on the web site. Keep the web site updated.

26 9. Formage: Develop forms from the laws. May or may not be able to use forms from other covered entities (i.e., addressable Security Rule policies). Educate staff on the formage.

27 10. Business Associate Agreements: Assess all those external to the workforce who have access to the covered entity’s PHI. Both the Privacy Rule and the Security Rule mandate BAAs.

28 11. Research: Play an integral role with the covered entity’s Institutional Review Board. Ensure minimum necessary standards for data used in research.

29 Determination of HIPAA Research Status. Does the research involve the collection, use, or dissemination of PHI? Is the PHI from a healthcare provider, clearinghouse, or healthcare plan? Does the healthcare provider, clearinghouse, or healthcare plan perform one of the eleven covered electronic transactions? If yes to these, then HIPAA.

30 Privacy Rule: Notice & Notice Verification; Internet Notice; Amend Records; Authorization; Accounting; Information Destruction; Business Associate Agreements.

31 The Notice: Tells the rights of the organization and the rights of the patient. Document that is considered the guideline.

32 Security Rule: Technical Security; Administrative Security; Physical Security; Disaster Manual; Access Controls; Log-in Audit Warning; Termination of Access.

33 Faculty & Staff Access: Have access to the minimum necessary information to accomplish the intended purpose of the request, given their role. Must have an established need to know prior to requesting the information. Ex.: how long absent, but not the condition, as it would not change the situation.

34 Advising Faculty, Staff, & Students: Is the condition directly academically related, such as ADHD? But must always request only what is minimum necessary. Have the student submit and talk only on what is minimum necessary. Ex.: operating room reports, procedure notes, consultation reports, prescriptions. Confirm whom the student allows one to talk to.

35 Summary: Follow the Law. Keep it simple. Thank you.
