HIPAA in DPH. HIPAA in the Division of Public Health. February 19, 2003. Division of Public Health


Transcription:

HIPAA in the Division of Public Health
February 19, 2003

Handouts
- HIPAA Definitions
- AG Advisory Opinion - Definition of Health Plan
- DPH Coverage Determination Memorandum
- AG Advisory Opinion - Applicability of HIPAA to DPH Functions (public health and health oversight exceptions)
- DPH Programs and Functions Legal Reference (Draft)

Public Law 104-191: Health Insurance Portability and Accountability Act of 1996
What are the HIPAA Regulations?
- Electronic Transactions and Code Sets
  - Standardizes the data content and format of 10 financial or administrative transactions related to health care (e.g., claims, payments)
  - Standardizes medical codes (no local codes, e.g. Y codes)
  - Compliance deadline: October 16, 2003
- Privacy of Individually Identifiable Health Information (IIHI)
  - Regulates uses and disclosures of individually identifiable health information
  - Provides patient rights with respect to their health information
  - Establishes requirements to assure privacy of patient IIHI
  - Compliance deadline: April 14, 2003

What are the HIPAA Regulations?
- Proposed Standards for Security and Electronic Signatures
  - Security Standards Final Rule published in Federal Register Feb. 20, 2003. Compliance deadline: 2 years after Final Rule (2005)
  - Electronic Signature Standards Final Rule - projected availability TBD
- Proposed Standards for Identifiers
  - National Employer Identifier (Final Rule published - no impact)
  - National Provider Identifier (Final Rule projected early 2003)
  - National Health Plan Identifier (Proposed rule projected early 2003)
  - National Identifier for Individuals - on hold indefinitely
  - Compliance deadline: 2 years after final rules (2005)

Who is covered by HIPAA - Covered Entities?
- Health plans
  - Provides or pays for the cost of health care services
  - Includes Medicaid, Medicare, HealthChoice, Veterans Health Program, Military Health Plan, Indian Health Service, others
  - Excludes almost all other government-funded programs
  - DPH Programs are not considered health plans (e.g., Ryan White, Sickle Cell Program, Cancer Control Program, etc.) - See Handout - AG Opinion on Health Plan
- Health care providers who conduct any of the HIPAA-regulated transactions electronically
  - DPH Program Participants, such as local health departments, State Lab, and public and private health care providers, are covered entities if they electronically process any of the 10 transactions.
- Health care clearinghouses - not applicable to DPH

Who is covered in DHHS?
- DHHS is a hybrid entity: its primary purpose is not to provide health care, but it has components that perform covered functions (health plan, health care provider services).
- The areas within DHHS that perform HIPAA covered functions are called covered health care components. Health care components must comply with HIPAA fully.
- Business Associates of Health Care Components - A business associate performs functions specified by HIPAA on behalf of a covered entity (or health care component) that involve access to or exchange of IIHI.
  - Examples are claims processing or billing, accounting, consulting, legal, data analysis, data processing, quality assurance, utilization review.
- Within DHHS, DPH performs functions on behalf of covered health care components. DPH may also perform functions on behalf of external covered entities.
- Covered entities must gain formal assurances from their associates that they will provide privacy protection for health information. Business associates by extension must comply with HIPAA privacy regulations.

Health Care Components in the Division of Public Health
- State Laboratory of Public Health (Indirect Treatment Provider)
- Development Evaluation Centers - 13 state owned and operated (Provider)
Business Associates in the Division of Public Health
- Administrative, Local, and Community Support Section
  - IT (Lab and DECs)
  - HSIS Business Liaison (local health depts, Lab, DECs)
  - Local Technical Assistance and Training (local health depts)
  - Medicaid Reimbursement and Liaison (DMA)
- State Center for Health Statistics (DMA)
- Children and Youth Branch - Specialized Services Unit - Children's Special Health Services (DMA)
See Handouts: Memorandum - HIPAA Internal Business Associates; Table - DPH HIPAA Coverage

What are the Transaction and Code Set impacts on DPH?
- Health Services Information System (HSIS) provides billing service for local health departments, Lab, DECs and submits claims electronically to Medicaid
  - Direct impact on State Lab, DECs, and HSIS and local support section (as owner of HSIS)
  - DIRM is remediating with DPH business oversight and participation
- Indirect potential impact on POMCS for data content for DME Medicaid claims
- DPH programs and supporting applications must adopt the new standard codes
  - HSIS local code conversion
  - No other direct DPH impacts identified, except Y code used by POMCS for DME

Privacy Regulation - Key Concepts
- The Privacy Regulation establishes a federal floor of safeguards to protect the confidentiality of health information
- Applies to Protected Health Information (PHI), which is:
  - Individually identifiable health information
  - Transmitted or maintained in any form or medium (electronic, written, oral)
- IIHI is any information, including demographic information collected from an individual, that:
  a) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
  b) Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and that
     (i) Identifies the individual, or
     (ii) With respect to which there is a reasonable basis to believe that the information can be used to identify the individual

Privacy Regulation - Key Concepts
- Sets boundaries on the use and disclosure of health records
- Establishes appropriate safeguards health care providers and others must achieve to protect privacy of client information
- Holds health care providers accountable with civil and criminal penalties if they violate an individual's privacy rights
- Ensures that each covered health care component protects the health information it maintains
- Ensures that an individual's health information is not used inappropriately
- Ensures that the minimum amount of information is used or disclosed whenever possible
  - Does not apply to treatment
  - Limits the amount of information to be used or disclosed to what is minimally necessary to accomplish the intended purpose

Privacy Regulation - Key Concepts
- Requires identification of members of the workforce who need access to IIHI and the types (categories) of information to which access is needed
- Requires training of all staff members
- Requires appropriate administrative, technical, and physical safeguards to protect health information
- Requires new policies and procedures to address privacy protections and an individual's access rights

Privacy Regulation - Key Concepts
- Establishes new rights for individuals regarding access to their personal health information
- Ensures individuals have more control over when and how their personal health information is used
Individual Rights
- Right to be informed about protections on and use of their health information through a notice of privacy practices
- Right to inspect, copy, and review their record
- Right to request amendments to their record
- Right to request restrictions on use and disclosure of health information
- Right to request reasonable personal communications
- Right to an accounting of disclosures of their health information
- Right to file a complaint against a covered entity

What is DHHS doing for privacy compliance?
- Developed HIPAA compliance plan, methodologies, and tools
- Assessed department-wide HIPAA impacts
- Determined HIPAA coverage
- Appointed DHHS Privacy Official
- Coordinating and overseeing department compliance efforts
- Developing DHHS privacy policies
- Providing continued privacy guidance and templates for agency implementation
Extension of DHHS Privacy Policies
- DHHS privacy policies will apply to all areas that create, maintain, or receive individually identifiable health information during their regular course of business.
- This extends privacy protections beyond HIPAA covered health care components and business associates.
- Areas within an agency that has IIHI will follow applicable privacy policies and procedures.

What are the Privacy impacts on DPH?
- Ensure DPH compliance with department privacy policies
- Develop procedures, based on DHHS department privacy policies, to ensure the protection of individually identifiable health information within DPH
- Implement DPH privacy requirements by incorporating new operational privacy practices into existing business practices
- Implement appropriate and reasonable safeguards to protect individually identifiable health information
- Define minimum necessary requirements
- Develop and provide applicable privacy training to staff
- Provide a designated DPH contact for privacy complaints and assure that all complaints are appropriately documented
- Monitor DPH agency compliance with DHHS department privacy policies
- Assure appropriate use and disclosure of individually identifiable health information and appropriate client accessibility to health information
- Implement HSIS program area access controls (DIRM and DPH system administrator)

What are the Privacy impacts on DPH? (see handout)
Appoint Agency Privacy Official
- Agency Privacy Officials guide agency activities required to comply with DHHS department policies regarding the use and disclosure of individually identifiable health information, in accordance with state and federal laws and best business practices.
Responsibilities:
- Serve as primary agency contact for privacy issues and concerns regarding the use and disclosure of health information and for appropriate client accessibility to health information
- Serve as the agency liaison to the DHHS Privacy Officer for privacy-related activities
- Coordinate and facilitate efforts to support the agency in the accomplishment of its privacy compliance activities

What are the impacts on DPH?
- There is a risk that health care providers may resist providing individually identifiable health information to DPH, citing HIPAA as the reason to withhold
Public Health Exemption
- Understand the public health exemption provisions of HIPAA (see handout - AG Opinion Applicability of HIPAA to DPH Functions)
- HIPAA permits disclosures without authorization for health information required by law
- HIPAA permits disclosures without authorization to public health authorities for public health activities and purposes
- HIPAA permits disclosures without authorization to a health oversight agency for oversight activities
- HIPAA does not require public health disclosures

HIPAA's Public Health Exemption Provisions
Public Law 104-191 (Health Insurance Portability and Accountability Act or HIPAA) carved out a specific provision to avoid impeding certain public health laws:
Public Health. --Nothing in this part shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of disease or injury, child abuse, birth, or death, public health surveillance, or public health investigation or intervention. (P.L. 104-191, Sec. 1178(b)).
45 CFR Part 160, § 160.203 General rule and exceptions.
A standard, requirement, or implementation specification adopted under this subchapter that is contrary to a provision of State law preempts the provision of State law. This general rule applies, except if one or more of the following conditions is met:
(c) The provision of State law, including State procedures established under such law, as applicable, provides for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention.

HIPAA's Public Health Exemption Provisions
45 CFR Part 162, § 164.512 Uses and disclosures for which consent, an authorization, or opportunity to agree or object is not required.
(b) Standard: uses and disclosures for public health activities.
(1) Permitted disclosures. A covered entity may disclose protected health information for the public health activities and purposes described in this paragraph to:
(i) A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions;

HIPAA's Public Health Exemption Provisions
45 CFR Part 162, § 164.512 Uses and disclosures for which consent, an authorization, or opportunity to agree or object is not required.
(d) Standard: uses and disclosures for health oversight activities.
(1) Permitted disclosures. A covered entity may disclose protected health information to a health oversight agency for oversight activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other activities necessary for appropriate oversight of:
(i) The health care system;
(ii) Government benefit programs for which health information is relevant to beneficiary eligibility;
(iii) Entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards; or
(iv) Entities subject to civil rights laws for which health information is necessary for determining compliance.

What are the impacts on DPH?
Public Health Exemption Guidelines
- Be knowledgeable about your program's/function's legal basis for collecting individually identifiable health information (see handout - Table DPH Programs/Functions using IIHI)
- Restrict requests for health information to that required by law or to that which is minimally necessary to accomplish the purpose
- Remember that public health data is still protected and its use is for public health purposes
- Other protections besides HIPAA govern health information
  - Federal Laws
  - NC General Statutes
  - NC Administrative Codes
  - Professional Standards

Privacy Steps to Compliance (now to April 14, 2003):
- HIPAA-related requests from outside DPH
  - Status of DHHS, DPH, or program area HIPAA coverage
  - Request to sign their business associate agreement
- Do not respond directly
- Do not sign
- Contact DPH Privacy Official/Implementation Support

Privacy Steps to Compliance (now to April 14, 2003):
HIPAA is not going away
- Sets new privacy standard and public expectation for privacy protections and rights to access health information
- Civil and criminal penalties for non-compliance
- Additional regulations forthcoming
- Changes to standards expected
- Expanded use of electronic transactions
- Congressional pressure to tighten privacy protections (e.g., consents, marketing)

Useful Links:
- HIPAA Regulations (federal site): http://aspe.os.dhhs.gov/admnsimp/
- Office of Civil Rights (privacy): http://www.hhs.gov/ocr/hipaa
- CDC HIPAA Information: http://www.cdc.gov/nip/registry/pcs.htm
- DHHS HIPAA Office: http://dirm.state.nc.us/hipaa/
- NC Public Health Law: http://www.ncleg.net/gascripts/statutes/statutestoc.pl?0130a
- NC Administrative Rules (Title 15A): http://ncrules.state.nc.us/ncadministrativ_/title15aenviron_/default.htm
- Local Health Departments: http://sph.unc.edu/hipaa

Contacts
- larry.forrister@ncmail.net (919) 715-6758
- bob.martin@ncmail.net (919) 715-3340

Questions and Answers