SECURITY REGULATION STATUS - NC DHHS Office of Privacy …


HIPAA - PRIVACY/SECURITY
Presentation for FARO Conference
September 19, 2001
Presented By:
Sarah Brooks, MPA, RHIA
Marilyn Brothers, RHIA
NC DHHS - HIPAA PMO
9/19/01

PRIVACY REGULATION STATUS
• Compliance Date Unchanged
• Must Comply by April 14, 2003

SECURITY REGULATION STATUS
• FINAL RULE NOT PUBLISHED
• SPECULATION ABOUT FINAL SECURITY RULE
  – Substantial content changes are not anticipated
  – US DHHS is trying to more closely align Security Regulations with the final Privacy Regulations
  – Anticipated Date - UNKNOWN

PRIVACY AND SECURITY OFFICERS
• Required Under HIPAA
• Should report to upper level of management
• Agencies must determine whether full-time positions are needed, whether joint positions will serve, or whether responsibilities can be assigned to current staff

PRIVACY AND SECURITY OFFICERS (cont’d)
• Begin process for establishing these positions NOW
  – Provide leadership in the planning, design and evaluation of Privacy and Security Related Projects
  – Establish sense of ownership and responsibility as result of early involvement

PRIVACY OFFICER ROLES
• Leadership role for implementing Privacy Regulations
• Collaborative role for Security Implementation
• Education role for Privacy Awareness and Training
• Liaison with Area Program and Legal Authorities
• Consultant role to Contract Agencies
• Compliance role for state/federal requirements

PRIVACY OFFICER RESPONSIBILITIES
• Develop Privacy Program
  – Analyze Current Privacy Practices
  – Establish and Implement Privacy Policies and Procedures
  – Address Training Requirements
  – Implement Monitoring System for Agency Compliance and Business Associate Accountability
  – Handle Complaints
  – Establish Internal Privacy Audit Program
  – Maintain Privacy Program

SECURITY OFFICER ROLES AND RESPONSIBILITIES
• Responsible for initial and ongoing security awareness training
• Develop and implement security policies/procedures
• Focal point for security incidents
• Responsible for ensuring disaster recovery plans are adequate
• Ensure physical security of buildings
• Ensure final disposition of electronic data is properly handled

JOB DESCRIPTIONS
• NC DHHS PMO is developing drafts; availability unknown
• Refer to the following website of the NC Healthcare Information and Communications Alliance, Inc. (NCHICA):
  http://www.nchica.org/HIPAA/HIPAAjobs.html

QUESTIONS???

PMO DELIVERABLES
• EDI Assessment Tools
  http://dirm.state.nc.us/hipaa/newsite/focusgroup/edi/edi.html
• Information Flow Assessment Questionnaire, User Guide and Facilitator Training
  http://dirm.state.nc.us/hipaa/newsite/focusgroup/operation/IFA.html
• Privacy Toolkit (under development) - Assessment and Gap Analysis Tool
• Security Assessment (under development)

PMO DELIVERABLES (cont’d)
• Core Privacy Training (under development)
• Attorney General Opinions
• Frequently Asked Questions on DHHS Website
• HIPAA Awareness Presentations

NCHICA DELIVERABLES
• http://www.nchica.org/HIPAA/HIPAA_intro.html
  – Presentations
  – HIPAA EarlyView™ (Security available; Privacy under development)
• The following are under development:
  – Security Policy and Procedures Matrix
  – Security Training Modules - Core Level in test
  – Privacy Models (Notice, Consent, Authorization, Business Associate Agreement)

NCHICA DELIVERABLES (cont’d)
  – Minimum Necessary Decision Tree
  – Review of NC Statutes
  – HIPAA Privacy Checklists
• Relationship between NCHICA and DHHS Deliverables
  – DHHS Staff are working with NCHICA Focus Groups
  – DHHS PMO and Divisions will review and revise various deliverables to better meet DHHS needs
  – AG Office review when necessary

WHAT TO DO NOW?
• Determine if agency is a Covered Entity, Hybrid Entity, Business Associate and/or Trading Partner
  – Information Flow Assessment Questionnaire
  – EDI Assessment
  – Consultation with Agency Attorney

COVERED ENTITY
• Health Plan (provides or pays the cost of medical care - e.g., Medicaid, HMOs, BC/BS, Medicare, Champus).
• Health Care Clearinghouse (routes electronic data between payers & providers - e.g., billing services).
• Health Care Provider who transmits any health information in an electronic transaction (e.g., Hospitals, Physicians, Public Health Departments, Group Homes, Home Health).

HYBRID ENTITY
• Applies to Privacy Regulations only as they relate to Uses and Disclosures (164.504)
• Defined as “a single legal entity that is a covered entity and whose covered functions are not its primary functions.”
• Need to identify those health care components within the Hybrid Entity that perform covered functions and other components that would normally be a Business Associate

BUSINESS ASSOCIATES
• Definition: Person who performs a function or activity on behalf of a covered entity, involving the use and/or disclosure of PHI.
• Excludes person who is part of the Covered Entity’s workforce (e.g., Employees, Physicians with Staff Privileges)
• Excludes covered entities who disclose PHI to providers for treatment purposes

BUSINESS ASSOCIATES (cont’d)
• Must protect PHI and help Covered Entity comply with its obligations under the Privacy Rule
• DO NOT have to comply with HIPAA Privacy Rule requirements such as:
  – Appointment of Privacy Officer
  – Development of Policies and Procedures for use and disclosure of PHI

BUSINESS ASSOCIATES (cont’d)
• Are Covered Entities held liable for privacy violations of Business Associates?
  – Not required to actively monitor Business Associates
  – Contract must obligate Business Associate to advise Covered Entity when violations have occurred
  – If Covered Entity is aware of violations or breach of Business Associate obligations, Covered Entity must take ‘reasonable steps’ to cure the breach or end the violation

WHAT TO DO NOW?
• Thorough review of Privacy Regs
  – Establish internal workgroup
  – Involvement by Legal Counsel
  – Essential in order to complete Privacy Assessment/Gap Analysis
  – Slow Process
• Don’t make hasty/costly decisions
  – Reasonableness
  – Scalability

WHAT TO DO NOW?
• Review Privacy Guidance Documents from HHS
  – http://aspe.os.dhhs.gov/admnsimp/final/pvcguide1.htm
  – First in a series issued July 6, 2001
  – Explains and clarifies important provisions of the privacy regulations relative to the following areas:
    • Consent
    • Minimum Necessary
    • Oral Communications
    • Business Associate Contracts
    • Parents and Minors
    • Health-Related Communications and Marketing
    • Medical Research
    • Government Access to Health Information
    • Payment

WHAT TO DO NOW?
• Continuous Education and Review of HIPAA Information
  – Review potential changes to Privacy Regs
    • Phone-in Prescriptions
    • Referral Appointments
    • Allowable Communications
    • Minimum Necessary Scope
  – Monitor HIPAA Websites
    http://dirm.state.nc.us/hipaa/newsite/resource.html

WHAT TO DO NOW?
• Complete Information Flow Assessment and EDI Assessment
• Inventory EDI, Security, Privacy Policies and Procedures
  – Readily available when assessments are done
  – Identify policies and procedures that may need to be remediated
• Begin development of HIPAA Workplan

QUESTIONS??