Transcript Document

HIPAA -- A Primer for State Corrections CIOs

Scott McPherson

Chief Information Officer, Florida Department of Corrections

What HIPAA is NOT….

OK, smart guy, I know what HIPAA isn't. What is HIPAA?

HIPAA is:

• The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Signed into law August 21, 1996
• Administrative Simplification Subtitle
• Congress gave itself until 1999 to enact the legislation
• Failing that, they gave HHS the ability to promulgate rules
• That happened August 26, 1999, when Congress failed to enact privacy rules

HIPAA standards apply to covered entities:

• Health plans
• Health care clearinghouses
• Health care providers that conduct designated transactions electronically
• AND those who conduct business for them (Business Associates)

March 2002

• HIPAA's reach is more encompassing than anyone in the states thought it would be when the U.S. Congress passed the law in 1996.
• The only ones excused are those who do not transfer any information electronically.
• HIPAA applies to every health care provider, health plan or clearinghouse — in short, nearly anyone who bills or pays for a health service.

In effect, that means that HIPAA covers just about any public program or private company dealing with health records.

"There's a tendency for those not really involved with HIPAA to look at it as a technology problem, as something like Y2K where you can just fix a database," says W. Holt Anderson, executive director of the North Carolina Healthcare Information and Communications Alliance, known as NCHICA. "But technology is only 25 percent of the challenge. The rest is changing policies, cultures and business practices. HIPAA is a major shift in the way we do health care."

Who is a Covered Entity?

• "A health care provider who transmits any health information in electronic form in connection with a transaction."
  – Providers get a choice, made by conducting electronic transactions (or getting a business associate to).
• "A health care clearinghouse."
  – Clearinghouses get no choice.
• "A health plan."
  – Explicitly including government plans such as Medicaid & Medicare, VA, DoD, CHAMPUS, IHS, etc.
  – Exceptions for some not primarily "health" plans, e.g., workers comp, property & casualty.

When Washington State did an analysis of which departments would fall under HIPAA, it found that, in addition to corrections and schools, the Department of Labor and Industries was involved. Although workers' compensation programs are specifically excluded from HIPAA, the department has other programs that aren't, such as a program on occupational safety and health and one that provides benefits to victims of crimes.

On the government side, HIPAA clearly affects public hospitals, insurance programs for state and local employees and Medicaid. Less obviously, HIPAA extends to many agencies that one wouldn't intuitively put in the health care column. Corrections departments, for instance, can fall under HIPAA, depending on who runs prison health services and how. Education systems are likely to be HIPAA impacted since most schools deal with student health records, and should they so much as fax a student's vaccination record, that would be an electronic transfer of health information.

Covered Entities Required To:

• Use HIPAA standards for designated transactions no later than the appropriate compliance date via:
  – internal systems changes
  – clearinghouse
  – compliant business associate
• Use appropriate code sets in transactions

3 Parts to Administrative Simplification (45 CFR Subtitle A, Subchapter C)

• PART 160 – General Administrative Requirements
  – Scope, common definitions, enforcement.
• PART 162 – Administrative Requirements
  – Transaction, code set, [and identifier] standards.
• PART 164 – Security and Privacy
  – Privacy [and security] rules.

Business Associates – Outsourced Medical Services?

• Transactions Rule: 45 C.F.R. 162.923(c) requires a "business associate" of a covered entity to comply with all applicable requirements
• Privacy Rule: 164.502(e) and 164.504(e) contain the parallel provision for privacy requirements

HIPAA timeline

• 21 August 1996: HIPAA enacted
• August 2000: Final Rule: EDI
• December 2000: Final Rule: Privacy
• December 2001: Congress delays EDI implementation one year
• No later than 3Q02: Anticipated Final Rule: Security
• April 2003: Mandatory compliance: Privacy
• October 2003: Mandatory compliance: EDI
• No later than 4Q04: Effective mandatory compliance (Security)

Annotation spanning the timeline: "Elections, Lobbying, Assessments, and Legislation?"

Copyright © 2001

So why should I care about HIPAA?

After all, I’m not a health care provider like other agencies are…

HIPAA and State Law Compliance: the Problem of the Lack of Federal Preemption

Clark Stanton Davis Wright Tremaine LLP

www.ehealthlaw.com

Preemption

Preemption is the name we give to the theory under which the law at one level (federal, or even state) eliminates or controls the power of government at other levels (state and/or local) to regulate or pass laws in a particular area of activity.

Why Do We Care?

• Currently, each state has a complex array of laws that affect the privacy of medical information.
  – Medical record confidentiality laws
  – Public health reporting laws
  – Special topics: mental health; HIV; genetic information
  – Litigation-related laws: physician-patient privilege; notice for subpoenas
  – State constitutional privacy

Why Do We Care?

• Each state law concerning medical confidentiality has been crafted to provide privacy protections considered important to the people of that state.
  – California HIV confidentiality law prevents disclosure of HIV test results and even the identity of persons tested for HIV
  – California consumer notice law requires a person seeking to subpoena medical information to give notice to the subject of the records prior to serving the subpoena on a third party

HIPAA Preemption

• Express
• Conflict based
  – Contrary
  – More stringent
• Exceptions
• Quirks
  – More stringent state law undercut by "back door" provisions that bring HIPAA back in

Privacy

When Can You Report?

• National security exception
• Avert serious threats to health or public safety
• Law enforcement rules generally

National Security Exception

• Section 512(k)(2)
• May disclose PHI "to authorized federal officials for the conduct of lawful intelligence, counter-intelligence, and other national security activities"
• Those activities are as defined in law -- what you expect as "intelligence"

Averting Serious Threats

• Section 512(j) permits voluntary disclosure by a covered entity
• Must be "consistent with applicable law and standards of ethical conduct"

Averting Serious Threats

• Option 1, can disclose where the disclosure:
  – "Is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public"; and
  – "Is to a person or persons reasonably able to prevent or lessen the threat"

Averting Serious Threats

• Option 2, disclosure OK where it:
  – "Is necessary for law enforcement authorities to identify or apprehend an individual"
  – "Because of a statement by an individual admitting participation in a violent crime that the covered entity reasonably believes may have caused serious physical harm to the victim"
  – That is, confessions to violent crimes

General Law Enforcement

• Sec. 512(f) generally requires "in response to law enforcement official's request"
• Covered entity can't volunteer the information, except where required by a reporting law or requested by law enforcement

General Law Enforcement

• Court order, grand jury subpoena, administrative subpoena for full file
• To locate or identify a suspect, fugitive, material witness, or missing person:
  – Name, SSN, limited other information

Greater Focus on Security

• Less tolerance for hackers and other unauthorized use
• Cyber-security and the need to protect critical infrastructures
• Back-up needed in case of cyber-attack, attack on payments system, electricity grid, telephone system, or other systems you need

Security and Privacy

• Good data handling practices become more important -- good security protects PHI against unauthorized use
• Audit trails and accounting become more obviously desirable -- helps some HIPAA compliance
• Part of the system upgrade for security will be the system upgrade for other requirements, such as HIPAA privacy

Employee Data

• New exclusion from the definition of PHI for
  – "Employment records held by a covered entity in its role as employer."
  – Limiting language in preamble.
  – But the regulatory text is very broad -- those records are entirely outside of the rule.

Hybrid entities

• Current law:
  – If "primarily" a covered entity, then all your operations are covered.
• Proposal:
  – Covered entity defines components that are covered
• Example:
  – If no standard transactions, could a hospital web site be outside the rule? Sell all data?

Thanks to: Professor Peter Swire, Ohio State University College of Law, Director, D.C. program; Consultant, Morrison & Foerster, with focus on medical privacy
Phone: (301) 213-9587
Email: [email protected]
Web: www.osu.edu/units/law/swire.htm

EDI (Electronic Data Interchange)

Transaction and Code Sets Standards

• Final Regulation published in August 2000
• Original compliance date: October 16, 2002
• Many sectors of health care requested additional time to build, test, and successfully implement the standards

Congress’ Response

• Administrative Simplification Compliance Act or ASCA (P.L. 107-105)
• Allows covered entities to request a one-year extension for transactions and code sets compliance
• Does not affect other HIPAA standards, e.g., privacy

ASCA Provisions

• Covered entities may receive a one-year extension (to 10/16/03)
• If they submit a compliance extension plan by 10/15/2002
• NCVHS will study a sample of plans to identify compliance barriers -- publish solutions

Compliance Extension Plan

• Per ASCA, the plan must include a summary of:
  – schedule for HIPAA implementation
  – work plan and budget
  – implementation strategy
  – planned use of vendors
  – time frame for testing (begin NLT 4/03)

How to Submit a Plan

• Electronically
  – at www.cms.hhs.gov/hipaa
  – strongly suggested
  – will receive confirmation number
• Via paper
  – model form or other format

Who Should Submit a Plan

• Covered entity that does not expect to be compliant by 10/16/02
  – Note: providers not conducting electronic transactions are not covered entities
• Exception:
  – Small plans already have until 10/03 and cannot receive an extension

Medicaid

• Developed a HIPAA compliance "road map" for States
  – CD-based tool
  – Provides gap analysis, resources
• Facilitating cooperative working relationships among States to identify issues

Conclusions

• Extension provides opportunity for higher quality, lower risk
• Don't rush to submit a plan
• Establish a reasonable plan and stick to it
• Begin external testing as early as possible
• Use resources/information available through CMS, industry groups, associations and other partners

Covered Entity To Do List

• Submit compliance plan if extension desired
• Work with IT staff and vendors
• Contact your business associates and trading partners
• Join WEDI/SNIP efforts
• Support SDOs
• Use the delay time to reach compliance

Security

Security Requirements

• Covered Entities shall maintain reasonable and appropriate administrative, technical, and physical safeguards:
  – to ensure integrity and confidentiality
  – to protect against reasonably anticipated
    • unauthorized uses or disclosures
    • threats or hazards to security or integrity
  – taking into account
    • technical capabilities
    • costs, training, value of audit trails
    • needs of small and rural providers

Security Issues

• Covers transmitted data plus data at rest.
• Involves policies/procedures & contracts with business associates.
  – For most security technology to work, behavioral safeguards must also be established and enforced.
    • Requires administration commitment and responsibility.
• Electronic signatures:
  – Final rule will depend on industry progress on reaching consensus on a standard.

Enforcement Philosophy

• Pre-emption of state law wherever feasible.
  – Not politically possible for privacy.
• Enforcement by investigating complaints.
  – Not a HIPAA police force -- OCR, not OIG.
• "The Secretary will, to the extent practicable, seek the cooperation of covered entities in obtaining compliance"
• The philosophy is to improve the health care system by helping entities comply, not by punishing unintentional mistakes.

Excuses from civil penalties (from law)

• NONCOMPLIANCE NOT DISCOVERED
  – The person did not know, and by exercising reasonable diligence would not have known.
• FAILURES DUE TO REASONABLE CAUSE
  – The failure was due to reasonable cause and not to willful neglect; and
  – The failure is corrected within 30 days (which may be extended as determined appropriate by the Secretary based on the nature and extent of the failure to comply); or
  – The failure was because the person was unable to comply.
• REDUCTION
  – If the failure is due to reasonable cause, any penalty may be waived …

Remediation, testing, implementation

‘You Take the High Road; I’m Busy Fighting the Alligators’

• The high road: finally, a corporate data model
  – HIPAA standards provide a rare opportunity to standardize data elements and codes
  – Consolidate duplicate systems
  – The adoption of Internet technologies
  – Straight-through processing and reduced latency
• The low road: wrap, map and hack
  – Minimize the renovation of transaction systems
  – Eliminate impacts on downstream systems
  – Ostensibly required by HIPAA deadlines

Remediation Approaches

[Diagram: three remediation approaches. Replace: a new system. Renovate, "Wrap and Map": the 837 and 835 transactions pass through a Mapper to the legacy NSF format. Renovate, "Wrap, Map and Hack": the 837 and 835 transactions pass through a Mapper to NSF, with additional hacks on the legacy side.]

A Framework Approach to HIPAA Readiness

Phase 1: Current Design - Functional Decomposition

"Framing Your Organization's Environment"

Sample functional areas and examples:
• Processes: Membership and Enrollment; Claims Administration; Contract Management; Administration; Financial; Scheduling
• Locations: Hospital; Outpatient Clinic; Off-site storage; Headquarters; Remote Sales office; Data Center
• IT Environment: Wireless; WAN; LAN; Dial-up; Web Servers; Workstations; Facilities; Databases
• Applications: Laboratory; Radiology; Pharmacy; Order Entry; Nurse Management; Financial; Enrollment; Billing & A/R; Provider Management; Sales Management
• Strategic Initiatives: Integrating the Healthcare Enterprise (IHE); Electronic Medical Records; Web-Enabling Clinical Applications; Electronic Data Interchange (EDI); Customer Relationship Management (CRM)

Phase 2: Requirements Interpretation – Develop Requirements Categories

"Logical Means of Grouping the Criteria to Measure Progress"

Categories and descriptions:
• Policies and Standards: Policies include senior management's directives to create a computer security function, establish goals for the function, and assign responsibilities for the function. Standards include specific security rules for particular information systems and practices.
• Procedures: Procedures include the activities and tasks that dictate how the policies or supporting standards will be implemented in the organization's environment.
• Tools / Infrastructure: Tools or infrastructure include the elements that are necessary to support implementation of the requirements within the organization, such as process, organizational structure, network and system related controls, and logging and monitoring devices.
• Operational: Operational includes all the activities and supporting processes associated with maintaining the solution or system and ensuring it is running as intended. Typically, an owner is assigned to manage the execution of the activities and supporting processes. Examples of activities and supporting processes include maintenance, configuration management, technical documentation, backups, software support and user support.

Phase 3: Gap Assessment – Determine Gaps

"Avoid the Road to Abilene by Getting Organizational Alignment"

Current State + HIPAA → Gap Analysis
• Use the HIPAA Security Criteria (Phase 2) to assess the organization's current state
• Determine gaps between the current state and the requirements

Phase 4: Execution - Establish PMO

"HIPAA Readiness is NOT an IT Project"

[Organization chart: HIPAA PMO Manager, with Security HIPAA Project Manager, Privacy HIPAA Project Manager, TCI HIPAA Project Manager, and Other PMO Staff]

• Establish priorities
• Manage both organization and internal HIPAA dependencies
• Resolve project issues

Final HIPAA Rules To Come

• Employer Identifier
• Security
• National Provider Identifier
• Electronic Signature
• Privacy modifications

This concludes the presentation.

Time for questions and comments.