Slide 1
PART FOUR
NC DHHS HIPAA PMO
Slide 2
Business Associates
Slide 3
Misconception

All contractors will become Business Associates.

Not true! In fact, probably very few contractors will become Business Associates.
Slide 4
Who Is a Business Associate?

A person who, on behalf of a covered health care component (but other than a workforce member), performs or assists in performing a function or activity, or provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services to or for the covered health care component, where that function or service involves the use or disclosure of protected health information (PHI).
Slide 5
Identifying a Business Associate

An individual or organization that performs a service, other than treatment…
– on behalf of a covered health care component
– that involves the use/disclosure of PHI
– and is other than a member of the workforce

Must meet all three of these required elements.
Slide 6
Member of Workforce

Workforce means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered health care component, is under the direct control of such entity, whether or not they are paid by the covered health care component.

Member of workforce test:
– Works on site of the covered health care component
– Works under the direction and control of the covered health care component

MUST FOLLOW POLICIES/PROCEDURES OF THE CHCC (covered health care component)
Slide 7
Example of Business Associate

Collection agency whose contract is to contact individuals with delinquent accounts in an effort to recoup payment for services.
– The collection agency is performing a service for a covered health care component.
– The collection agency has access to elements of protected health information in order to contact individuals.
– The collection agency is not part of the covered health care component's workforce.
Slide 8
Other Potential Business Associates

Private Attorneys

Risk Management Consultants

Transcription Vendors

QI Consultants

Auditing Firms

Record Copying Services

Joint Commission (JCAHO)

Architects
Slide 9
Covered Services under HIPAA

The Privacy Regulations are specific as to the services that typically require a Business Associate relationship.

The Regulations also provide a list of functions or activities that may require a Business Associate relationship.
Slide 10
Examples of Covered Services

Legal Services
– Attorney representing agency

Claims Processing

Claims Administration

Actuarial Services

Accounting Services

Consulting Services
– Professional Services
– Assessments
– Benefits Management

Data Aggregation
– Data Analysis
– Data Processing
Slide 11
More Examples of Covered Services

Management Services
– Utilization Review
– Central Office Supervision

Administrative Services
– Facility Management
– Purchasing

Accreditation Services
– JCAHO
– Council on Accreditation

Financial Services
– Re-pricing
– Rate Setting
Slide 12

Services That MAY Require a Business Associate Relationship

Treatment Services
– Services that involve more than just treatment, such as serving on a UR (utilization review) Committee, etc.

Banking Services
– Services that involve more than just the transfer of funds as compensation for health care

Courier Services
– HIPAA excludes courier or other postal services

Administrative Services
– Services that involve the use of PHI
Slide 13
What About Treatment?

The "treatment" exception does not require a Business Associate relationship when the service is strictly treatment only and no other administrative services are provided, such as performing utilization review.

This does not negate the DHHS requirement for a CONTRACT with a treatment service provider, and whenever in doubt, include HIPAA language.
Slide 14

More Services That MAY Require a Business Associate Relationship

Third-Party Cleaning Service
– Services provided under direct control of the CHCC that involve the use of PHI

Board Member
– Typically the board is not under direct control of the CHCC; services may or may not involve the use of PHI
Slide 15
Incidental Access to PHI

Incidental access to PHI is generally not grounds for a business associate relationship.

Incidental access may occur when a service provider performs a service in your facility and incidentally has access to PHI in the performance of those services.

Unless the use and disclosure of PHI is required in the performance of the service, it is considered incidental access.

Incidental access would need to be addressed in other ways, such as remediation of security policies and procedures regarding the accessibility of PHI.
Slide 16
What Does NOT Constitute a Business Associate Relationship?

A person who provides treatment services on behalf of the covered health care component.

A bank that provides financial transactions.

A courier or postal service that transports protected health information on behalf of the covered health care component.

Administrative services when protected health information is not used or disclosed.

A member of the covered health care component's WORKFORCE.
Slide 17
Business Associate Requirements

Must enter into an agreement with a covered health care component.

Must agree to not use or further disclose PHI other than as permitted or required in the agreement.

Must use appropriate safeguards to prevent unauthorized use or disclosure of PHI.

Must report any unauthorized use or disclosure of PHI to the covered health care component.

Must agree to provide client access to BA records at the request of the covered health care component.
Slide 18
What is Not Required of Business Associates?

A Business Associate is not directly subject to the HIPAA Regulations.

A Business Associate DOES NOT have to appoint a Privacy Officer.

A Business Associate does not have to develop and post a Notice of Information Practices.
Slide 19
"Satisfactory Assurance" = Agreement

A covered health care component may disclose protected health information to a Business Associate, and may allow a Business Associate to create or receive protected health information on its behalf, if the covered component obtains satisfactory assurance that the Business Associate will appropriately safeguard the information.

Satisfactory assurance that the Business Associate will protect client information is accomplished through a Business Associate Agreement (contract/MOU).
Slide 20
DHHS Standard Contracts

DHHS is responsible for revising its standard contract templates to include the appropriate HIPAA language.

Each covered health care component will have to customize the HIPAA language in each Business Associate Agreement to fit the specific requirements agreed upon during negotiations.
Slide 21
Requirements in Business Associate Agreements

Required uses and disclosures of PHI

Permissible uses and disclosures of PHI

Safeguards

Reporting of unauthorized use/disclosure

Use of subcontractors

Access to records

Record keeping requirements

Disposition of PHI

Grounds for termination
Slide 22
Liability for Business Associates

Covered health care components are not required to actively monitor their Business Associates. However,
– the contract must obligate the Business Associate to advise the covered health care component when violations have occurred; and
– if the covered health care component is aware of violations or breach of Business Associate obligations, the covered health care component must take 'reasonable steps' to assure such breach or violation will not continue to occur, or end the contract.
Slide 23
How Does This Affect DHHS?

DHHS is a hybrid entity that has covered health care components within some of its divisions.

Services are provided to these covered health care components by
– Other workgroups in the same division
– Workgroups in other DHHS divisions
– Workgroups in other NC Departments
– External contractors/vendors
Slide 24
Business Associate Categories

Division Business Associates – workgroups within the same division

DHHS Business Associates – workgroups from another DHHS division

State Government Business Associates – workgroups from another NC State Department

External Business Associates – private/public external contractor/vendor
Slide 25
Internal Business Associate Test

When making the determination whether or not a workgroup internal to the state system is a Business Associate, follow these steps:
– Identify workgroups that perform services on your behalf
– Determine if the service provided is covered under HIPAA
– Determine if PHI is exchanged
– Determine how PHI is used
– Determine how to "assure" PHI is safeguarded
Slide 26
External Business Associate Test

When making the determination whether or not an external contractor (private or public) is a Business Associate, follow these steps:
– Determine if the service provided is covered under HIPAA
– Determine if the service provider is part of your workforce
– Determine if PHI is exchanged
– Determine how PHI is used
– Determine the language to be included in the agreement to safeguard PHI
Slide 27
What Kind of Agreement is Needed?

Division Requirement for Assurance of Confidentiality
– Division Business Associate
– DHHS Business Associate

Memorandum of Understanding
– State Government Business Associate

DHHS Contract
– External public/private contractor/vendor
Slide 28
Business Associate Strategies

Identify current contractors who will become Business Associates

Negotiate with potential Business Associates

Develop back-up plan

Establish training materials

Develop action plans
Slide 29
Potential Problems with Business Associate Process

Not identifying all business associates

Inadequate contracts

Not allowing sufficient time to negotiate changes in contracts

Non-compliant contractor

Non-compliant sub-contractor
Slide 30
QUESTIONS?
Next: Administrative
Requirements
Slide 31
Administrative Requirements
Slide 32
Designated Persons

Covered health care components are required to:
– Designate a privacy official
• Responsible for development and implementation of policies and procedures
– Designate a contact person or office responsible for
• receiving complaints
• providing further information about matters covered in the Notice of Privacy Practices
– Personnel and offices selected to fill these 2 requirements must be documented
• in accordance with the Rule's documentation requirements
• as required in the Notice of Privacy Practices
Slide 33
Privacy Training

Covered health care components are required
– To provide privacy training to their workforce
• Component policies and procedures relevant to PHI
• Training necessary to carry out job functions
• ALL staff must be trained no later than 4/14/03
• Train NEW employees within a reasonable time after employment
• When changes in policies and procedures occur, train affected staff within a reasonable period of time
• Document training provided
– Component wide
– Individual (signed verification recommended)
Slide 34
Sanctions

Covered health care components are required to:
– Develop a system of sanctions for employees who violate the health care component's privacy policies
• Not applicable to
– Whistleblowers
– Workforce member crime victims
– Workforce member filing a complaint with OCR, testifying, assisting or participating in an investigation, compliance review or similar proceeding
• Document applied sanctions
Slide 35

Intimidating or Retaliatory Acts / Waiving Rights

Covered health care components are required to:
– Refrain from intimidating or retaliatory acts
• May not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against
– Clients for exercising their privacy rights, including filing complaints
– Clients or other persons for
» filing complaints with OCR
» testifying, assisting, or participating in an investigation, compliance review, proceeding or hearing
» opposing any act or practice made unlawful by the Rule
– Refrain from requiring clients to waive their privacy rights as a condition for treatment, payment, enrollment in a health plan, or eligibility for benefits
Slide 36
Safeguards

Covered health care components are required to:
– Have in place appropriate administrative, technical and physical safeguards
• Reasonably safeguard PHI from any intentional or unintentional use or disclosure
– The Security Regulations will work hand in hand with Privacy
– Until the Security Regulations are finalized, this safeguards standard is the only Privacy Rule requirement that relates to security
Slide 37
Mitigation

Covered health care components are required to:
– Mitigate, to the extent possible, any harmful effects of a violation of privacy policies and procedures or HIPAA privacy requirements by the covered health care component or its business associates

Mitigate: to make less severe or painful.
Slide 38
Policies and Procedures

Covered health care components are required to:
– Develop and implement policies and procedures with respect to PHI
• Flexible and scalable
• Change policies and procedures as necessary
– resulting from changes in laws/regulations
– if changes in policies/procedures impact the Notice of Privacy Practices, must make changes in the Notice
» state the changed practice
» make the revised notice available as required
– cannot implement a policy/procedure change prior to the effective date of the revised Notice
– document the revised policy/procedure
Slide 39
Policies and Procedures

Policy Matrix available at http://dirm.state.nc.us/hipaa/hipaa2002/toolsandtemplates/toolsandtemplates.html#pri1

POLICY CATEGORY: ADMINISTRATIVE REQUIREMENTS

Citation | Policy | Purpose
164.502 (a) through (j) | General Policy for adhering to HIPAA Regulations | To specify requirements; minimal disclosures; de-identification of PHI; Business Associates; deceased individuals; personal reps; confidentiality; notice; whistleblowers/crime victims
164.530 (a)(1)(i) | Designation of a Privacy Official | Responsibility for development and implementation of privacy policies and procedures for the covered entity
164.530 (a)(1)(ii) | Designation of a contact person | Responsibility for receiving complaints and for providing information about the Notice requirements
164.530 (b)(1) | Training of workforce members | To ensure that members of the workforce are trained to carry out their functions within the covered entity
164.530 (c)(1) | Establishment of administrative, technical and physical safeguards | To reasonably safeguard protected health information (PHI) from any intentional or unintentional use or disclosure
Slide 40
Documentation

Covered health care components are required to:
– Meet documentation requirements
• Maintain policies and procedures
• Any communication required by the Rule to be in writing (e.g., Consent, Authorization)
• Other actions, activities or designations required by the Rule
• Maintain documentation in written or electronic form
• Retain documentation for 6 years
– from the date of its creation, or
– the date when it was last in effect,
– whichever is later
Slide 41
Designated Record Sets

Covered health care components must identify their Designated Record Sets.

Document Designated Record Sets
– By Type (e.g., Medical Record; X-rays; HSIS; HEARTS)
– Content (e.g., Demographics; Assessments; Diagnosis)

Identify records that are not Designated Record Sets, for example:
– Incident Reports
– Psychotherapy or other working notes
– Copies of reports also maintained in medical records, not used or disclosed within or outside the component
– Utilization Review or Quality Improvement records
– Appointment or surgical schedules
– Dictation Tapes
Slide 42
Designated Record Sets

Include records maintained by Division Business Associates and DHHS Business Associates.

Include records maintained by State Government Business Associates or External Business Associates if they are maintained on behalf of the covered health care component
– e.g., Billing Records maintained by a private billing service
Slide 43
Designated Record Sets

Utilize the Business Information Flow Assessment
– Defines types of information maintained by various component work groups

Include record sets maintained in all types of media
– paper, oral, video, electronic, etc.
Slide 44
QUESTIONS?
Next: Compliance and
Enforcement
Slide 45
Compliance & Enforcement
Slide 46
Compliance

Required of all covered entities.

NC DHHS is responsible for ensuring compliance by covered health care components within DHHS, as a hybrid entity.

NC DHHS is NOT responsible for ensuring compliance by local agencies
– Not under the single legal entity of NC DHHS

With or without a complaint, the Secretary (of HHS) may conduct compliance reviews.
Slide 47
Office for Civil Rights (OCR)

OCR has been delegated the authority to enforce the Privacy Rule.

Technical assistance (TA): helping covered entities achieve compliance

Compliance reviews

Investigation & resolution of complaints
Slide 48
Complaints

Any person or organization who believes a covered entity is not complying with HIPAA requirements may file a complaint with the Covered Entity or OCR
– Must be filed in writing (on paper or electronically)
– Must name the entity that is the subject of the complaint
– Describe the acts or omissions believed to be in violation
– Only for possible violations occurring after the compliance date (4/14/03)
– Must be filed within 180 days of when the complainant knew or should have known that the violation occurred
• unless the time limit is waived for good cause

The Secretary may investigate a complaint
– Review of pertinent policies, procedures or practices
– Review of circumstances regarding alleged acts or omissions concerning compliance
Slide 49
Covered Entity Responsibilities

Provide Records and Compliance Reports

Cooperate with OCR during complaint investigations and compliance reviews

Permit Access to Information
– During normal business hours
– Access to pertinent facilities, books, records, accounts and other sources of information (including PHI)
– If any requested information is in the possession of another agency that fails or refuses to provide the information, must document efforts made to obtain the information
Slide 50
Enforcement

Enforcement Regulations not yet published.

DHHS to issue an Enforcement Requirement
– Applicable to covered health care components for all HIPAA regulations
– Address imposition of civil monetary penalties
– Address referral of criminal cases where a violation of the Privacy Rule has occurred
Slide 51
Civil Monetary Penalties

Penalties:
– Any person who violates a provision
– $100 per violation
– Capped at $25,000 for each calendar year for each requirement or prohibition that is violated

Exceptions:
– Person did not know, nor would have known with reasonable investigation
– Failure to comply due to reasonable cause and not willful neglect
Slide 52
Criminal Penalties
Wrongful Disclosures

Criminal Penalties: For knowingly violating patient privacy, the following federal criminal penalties apply:
– Up to $50,000 and 1 year in prison for obtaining or disclosing protected information
– Up to $100,000 and up to 5 years in prison for obtaining or disclosing protected information under false pretenses
– Up to $250,000 and up to 10 years in prison for obtaining or disclosing protected information with the intent to sell, transfer, or use it for commercial advantage, personal gain, or malicious harm
– Prosecuted by the Department of Justice
Slide 53
Whistleblower

A member of the workforce who discloses information about the covered health care component
– when they believe the component has engaged in unlawful conduct
– when they believe the component has violated professional standards
– when they believe care or service endangers one or more clients
– to a health oversight agency or public health authority

The covered health care component cannot apply sanctions against the "whistleblower".
Slide 54
For More Information

OCR privacy website:
http://www.hhs.gov/cor/hipaa

Toll-free telephone numbers
1-866-OCR-PRIV (1-866-627-7748)
1-866-788-4989 (TTY)

Administrative Simplification website
http://aspe.hhs.gov/admnsimp/
Slide 55
CLARIFICATIONS / MODIFICATIONS
Slide 56
We're Here To Help You!

In July 2001 the Office for Civil Rights published a guidance document that provides answers to general questions regarding the Privacy Regulations.

The guidance document addresses the following specific requirements:
– Consents
– Minimum Necessary
– Oral Communications
– Business Associates
– Parents and Minors
– Communications and Marketing
– Research
– Restrictions on Government Access to health info
– Payment
Slide 57
Quick Reference

The Guidance Document is a good quick reference guide when you are searching for guidance on specific requirements.
Slide 58
Identifying Things to Come

When the Privacy Rules became effective on April 14, 2001 the Secretary had one year in which modifications could be made to the regulations.

The Guidance document gave us a hint of changes that were being proposed:
– Phoned-in Prescriptions
– Referral Appointments
– Allowable Communications
– Minimum Necessary Scope
– Parents and Minors
Slide 59
It's Here!

On March 27, 2002 the NPRM (Notice of Proposed Rule-Making) was published. This publication reveals the proposed modifications to the Privacy Regulations. The following slides will point out those proposed modifications.
Slide 60
Consent

Current: Signed patient consent is required for use and disclosure of protected health information for treatment, payment and other health care operations.

Proposed: Removes the consent requirement and allows the covered health care component the option of obtaining consents.

Point of Interest: The NC Mental Health Law that requires authorization appears to be more stringent than HIPAA consent and will probably prevail.
Slide 61
Notice of Information Practices

Current: HIPAA is specific about the elements that must be included in the Notice of Privacy Practices to inform clients of how protected health information is handled in each covered health care component.

Proposed: The Notice has been strengthened and requires the covered health care component to make a good faith effort to obtain written acknowledgement of receipt of the Notice.

Point of Interest: This will be an additional administrative burden for covered health care components to administer and track.
Slide 62
Oral Communications

Current: Concern has been expressed about the liability for incidental disclosure when a confidential conversation about a client between professionals is overheard.

Proposed: Modified to make it clear that physicians (and other professionals) can discuss client treatment without the fear of violating the privacy regulations if incidentally overheard.

Point of Interest: This should ease the concern of professionals that this could be a breach of confidentiality.
Slide 63
Research

Current: The standard includes additional requirements for research authorizations that include treatment.

Proposed: A single set of requirements for all types of authorizations. This NPRM standardizes the authorization for all uses and disclosures.

Point of Interest: This simplifies the authorization provisions and consolidates the implementation specs into a single set of criteria.
Slide 64
Business Associates

Current: Business Associate agreements must be in place on April 14, 2003.

Proposed: Allows covered health care components to continue operating under existing contracts on April 14, 2003, but HIPAA requirements must be included in all contracts before or by April 14, 2004.

Point of Interest: Existing contracts that extend past the April 14, 2004 deadline must be amended by that date in order to be in compliance with HIPAA requirements.
Slide 65

Examples of Business Associate Agreements

Contract period 7-01-02 through 6-30-03 (one-year contract)
– On 4-14-03 this is an existing contract
• Does not have to be amended by April 14, 2003 to be HIPAA compliant

Contract period 7-01-02 through 6-30-05 (three-year contract)
– On 4-14-03 this is an existing contract
• Since the contract is effective past the April 14, 2004 compliance date, this contract will have to contain the HIPAA requirements or be amended to contain the HIPAA requirements by April 14, 2004

Contract period 7-01-03 through 6-30-04
– 4-14-03 is the privacy regulation compliance date
– New contract effective 7-01-03 must contain HIPAA requirements
Slide 66
Parents and Minors

Current: Restrictions placed on the disclosure of a child's medical record to parents.

Proposed: Clarifies that state law governs disclosures to parents or, in the absence of law, professional judgment.

Point of Interest: NC Law will prevail. Mental Health laws address parent involvement with a child's treatment in certain situations.
Slide 67
Accounting of Disclosures

Current: Accounting of Disclosures for everything except treatment, payment and other health care operations.

Proposed: Accounting of Disclosures not required when the individual has provided written authorization for the disclosure.

Point of Interest: This will require less documentation and less tracking of disclosures.
Slide 68
Disclosures for TPO of Another Organization

Current: Must obtain a separate authorization for specific disclosures.

Proposed: This will eliminate the need for different types of authorization forms.

Point of Interest: This change will relieve the burden of having multiple authorization forms.
Slide 69
Uses and Disclosure: FDA-Regulated Products

Current: Allows use and disclosure to track products to a person directed by the FDA.

Proposed: Language is revised to assure that the rule permits use and disclosure to nongovernmental entities subject to FDA jurisdiction.

Point of Interest: Broadens the scope of reporting.
Slide 70
Hybrid Entity

Current: The hybrid entity is somewhat limited in what can be considered a covered component.

Proposed: Provides the hybrid entity with additional discretion in designating covered health care components.

Point of Interest: This should not negatively affect the covered health care components identified by DHHS.
Slide 71
De-Identification

Proposed: Request for Comments on an alternate approach to de-identifying information.

HHS is seeking comments on establishing a limited data set that does not include directly identifiable information but in which certain identifiers remain.
– ANY IDEAS????
Slide 72
Other Modifications in NPRM

Marketing: Requires specific authorization before sending marketing materials.

Group Health Plans: Permits a group health plan to disclose enrollment and dis-enrollment information.

Sale of Business: Permits disclosure in certain circumstances for the sale of a covered entity's business.

Point of Interest: These modifications should not affect DHHS.
Slide 73
Other Technical Corrections/Clarifications

This proposal also includes a list of technical corrections and some additional clarifications related to various sections of the rule.

The review period for this proposal is 30 days.

Additional information about the proposed rule is available on the web at:
– http://www.hhs.gov/ocr/hipaa/
Slide 74
QUESTIONS?
Next: Implementation
Slide 75
Implementation
Slide 76

Covered Health Care Component Responsibilities

Identify business associates and enter into new contractual agreements or MOUs
– Currently in process

Appoint privacy official and contact office

Ensure policies and procedures are updated to reflect HIPAA requirements

Ensure all staff (including Division/DHHS Business Associates) are trained in HIPAA requirements

Ensure clients are aware of their rights

Monitor for compliance

Document (everything!)
Slide 77
HIPAA Privacy Officers
Roles and Responsibilities

Focal point for division/agency compliance with privacy regulations

Division liaison with DHHS

Analyze current division/agency practices relative to privacy requirements

Develop division/agency procedures based upon enterprise policies and/or templates
Slide 78
HIPAA Privacy Officers
Roles and Responsibilities

Implement division/agency privacy requirements

Responsible for initial and ongoing privacy training of division/agency staff

Monitor division/agency for compliance with privacy requirements

Initial division/agency contact for complaints regarding division/agency privacy practices

Work with DHHS HIPAA PMO in development of policies/templates
Slide 79
Policy and Procedure Development

Privacy Policy/Procedure Matrices

HELP WANTED: volunteers to work with DHHS HIPAA PMO in development of policies/templates
Slide 80
Privacy Compliance Process

Phases: Understanding HIPAA; Baselining the Organization; Planning Compliance Strategies; Remediating the Organization; Validating Compliance; Maintaining Compliance (2004 and beyond).

Timeline of activities (2001 through 2003, in order of start date):
– Legal review (Feb. 2001 - Apr. 2002)
– Covered entities determination (Jun. 2001 - Mar. 2002)
– Regulation review (Aug. 2001 - Dec. 2001)
– Assessment methodology and tools (Oct. 2001 - May 2002)
– Core training (Nov. 2001 - May 2002)
– Initial assessment (Dec. 2001 - Sep. 2002)
– Enterprise remediation (Apr. 2002 - Dec. 2002)
– Remediation guidelines (Apr. 2002 - Sep. 2002)
– Potential enterprise-level solutions (Apr. 2002 - Sep. 2002)
– Intermediate training (Jun. 2002 - Oct. 2002)
– Division remediation (Oct. 2002 - Apr. 2003)
– Self-validation (Oct. 2002 - Apr. 2003)
– Privacy officer training (Jan. 2003 - Apr. 2003)
– Maintaining compliance (2004 and beyond)
Slide 81
QUESTIONS?
Please Complete Evaluation
Mark Volunteer Column on Sign-In
Sheet if interested in working on
Policies and Procedures