Unit HIPAA Coordinators Briefing. J. T. Ash University of Hawaii System HIPAA Compliance Officer

Transcription

1 Unit HIPAA Coordinators Briefing J. T. Ash University of Hawaii System HIPAA Compliance Officer

2 Overview This coordinator s briefing provides a high- level overview of the role and responsibilihes of a covered component s Unit HIPAA Coordinator. More informahon will be forthcoming as the UH HIPAA Policy is implemented and refined. UH DraK Interim HIPAA Policy: hmp:// Status of UH HIPAA Policy: circulated for union consultahon; tentahve implementahon date 5/30/17

3 HHS HIPAA Information InformaHon about HIPAA from the U.S. Department of Health and Human Services: hmps:// professionals/index.html Unofficial version from HHS combining all HIPAA regulatory standards in one document (115 pages): hmps:// simplificahon pdf

4

5 h"ps:// professionals/faq/authoriza8ons

6 What is HIPAA? Health Insurance Portability & Accountability Act ImplementaHon RegulaHons: 45 Code of Federal RegulaHons ( CFR ) Parts 160, 162 and 164 Federal RegulaHons violators may be subject to large financial fines Up to $50,000 per HIPAA provision that is violated 2013: Oregon Health & Science University (Portland): $2.7M 2014: New York- Presbyterian Hospital and Columbia University (New York City): $4.8M hmps:// professionals/ compliance- enforcement/agreements/

7 Civil Money Penalties (CMP)

8 Essential Definitions Individually IdenHfiable Health InformaHon (IIHI): Includes demographic informahon that reasonably idenhfies an individual Created or received by a health care provider/clearinghouse/plan Relates to physical or mental health of an individual past, present, or future Involves past, present, or future payment for the provision of health care to an individual UH Data ClassificaHon Categories defines IIHI as regulated Protected Health InformaHon (PHI) All of the above but EXCLUDES: IIHI in educahon records covered by FERPA IIHI in employment records in the unit s role as an EMPLOYER UH Covered Component: UH units that are required to comply with HIPAA because the unit performs a Covered FuncHon as a Health Care Component or signed a Business Associate Agreement

9 UH Covered Component Covered Component: A health plan, health care clearinghouse, or a health care provider who transmit any health informahon in electronic form Covered FuncHon: The performance of funchons that make an enhty a health plan, health care provider, or health care clearinghouse Health Care Component: Unit that funchons as a Health Care Provider under HIPAA such as doctors, clinics, denhsts, psychologists, pharmacies, etc. hmps:// professionals/covered- enhhes/ index.html?language=es

10 UH Covered Component Requirements Must be listed as a Covered Component as part of the UH HIPAA policy: hmp:// Must idenhfy a Unit HIPAA Coordinator Unit HIPAA Coordinator must be listed as part of UH HIPAA policy ALL of the unit s workforce MUST complete HIPAA training (note: training can be the Unit s own specialized training) Unit must complete a Risk Assessment Unit must provide and post a NoHce of Privacy PracHces Must have current, signed Business Associate Agreement and Data Use Agreement with a non- covered en8ty if sharing PHI or a limited data set

11 Unit HIPAA Coordinators Roles & Responsibilities Performing the role of liaison and maintain ongoing communicahon with the UH System HIPAA Privacy and Security Officer(s); Developing and maintaining procedures consistent with this HIPAA Policy for protechon of PHI and ephi in the University Unit, which is considered a UH Covered Component; Maintaining and updahng, as needed, procedures consistent with the policy for protechon of PHI and ephi in the University Unit;

12 Unit HIPAA Coordinators Roles & Responsibilities - 2 Informing employees, volunteers, students, and as needed, consultants and others, about this HIPAA Policy and all University policies and procedures relahng to HIPAA through various methods including but not limited to staff meehngs, in person meehngs, seminars, orientahon meehngs and phone or web based meehngs; Monitoring the process of idenhfying and training new employees, volunteers and students within the University Unit who require access to PHI;

13 Unit HIPAA Coordinators Roles & Responsibilities - 3 Monitoring compliance with the policies and procedures of the University Unit relahng to HIPAA; ReporHng directly to the UH System HIPAA Privacy and Security Officer(s), any and all violahons that result in an impermissible use or disclosure of PHI, and report to the UH System HIPAA Privacy and Security Officer(s), violahons that result in an impermissible use or disclosure of ephi;

14 Unit HIPAA Coordinators Roles & Responsibilities - 4 ReporHng directly to the UH System HIPAA Privacy and Security Officer(s), any and all privacy violahons under HIPAA; ReporHng directly to the UH System HIPAA Privacy and Security Officer(s), any and all security violahons under HIPAA; Ensuring conhnued compliance with HIPAA, this HIPAA Policy, and all University policies and procedures relahng to HIPAA; Reviewing all BAAs, Data Use and Data Sharing Agreements prior to execuhon by the Project Principal InvesHgator or Program Lead.

15 HIPAA Privacy Rule The Rule requires appropriate safeguards to protect the privacy of personal health informahon, and sets limits and condihons on the uses and disclosures that may be made of such informahon without pahent authorizahon. The Rule also gives pahents rights over their health informahon, including rights to examine and obtain a copy of their health records, and to request correchons. hmps:// professionals/privacy/ index.html 45 CFR Part 160 and Subparts A and E of Part 164.

16 HIPAA Security Rule The Security Rule requires appropriate administrahve, physical and technical safeguards to ensure the confidenhality, integrity, and security of electronic protected health informahon. hmps:// professionals/security/ guidance/index.html 45 CFR Part 160 and Subparts A and C of Part 164. Safeguards: AdministraHve Physical Technical

17 Privacy Considerations IdenHfying PHI ProtecHng PHI Minimum Necessary Rule Access to PHI Disclosures Privacy NoHce

18 Examples of PHI Names; Address; Birth Dates; Telephone numbers; Social security numbers; Medical record numbers; Health plan beneficiary numbers; Treatment records; Account numbers; CerHficate/license numbers; Device idenhfiers and serial numbers; Biometric idenhfiers, including finger and voice prints; Full face photographic images and any comparable images; and Any other unique idenhfying number, characterishc or code.

19 Protecting PHI Minimum Necessary Rule: To make reasonable efforts to limit the use or disclosure of, and requests for, PHI to the least amount of PHI necessary to accomplish the intended purpose of the use or disclosure. Access to PHI: Implement policies and procedures to ensure only appropriate members of the workforce have access to PHI Implement policies and procedures for authorized access to PHI Ensure policies and procedures account for both electronic and non- electronic PHI

20 Disclosures The release, transfer, provision of access to, or divulging in any other manner of PHI outside of the enhty holding and/or maintaining the informahon. Many different types of disclosures (over 16 in UH HIPAA policy) IF YOU ARE NOT SURE, DO NOT DISCLOSE ANY INFORMATION!

21 Privacy Notice Must provide and post a NoHce of Privacy PracHces as required by HIPAA Required Elements of a Privacy NoHce: The nohce must contain the following statement as a header or otherwise prominently displayed: THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. Uses and disclosures; Separate statements for certain uses or disclosures; Individual rights; UH Covered Compnent s duhes; Complaints; Contact; and EffecHve date. Must document compliance with the nohce requirements, by retaining copies of the nohces issued by the UH Covered Component and, if applicable, any wrimen acknowledgements of receipt of the nohce or documentahon of good faith efforts to obtain such wrimen acknowledgement.

22 Authorization & Consent AuthorizaHon Form / Release Form (required): The purpose of a HIPAA authorizahon form is to allow another organizahon or individual to have access to a pahent's medical records, health informahon and medical history. The pahent must voluntarily sign the form to grant access to outside organizahons. An authorizahon is a detailed document that gives covered enhhes permission to use protected health informahon for specified purposes, which are generally other than treatment, payment, or health care operahons, or to disclose protected health informahon to a third party specified by the individual. Consent (voluntary): The Privacy Rule permits, but does not require, a covered enhty voluntarily to obtain pahent consent for uses and disclosures of protected health informahon for treatment, payment, and health care operahons.

23 Mandatory Security Requirements Ensure the confidenhality, integrity, and availability of all its PHI; Protect against any reasonably anhcipated threats or hazards to the security or integrity of the PHI, including ephi; Protect against any reasonably anhcipated uses or disclosures of PHI that are not permimed or required; Ensure compliance by its workforce.

24 HIPAA Security Rules AdministraHve Safeguards Physical Safeguards Technical Safeguards

25 Administrative Safeguards Implement policies and procedures to prevent, detect, contain and correct security violahons. This includes: risk analysis, risk management, sanchon policy, and informahon system achvity review. IdenHfy the security official who is responsible for the development and implementahon of the policies and procedures required by this HIPAA Policy and the HIPAA Security Rule. (Unit HIPAA Coordinator) Implement policies and procedures to ensure that only appropriate members of its workforce including students and volunteers have access to the PHI. Implement policies and procedures for authorized access to PHI.

26 Risk Assessment A risk assessment helps your organizahon ensure it is compliant with HIPAA s administrahve, physical, and technical safeguards. A risk assessment also helps reveal areas where your organizahon s protected health informahon (PHI) could be at risk. hmps:// professionals/security- risk- assessment UH preliminary assessment hmp://go.hawaii.edu/j6o

27

28 Admin Safeguards - continued Implement a security awareness training program for all members of its workforce (including management, students and volunteers). Implement policies and procedures to address security incidents. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence, e.g., fire, vandalism, system failure, and natural disaster, that damages systems that contain PHI. Perform periodic technical and non- technical evaluahons to ensure that standards conhnue to be met in response to operahonal and environmental changes affechng the security of PHI.

29 Physical Safeguards Implement policies and procedures to limit physical access to its electronic informahon systems and the facilihes in which they are housed, while ensuring that properly authorized access is allowed. Implement policies and procedures that specify the proper funchons to be performed, manner in which funchons are to be performed, and physical amributes of the surroundings of a specific workstahon/workstahons that can access PHI. Implement physical safeguards for all workstahons that access PHI to restrict access to authorized users. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ephi into, out of and within the facility.

30 Technical Safeguards Implement technical policies and procedures for electronic informahon systems that maintain ephi to allow access only to those persons or sokware programs that have been granted access rights. Implement hardware, sokware, and/or procedural mechanisms that record and examine achvity in informahon systems that contain or use ephi. Implement policies and procedures to protect PHI from improper alterahon or destruchon. Implement procedures to verify that a person or enhty seeking access to PHI is the one claimed. Implement technical security measures to guard against unauthorized access to ephi that is being transmimed over an electronic communicahons network.

31 Breach of Unsecured PHI NoHficaHon to Individuals: Individuals whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of such breach must be nohfied. NoHficaHon to Others: A UH Covered Component shall also nohfy prominent local media outlets if the breach involves more than 500 residents of the State no later than 60 days aker discovery of the breach. NoHficaHon to DHHS Secretary: A UH Covered Component shall nohfy the DHHS Secretary within 60 days of discovery of the breach if less than 500 individuals are involved. If more than 500 individuals are involved, the UH Covered Component shall nohfy the DHHS Secretary in the manner provided by the DHHS Web site. NoHficaHon by a Business Associate. A Business Associate shall nohfy a UH Covered Component of a breach within 60 days that the Business Associate discovered a breach occurred

32 UH HIPAA Officer Dual Role: HIPAA Privacy Officer & HIPAA Security Officer Office of the Vice President for InformaHon Technology Responsible for the development, implementahon, and maintenance of this HIPAA Policy, in consultahon with the University s Office of Research Compliance and Chief InformaHon Security Officer, and including all University privacy and security policies and procedures relahng to HIPAA

33 HIPAA Privacy Responsibilities Maintain ongoing communicahon with all University Unit HIPAA Coordinators; Coordinate training programs for the designated UH Covered Components as needed (employees, students and volunteers) in cooperahon with the University Unit HIPAA Coordinators; Maintain ongoing communicahons with the IRB regarding research use of PHI and Limited Data Sets; Respond to complaints regarding University policies, procedures and prachces related to the privacy of health informahon; and Respond, or refer, to the appropriate UH Covered Component, requests by individuals for access and amendment, an accounhng of disclosures, or requested restrichons to the use and disclosure of PHI.

34 HIPAA Security Responsibilities Maintain ongoing communicahon with the University Unit HIPAA Coordinators; Assist in the development and implementahon of ongoing security awareness and training programs for the employees, students, and volunteers of each UH Covered Component; Monitor the use of security measures to protect PHI; and Assist in revising the UH HIPAA Policy and any University policy or procedure related to the privacy and security of PHI, as required to comply with changes in any applicable law, as well as documenhng any change to any policy or procedure related to the privacy and security of PHI.

35 Review & Signing Authorities Business Associate Agreements (BAA) & Data Sharing/Use Agreements Reviewed by the University HIPAA Officer in consultahon with the University Office of the General Counsel prior to signing. BAA must include the following approvals/ signatures (these may shll change): Project Principal InvesHgator or Program Lead; Unit Dean/Director; and Campus Chancellor (or designee).

36 J. T. Ash UH HIPAA Compliance Officer (808)