Post on 02-Jan-2016
description
transcript
Hot Topics Legal Update
Jill D. Moore, JD, MPHUniversity of North Carolina School of Government
September 2014
HIPAA Highlights
Hybrid entities
Dealing with breaches
PHI and public health
Protected health information (PHI)
Individually identifiable health information created, received or maintained by a HIPAA-covered entity that relates to:• Health status or condition• Provision of health care• Payment for provision
of health care
Information
Confidential information
PHI covered by
HIPAA
HIPAA Highlights
Hybrid entities
Dealing with breaches
PHI and public health
Who is covered by HIPAA?Covered entity
• Health care provider that transmits health information electronically in connection with a HIPAA transaction
• Health plan• Health care clearinghouse
Business associate
• Creates, receives, maintains, or transmits PHI on behalf of a covered entity (for a HIPAA covered function or activity), or
• Provides services involving PHI (legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial)
What is a hybrid entity?
A covered entity with both covered and non-covered functions can be a hybrid entity.
Covered functions are:• Activities or functions that, standing alone,
would meet the definition of covered entity• Activities or functions that would create a
business associate relationship if they were carried out by a separate entity
What is a hybrid entity?
The entity must designate its covered component.
The covered component must include covered functions and may include non-covered functions.
The covered component must comply with HIPAA. The non-covered component is not required to comply with HIPAA (though it may be subject to other confidentiality laws).
Covered because meets covered entity definition
Covered because performs BA-like functions
Covered by local option
Not covered
Hybridentity
Where you are in the entity affects …• Policies for sharing
information• Obligations such as
distributing the notice of privacy practices
• Training requirements• Management of
breaches• And more
Hybrid entity resources
• HIPAA regulations: 45 CFR 164.105(a)
• US DHHS resources for covered entities and business associates:http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/
HIPAA Highlights
Hybrid entities
Dealing with breaches
PHI and public health
What is a breach?
• Breach: unauthorized acquisition, access to, use of, or disclosure of PHI, which compromises the privacy and security of the information.
• HIPAA requires notifying individuals and certain others of breaches, unless:– A specific exception in the breach rule
applies, or – A risk analysis shows a low probability
that PHI was compromised, or– The PHI was encrypted or had
been disposed securely.
Safe Harbor
• Don’t have to notify if:– PHI was encrypted, or– PHI was disposed in
keeping with HHS guidance on secure disposal
When is notification not required?
Specific exceptions• PHI could not reasonably
be retained• PHI access is
unintentional and by a workforce member or business associate acting in good faith
• Inadvertent disclosure is made to another person within the CE or BA who is authorized to access PHI
Risk analysis factors• Nature and extent of PHI,
including types of identifiers & likelihood of re-identification
• Unauthorized person who received disclosure or used PHI
• Whether PHI was actually acquired and viewed
• Extent to which any risk to PHI has been mitigated
Recipients & timing of notice
• Affected individuals – within 60 days• US DHHS – if > 500 individuals involved, contemporaneous notice; otherwise annual report• Media, if > 500 involved – within 60 days.
Content of notice
• Description of incident, PHI involved, advice to individuals to minimize harm, actions you’ve taken to investigate and mitigate, contact information for more info.
Method of notice
• Written letter (standard); email if prior agreement to email notification obtained; telephone if urgent (but also send written)
• Breach: unauthorized access to or acquisition of records or data with “personal information,” which means name plus something that could be used to commit ID theft or threaten finances (SSN, DL number, financial account numbers, etc.)
• State law requires breach notification, if:– Illegal use of the information has occurred, or– Illegal use of the information is reasonably likely to
occur, or– The incident creates a material risk of harm to a
consumer.
State Law on Breaches
Checklist for breach follow-up
Determine if notification required under HIPAA and/or state law.
Mitigate harm caused by the breach.Note disclosure in accounting log.If workforce member involved, apply
sanctions policy.Consider whether incident points to a need
for changes in safeguards, policies, training, etc.
• HIPAA regulations: 45 CFR 164, subpart D (sections 164.400 – 164.414)
• US DHHS resources:http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/
Breach resources
HIPAA Highlights
Hybrid entities
Dealing with breaches
PHI and public health
Myth HIPAA reality
A LPHA program or activity is not subject to HIPAA if it is a core (or essential) public health activity.
Whether a LPHA program or activity is subject to HIPAA depends on whether it’s a covered component, and that goes back to the hybrid entity designation.
When does HIPAA apply to local public health?
If LPHA program/activity meets the covered entity definition or performs BA-like functions for a HIPAA covered component, it must be covered. Sometimes a program/activity is covered by local option for administrative or programmatic reasons.
Immunizations
• HIPAA changed but state law did not—this is causing confusion
• In NC, health care providers must discloseimmunization informationto schools on request; neither written authorization nor oral permission is required
HIPAA’s de-identification standard and the small numbers problem
• If information is de-identified, it is no longer subject to HIPAA’s restrictions on use and disclosure. See 45 CFR 164.514(a).
• But a HIPAA covered component may consider information de-identified only if one of two conditions are met:
HIPAA: De-identification of PHI
Expert determination
Person with knowledge of & experience with statistical methods for making information non-identifiable determines that the risk that the info could be used (alone or in combination with other info) to identify the individual is very small.
Specific identifiers stripped
Remove all:• Names & addresses• Geographic subdivisions
smaller than a state*• Dates related to individual--
birth, treatment, other dates• Telephone & fax numbers• E-mail, URLs, IP address• SSN, medical record
number, other numbers• And more—see rule
• If the information is PHI, to de-identify satisfactorily for HIPAA purposes:– Must strip geographic identifiers including county, or– Must have statistical expert determine that the risk an
individual could be identified is very small
• If PHI cannot be de-identified, the entity must follow HIPAA’s rules regarding use and disclosure. – Note that this does not mean the information may not be
used or disclosed. However, it does mean that uses or disclosures are limited to those permitted by HIPAA.
County-level data and the small number problem
The small numbers concern does not mean a LPHA can’t make, use, or disclose maps using PHI. It does mean that if PHI that has not been de-identified will be used for the map, you have to apply HIPAA’s rules for using or disclosing PHI to the making, use, or disclosure of the map.
What about maps?
• Immunizations:– US DHHS guidance:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/studentimmunizations.html
– SOG bulletin on immunizations & NC law: www.sog.unc.edu/pubs/electronicversions/pdfs/hlb91.pdf
• De-identification:– HIPAA regulation: 45 CFR 164.514– HHS guidance on de-identification methods:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/guidance.html
Public health resources
Jill Moore
UNC School of Government
919.966.4442
moore@sog.unc.edu
www.ncphlaw.unc.edu