1 / 54

HIPAA Compliance Committees and Hybrid Entities

Beth Manley ISAC Compliance Officer February 23, 2017. HIPAA Compliance Committees and Hybrid Entities. Disclaimer.

Jims
Télécharger la présentation

HIPAA Compliance Committees and Hybrid Entities

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Beth Manley ISAC Compliance Officer February 23, 2017 HIPAA Compliance Committees and Hybrid Entities

  2. Disclaimer • The Iowa State Association of Counties (ISAC) provides education and information primarily as a general service to ISAC members.  This communication, or any other communication with ISAC, does not create an attorney-client relationship.  The information provided should not be interpreted or used as a substitute for a legal opinion from your county attorney or otherwise retained and qualified legal counsel.

  3. Outline • HIPAA Compliance Committees • Purpose • Membership • Meetings • Hybrid Entities • Definition • Benefits • Examples • ISAC HIPAA Program • Questions

  4. HIPAA Compliance • First steps • Designate Privacy Officer • Designate Security Officer • Establish a compliance program • Compliance committee • Adopt policies and procedures • Train workforce • Complete a risk analysis • Review current business associates and other contracted vendors • Audit compliance

  5. Components of a Compliance Program • Standards and Procedures • Oversight • Education and Training • Communication • Monitoring and Auditing • Enforcement and Discipline • Response and Prevention

  6. Compliance Committees

  7. Compliance Committees • Are they required? • No • Should you have one? • Yes

  8. OIG Compliance Guidance • The U.S. Department of Health & Human Services Office of Inspector General (OIG) had developed a series of voluntary guidance documents to help various entities have effective compliance programs and comply with applicable statutes and regulations. • https://oig.hhs.gov/compliance/compliance-guidance/ • https://oig.hhs.gov/compliance/compliance-guidance/compliance-resou rce-material.asp

  9. OIG Guidance-Purpose • The purpose of the compliance department is to implement the compliance program and to ensure compliance with all applicable Federal health care program requirements.

  10. OIG Guidance: Function of Compliance Committee • Analyzing the organization’s industry environment, the legal requirements with which it must comply, and specific risk areas; • Assessing existing policies and procedures that address these areas for possible incorporation into the compliance program; • Working with appropriate departments to develop standards of conduct and policies and procedures to promote compliance with the organization’s program;

  11. OIG Guidance: Function of Compliance Committee cont. • Recommending and monitoring, in conjunction with the relevant departments, the development of internal systems and controls to carry out the organization’s standards, policies and procedures as part of its daily operations; • Determining the appropriate strategy/approach to promote compliance with the program and detection of any potential violations, such as through hotlines and other fraud reporting mechanisms; • Developing a system to solicit, evaluate and respond to complaints and problems.

  12. OIG Guidance: Function of Compliance Committee cont. • Monitoring internal and external audits and investigations for the purpose of identifying troublesome issues and deficient areas experienced by the organization, and implementing corrective and preventive action; and • The committee may also address other functions as the compliance concept becomes part of the overall organization operating structure and daily routine.

  13. Compliance Committee Members • Types of employees • Senior leadership? • Entry level? • Mixture of people and backgrounds • The number of committee members will depend on how big your county/region is and how many health care components you have in your hybrid entity.

  14. Compliance Committee Member Characteristics • Compliance committee members should demonstrate high integrity, good judgment, assertiveness, and an approachable demeanor, while eliciting the respect and trust of employees of the covered entity and having significant professional experience working with billing, clinical records, documentation, and auditing principles.

  15. County Compliance Committee Members • Who should be on your committee? Here are some suggestions: • Compliance Officer • Privacy Officer • Security Officer • IT Staff • Sheriff • Auditor • Supervisor • Public Health • Case Manager • County Attorney • Other departments that might have access to PHI

  16. Frequency of Meetings • How often should you meet? • Weekly • Monthly • Bi-monthly • Quarterly • Semi-annually • Other • Balance meeting frequency with efficiency • Corporate Integrity Agreements often require compliance committees to meet quarterly

  17. First Meeting • Discuss why you are there • Make a plan • Establish your hybrid entity (more about this later on in this presentation) • Risk Analysis • HIPAA Policies and Procedures • Business Associate Agreements • Training Employees

  18. Subsequent meetings • What should you discuss at each of your meetings? • Review current policies and procedures to make sure they are still accurate • Discuss recent violations • Review access to PHI • CSN high profile client access report • Changes to Iowa law • SF 2144 • Changes to Federal law • HIPAA and gun control • Section 1557 of ACA

  19. Benefits of an Effective Compliance Committee • Prevent breaches • Little to no civil monetary penalty in case of a breach • Better communication between departments • Compliance with policies and procedures

  20. Hybrid Entities

  21. Hybrid Entity • Designating your county as a hybrid entity is an important step in the compliance process for counties because not every part of the county works with PHI. • By designating as a hybrid entity, a county is able to separate departments that have to comply with HIPAA and those that don’t. • Health care components of a hybrid entity have to comply with HIPAA • Non-health care components of a hybrid entity do not have to comply with HIPAA • All departments within a county have to comply with HIPAA if the county does not designate as a hybrid entity.

  22. Hybrid Entity-45 C.F.R. § 164.103 • Hybrid entity means a single legal entity: • That is a covered entity; • Whose business activities include both covered and non-covered functions; and • That designates health care components in accordance with paragraph § 164.105(a)(2)(iii)(D). • Health care component means a component or combination of components of a hybrid entity designated by the hybrid entity in accordance with § 164.105(a)(2)(iii)(D).

  23. Hybrid Entities • § 164.105(a)(2)(iii)(D) • The covered entity is responsible for designating the components that are part of one or more health care components of the covered entity and documenting the designation in accordance with paragraph (c) of this section, provided that, if the covered entity designates one or more health care components, it must include any component that would meet the definition of a covered entity or business associate if it were a separate legal entity. Health care component(s) also may include a component only to the extent that it performs covered functions.

  24. Health Care Component • Essentially, a health care component is of a hybrid entity if it is either of the following: • A covered entity • A health plan • A health care clearinghouse • A health care provider • Business associate if it were a separate legal entity

  25. Business Associate • Business Associate: 45 C.F.R. § 164.504(e)(1) • A Business Associate is a person who: • On behalf of such covered entity…creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter. • This includes: claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management, and repricing; or (next slide)

  26. Business Associate • A Business Associate is also someone that: • Provides any of the following services where the provision of service involves the disclosure of PHI: • legal • actuarial • accounting • consulting • data aggregation • management • administrative • accreditation • financial services

  27. Business Associate • Business Associate does not include: • A member of the organization’s workforce • A health care provider, with respect to disclosures by a covered entity to the health care provider concerning the treatment of the individual. • A plan sponsor, with respect to disclosures by a group health plan to the plan sponsor. • A government agency, with respect to determining eligibility for, or enrollment in, a government health plan that provides public benefits and is administered by another government agency. • Organized health care arrangements.

  28. Designating as a Hybrid Entity • Talk with someone from each department and determine which departments would be considered a covered entity. • Determine which parts of the county that could be considered a business associate of the county if it were a separate legal entity. • Follow PHI and see who handles or has access to it at every stage of the process • Document the health care components with your policies and procedures. • No requirement to file forms with the government.

  29. Benefits of Designating as a Hybrid Entity • Limit training and compliance duties • Less liability or chance for HIPAA non-compliance

  30. Not Designating as a Hybrid Entity • A county may choose to not designate as a hybrid entity • Simpler in terms of IT security • Not necessary to implement internal firewalls to keep non-health care components from accessing ePHI • Minimum necessary rule still applies • Must train all workforce members • All departments must comply with HIPAA

  31. Hybrid Entity ExamplesMost of the information from these slides were taken from a memo created by Alissa Smith from the Dorsey and Whitney law firm. You can access the memo on our member website.

  32. Auditor’s Office • Role: • Handles county/region claims and handles some functions of the self-funded insurance program. • Health Care Component: • Yes • Analysis: • The Auditor’s Office falls under the definition of a business associate because they process claims for other county departments and could be considered a health plan if they pay for claims for a county self-funded insurance program.

  33. Community Based Services • Role: • Provides various services for persons with mental illness, mental retardation, and developmental disabilities. • Health Care Component: • Yes • Analysis: • Community Based Services meet the definition of health care provider because they provide and bill for services.

  34. General Assistance • Role: • Provides short term financial assistance to residents • Health Care Component: • Maybe • Analysis: • Could meet the definition of a health plan because General Assistance because it could pay for the cost of medical care.

  35. Case Management • Role: • Provides ongoing coordination and monitoring of services for qualifying individuals. • Health Care Component: • Yes • Analysis: • Case Management would most likely be considered a health care provider because they provide services to clients and then bill for those services.

  36. Home Care • Role: • Provides services for residents that prevents or reduces institutionalization and performs other activities which enable comfortable daily living. • Health Care Component: • Yes • Analysis: • Home Care would be considered a health care provider because they provide services to residents and then bill for those services.

  37. Ambulance • Role: • Provides emergency medical services and transportation. • Health Care Component: • Yes • Analysis: • Ambulance would be considered a health care provider because they provide services to residents and then bill for those services.

  38. Public Health • Role: • Investigates communicable diseases, provides health planning and education for the county, offers childhood immunizations, and provides treatment for sexually transmitted diseases. • Health Care Component: • Yes • Analysis: • Public Health would be considered a health care provider because they provide services to residents and then bill for those services.

  39. Supervisor’s Office • Role: • Legislative body of the county and they approve claims and policies for other county departments. • Health Care Component: • Yes • Analysis: • The Supervisor’s Office falls under the definition of a business associate because they process claims for other county departments.

  40. Veterans Affairs Office • Role: • Assists with veteran medical care and has funds to help pay for temporary shelter/utilities, food/health supplies, medical/dental, counseling, and transportation. • Health Care Component: • Yes • Analysis: • Could fall under the definition of a health care provider or a health plan because the VA Office provides some health care services and also pays for services.

  41. Mental Health and Disability Regions • Role: • Separate legal entity from the county (28E entity). • Health Care Component: • Separate legal entity so not a health care component but they are a covered entity on their own. • Analysis: • MHDS Regions are separate legal entities from the counties but they share employees. The employees must follow both the county and region HIPAA policies and procedures, depending who the employee is working for at that particular time.

  42. Information Technology Office • Role: • Develops and maintains computer software applications that facilitate a county’s business operations. • Health Care Component: • Yes • Analysis: • The IT department would likely be considered a business associate of other health care components within the county because they provide support for functions that involve PHI.

  43. Sheriff’s Office • Role: • Provides various law enforcement services for the county. The sheriff serves mental health and substance abuse court orders and provides transports, provides security for the courthouse and county administration buildings and serves civil process. Detainees in the county jail shall also be provided appropriate care for serious medical, dental, and mental health needs. • Health Care Component: • Primarily no but some Sheriff’s Offices may need to subdivide if individuals within the office provide health care services at the jail. • Analysis: • The Sheriff’s Office would be considered a health care provider if they provide healthcare services, like having an on-staff nurse. The Sheriff’s Office could decide to designate only part of the office as a health care component.

  44. Environmental Health Office • Role: • Prevents disease by controlling community environmental threats and providing local education on environmental health issues. • Health Care Component: • Maybe • Analysis: • Could be considered a business associate of another department within the county if they every create, receive, maintain, or transmit PHI for another department.

  45. Clerk of Court • Role: • Not county employees but they do communicate with counties on various matters that could involve PHI • Health Care Component: • No • Analysis: • The Clerk of Court is not part of the county. Therefore, the Clerk of Court would not be considered part of the hybrid entity.

  46. Department of Motor Vehicle • Role: • The DMV is part of the DOT but they often work with treasurers and share office space. • Health Care Component: • No • Analysis: • The DMV is not a health plan, health care provider, and does not function as a business associate. An entity is not considered a business associate just because they share office space with a health care component.

  47. County Attorneys • Role: • Advises the county on legal matters. Could have access to PHI if there is any kind of legal dispute • Health Care Component: • Yes • Analysis: • County attorneys often have access to PHI if there is a legal dispute so they would be considered a business associate if they were a separate legal entity.

  48. Treasurer’s Office • Role: • Processes drivers’ licenses. • Health Care Component: • Most likely not • Analysis: • The Treasurer’s Office would not be considered a health care provider or health plan because they do not provide or pay for health care services. Further, they most likely don’t provide any service to other departments within the county that would make them a business associate.

  49. Medical Examiners • Role: • Investigates certain deaths • Health Care Component: • Most likely not • Analysis: • Performing an autopsy does not render the medical examiner a health care provider because it does not fall under the definition of health care. Medical examiners would not be considered business associates unless they provide other kinds of services for the county that involve PHI.

  50. Engineers • Role: • Responsible for the construction and maintenance of county roads. • Health Care Component: • No • Analysis: • The County Engineer is not considered a health plan, health care provider, and does not function as a business associate. An entity is not considered a business associate just because they share office space with a health care component.

More Related