
Hot Topics Legal Update


Presentation Transcript


  1. Hot Topics Legal Update Jill D. Moore, JD, MPH University of North Carolina School of Government September 2014

  2. HIPAA Highlights

  3. Protected health information (PHI)
     Individually identifiable health information created, received or maintained by a HIPAA-covered entity that relates to:
     • Health status or condition
     • Provision of health care
     • Payment for provision of health care

  4. HIPAA Highlights

  5. Who is covered by HIPAA?

  6. What is a hybrid entity?
     A covered entity with both covered and non-covered functions can be a hybrid entity. Covered functions are:
     • Activities or functions that, standing alone, would meet the definition of covered entity
     • Activities or functions that would create a business associate relationship if they were carried out by a separate entity

  7. What is a hybrid entity? The entity must designate its covered component. The covered component must include covered functions and may include non-covered functions. The covered component must comply with HIPAA. The non-covered component is not required to comply with HIPAA (though it may be subject to other confidentiality laws).

  8. Where you are in the entity affects …
     • Policies for sharing information
     • Obligations such as distributing the notice of privacy practices
     • Training requirements
     • Management of breaches
     • And more

  9. Hybrid entity resources
     • HIPAA regulations: 45 CFR 164.105(a)
     • US DHHS resources for covered entities and business associates: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/

  10. HIPAA Highlights

  11. What is a breach?
     • Breach: unauthorized acquisition, access to, use of, or disclosure of PHI, which compromises the privacy and security of the information.
     • HIPAA requires notifying individuals and certain others of breaches, unless:
       • A specific exception in the breach rule applies, or
       • A risk analysis shows a low probability that PHI was compromised, or
       • The PHI was encrypted or had been disposed securely.

  12. Safe Harbor
     • Don’t have to notify if:
       • PHI was encrypted, or
       • PHI was disposed in keeping with HHS guidance on secure disposal

  13. When is notification not required?
     Specific exceptions:
     • PHI could not reasonably be retained
     • PHI access is unintentional and by a workforce member or business associate acting in good faith
     • Inadvertent disclosure is made to another person within the CE or BA who is authorized to access PHI
     Risk analysis factors:
     • Nature and extent of PHI, including types of identifiers & likelihood of re-identification
     • Unauthorized person who received disclosure or used PHI
     • Whether PHI was actually acquired and viewed
     • Extent to which any risk to PHI has been mitigated

  14. State Law on Breaches
     • Breach: unauthorized access to or acquisition of records or data with “personal information,” which means name plus something that could be used to commit ID theft or threaten finances (SSN, DL number, financial account numbers, etc.)
     • State law requires breach notification if:
       • Illegal use of the information has occurred, or
       • Illegal use of the information is reasonably likely to occur, or
       • The incident creates a material risk of harm to a consumer.

  15. Checklist for breach follow-up
     • Determine if notification is required under HIPAA and/or state law.
     • Mitigate harm caused by the breach.
     • Note the disclosure in the accounting log.
     • If a workforce member was involved, apply the sanctions policy.
     • Consider whether the incident points to a need for changes in safeguards, policies, training, etc.

  16. Breach resources
     • HIPAA regulations: 45 CFR 164, subpart D (sections 164.400 – 164.414)
     • US DHHS resources: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/

  17. HIPAA Highlights

  18. When does HIPAA apply to local public health? If LPHA program/activity meets the covered entity definition or performs BA-like functions for a HIPAA covered component, it must be covered. Sometimes a program/activity is covered by local option for administrative or programmatic reasons.

  19. Immunizations
     • HIPAA changed but state law did not—this is causing confusion
     • In NC, health care providers must disclose immunization information to schools on request; neither written authorization nor oral permission is required

  20. HIPAA’s de-identification standard and the small numbers problem
     • If information is de-identified, it is no longer subject to HIPAA’s restrictions on use and disclosure. See 45 CFR 164.514(a).
     • But a HIPAA covered component may consider information de-identified only if one of two conditions is met:

  21. HIPAA: De-identification of PHI
     Specific identifiers stripped. Remove all:
     • Names & addresses
     • Geographic subdivisions smaller than a state*
     • Dates related to individual: birth, treatment, other dates
     • Telephone & fax numbers
     • E-mail, URLs, IP address
     • SSN, medical record number, other numbers
     • And more—see rule
     Expert determination:
     A person with knowledge of & experience with statistical methods for making information non-identifiable determines that the risk that the info could be used (alone or in combination with other info) to identify the individual is very small.
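As an added illustration (not part of the presentation), the following Python sketch applies the "specific identifiers stripped" approach from slide 21 to a constructed sample record: the direct-identifier fields named on the slide are dropped, county is dropped because it is a geographic subdivision smaller than a state while the state is kept, dates are cut back to the year that 45 CFR 164.514 permits, and free-text notes are scanned for telephone, e-mail, SSN, IP-address and URL patterns. The record layout, field names and regular expressions are this example's own assumptions, and it covers only the identifiers the slide lists, not the full list in the rule.

```python
import re

# Constructed sample record (not real PHI); the field names are this example's own.
RECORDS = [
    {"name": "Jane Doe", "address": "12 Elm St, Carrboro, NC 27510", "state": "NC",
     "county": "Orange", "dob": "1978-04-12", "phone": "919-555-0100",
     "email": "jane@example.com", "ssn": "123-45-6789", "mrn": "MRN-0001",
     "diagnosis": "pertussis",
     "notes": "Contact at 919-555-0100 or jane@example.com from 10.0.0.5"},
]

# Fields the slide says must be removed outright. County is a geographic
# subdivision smaller than a state, so it goes too; the state itself may stay.
DIRECT_IDENTIFIERS = {"name", "address", "phone", "email", "ssn", "mrn", "county"}

# Identifiers that tend to leak inside free text: SSN, telephone, e-mail, IP, URL.
PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), "[EMAIL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"https?://\S+"), "[URL]"),
]

def redact_text(text):
    """Replace identifier patterns in free text with labelled placeholders."""
    for pattern, label in PATTERNS:
        text = pattern.sub(label, text)
    return text

def strip_identifiers(record):
    """Return a copy of one record with the slide's listed identifiers removed."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # drop the field entirely
        if key == "dob":
            out["birth_year"] = value[:4]  # 45 CFR 164.514 allows keeping the year only
            continue
        out[key] = redact_text(value) if isinstance(value, str) else value
    return out

def deidentify(records):
    return [strip_identifiers(r) for r in records]

if __name__ == "__main__":
    for row in deidentify(RECORDS):
        print(row)
```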

  22. County-level data and the small number problem
     • If the information is PHI, to de-identify satisfactorily for HIPAA purposes:
       • Must strip geographic identifiers including county, or
       • Must have a statistical expert determine that the risk an individual could be identified is very small
     • If PHI cannot be de-identified, the entity must follow HIPAA’s rules regarding use and disclosure.
     • Note that this does not mean the information may not be used or disclosed. However, it does mean that uses or disclosures are limited to those permitted by HIPAA.

  23. What about maps? The small numbers concern does not mean a LPHA can’t make, use, or disclose maps using PHI. It does mean that if PHI that has not been de-identified will be used for the map, you have to apply HIPAA’s rules for using or disclosing PHI to the making, use, or disclosure of the map.

  24. Public health resources
     • Immunizations:
       • US DHHS guidance: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/studentimmunizations.html
       • SOG bulletin on immunizations & NC law: www.sog.unc.edu/pubs/electronicversions/pdfs/hlb91.pdf
     • De-identification:
       • HIPAA regulation: 45 CFR 164.514
       • HHS guidance on de-identification methods: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/guidance.html

  25. Jill Moore UNC School of Government 919.966.4442 moore@sog.unc.edu www.ncphlaw.unc.edu
