HIPAA Omnibus Rule - 45 CFR Parts 160 and 164

The Center for IDEA
Early Childhood Data Systems
UNDERSTANDING WHAT
HIPAA IS AND IS NOT
Ann Agnew
DaSy Center
Improving Data, Improving Outcomes
8/16/2016
I. HIPAA PRIVACY
WHAT IS HIPAA - AND WHY DOES IT
MATTER TO ME?
IDEA Part C and Part B 619 agencies frequently
interact with HIPAA “covered entities”
Need to exchange and share information with
“covered entities” providing Part C and 619 services
to children
“HIPAA” is not synonymous with “HIPAA privacy”
HIPAA comprised of a suite of regulations
implementing various parts of the law
Health Insurance Portability and
Accountability Act of 1996
Established certain insurance protections
Required standards for the exchange of electronic
information (transaction standards and code sets for
billing and payment of health care services)
Set a process and timeline for establishing privacy
and security protections for personal health
information used in those electronic transactions
HIPAA Administrative Simplification
Regulations
45 CFR Parts 160, 162, and 164
Suite of regulations covering HIPAA provisions
– Transactions and Code Sets
– Security
– Breach Notification
– Enforcement
– Privacy
– (More details included in Attachments)
Privacy Rule and Security Rule implemented and enforced by the Office for Civil
Rights (OCR) in the Department of Health and Human Services
The Centers for Medicare and Medicaid Services (CMS) sets and administers
electronic standards (Transactions and Code Sets) through formal notice and
comment rule-making
Privacy - What rights are conferred?
Notice of privacy practices
Access to records
Amend/correct records
Accounting for disclosure
Restriction request
Confidential communications requirements
HIPAA Privacy - Who has to comply?
“Covered Entities”
Health Plans - in general, all group and individual plans that provide or
pay for health services
Health Care Providers - any health care provider who engages in any
electronic transactions covered by HIPAA standards
Healthcare Clearinghouses - generally entities that convert
nonstandard information into standard format required for electronic
transmission
Applicability of HIPAA Privacy provisions to these entities does NOT
depend on receipt of federal funding.
HIPAA Privacy - Who has to comply?
“Business Associates”
Individual or organization
Performs services on behalf of a covered entity
OR
Provides services to a covered entity
AND
Services involve the use and/or disclosure of protected health information
Examples
An external entity that helps the agency with claims processing and billing third party
reimbursement such as Medicaid or private insurance
A private legal firm that has access to Protected Health Information (PHI) in the course
of its work for the agency
A technology company that has access to PHI while working on fixes to a state data
system
HIPAA Privacy - What information is
protected?
“Protected Health Information” (PHI)
Defined in the Rule as “individually identifiable health information” held or
transmitted by a covered entity
Information is protected regardless of form - electronic, paper, oral
Information is considered PHI if it can be directly or indirectly linked to the individual,
including:
Physical or mental health conditions
Any health care (services, treatments, diagnostic tests, etc.)
Payments made for or on behalf of an individual
Demographic information and common identifiers, such as name, address, and
birth date
HIPAA Privacy - What’s NOT included?
De-identified information
Education and certain other records subject to, or
defined in, the Family Educational Rights and Privacy
Act, 20 U.S.C. § 1232g
See: Joint Guidance on the Applicability of the Family Educational Rights and
Privacy Act (FERPA) and the Health Insurance Portability and Accountability
Act of 1996 (HIPAA) to Student Health Records
HIPAA Privacy - What about State
privacy requirements?
HIPAA Privacy Rule generally provides a “floor” of
federal privacy protections.
If a state law requires greater privacy protections,
the state law applies
Provisions of state law are pre-empted by HIPAA
Privacy only if they are “contrary” to HIPAA
provisions and are not more stringent than HIPAA
HIPAA Privacy - Does an individual have to
authorize the disclosure of their information?
In general, the use or disclosure of an individual’s protected
health information is prohibited without prior authorization
from that individual.
Authorization must be in writing
Must be specific in terms of what data can be used, the
purpose for which it can be used and the length of time it may
be used
Privacy rule specifically requires authorization of disclosure
for release of individual information for purposes of
marketing and for the release of psychotherapy notes
HIPAA Privacy - Are there exceptions to the
requirement for authorization of disclosure?
The Privacy Rule provides for two categories of uses that do not require an
individual’s authorization.
“Required” Uses
A covered entity MUST disclose information:
To the individual or their personal representative upon request
To HHS for compliance investigation or enforcement action
“Permitted” Uses
The Rule lists five categories of disclosure where a covered entity is permitted
to release information without the individual’s authorization. Information
disclosed under these categories must adhere to the “minimum necessary”
requirement established in the rule (the rule exempts certain disclosures from
this requirement, notably disclosures to a health care provider for treatment).
HIPAA Privacy - What are “permitted” uses ?
“Treatment, Payment and Health Care Operations”
Information necessary for a covered entity to:
– Treat patients (e.g. consult with a specialist on appropriate procedures to use on a patient)
– Get paid for services (e.g. send information to an insurance company to support a bill for
services provided to a patient)
– Perform a range of activities necessary to operate and manage a business (e.g. quality
improvement activities, performance evaluation, credentialing and accreditation, medical
reviews, audits, etc.)
“Use with opportunity to object”
Incidental Use/Disclosure
Public Interest and Benefit Activities
Limited Data Set
HIPAA Privacy - Are there any exceptions for
research?
Limited Data Set
Documented Institutional Review Board (IRB) or
Privacy Board approval
Preparation for Research
HIPAA Privacy - Are there penalties for noncompliance?
Civil
HITECH established 4 tiers based on level of culpability
Amount per violation - $100 to $50,000 or more
Calendar year cap - $1.5 million for violations of an identical provision
Criminal
Up to 1, 5 or 10 years in prison depending on the offense (knowing violation;
violation under false pretenses; intent to sell PHI or use it for commercial
advantage, personal gain or malicious harm)
Enforced by Department of Justice
As of May 2016, OCR has:
Received 134,246 complaints
Initiated 879 reviews
Referred 575 cases to the Department of Justice for criminal investigation
HITECH extended direct liability to Business Associates
II. HIPAA AND FERPA
HIPAA and FERPA
Is protected health information in education records subject to HIPAA
privacy requirements?
How do I know if the information I have is covered by HIPAA or FERPA?
Does HIPAA Privacy cover a child’s immunization record?
What do I most need to know about the FAQs from “Joint Guidance on
the Applicability of Family Educational Rights and Privacy Act (FERPA)
and the Health Insurance Portability and Accountability Act of 1996
(HIPAA) to Student Health Records”?
ATTACHMENTS
HIPAA ADMINISTRATIVE SIMPLIFICATION RULES
Privacy Rule - 45 CFR Part 160 and Subparts A and E of Part 164
– Establishes national standards for the use and disclosure of individually identifiable
health information and for the protection of that information
Security Rule - 45 CFR Part 160 and Subparts A and C of Part 164
– Establishes national standards for the administrative, physical and technical safeguards
necessary to protect individually identifiable health information held in electronic form
Enforcement Rule - 45 CFR Part 160, Subparts C, D and E
– Sets requirements relating to compliance with HIPAA regulations and the conduct of
investigations, establishes civil money penalties for violations and the procedures for
hearings. These provisions apply to the HIPAA Privacy and Security Rules as well as to
the other HIPAA Administrative Simplification regulations
HIPAA ADMINISTRATIVE SIMPLIFICATION RULES
(CONT.)
Breach Notification - 45 CFR 164.400-414
– Sets requirements for notification of individuals, the public, and the
U.S. Department of Health and Human Services (DHHS) when an
impermissible use or disclosure of unsecured protected health
information occurs
HIPAA Omnibus Rule - 45 CFR Parts 160 and 164
– Modifies the Privacy, Security, Breach Notification and Enforcement Rules to
implement provisions of the Health Information Technology for
Economic and Clinical Health Act (HITECH) - part of the American
Recovery and Reinvestment Act of 2009
DaSy Center
Visit the DaSy website at:
http://dasycenter.org/
Like us on Facebook:
https://www.facebook.com/dasycenter
Follow us on Twitter:
@DaSyCenter
The contents of this presentation were developed under a grant from the
U.S. Department of Education, # H373Z120002. However, those contents do
not necessarily represent the policy of the U.S. Department of Education,
and you should not assume endorsement by the Federal Government.
Project Officers, Meredith Miceli and Richelle Davis.