North Carolina Department of Health and Human Services

Transcription

1 NC DHHS HIPAA Program Management Office Agency Sign-Off Form Covered Health Care Component Determination North Carolina Department of Health and Human Services To: Leah Devlin, Director, Division of Public Health (DPH) Glenn Cutler, DPH HIPAA Coordinator From: Karen Tomczak, DHHS HIPAA PMO Director CC: Marc Lodge, Attorney General s Office Dennis Harrington, DPH Backup HIPAA Coordinator Ann Nance, DPH Backup HIPAA Coordinator Date: February 12, 2002 Subject: HIPAA Covered Health Care Component Determination Note: Definitions for HIPAA-specific terms used in this letter are attached It has been determined by the NC Attorney General s Office that the NC Department of Health and Human Services is considered a hybrid entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Regulations. As such, the department is a type of covered entity, and must identify those health care components within the department that perform functions covered by the HIPAA Regulations. All covered health care components within the department will be required to comply with HIPAA Regulations. In an effort to identify which components are performing covered functions within the department, the NC DHHS HIPAA Program Management Office (PMO) conducted a high-level EDI-TCI assessment on the application systems and business processes of NC DHHS Divisions, Offices and State-owned and DHHS-operated entities (SOEs). In addition, each agency completed the Business Information Flow Assessment (BIFA) that identified workgroups within the agency and the types of health information that flow within and outside those workgroups. Based upon the information received through assessments and discussions with various staff from your agency, the PMO has determined that certain components within the Division of Public Health, qualify as a HEALTH CARE PROVIDER as defined in 45 CFR, Part 160, Standards for Privacy of Individually Identifiable Health Information; Final Rule. As such, the following workgroups and facilities within the Division of Public Health are considered health care components that perform covered functions within the hybrid entity of NC DHHS and must therefore comply with the HIPAA Regulations: 1

2 Attached is an Impact Summary Matrix that provides rationale for the impact determinations. Based upon advice of the Attorney General s Office, the Developmental Evaluation Centers should be considered a covered component in their entirety since their sole objective is the provision of health care. The Directors of these facilities and their HIPAA Coordinator will receive a similar impact determination notification and they will be asked to provide signoff. In addition to the covered health care components identified above, there may be other workgroups/facilities within DPH that will have to comply with HIPAA. Some of these workgroups are identified on the attached Impact Summary Matrix under Performs a service on behalf of a health care component. However, please note that information in this column and the Trading Partner column is incomplete. This month the PMO, in conjunction with the Division HIPAA Coordinators, will initiate an evaluation to identify Division Business Associates, DHHS Business Associates and External Business Associates. The Division Business Associates and DHHS Business Associates will be considered covered in the same manner as staff within the covered health care component. Any workgroups/facilities that qualify as an External Business Associate will need to comply with privacy and security requirements specified in a Business Associate agreement with the external covered health care component. The PMO will be conducting additional assessments this year in areas such as Privacy and Security and covered health care components within your agency will be asked to participate in those assessments. The purpose of these assessments will be to identify gaps that need to be closed to achieve compliance under the HIPAA regulations and validation of compliance. The outcome of these detailed assessments will not change the impact determination noted above. The purpose of this letter is to give the Division of Public Health Director and HIPAA Coordinator the opportunity to agree or disagree with this determination. This letter serves as due diligence documentation for your records. If you have any questions, please contact Sarah Brooks in the NC DHHS HIPAA PMO by at sarah.brooks@ncmail.net or phone ( , Ext. 117). Please return the signed original of this memo to the below address by Friday, February 22, NC DHHS HIPAA PMO Attn: Kimberly Miller 2028 Mail Service Center Raleigh, NC Please submit a signed copy of this memo to the Attorney General s Office as follows: Attorney General s Office Attn: Marc Lodge PO Box 629 Raleigh, NC Attachment: Impact Summary Matrix - DPH 2

3 AGENCY DETERMINATION: We agree with the NC DHHS HIPAA PMO determination that the following workgroups/facilities within the Division of Public Health qualify as a HEALTH CARE PROVIDER as defined by the HIPAA Regulations and they are considered health care components that perform covered functions within the hybrid entity of NC DHHS: We disagree with the NC DHHS HIPAA PMO determination that one or more of the following specified components within the Division of Public Health qualify as a HEALTH CARE PROVIDER as defined by the HIPAA Regulations, and request additional analysis to determine any impact of the HIPAA Regulations on this agency: Leah Devlin, Division Director Date Glenn Cutler, HIPAA Coordinator Date 3

4 Definitions Business Associate = A business associate relationship may arise when a person or organization performs a function or activity on behalf of a covered entity, or provides certain legal, financial or management services to the covered entity, and the function, activity or services involve the use or disclosure of individually identifiable health information. Examples of Business Associate functions are: activities by a Trading Partner, claims processing or administration, data analysis, utilization review, quality assurance, billing, benefit management, practice management, and repricing; legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services. Covered Health Care Component = A health care component that performs covered functions. Covered Entity = a health plan; a health care clearinghouse; or a health care provider who transmits any health information in electronic form in connection with an electronic transaction. Covered Functions = those functions of a covered entity the performance of which makes the entity a health plan, health care provider, or health care clearinghouse. DHHS Business Associate = Workgroup within a NC DHHS Division, Office or SOE that performs activities that would normally make the workgroup a business associate of a covered component within a different NC DHHS Division, Office or SOE and the activities involve the use or disclosure of PHI. Example Central Billing Office in the NC DHHS Office of the Controller is a DHHS Business Associate of the 5 Mental Retardation Centers, 4 Psychiatric Hospitals, 2 ADATCs and NC Special Care Center under DMH/DD/SAS since they provide a billing service for the institutions. Division Business Associate = Workgroup within a NC DHHS Division, Office or SOE that performs activities that would normally make the workgroup a business associate of a covered component within the same Division, Office or SOE and the activities involve the use or disclosure of PHI. Example Adult Substance Abuse Services Branch in DMH/DD/SAS central office is a Division Business Associate of W.B. Jones ADATC and J. F. Keith ADATC since they are responsible for direct supervision of the ADATCs. EDI-TCI = Electronic Data Interchange Standard Transactions, Code Sets and Identifiers External Business Associate = Business Associate outside of NC DHHS. These include other state and local government agencies as well as private contractors/vendors. Health Care Component = (1) Components of a covered entity that perform covered functions are part of the health care component. (2) Another component of the covered entity is part of the entity s health care component to the extent that: (i) It performs, with respect to a component that performs covered functions, activities that would make such other component a business associate of the component that performs covered functions if the two components were separate legal entities; and (ii) The activities involve the use or disclosure of protected health information that such other component creates or receives from or on behalf of the component that performs covered functions Health Care Provider = a provider of services (as defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical or health services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business. Health plan = an individual or group plan that provides or pays the cost of medical care, including group health plans, health insurance issues, health maintenance organizations, Medicare, Medicaid, long-term care policies, nursing home fixed indemnity policies, employee welfare benefit plans, military healthcare programs, Veteran's healthcare programs, CHAMPUS, Indian Health Services Program, and the Federal Employees Health Benefit Plan. Hybrid Entity = a single legal entity that is a covered entity and whose covered functions are not its primary functions. 4

5 State-owned and DHHS-operated entity (SOE) = SOE means those health care facilities that are owned by the state under the legal authority of NC DHHS including 4 psychiatric hospitals, 5 mental retardation centers, 2 alcohol and drug abuse treatment centers, NC Special Care Center, Wright School, Whitaker School, Eastern Adolescent Treatment Center, Governor Morehead School, 2 schools for the deaf, and 13 developmental evaluation clinics. 5