Local public health options. Legal Update for NC Public Health Nurse Administrators LOCAL PUBLIC HEALTH IN NORTH CAROLINA 12/6/2013

Transcription

1 Legal Update for NC Public Health Nurse Administrators Jill D. Moore, JD, MPH University of North Carolina School of Government December 2013 LOCAL PUBLIC HEALTH IN NORTH CAROLINA Local public health options Agency type County health department Consolidated human services agency District health department Public health authority** Governing board County board of health, or Board of county commissioners* Consolidated HS board, or Board of county commissioners* District board of health Public health authority board *Advisory committee on health, but legal powers & duties exercised by BOCC **Public hospital authority option available only in Cabarrus county 1

2 Types of Local Public Health Agencies and Boards in NC July 1, 2012 County health department with county BOH District health department Consolidated HS agency with CHS board Consolidated HS agency governed by BOCC Public health authority Public hospital authority Types of Local Public Health Agencies and Boards in NC November 20, 2013 County health department with county BOH (61) County health department governed by BOCC (health advisory committee) (1) District health department with district BOH (6 districts delineated by different shades of purple, 21 counties) Consolidated HS agency with CHS board (8) Consolidated HS agency governed by BOCC (health advisory committee) (7) Public health authority with PHA board (1) Public hospital authority with hospital board authorized to act as BOH (1) Key Players Board of county commissioners Local public health governing board Local public health agency Local health director Local agency employees 2

3 Board of Health Role: protect and promote the public health Powers and duties: Appoint local health director Make policy for local public health agency Adopt local public health rules Adjudicate disputes regarding local rules or locally imposed public health administrative penalties (fines) Impose local public health fees Satisfy state accreditation requirements for BOHs 7 Board of Health Variations Consolidated Human Services Board Specific powers & duties in statute: fees, compliance, budget, oversight, public relations and advocacy Acquires most powers & duties of boards of agencies included in consolidated agency Advises and consents to county manager s appointment of CHS director County Commissioners Assume Board Functions Acquires powers & duties of board (conventional BOH or CHS board) Appoints advisory committee on health 8 Local Health Director County or District BOH appoints after consulting with BOCC Minimum education & experience requirements Powers & duties in GS 130A-41 and other laws Public health authority PHA board appoints after consulting with BOCC Minimum education & experience requirements Powers & duties in GS 130A-45.5 and other laws Consolidated HS agency County manager appoints with advice & consent of CHS board No statutory education/experience requirements Powers & duties in GS 153A-77 plus 130A-41 and other laws Must appoint a person with health director qualifications 3

4 Local Health Director Powers & Duties G.S. 130A-41 Administer PH programs Hire/dismiss employees* Enforce PH laws & employ legal remedies Investigate & control communicable diseases & rabies Investigate other diseases Disseminate PH information and promote health Advise local officials on health matters Enter contracts** Elsewhere in GS 130A Rabies vaccination clinic Embargo authority Access to records Etc. Elsewhere in GS Approve jail medical plan Relocation of graves Etc. Other Compliance, budget, etc. 10 Local public health employees Minimum staff rule Local health director, PH nurse, EH specialist, secretary Accreditation standards Medical director, nursing director, EH director, communicable disease director, expertise in epidemiology, data management, other areas Other considerations Who is needed to carry out functions/activities? Medical record specialists, health educators, nutritionists, social workers, administrative and operations support, 11 Local PH employees: state or county personnel policies? SPA applies County health department District health department SPA optional Consolidated human services agency SPA does not apply Public health authority 4

5 County commissioners Establish PH agency County health department or consolidated human services agency BOCC District health department or PHA joint agreement of BOCC & BOH Establish PH board District or PHA: Appointed board matched to agency type County HD or CHSA: Option of appointed board or BOCC serves as board Appropriate funds Maintenance of effort: FY 2010 levels Other duties Approve fees imposed by BOH or CHS board If CHSA, decide if employees under SPA If acting as BOH, assume BOH powers and duties and appoint advisory committee on health 13 HIPAA UPDATE New Rules Effective Sept (AKA Mega or Omnibus Rules) Business Associates Breach Notification Individual Rights Immunization Information 5

6 Business Associates What is a BA? A person or entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity (for a HIPAA covered function or activity) provides services involving PHI (legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial) Business Associates Changes to BA responsibilities Now directly responsible for HIPAA compliance and directly liable for violations Must identify their own BAs (subcontractors) and enter BA agreements with them to assure downstream compliance Must comply with minimum necessary standard Business Associates Changes to BA Agreements Comply with the HIPAA security rule Report breaches to covered entity Ensure subcontractors agree to same restrictions To the extent BA carries out covered entity obligations under the Privacy Rule, comply with the requirements that apply to the covered entity 6

7 BA-Like Relationships in Hybrid Entities What is a hybrid entity? Covered entity with both covered and non-covered functions That designates health care components Business associate-like functions Old rule: allowed to include in component New rule: required to include in component County = Covered Entity Public Health BA-Like Functions EMS Business Associates Review your business relationships to identify BAs or BA-like relationships within your entity Review hybrid entity designation to ensure those acting in BA-like capacity are part of covered component Execute or update BA agreements Breach Notification Must notify individuals of security breaches. Unauthorized access or disclosure is presumed to be a breach unless: A specific exception in the rule applies, or A risk analysis shows a low probability that PHI was compromised, or You re in a safe harbor as defined by the rule. 7

8 Breach? Specific exceptions PHI could not reasonably be retained PHI access is unintentional and by a workforce member or business associate acting in good faith Inadvertent disclosure is made to another person within the CE or BA who is authorized to access PHI Risk analysis factors Nature and extent of PHI, including types of identifiers & likelihood of re-identification Unauthorized person who received disclosure or used PHI Whether PHI was actually acquired and viewed Extent to which any risk to PHI has been mitigated Safe Harbor Don t have to notify if: PHI was encrypted, or PHI was disposed in keeping with HHS guidance on secure disposal Recipients & timing of notice Affected individuals within 60 days US DHHS if > 500 individuals involved, contemporaneous notice; otherwise annual report Media, if > 500 involved within 60 days. Content of notice Description of incident, PHI involved, advice to individuals to minimize harm, actions you ve taken to investigate and mitigate, contact information for more info. Method of notice Written letter (standard); if prior agreement to notification obtained; telephone if urgent (but also send written) 8

9 Breach Notification Review and update breach notification procedures to reflect new risk analysis. Old breach rule applicable until September , after that follow new rule. Individual Rights Notice of Privacy Practices (NPP) Restrictions on disclosures to health plans Access to electronic PHI Notice of Privacy Practices Must be revised to reflect rule changes, including: Covered entity s legal duty to give notice of breaches. Right to request restriction of disclosure to health plans for care paid in full out-of-pocket. Revised Notice must be disseminated: To new clients, in accordance with current policies To existing clients on request Via website, if you have one 9

10 Restrictions on disclosures Care paid out-ofpocket Upon patient request, no disclosures of information to health plans (insurance) unless disclosure to health plan required by law Does not limit disclosures to public health or to health care providers for treatment Access to electronic PHI Individuals have a right of access to their own PHI. If requests PHI in electronic form, must provide it if you already maintain the information electronically and the form requested is readily producible. If not readily producible, must reach agreement with individual on alternative form. Individual Rights Revise Notice of Privacy Practices and disseminate. Develop a policy about requests for restrictions on disclosure for care paid for in full out-of-pocket. Review and if necessary update policies about individual access to PHI to address electronic access 10

11 Immunizations HIPAA changed but state law did not this is causing confusion In NC, health care providers must disclose immunization information to schools on request; neither written authorization nor oral permission is required HIPAA Omnibus To-Do List Review business relationships and update hybrid entity designation and business associate agreements. Update breach notification policies and procedures. Update policies regarding individual access. Update notice of privacy practices and disseminate. Review other policies (training, workforce, etc.) and update if needed. Compliance dates: September 23, 2013 for most matters September 22, 2014 for some existing BA agreements Jill Moore UNC School of Government