Metro County Perspective HIPAA & Recent Developments

Transcription

1 Metro County Perspective HIPAA & Recent Developments October 2, 2014 Presented by: Kristi Lahti Johnson Data Governance Officer Hennepin County Kristi.Lahti Ben Rosene Assistant County Attorney Ramsey County Susan Jennen Larson Attorney, CIPP 3StateData Technology Law Firm 1

2 Overview Part 1 Why does it matter and what are the risks? Part 2 Core Background Part 3 Ramsey County s Designation Part 4 DHS Designation Part 5 Data Sharing Issues and Concerns Part 6 Conclusion 2

3 Part 1 Why does it matter and what are the risks? HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (1996) Implementation Privacy Rule and Security Rule 2009 HITECH Act Breach Notification Rule and Enforcement Rule 2013 Final Omnibus Rule Applied the rules to Business Associates 3

4 Part 1 Why does it matter and what are the risks? 2013 FINAL OMNIBUS RULE This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented, said HHS Office for Civil Rights Director Leon Rodriguez. These changes not only greatly enhance a patient s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates. Pasted from < 4

5 Part 1 Why does it matter and what are the risks? HIPAA REQUIREMENTS HIPAA Administrative Requirements are Significant and Costly Privacy Requirements Policies and Procedures Training Mitigation Data Safeguards Complaints Document and Record Retention Security Requirements Policies and Procedures Training Ongoing Risk Analysis and Evaluation Role Based Security Technical Safeguards Physical Safeguards Business Associate Agreements Breach Notification 5

6 Part 1 Why does it matter and what are County Designations the risks? Non Compliance and breaches can be costly! Graph 1: Total privacy fines, penalties and settlements worldwide, Just six weeks into 2014, the world total in privacy damages has already reached half the level of last year's record $74 million. Pasted from < 6

7 Part 1 Why does it matter and what are County Designations the risks? Costs to County and State Governments Skagit County, Washington: $215,000 for non compliance (March 2014) Alaska Department of Health and Human Services: $1.7 M for data security violation (June 2012) Increased Enforcement Accretive Health, Inc. (a BA to several Minnesota hospitals) sued by the MN Attorney General for Loss of Patient Data (2012) $2.5 Million Fine Banned from business operations in MN for 6 years OCR is launching 300 new HIPAA audits in the upcoming year MN DHS conducting mock HIPAA audits 7

8 Part 1 Why does it matter and what are the risks? Resource Needs are Ongoing Employee time and effort to manage HIPAA requirements Often a need for legal services or consultants Analyzing relationships with DHS, contractors, and subcontractors (e.g., Business Associate relationship, concept of agent) Pasted from < /> Local Dollars We do not get state or federal reimbursement for HIPAA compliance Money spent on HIPAA compliance is money that is not being spent on clients and the community 8

9 Part 1 Why does it matter and what are County Designations the risks? SECURITY REQUIREMENTS ONGOING RISK ANALYSIS AND EVALUTION 45 C.F.R Requires covered entities to conduct a risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information. October 2008 HSPHD announced an RFP for a HIPAA Risk Analysis 9

10 Part 1 Why does it matter and what are County Designations the risks? HENNEPIN COUNTY HUMAN SERVICES AND PUBLIC HEALTH DEPARTMENT OVERDESIGNATED Hennepin County Hybrid Entity Designation HIPAA covered: HSPHD Clinical Health Programs and Direct Service Areas Why? We didn t know any be er! Medical Data HIPAA Covered Data To facilitate sharing of data It just seemed easier 10

11 Part 2 HIPAA Background Part 2 Overview 1. Scope of HIPAA 2. Hybrid Entities Under HIPAA 3. Section Permitted Disclosures (42 C.F.R ). 11

12 HIPAA is often misunderstood HIPAA does not apply to all health records; it only applies to Covered Entities and Business Associates Health care provider: Part 2 HIPAA Background 1) Institutional provider under Medicare; 2) Medical or health services provider under Medicare; Health or care clearinghouse: 3) Person an entity or organization that processes who furnishes, or facilitates bills, the or processing is paid for health of health care information normal course received from of business. 45 C.F.R Business Associate: 1) creates, receives, maintains, or transmits PHI on behalf of a covered entity for a function or activity regulated by HIPAA; or 2) provides legal, actuarial, accounting, consulting, management, administrative, or financial services for a covered entity that involves the disclosure of PHI. 45 C.F.R Does YOUR county perform these functions? Where? another entity and transfers the data from nonstandard to standard or standard to nonstandard. 45 C.F.R Health Plan: an individual or group plan that provides, or pays the cost of, medical care, or any of the specifically listed examples of health plans, such as Medicaid. 45 C.F.R

13 Part 2 HIPAA Background A Hybrid Entity is a Covered Entity that formally declares and limits its Health Care Component (HCC). Without a declaration a Covered Entity is fully HIPAA covered. SAMPLE HYBRID ENTITY DESIGNATION (embellish as desired) WHEREAS Green County is a HIPAA covered entity; WHEREAS Green County has operational units that are not HIPAA covered functions; WHEREAS Green County desires to be a HIPAA hybrid entity; Now, Therefore, Be It RESOLVED, That the Green County Board of Commissioners designates the following operational units as included in its Health Care Component: Public Clinic IT Subunit for HIPAA Support (BA) Children s Crisis Response Financial Subunit for HIPAA Support (BA) Correctional Health Services Unit Admin Subunit for HIPAA Support (BA) Conduct same analysis for EACH county JPA/consortium. 13

14 HIPAA Permits Disclosure Without Client Authorization Most are for Government Purposes. Privacy Rule Does Not Preempt These. Standards at 45 C.F.R Uses & Disclosures w/o Authorization (a) When required by law (g) Decedents New NICS Disclosure Standard Also Pending Under (k) Below (b) Public health activities (c) Victims of abuse, neglect, or domestic violence (d) Health oversight activities (h) Cadaveric organ, eye or tissue donation (i) Research purposes (j) Serious threat to health or safety (e) Judicial and administrative proceedings (f) Law enforcement (k) Specialized government functions (k)(1) Military and veterans... (k)(5) Custodial situations (k)(6) Public benefits Read Metro County White Paper on county use of these. 14

15 Getting our HIPAA house in order The impetus: Part 3 Ramsey County Story The HIPAA Omnibus Final Rule effective 9/23/ years had passed since our house was last put in order the time had come to do it again The current view, with the advantage of time and experience, is that counties may have over designated their initial HIPAA hybrid designations in The growing effort to coordinate the metro counties and DHS concerning the application of HIPAA to their business and technology relationships 15

16 Part 3 Ramsey County Story 16

17 Part 3 Ramsey County Story Our Goals: Getting in compliance with the new rules Reviewing our HIPAA footprint to see if it makes sense in the current regulatory environment Does the shoe fit, or is it too big? Re designating our HIPAA hybrid components Return to the County Board with a new resolution declaring a smaller (and more clearly defined) hybrid entity? Joining the Metro County Attorney initiative with DHS Let s all get on the same page (of the same book) 17

18 Part 3 Ramsey County Story Red Dotting the Org Charts An Approach to Managing the HIPAA Footprint 18

19 Part 3 Ramsey County Story Red Dotting the Org Charts An Approach to Managing the HIPAA Footprint 19

20 Part 3 Ramsey County Story Snapshot from the Master Table of Programs Red Dot Flag Programs Subject to HIPAA Each row exports to individual HIPAA Fact Sheet 20

21 Sample HIPAA Fact Sheet from data sheet 21

22 Part 4 Minnesota Landscape Part 4 Overview 1. DHS HIPAA Status 2. Comments on Recent DHS Analysis 3. MDH HIPAA Status 4. Vision of HIPAA as One Layer of Data Protection 22

23 Part 4 Minnesota Landscape Covered Entity Under HIPAA ( fully covered entity ) DHS Status for Past 10 Years HIPAA Umbrella All Health Care Info Held is Covered by HIPAA 23

24 Part 4 Minnesota Landscape Covered Entity Under HIPAA ( fully covered entity ) DHS Current Evaluation Option: Hybrid Entity HIPAA Umbrella Covered Components All Health Care Info Covered Health Care Info Not Covered 24

25 Part 4 Minnesota Landscape Metro County Response to DHS Path seems obvious; DHS should declare hybrid entity status Set good policy direction for welfare system Eliminate an unnecessary layer of data protection requirements Consider interests of county (Minn. Stat. 256B.04) Reduce HIPAA liability and administrative requirements Reduce business associate relationships and agreements Significantly reduce scope of HIPAA Risk Analysis Data remains properly protected Will not impair ability to appropriately share data Other legal authority exists for sharing/disclosing data 25

26 Part 4 Minnesota Landscape Metro County Response to DHS We Are Hearing from DHS: They recognize reduced HIPAA liability and administration and better alignment with counties; BUT concerned about: Greater organizational and administrative burdens Inability to share/disclose data internally Tracking HIPAA data and functions; and firewalls Difficulty understanding when HIPAA applies Duplicate policies and forms How to track authority for data disclosure/sharing Additional accounting disclosures Comingling covered and non covered data System Modernization may result in further co mingling 26

27 Part 4 Minnesota Landscape Metro County Response to DHS Metro County View: HIPAA should not be used as vehicle for sharing that is not authorized by MGDPA and other laws, even for TPO HIPAA Workforce rules allow: 1 person to wear two hats (covered and non) Store and secure data appropriately ( red dot ) Don t comingle any data without retaining classification System Modernization is opportunity to properly classify all data Let systems identify data source and classify data elements upon data entry; and track through movement (metadata) Program color schemes and mouse over bubbles to inform users 27

28 Part 4 Minnesota Landscape Minnesota Department of Health Not a HIPAA Covered Entity (no covered functions)* MDH web site references two applicable Section 512 Standards in the context of communicable disease reporting: (a) Uses and disclosures required by law; and (b) Uses and disclosures for public health activities; * Per phone confirmation with legal counsel December

29 Part 5 Data Sharing Issues and Concerns FEEDBACK FROM DHS PRIVACY AREA AND SENIOR MANAGEMENT TEAM Why stay as a fully covered entity? It just seems easier The data is already comingled (e.g., health care data being entered into SSIS) and system modernization would be more complicated. It would be an administrative burden to manage different policies and practices across the organization DHS HIPAA Hybrid Entity = DHS thinking in silos Becoming a hybrid entity creates barriers and additional requirements for sharing data with DHS. If most counties are hybrid entities, DHS may share internally, but the barriers and additional requirements will be between DHS and the counties. 29

30 Part 5 Data Sharing Issues and Concerns DATA SOURCE AND CLASSIFICATION HIPAA is not the only federally/state regulated data in DHS systems Welfare data Chemical Health data IRS data FBI data BCA data DMV data HIPAA is the focus of the discussions How would the discussion unfold if the decision by DHS was to apply the IRS data standards to all DHS data? 30

31 Part 5 Data Sharing Issues and Concerns WHAT S ALREADY IN PLACE FOR SHARING HIPAA DATA Permitted Disclosures 45 C.F.R Collectively, these standards are important bedrock of the HIPAA regulatory scheme, to ensure that HIPAA is not an obstacle to the disclosure of PHI when disclosure is appropriate under law or serves an authorized governmental function. Authorization to Release 31

32 Part 5 Data Sharing Issues and Concerns INTEGRATED SERVICE DELIVERY SYSTEM WHERE ARE THE GLITCHES? DHS Analysis Most of the relationships between counties and DHS are in the non health care area. Should be able to share that data under Chapter 13 Most DHS Data is Welfare Data; Welfare Data Restrictions May Prevail Over HIPAA If Chapter 13 is more stringent than HIPAA, we are required to follow Chapter 13 Interpretation of sharing of welfare data There are inconsistencies between programs in DHS MN Stat Whose responsibility is it to determine that necessary for the administration and management of programs? 32

33 Part 5 Data Sharing Issues and Concerns INTEGRATED SERVICE DELIVERY SYSTEM WHERE ARE THE GLITCHES? Language in the MNSure Application Allows for the sharing of health care data. Could language be added to allow sharing of welfare data with health care for the purposes of coordinated health and welfare services? 33

34 Part 5 Data Sharing Issues and Concerns MNSure Language in the MNSure Application By accepting or receiving Medical Assistance (MA), I give my consent to the following agencies or individuals to share between them medical information [and welfare] about information me only about for the me limited only for purposes the limited indicated: purposes indicated: Health providers including health plans, insurance agencies, Medical Assistance (MA), county advocates, school districts, my county or state case workers, and their contractors and subcontractors To determine who should pay for my health care, and To provide, manage and coordinate health care [and services. welfare] services. All other agencies or persons as listed on this Notice of Privacy Practices: For program administration, payment for services, research and investigations.

35 Part 5 Data Sharing Issues and Concerns INTEGRATED SERVICE DELIVERY SYSTEM WHERE ARE THE GLITCHES? Language in the MNSure Application Allows for the sharing of health care data. Could language be added to allow sharing of welfare data with health care for the purposes of coordinated health and welfare services? Concept of agent Viewing counties as agents of DHS results in a business associate relationship Other components of an integrated service delivery system Corrections Schools 35

36 Part 6 Conclusion Moving Forward DHS is asking for consensus Metro county effort started last year We recognize statewide implications We strive for a mutual understanding Do you have additional considerations? How can we move forward together? System modernization is the opportunity for counties and DHS to properly classify our data 36