Managing Access to Student Health Information per Federal HIPAA Guidelines

Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna 412-396-4419


Transcript of Managing Access to Student Health Information per Federal HIPAA Guidelines

Managing Access to Student Health Information per Federal HIPAA Guidelines

Joan M. Kiel, Ph.D., CHPS, Duquesne University, Pittsburgh, Penna, 412-396-4419

The Law

• HIPAA: Health Insurance Portability & Accountability Act

• HITECH: Health Information Technology for Economic & Clinical Health Act

HIPAA is Eleven Parts

• And what were you doing on July 30, 2004?

Six Parts Are Set

1. T & C (Transactions & Code Sets)
2. Privacy
3. Standard Unique Identifier for Employers
4. Security
5. Standard Unique HC Provider Identifier (NPI)
6. Enforcement Rule

HIPAA Information

• HIPAA covers:

• Oral

• Written (and beyond the medical record)

• Electronic

• [key: can the individual be identified]

• You will hear the term PHI - patient health information

Keep in Mind

• Minimum Necessary [45CFR164.502(b)(1)]

• Emergency Situation [45CFR164.510(3)]

• Incidental Disclosure [45CFR164.502(a)(1)(iii)]

Are You HIPAA or Not?

• YES

• NO

Covered Entity Status

• Health Plan: individual or group plan that provides or pays the cost of medical care

• Healthcare Clearinghouse: public or private entity that performs billing, repricing, community health management or information systems, and similar functions

Covered Entity Status

• Healthcare Provider: transmits any health information in electronic form in connection with a transaction covered by HIPAA

Sample HIPAA Transactions

• Health care claims or equivalent encounter information

• Health care payment and remittance advice

• Coordination of benefits

• Health care claims status

Who Do You Treat

• Students (and how are they defined; i.e., LOA)

• Non-Students

• For organizations under FERPA, student records are under FERPA (a loophole) even with transactions, but non-student records are under HIPAA, so you are a covered entity.

• But the stricter law generally takes precedence

You Are HIPAA If…

• You are one or more of the three covered entities

• You conduct one or more of the eleven transactions

• You treat non-students

College Assessment

• Also look at these areas:

• Student, Faculty, and Employee Training: Nursing, Pharmacy, Allied Health, Music Therapy, Business (I.T.)

College Assessment

• Health Services & Related Clinics

• Institutional Review Board; research

• Human Resources

• Athletics

• Vendors as business associates

Hybrid Entity

• A single legal entity whose business activities include both covered and non-covered functions (i.e., education & healthcare provider or health plan)

Creating a Culture of HIPAA

• Are the policies and procedures set?

• Are they enforced, or do they "sit on the shelf"?

Compliance Officer Role

• Privacy Officer [45CFR164.530(a)(1)(i)]

• Security Officer [45CFR164.308(a)(2)]

• The Federal Government mandates that covered entities have both a privacy officer and a security officer

• If the same person holds both roles, the title is generally Compliance Officer

1. HIPAA Committee

• Representatives from records, information technology, student services and management.

2. Policies & Procedures

• For the six HIPAA Rules to date, develop policies from the law, not secondary sources

• Do not take from the Internet

3. Training & Awareness

• Live or on-line

• Staff meeting awareness

• Integrate awareness into daily activities

4. Documentation

• Establish a system, on-site or off-site.

• Documentation must be retained for six years

5. Risk Assessments & Audits

• Quarterly

• Authentication: most likely passwords

• Data integrity checks

• Act on the findings

6. Complaint Process

• Ombudsman for confidentiality

• Post the process to file complaints

• Complaints are only to be HIPAA related

• Act on the complaints

7. Sanction Process

• Sanction only for the HIPAA violation

• Internal investigation or OCR

• Civil and criminal penalties per Enforcement Rule & HITECH

• Follow-up on the sanction and charge

8. Web Site

• If the covered entity has a web site, the Notice of Health Information Privacy Practices must be prominently displayed on the web site.

• Keep the web site updated

9. Forms

• Develop forms from the laws.

• May or may not be able to use forms from other covered entities (i.e., addressable Security Rule policies)

• Educate staff on the forms

10. Business Associate Agreements

• Assess all those external to the workforce who have access to the covered entity’s PHI

• Both the Privacy Rule and the Security Rule mandate BAAs

11. Research

• Play an integral role with the covered entity’s Institutional Review Board

• Ensure minimum necessary standards for data used in research

Determination of HIPAA Research Status

• Does the research involve the collection, use, or dissemination of PHI?

• Is the PHI from a healthcare provider, clearinghouse, or healthcare plan?

• Does the healthcare provider, clearinghouse, or healthcare plan perform one of the eleven covered electronic transactions?

• If yes to these, then HIPAA

Privacy Rule

• Notice & Notice Verification

• Internet Notice

• Amend Records

• Authorization

• Accounting

• Information Destruction

• Business Associate Agreements

The Notice

• Describes the rights of the organization and the rights of the patient

• The document that is considered the guideline.

Security Rule

• Technical Security

• Administrative Security

• Physical Security

• Disaster Manual

• Access Controls

• Log-in Audit Warning

• Termination of Access

Faculty & Staff Access

• Have access only to the minimum necessary information to accomplish the intended purpose of the request, given their role

• Must have an established need to know before requesting the information

• Example: how long the student was absent, but not the condition, as it would not change the situation

Advising Faculty, Staff, & Students

• Is the condition directly academically related, such as ADHD?

• But always request only what is minimum necessary

• Have the student submit and discuss only what is minimum necessary

• Example: operating room reports, procedure notes, consultation reports, prescriptions

• Confirm whom the student has allowed you to talk to
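As an added example (not part of the presentation) of how a records system could enforce the minimum-necessary and need-to-know rules from the two slides above: faculty checking attendance receive the length of an absence but not the condition, an advisor handling an academically related accommodation may see the condition, clinical documents such as operating room reports and prescriptions are never released to either, and every disclosure is written to an accounting log. The role names, purpose names, field names and the sample record are assumptions, not anything the presentation specifies.

```python
from dataclasses import dataclass, field

# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "student_id": "S-0001",
    "absence_start": "2024-03-01",
    "absence_days": 5,
    "condition": "ADHD",
    "academically_related": True,
    "consultation_reports": ["(constructed clinical text)"],
    "prescriptions": ["(constructed prescription)"],
}

# Clinical documents that exceed minimum necessary for faculty or advising.
CLINICAL_DOCUMENTS = {"or_reports", "procedure_notes",
                      "consultation_reports", "prescriptions"}

# Minimum-necessary field set per (role, purpose). Assumed names; the real
# policy would come from the covered entity's written procedures.
POLICY = {
    ("faculty", "attendance"): {"student_id", "absence_start", "absence_days"},
    ("advisor", "accommodation"): {"student_id", "absence_days", "condition"},
}

class AccessDenied(Exception):
    """Raised when the request does not meet the access policy."""

@dataclass
class Disclosure:
    fields: dict
    audit: list = field(default_factory=list)  # accounting of disclosures

def minimum_necessary(record, role, purpose, need_to_know_documented):
    """Return only the fields the requester's role and purpose justify."""
    if not need_to_know_documented:
        raise AccessDenied("need to know must be established before the request")
    allowed = POLICY.get((role, purpose))
    if allowed is None:
        raise AccessDenied(f"no minimum-necessary policy for {role}/{purpose}")
    allowed = allowed - CLINICAL_DOCUMENTS  # never part of these disclosures
    out = {}
    for name in sorted(allowed):
        # The condition is released only when it is directly academically related.
        if name == "condition" and not record.get("academically_related"):
            continue
        if name in record:
            out[name] = record[name]
    audit = [f"disclosed {sorted(out)} to {role} for {purpose}"]
    return Disclosure(out, audit)
```

A request that arrives without a documented need to know, or from a role/purpose pair with no written policy, is refused outright rather than partially served.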

Summary

• Follow the Law

• Keep it simple

• Thank you