Managing Access to Student Health Information per Federal HIPAA Guidelines
Joan M. Kiel, Ph.D., CHPS
Duquesne University, Pittsburgh, Penna.
412-396-4419

The Law
• HIPAA: Health Insurance Portability & Accountability Act
• HITECH: Health Information Technology for Economic & Clinical Health Act
And what were you doing on July 30, 2004?

HIPAA Is Eleven Parts
Six parts are set:
1. Transactions & Code Sets (T & C)
2. Privacy
3. Standard Unique Identifier for Employers
4. Security
5. Standard Unique Health Care Provider Identifier (NPI)
6. Enforcement Rule
HIPAA Information
• HIPAA covers:
• Oral
• Written (and beyond the medical record)
• Electronic
• [Key question: can the individual be identified?]
• You will hear the term PHI (patient health information)

Keep in Mind
• Minimum Necessary [45 CFR 164.502(b)(1)]
• Emergency Situation [45 CFR 164.510(3)]
• Incidental Disclosure [45 CFR 164.502(a)(1)(iii)]
Are You HIPAA or Not? (Yes / No)

Covered Entity Status
• Health Plan: an individual or group plan that provides or pays the cost of medical care
• Healthcare Clearinghouse: a public or private entity that performs billing, repricing, community health management or information systems functions, etc.
• Healthcare Provider: transmits any health information in electronic form in connection with a transaction covered by HIPAA

Sample HIPAA Transactions
• Health care claims or equivalent encounter information
• Health care payment and remittance advice
• Coordination of benefits
• Health care claims status
Who Do You Treat?
• Students (and how are they defined; e.g., a student on a leave of absence (LOA))
• Non-students
• For organizations under FERPA, student records fall under FERPA (a loophole) even when transactions are conducted, but non-student records fall under HIPAA, so you are a covered entity.
• The stricter law generally takes precedence.

You Are HIPAA If…
• You are one or more of the three covered entity types
• You conduct one or more of the eleven transactions
• You treat non-students
College Assessment
• Also look at these areas:
• Student, faculty, and employee training: Nursing, Pharmacy, Allied Health, Music Therapy, Business (I.T.)
• Health Services & related clinics
• Institutional Review Board; research
• Human Resources
• Athletics
• Vendors as business associates

Hybrid Entity
• A single legal entity whose business activities include both covered and non-covered functions (e.g., education plus a healthcare provider or health plan)
Creating a Culture of HIPAA
• Are the policies and procedures set?
• Are they enforced, or do they "sit on the shelf"?

Compliance Officer Role
• Privacy Officer [45 CFR 164.530(a)(1)(i)]
• Security Officer [45 CFR 164.308(a)(2)]
• The federal government mandates that covered entities have both a privacy officer and a security officer
• If the same person holds both roles, the title is generally Compliance Officer
1. HIPAA Committee
• Representatives from records, information technology, student services, and management

2. Policies & Procedures
• For the six HIPAA rules to date, develop policies from the law itself, not from secondary sources
• Do not take them from the Internet

3. Training & Awareness
• Live or online
• Staff-meeting awareness
• Integrate awareness into daily activities

4. Documentation
• Establish a system, on-site or off-site
• Documentation must be retained for six years

5. Risk Assessments & Audits
• Quarterly
• Authentication: most likely passwords
• Data integrity checks
• Act on the findings

6. Complaint Process
• Ombudsman for confidentiality
• Post the process for filing complaints
• Complaints are only to be HIPAA related
• Act on the complaints

7. Sanction Process
• Sanction only for the HIPAA violation
• Internal investigation or OCR
• Civil and criminal penalties per the Enforcement Rule & HITECH
• Follow up on the sanction and charge

8. Web Site
• If the covered entity has a web site, the Notice of Health Information Privacy Practices must be prominently displayed on it
• Keep the web site updated

9. Formage
• Develop forms from the laws
• Forms from other covered entities may or may not be usable (e.g., addressable Security Rule policies)
• Educate staff on the formage

10. Business Associate Agreements
• Assess everyone external to the workforce who has access to the covered entity's PHI
• Both the Privacy Rule and the Security Rule mandate BAAs

11. Research
• Play an integral role with the covered entity's Institutional Review Board
• Ensure minimum necessary standards for data used in research
Determination of HIPAA Research Status
• Does the research involve the collection, use, or dissemination of PHI?
• Is the PHI from a healthcare provider, clearinghouse, or health plan?
• Does the healthcare provider, clearinghouse, or health plan perform one of the eleven covered electronic transactions?
• If yes to all of these, then HIPAA applies

Privacy Rule
• Notice & notice verification
• Internet notice
• Amend records
• Authorization
• Accounting
• Information destruction
• Business Associate Agreements

The Notice
• Tells the rights of the organization and the rights of the patient
• The document that is considered the guideline

Security Rule
• Technical security
• Administrative security
• Physical security
• Disaster manual
• Access controls
• Log-in audit warning
• Termination of access
Faculty & Staff Access
• Have access to the minimum necessary information to accomplish the intended purpose of the request, given their role
• Must have an established need to know prior to requesting the information
• Example: how long the student was absent, but not the condition, as the condition would not change the situation

Advising Faculty, Staff, & Students
• Is the condition directly academically related, such as ADHD?
• Even so, always request only what is minimum necessary
• Have the student submit and discuss only what is minimum necessary
• Examples of what is not needed: operating room reports, procedure notes, consultation reports, prescriptions
• Confirm whom the student has allowed you to talk to
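The minimum-necessary rule from the two slides above (an instructor learns how long a student was absent, not why) maps naturally onto a role-based field filter backed by an accounting-of-disclosures log. This is an added illustration, not code from the presentation; the roles, field names, sample record and the release policy are assumptions chosen to match the deck's examples.

```python
"""Minimum-necessary disclosure filter with an accounting-of-disclosures log.
Added example; roles, fields and the sample record are constructed."""
from dataclasses import dataclass, field
from datetime import date

# Constructed sample record: holds far more than any one requester needs.
RECORD = {
    "student_id": "S-PLACEHOLDER",   # constructed placeholder, not a real id
    "absent_from": date(2024, 3, 4),
    "absent_until": date(2024, 3, 11),
    "condition": "constructed diagnosis",
    "prescriptions": ["constructed prescription"],
    "consult_notes": "constructed consultation note",
}

# Assumed policy: which fields each role may see. An instructor gets the
# absence dates only; a disability advisor may additionally see the condition
# when it is academically related; clinicians see the full record.
ROLE_FIELDS = {
    "instructor": {"absent_from", "absent_until"},
    "disability_advisor": {"absent_from", "absent_until", "condition"},
    "clinician": set(RECORD),
}

@dataclass
class DisclosureLog:
    """Accounting of disclosures: who received which fields, and why."""
    entries: list = field(default_factory=list)

def disclose(record, role, purpose, log):
    """Return only the fields the role may see; refuse if no established need
    to know (purpose) is stated or the role is unknown; record every release."""
    if not purpose:
        raise PermissionError("an established need to know must precede the request")
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        raise PermissionError(f"role {role!r} is not authorised for this record")
    view = {k: v for k, v in record.items() if k in allowed}
    # Derive the answer the requester actually needs (length of absence)
    # rather than exposing more of the underlying record.
    if {"absent_from", "absent_until"} <= view.keys():
        view["days_absent"] = (view["absent_until"] - view["absent_from"]).days
    log.entries.append({"role": role, "purpose": purpose, "fields": sorted(view)})
    return view
```

Refused requests are not logged here; an audit that needs them would record denials in the same log with an outcome flag.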
Summary
• Follow the law
• Keep it simple
• Thank you