Business Associate Training provided for Division Business Associates of the J. Iverson Riddle Developmental Center
Why More Training? • All Division staff have already received training in the Health Insurance Portability and Accountability Act (HIPAA) • This training specifically addresses how Central Office workgroups must work with the Division’s facilities in order to appropriately safeguard the Protected Health Information (PHI) gathered by the facilities and shared with you and others in your workgroup
Who does HIPAA apply to? • For purposes of HIPAA, DHHS has declared itself to be a “hybrid entity” – a combination of “covered” and “non-covered” health care components • Agencies selecting the “hybrid entity” designation must declare which of their components are “covered components”, and which are “non-covered components” • HIPAA only applies to covered components
Who is and who isn’t . . . • DHHS, as the hybrid entity, must specify exactly which of their components is a HIPAA “covered healthcare component” • The Psychiatric Hospitals, Mental Retardation Centers, Substance Abuse Programs, Schools, and the NC Special Care Center are health care “providers”, and so MUST be on that list • Any other part of DMH which performs a function for a health care provider which would make that office a BA of the provider if they were separate entities MAY be included on the official DHHS list • No other components may be included.
Official List of Covered Components • DHHS’s official list of HIPAA covered healthcare components is maintained in the DHHS Privacy and Security Office (PSO) • HIPAA requires that DHHS publish this list and be able to produce this list when asked • If DHHS changes this list, DHHS must be able to produce older versions of this list for up to 6 years after the list is no longer in effect
Who do the HIPAA Criminal Penalties under section 1320d-6 apply to? • Just covered components (and perhaps Directors and Officers); not staff in non-covered components (June 1, 2005 US Dept. of Justice Legal Opinion) • If staff from DHHS’s covered components (like JIRDC) seem to be overly concerned about protecting PHI, please be patient with them. Keep in mind that they are just trying their best to do what the HIPAA law requires them to do
Facilities have three kinds of BAs • Division Business Associates: From within the Division, such as the HEARTS workgroup • Department Business Associates: From within the Department, such as the Division of Facility Services • External Business Associates: Private companies, such as MC/Plus Pharmacy Support
“Internal” Business Associates • Division Business Associates and Department Business Associates are considered “Internal” Business Associates by DHHS • A signed agreement is allowed, but not required, between covered components and internal business associates; however, the covered component MUST receive “satisfactory assurances” that the BA is “appropriately safeguarding the information”
Facilities Must Share Their PHI • The Federal government recognized that sometimes covered components need to share protected information with others • HIPAA says that when a non-covered component (like the HEARTS workgroup) performs a function (such as software support) on behalf of a covered component (such as JIRDC) which involves the use or disclosure of protected health information – that workgroup is a Business Associate of JIRDC.
Who is a Business Associate? • You must perform a service for a facility or do work on behalf of a facility which requires that the facility disclose PHI to you • You can’t self-declare yourself to be a Business Associate – you must be identified as a BA of a Covered Component by one or more HIPAA covered entities • If you are identified as a BA of a facility, you are then considered to be a “workforce member” of that facility for purposes of HIPAA compliance
Identified Division BAs • Staff of the following workgroups are probably Division Business Associates of all of the facilities, since they do work for them, or on their behalf, which requires sharing PHI: a) HEARTS Workgroup b) Division Director’s Office c) DMH Budget Office d) DMH Medical Services Office e) State-Operated Services Office f) Advocacy and Customer Services
More About Division BAs • Some other DMH/DD/SAS workgroups may be identified by one or more Facilities as being Division Business Associates of that particular Facility • Remember - Facilities can only declare as Business Associates those workgroups who do work for the Facility, or on the Facility’s behalf, which requires that the Facility disclose PHI to the workgroup
This Training Presents . . . • The Six things HIPAA covered components must do to protect privacy and security when they have Division Business Associates • The Ten things staff who are Division Business Associates of a Facility must do to protect the Facilities’ PHI • The Three main things that the Facilities need for you to remember so you can help them protect their information
Covered Components must . . • Identify their Business Associates, and submit this information annually to DHHS (DHHS Business Associates Policy, Page 6) • Recognize that Division Business Associates are considered to be members of the covered component’s workforce (DHHS Guidance for Identifying Business Associates, Page 5) • Provide training, as necessary, for Division Business Associate workforce members (DHHS Workforce Policy, Page 1)
Covered Components must also • Maintain documentation verifying that each member of the BA workforce has been trained in and will comply with HIPAA-compliant policies and procedures (DHHS Guidance for Identifying Business Associates, Page 5) • Establish a process for evaluating each BA workforce member regarding their need for access to a Facility’s PHI, and for ensuring that “minimum necessary” access is used (DHHS Privacy Safeguards Policy, page 13)
Facilities must also • Covered components must monitor the Division Business Associate’s performance, and report directly to the DHHS Privacy Officer if it determines that a practice of the Business Associate constitutes a material breach of the Division Business Associate’s obligation to protect the PHI in its possession (DHHS Business Associates Policy, Page 5)
Division Business Associates must • Use or disclose PHI received from Facilities ONLY for the purposes for which the PHI was received • If a Division BA needs to use or disclose PHI for any other purpose, it may do so only if either: a) It obtains authorization from each individual b) The use or disclosure is of the type that does not require an authorization (See DHHS Use and Disclosure Policy, Authorizations) c) The information is de-identified (See DHHS Use and Disclosure policy, De-identification of Health Information)
Business Associates must also • Use appropriate physical, technical, administrative and procedural safeguards to prevent use or disclosure of a Facility’s PHI other than as required for its functions as a Business Associate • Mitigate, to the extent practicable, any harmful effects known to the Division Business Associate of a use or disclosure which was in violation of HIPAA regulations
Business Associates must also • Report to the Facility any use or disclosure of a Facility’s PHI in violation of HIPAA of which it becomes aware • Agree to ensure that any agent to whom it provides PHI, including a subcontractor or another DMH workgroup, agrees to be bound by the same restrictions and conditions as the Business Associate with regard to protecting Facility PHI
Business Associates must also • Agree to make their internal records and procedures regarding the use, disclosure and protection of PHI available to the Secretary of Health and Human Services, or his designee • Allow each Facility’s HIPAA Coordinator to monitor the Business Associate’s adherence to the BA requirements • Follow the Privacy and Security policies and procedures of DHHS, DMH/DD/SAS, and each facility for whom they are a Business Associate
Business Associates must also • Document such disclosures of PHI as would be required for the Facility to respond to a request by a client for an accounting of disclosures, and provide this information to the Facility when asked for it (When a consumer asks a Facility for an “accounting of disclosures”, the Facility must provide the consumer with a list of disclosures made by the Facility and all of its business associates)
It is not a matter of trust . . • “Trust your mother, but cut the cards” (Old Chinese proverb) • It is not a matter of a covered component not trusting others in the Division. Instead, we must recognize that the Federal Government made a law which requires that we implement these procedures • Thank you for working with the Facilities to help protect the privacy of the people we serve
The Big Three . . • Understand who you can share PHI with and who you cannot (Do not provide PHI to any workgroup or person unless they are a covered entity, or unless your workgroup has a Business Associate relationship with them sufficient to protect the privacy of the information shared) • Report to each Facility HIPAA Coordinator any uses or disclosures which must be reported to a consumer if they ask • Report to each Facility any known privacy violations involving the Facility’s PHI
What is the Next Step? • The first step was determining who in the Division’s Central Office is a Business Associate of whom • The second step was providing this training to Central Office staff who have been identified as being a BA of one or more of our Facilities • The next step is providing the Facilities with the documentation they need
Documentation is Required • The Facilities are required to document the HIPAA training of all members of their workforce, including Business Associates • For each Facility which has identified you as a BA, please send email now to inform them that you have taken this training, and do not have any questions about your responsibilities as a Business Associate • If you have a question, now is the time to ask
Email the Facilities Now! • Click on each Facility for whom you serve as a Division Business Associate, then click “Send”, or click Here for all
Balancing the Information Needs of the Division with Consumer Privacy Protection. The Work is Worth It!