1 / 14

HIPAA and Academic Medical Centers, Colleges and Universities

HIPAA and Academic Medical Centers, Colleges and Universities. Presented By: Michael L. Blau, Esq. Tina S. Sheldon McDermott, Will & Emery Assistant Compliance Officer, 28 State Street Risk Management and Audit Services Boston, MA 02109 Harvard University 617-535-4010 617-496-7175

ora-thomas
Download Presentation

HIPAA and Academic Medical Centers, Colleges and Universities

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. HIPAA and Academic Medical Centers, Colleges and Universities Presented By: Michael L. Blau, Esq. Tina S. Sheldon McDermott, Will & Emery Assistant Compliance Officer, 28 State Street Risk Management and Audit Services Boston, MA 02109 Harvard University 617-535-4010 617-496-7175 mblau@mwe.com tina_sheldon@harvard.edu

  2. Introduction • HIPAA Challenges for AMCs, Colleges and Universities • Addressing HIPAA at Harvard • Impact of HIPAA on Research

  3. Compliance Strategies • Why identify covered entities, hybrid entities and covered components? • Entities/components subject to HIPAA compliance requirements • Workforce of entities/components subject to HIPAA compliance training • Status of University and AMC • University is a “hybrid entity” • Primary purpose is education

  4. Compliance Strategies • AMC organized as a separate legal entity is a covered entity • If AMC is not organized as a separate legal entity, AMC is a covered component (at least in part) of a hybrid entity • NPRM - eliminates primary purpose test • AMC may be a hybrid entity with covered (and noncovered) components

  5. Compliance Strategies • Potential hybrid entities and covered components • Medical school/dental school • Clinic services • Clinical education • Research related treatment • Faculty practice plans • School of Public Health • School/Department of Social Work • School/Department of Psychology

  6. Compliance Strategies • School/Department of Nursing • Student Health Centers/Infirmaries • Employee Clinics • Department of Athletics • On-site day care • Student counseling services • Human Resource Department • Employer sponsored health and dental plans • Self-insured health and dental plans • Flexible spending accounts

  7. Compliance Strategies • Medical co-payment reimbursement programs • NPRM - providers who do not engage in standardized transactions need not be included in covered component • Offices/workforce that provide “business associate” functions for hybrid entity or covered component • legal staff • IS staff

  8. Compliance Strategies • Accounting staff • Risk management/compliance • Patient advocate programs • Volunteers • Deans? • Senior management? • Governing board?

  9. Compliance Strategies • FERPA (Family Education and Privacy Act) exception for student health/education records • Status of prospective students, summer students, recent graduates, visiting parents, other visitors

  10. Compliance Strategies • Single vs. multiple privacy officers/ compliance offices • Reporting line/access to governing board • Designation and documentation requirement • Designation by vote of governing board • Who has authority to designate for public University/AMC?

  11. Compliance Strategies • Facilitating flow of PHI within University • Affiliated Covered Entities (ACEs) -- common ownership (5% or more) or control • Organized Health Care Arrangements (OHCAs) -- clinically integrated care setting or held out to public as joint arrangement for UR, QA or financial risk sharing purposes • ACEs and OHCAs can use joint Consents and Notices • Can share PHI for TPO purposes of disclosing entity

  12. Compliance Strategies • ACEs need unified administration of patient rights • NPRM - would eliminate Consent requirement/would require acknowledgement of receipt of Notice • The Problem of Faculty Practice Plans • May not be ACE • May not be an OHCA for office-based services • Medical staff and AMC are an OHCA for hospital-based services • May need separate Consents and Notices

  13. Compliance Strategies • The Problem of Voluntary and Part-time Faculty • The Problem of Physicians-In-Training, including rotations from outside institutions • Covered workforce? • Business associates? • OHCA? • Implications for training and compliance responsibility • Business Associate Contracts

  14. Addressing HIPAA at Harvard

More Related