How DHHS Privacy Policies Affect You
Prepared by: NC DHHS HIPAA Office
April 2003
PRIVACY TRAINING

Slide 2: Training Goals

– To increase your knowledge and understanding of privacy and individually identifiable health information (IIHI), where IIHI could be found in this agency, what threats may exist to privacy in this agency, and why information you access must be kept private.
– To promote awareness of your role in helping this agency follow Privacy Procedures implemented according to DHHS Privacy Policies.
– To provide information about to whom you can go with questions about privacy.
– To inform you about your reporting responsibilities when privacy violations occur.
– To alert you to the possible penalties for violation of agency Privacy Procedures and DHHS Privacy Policies for both you and this agency.
– To understand that privacy also protects you.

Slide 3: BACKGROUND

Slide 4: HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) of 1996, Public Law 104-191, is a federal law that provides:
– Health Insurance Portability - Guarantees health insurance when employees change jobs.
– Accountability - Protects health data integrity, confidentiality, and availability.
  • Reduces fraud and abuse.
  • Gives patients more control over their health information.
– Administrative Simplification - Reduces paperwork and associated administrative costs.
– Data Standardization - Establishes standards for transmission of electronic transactions (EDI, Code Sets, and Identifiers).
– Privacy and Security - Requires reasonable measures to protect individuals’ health information.

Slide 5: HIPAA

HIPAA is comprised of five titles (sections). This training addresses one of the components of Title II - Administrative Simplification.
– Title I: Health Insurance Portability
– Title II: Administrative Simplification
– Title III: Tax Related Health Provision
– Title IV: Application and Enforcement of Group Health Plan Requirements
– Title V: Revenue Offsets

Slide 6: HIPAA

HIPAA Administrative Simplification (Title II) contains seven components, or regulation areas. This training focuses on the Privacy Regulation.
– Electronic Transaction Standards
– Standard Code Sets
– Unique Health Identifiers
– Security Standards
– Electronic Signature Standards
– Privacy
– Enforcement

Slide 7: HIPAA - Who Must Comply?

– Covered Entities
  • Health Care Providers that conduct standard transactions electronically (e.g., DMH/DD/SAS, DMA, DPH)
  • Health Plans that provide or pay the cost of medical care (e.g., Medicaid, Medicare, Champus, BC/BS, HMOs). Excludes government funded programs whose primary mission is not providing for or paying the cost of medical care (e.g., Willie M. and Thomas S.)
  • Clearinghouses
  • DHHS has been determined to be a hybrid entity, which means that only specific programs of the agency are covered. These covered programs are known as Covered Health Care Components (HCCs).
– Trading Partners who electronically exchange IIHI with covered entities.
– Business Associates who perform covered functions or activities for or on behalf of a covered entity that involves the use of IIHI.

Slide 8: HIPAA - HIPAA Privacy Rule

– For the first time, provides national standards to protect individuals’ medical records and other personal health information.
  • Clients have more control over their health information.
  • Sets boundaries on use and disclosure of health information.
  • Establishes appropriate safeguards to protect health information.
  • Holds violators accountable.
  • Strikes a balance between privacy of health information and the public’s need to know (e.g., reporting of communicable diseases).

Slide 9: HIPAA - Why HIPAA? Why Now?

– Promotes public trust.
– Comes at a time when technology can meet the requirements.
– Monitors the use of health information.
– Establishes a floor for acceptable privacy and security standards for health care information. However, stricter state laws will preempt HIPAA.

Slide 10: HIPAA - Why Comply with HIPAA?

– Organizations can continue business relationships within the health care community.
– Avoid denied claims or delayed payments from health plans.
– Organizations and individuals avoid severe criminal and civil penalties for non-compliance.
– DHHS staff avoid being subjected to personnel sanctions (e.g., disciplinary actions, loss of employment).

Slide 11: HIPAA - Penalties for Failure to Comply with HIPAA

– CIVIL
  • $100 fine per person per violation
  • $25,000 fine per year for multiple violations
  • $25,000 fine cap per year per requirement
– CRIMINAL
  • Knowingly or wrongfully disclosing or receiving IIHI protected by HIPAA: $50,000 fine and/or one year prison time
  • Commit offense under false pretenses: $100,000 fine and/or five years prison time
  • Intent to sell IIHI protected by HIPAA or client lists for personal gain or malicious harm: $250,000 fine and/or ten years prison time

Slide 12: HIPAA - Enforcement

– Centers for Medicare and Medicaid Services (CMS) is the designated enforcement agency for the HIPAA Transactions, Code Sets, Identifiers, and Security Standards.
– US HHS Office for Civil Rights (OCR) is the designated enforcement agency for the HIPAA Privacy Regulation.
– US Department of Justice (DOJ) will be involved in criminal privacy violations. This agency will issue penalties such as fines and imprisonment.

The HIPAA Enforcement Regulation will provide more information when finalized.

Slide 13: FOR MORE HIPAA INFORMATION

More information about HIPAA is available on the following web sites.
– US Department of Health and Human Services - HIPAA Administration Simplification
  • http://aspe.os.dhhs.gov/admnsimp/
– Office of Civil Rights (Privacy Information)
  • http://www.hhs.gov/ocr/hipaa/finalreg.html
– Centers for Medicare and Medicaid Services (Transactions, Code Sets, Identifiers and Security Information)
  • http://www.cms.hhs.gov/hipaa/hipaa2/default.asp
– DHHS HIPAA Web Site
  • http://dirm.state.nc.us/hipaa/

Slide 14: DHHS HIPAA INITIATIVE - DHHS HIPAA Office

– Established in June 2000.
– Identified DHHS HCCs and Internal Business Associates (those within DHHS) and External Business Associates (outside DHHS). Conducted assessments for:
  • Transactions and Code Sets
  • Privacy
  • Preliminary Security
– Develops DHHS Privacy Policies to comply with HIPAA Privacy Requirements.
– Provides guidance for HIPAA activities in DHHS agencies (e.g., DMA, DMH/DD/SAS, DIRM).

Slide 15: DHHS HIPAA INITIATIVE - DHHS Agencies

– Designated HIPAA Coordinators and Privacy Officials.
– Formed agency HIPAA implementation teams.
– Identified initial security risks.
– Remediate systems and update business processes impacted by the Transactions and Code Sets and Privacy Rules.
– Create/update procedures to implement the DHHS Privacy Policies.
– Provide training on updated systems, business processes, and privacy policies/procedures.

Slide 16: AGENCY HIPAA EFFORTS

What does HIPAA mean for our agency? We must:
– Remediate systems and business processes for transaction, code sets, and identifier requirements.
– Identify privacy practices.
– Remediate systems and processes for privacy requirements.
– Develop clear privacy procedures to safeguard IIHI.
– Provide training for staff regarding agency privacy procedures (this and any other subsequent training).
– Provide appropriate safeguards for all forms of IIHI.

Slide 17: PRIVACY AND YOU

Slide 18: WHAT IS PRIVACY? - Definition

– Privacy is the right of the individual to have his/her individual health information protected from unauthorized use and disclosure.

Related Privacy Terms
– Individually Identifiable Health Information (IIHI) is health information that contains specific elements or details by which a person can be identified (e.g., address, facial photograph, Social Security Number).
– A Business Associate is a person or entity that performs a function that requires the creation, use, or disclosure of IIHI on behalf of or for a covered health care component, but is not considered part of the covered component’s workforce.
  • A DHHS agency that performs a covered function or activity for another DHHS agency is called an Internal Business Associate.
  • A business associate that is not part of DHHS (e.g., a state government agency outside of DHHS or a private vendor) is called an External Business Associate.

Slide 19: WHAT IS PRIVACY? - Related Privacy Terms (cont’d)

– Authorization is a client’s permission for the use and disclosure of his/her health information for a specific purpose.
– Minimum Necessary means making reasonable efforts to limit the use of health information to only that needed to accomplish the intended purpose of the use, disclosure, or request.
– To Use IIHI means to share, employ, apply, utilize, examine, or analyze health information within the organization that maintains such information.
– To Disclose IIHI means to release, divulge, transfer, or provide access to health information to persons or organizations outside of the organization holding the information.

Slide 20: WHY IS PRIVACY IMPORTANT?

– Individuals will know that their sensitive health information will be protected from inappropriate disclosures.
– Individuals will be more open with health care providers concerning their health information.
– Morally and ethically the right thing to do.
– Removes fear of discrimination based on health information.

Slide 21: WHY IS PRIVACY IMPORTANT? - Improper Use and Disclosure of IIHI Could

– Impact your health care: A 13-year-old daughter of a hospital employee had access to a list of patient names and phone numbers when visiting her mother at work. As a joke, the girl called the patients and informed them that they had been diagnosed with HIV.
– Impact your personal life: A hospital clerk took the treatment records of three patients to a local bar where he discussed the records with others. The patients’ confidentiality was breached and they were awarded $2.3 million by a jury.
– Impact your professional life: A historically good employee was fired after his employer learned of the employee’s positive test for a genetic illness that could lead to lost work time and increased insurance costs.
– Impact your financial status: A banker who also served on his county’s health board cross-referenced his banking customers with patient information. He called due the mortgages of anyone suffering from cancer.

Slide 22: INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION (IIHI) - What and Where

Slide 23: WHAT IS IIHI?

Individually Identifiable Health Information (IIHI) is
– Health information that contains specific elements or details by which a person (living or dead) can be identified.

IIHI can exist or be transmitted via
– Paper
– Oral Communication
– Electronic
  • Information system applications
  • Internet, intranet, extranet, email, faxes
  • Computer screens
  • Storage devices - magnetic tapes, floppy disks, CDs, optical devices

Slide 24: EXAMPLES OF IIHI

Health information associated with any of the following individual identifiers for a client, a client’s relatives, employer, or other household members of that client is IIHI.
– Names
– Addresses (including zip code)
– Dates (birth and death dates, admission/discharge dates, etc.)
– Telephone and Fax Numbers
– E-mail Addresses
– Social Security Number (SSN)
– Medical Record Number
– Health Plan Beneficiary Numbers
– Account Numbers
– Certificate/License Numbers
– Vehicle Identifiers, Serial, and License Plate Numbers
– Device Identifiers and Serial Numbers
– Web Universal Resource Locators (URLs)
– Internet Protocol (IP) Address Numbers
– Biometric Identifiers (finger prints, voice print, etc.)
– Full Face Photographic Images or Comparable Images
– Any Other Identifying Number, Characteristic, or Code

Slide 25: WHERE IS IIHI IN THIS AGENCY? - IIHI could be found in the following locations

– Paper Based
  • Medical Record Departments
  • Nursing Stations
  • Client Accounting Departments
  • Admissions
  • Utilization Review
  • Risk Management
  • Radiology
  • Clinical Laboratory
  • Outpatient Clinics
  • Other areas where health information is routinely stored
– Electronic Media
  • Computer applications and systems
  • Computer Screens
  • Local drives on computers (files, Temp files, databases, etc.)
  • Magnetic tapes, floppy diskettes, CDs, etc.
  • Email
  • Faxes

Slide 26: PRIVACY POLICIES AND PROCEDURES

– DHHS Privacy Policies
– Agency Privacy Procedures
– Sanctions and Mitigation
– Who to Contact

Slide 27: DHHS PRIVACY POLICIES

The DHHS HIPAA Oversight Committee is adopting departmental privacy policies that comply with the HIPAA Privacy Requirements.
– Policies are drafted by the DHHS HIPAA Office.
– Policies are reviewed and approved by
  • DHHS Agency Privacy Officials
  • DHHS HIPAA Coordinators
  • HIPAA Attorney in the NC Office of the Attorney General
– Policies are published online at http://dirm.state.nc.us/hipaa/hipaa2002/privacy/privacy.html#c5.

Slide 28: DHHS PRIVACY POLICIES - The DHHS Privacy Policies Are

– Privacy Protections
– Privacy Official
– Workforce
– Safeguards
– Privacy Complaints
– Business Associates
– Legal Occurrences
– Authorizations
– Use and Disclosure
– Accounting of Disclosures
– De-identification of PHI
– Minimum Necessary
– Research
– Marketing and Fundraising
– Notice of Privacy Practices
– Client Privacy Rights
– Personal Representatives
– Designated Record Sets

Slide 29: POLICY: PRIVACY PROTECTIONS

The DHHS Privacy Protections Policy requires DHHS
– To develop privacy policies based on the HIPAA Privacy Rule as well as state and other federal laws.
– To determine agencies that must comply with each policy.
– Agencies within the scope of each DHHS Privacy Policy to develop agency-specific procedures to implement the departmental policy.

Slide 30: POLICY: PRIVACY OFFICIAL

The DHHS Privacy Official Policy requires HCCs and Internal Business Associates
– To appoint an Agency Privacy Official who is responsible for the following privacy activities.
  • Serve as primary agency contact for privacy issues and concerns regarding the use and disclosure of health information and for client rights regarding health information.
  • Serve as the agency liaison to the DHHS Privacy Officer for privacy-related activities.
  • Coordinate, facilitate, and assist in agency efforts to develop and implement privacy compliance activities such as procedures development, training, monitoring agency practices, and serving as the contact for questions and complaints.

Slide 31: POLICY: WORKFORCE

The DHHS Workforce Policy requires all DHHS agencies that maintain IIHI
– To provide privacy training to all staff (permanent employees, contractors, temps, volunteers, etc.).
– To obtain signed Confidentiality Agreements from all agency staff.
– To develop and issue appropriate sanctions if staff do not comply with agency privacy procedures and DHHS Privacy Policies.
– To not discriminate against, intimidate, threaten, coerce, or take any retaliatory actions against staff who report questionable privacy activities.
– To properly identify staff, as appropriate to the agency.

Slide 32: POLICY: SAFEGUARDS

The DHHS Safeguards Policy requires all DHHS agencies that maintain IIHI
– To identify and develop appropriate safeguards that protect the IIHI that is maintained by the agency.
– To implement reasonable measures to safeguard IIHI from intentional or unintentional use or disclosure.
– To provide training to ensure staff are made aware of acceptable practices and procedures that safeguard information to which staff have access.
– To monitor and document any violations of the agency’s safeguard procedures.

Slide 33: POLICY: SAFEGUARDS - How to Safeguard IIHI - Examples

– Don’t discuss IIHI in public areas.
– Ensure unescorted visitors do not enter areas designated for staff use only.
– Position your computer monitor so that it cannot be viewed by someone walking past your work area.
– Keep your passwords private.
– Don’t store IIHI on personal computers.
– Log out of applications containing IIHI when you leave your computer.
– Lock all portable electronic media containing IIHI (tapes, floppy disks, CDs, etc.) in a locked room, filing cabinet, or drawer when not in use.
– Lock all paper IIHI in a room or filing cabinet when not in use.
– Don’t post paper containing IIHI in public areas such as hallways or conference rooms.
– Pick up all printed/faxed IIHI immediately.
– Dispose of paper based IIHI by shredding or placing in locked shred bins.

Slide 34: POLICY: PRIVACY COMPLAINTS

The DHHS Privacy Complaints Policy requires all DHHS agencies that maintain IIHI
– To designate a contact person to resolve complaints concerning agency privacy practices.
– To forward all documentation related to complaints to CARE-LINE.
  • CARE-LINE, in the Office of Citizen’s Affairs, has been designated to receive/document all privacy complaints received by DHHS.
– Any complaint that cannot be resolved by the agency or CARE-LINE must be forwarded to the DHHS Privacy Officer ([email protected]).

Slide 35: POLICY: PRIVACY COMPLAINTS - DHHS Privacy Complaints Policy (cont’d)

– CARE-LINE contact information
  • Telephone
    Voice (English or Español), North Carolina only: 1-800-662-7030
    Local and out of state: (919) 733-4261
    Dedicated Text Telephone (TTY) for the hearing impaired: TTY local (919) 733-4851; TTY toll-free 1-877-452-2514
  • FAX: (919) 715-8174
  • E-mail: [email protected]
  • Postal Address: 2012 Mail Service Center, Raleigh, NC 27699-2012

Slide 36: POLICY: BUSINESS ASSOCIATES

The DHHS Business Associate Policy requires HCCs and Internal Business Associates
– To identify Business Associates
  • Internal Business Associates (other agencies within DHHS)
  • External Business Associates (non-DHHS NC State Government agencies and the private sector)
  Note: The Guidance for Identifying Business Associates and Business Associate Questionnaires tools can assist you with this task. These are available at http://dirm.state.nc.us/hipaa/hipaa2002/privacy/privacy.html#c3.
– To develop Business Associate Addenda to be attached to DHHS contracts or Memoranda of Understanding that identify privacy protection requirements for External Business Associates.
– The Business Associate MOU/Contract Addenda are available at http://dirm.state.nc.us/hipaa/hipaa2002/privacy/privacy.html#c5.

Slide 37: POLICY: LEGAL OCCURRENCES

The DHHS Legal Occurrences Policy identifies instances when IIHI MAY BE disclosed, according to legal requirements:
– Judicial and Administrative Proceedings
  • Court Order
  • Subpoena
  • Protective Order
– Law Enforcement Purposes
  • Required in NC Statutes
  • Victims of Crime
  • Decedents
  • Reporting Crime in Emergency

Slide 38: POLICY: AUTHORIZATIONS

The DHHS Authorizations Policy requires DHHS agencies that serve clients
– To disclose IIHI only upon authorization by the client (or personal representative), unless state or federal law allows for specific exceptions.
– Authorizations obtained or received for disclosure of IIHI must contain all the elements in the DHHS Authorizations Form (available at http://dirm.state.nc.us/hipaa/hipaa2002/privacy/privacy.html#c5).
– Note that an authorization permits, but does not require, a DHHS agency to disclose IIHI.

Slide 39: POLICY: USE AND DISCLOSURE

The DHHS Use and Disclosure Policy identifies the following permitted uses and disclosures of IIHI:
– With and without authorization
– For treatment purposes
– When included in psychotherapy notes
– When state or federal law is more stringent
– For oversight/exception to oversight purposes
– For decedents
– For public health activities
– When specified for specialized government functions
– Within/outside the agency
– To a client

Slide 40: POLICY: ACCOUNTING OF DISCLOSURES

The DHHS Accounting of Disclosures Policy requires HCCs and Internal Business Associates
– To document certain disclosures of IIHI.
– To provide the client with an accounting of disclosures of the client’s IIHI made by the agency or a business associate of the agency upon client request.
– To maintain accountings of disclosures for a duration of six years prior to the request date.
– To develop a process for determining charges for providing the accounting of disclosures.

Slide 41: POLICY: DE-IDENTIFICATION OF PHI

The DHHS De-identification of Health Information and Limited Data Sets Policy requires HCCs and Internal Business Associates
– To ensure staff are aware of specific elements that are considered identifying elements.
– To evaluate appropriate IIHI for use or disclosure to determine if the individual identifiers should be eliminated (i.e., the data should be de-identified).
– To identify those instances when a Limited Data Set, which contains limited identifying elements, may be appropriate for use/disclosure.

Slide 42: POLICY: DE-IDENTIFICATION OF PHI - DHHS De-identification of Health Information and Limited Data Sets Policy (cont’d)

– Limited Data Sets can contain the following identifiers for the client, employer, relatives or other household members of that client
  • State, County, City or Town, Zip Code
  • Birth date, admission date, discharge date, date of death
  • Age
  • A unique identifying number, characteristic, or code exclusive of identifiers that is not a Social Security Number, account number, medical record number, health plan beneficiary number, certificate/license number, vehicle identification number/serial number or license plate number, device identifiers or serial numbers, IP addresses, or telephone number.
– Data Use Agreements must be based on the DHHS Data Use Agreement template (available at http://dirm.state.nc.us/hipaa/hipaa2002/privacy/privacy.html#c5).
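Slides 24 and 42 together define two release tiers for the same record: strip every listed identifier (de-identified data), or keep only the few identifiers a Limited Data Set permits plus a code that is not itself one of the excluded identifiers. The Python below is an added illustration of those two tiers, not code from the DHHS HIPAA Office; the field names, the allow-list of clinical fields and the sample record are constructed for the example.

```python
"""Two release tiers for one client record, built from the identifier lists on
slides 24 and 42: a de-identified copy (every listed identifier removed) and a
Limited Data Set (only the geography, dates, age and a neutral code retained).
Field names, the allow-list of clinical fields and the sample record are
constructed for this example."""
from __future__ import annotations
from typing import Any

# Clinical content with no identifying value (constructed allow-list). Working
# from an allow-list rather than a deny-list is what covers the slide's last
# item, "any other identifying number, characteristic, or code".
HEALTH_FIELDS = {"diagnosis", "procedure", "lab_result", "medication"}

# Slide 24: identifiers that make associated health information IIHI.
IDENTIFIERS = {
    "name", "street_address", "city", "county", "state", "zip",
    "birth_date", "admission_date", "discharge_date", "death_date", "age",
    "phone", "fax", "email", "ssn", "medical_record_number",
    "health_plan_beneficiary_number", "account_number",
    "certificate_license_number", "vehicle_id", "device_id", "url",
    "ip_address", "biometric", "photo",
}

# Slide 42: identifiers a Limited Data Set may still contain.
LDS_ALLOWED = {"state", "county", "city", "zip", "birth_date", "admission_date",
               "discharge_date", "death_date", "age"}

# Slide 42: fields whose values may never double as the Limited Data Set code.
NOT_A_VALID_CODE = {"ssn", "account_number", "medical_record_number",
                    "health_plan_beneficiary_number", "certificate_license_number",
                    "vehicle_id", "device_id", "ip_address", "phone"}


def classify_field(field: str) -> str:
    """Map a field name to its release class; anything unrecognised is "unknown"."""
    if field in HEALTH_FIELDS:
        return "health"
    if field in LDS_ALLOWED:
        return "lds_allowed"
    if field in IDENTIFIERS:
        return "identifier"
    return "unknown"


def release_blockers(record: dict[str, Any]) -> list[str]:
    """Fields nobody has classified; releasing them would be a guess."""
    return sorted(f for f in record if classify_field(f) == "unknown")


def de_identify(record: dict[str, Any]) -> dict[str, Any]:
    """Keep only clinical fields. Fails closed if the record has unknown fields."""
    blockers = release_blockers(record)
    if blockers:
        raise ValueError(f"unclassified fields, refusing to release: {blockers}")
    return {f: v for f, v in record.items() if classify_field(f) == "health"}


def valid_study_code(record: dict[str, Any], code: str) -> bool:
    """True unless the proposed code is simply a copy of a direct identifier."""
    direct_values = {str(record[f]) for f in NOT_A_VALID_CODE if f in record}
    return bool(code) and code not in direct_values


def limited_data_set(record: dict[str, Any], study_code: str) -> dict[str, Any]:
    """Clinical fields plus the slide-42 identifiers, keyed by a neutral study code."""
    blockers = release_blockers(record)
    if blockers:
        raise ValueError(f"unclassified fields, refusing to release: {blockers}")
    if not valid_study_code(record, study_code):
        raise ValueError("study code must not be one of the client's direct identifiers")
    out = {f: v for f, v in record.items()
           if classify_field(f) in ("health", "lds_allowed")}
    out["study_code"] = study_code
    return out


# Constructed sample record; every value is fictitious.
SAMPLE_RECORD: dict[str, Any] = {
    "name": "Jane Example",
    "street_address": "100 Example Street",
    "city": "Raleigh", "county": "Wake", "state": "NC", "zip": "27601",
    "birth_date": "1970-01-15",
    "admission_date": "2003-03-02", "discharge_date": "2003-03-05",
    "age": 33,
    "phone": "919-555-0100",
    "ssn": "000-00-0000",
    "medical_record_number": "MRN-0001",
    "diagnosis": "pneumonia",
    "procedure": "chest x-ray",
}

if __name__ == "__main__":
    print("de-identified:", de_identify(SAMPLE_RECORD))
    print("limited data set:", limited_data_set(SAMPLE_RECORD, "STUDY-0001"))
```

The agency keeps the mapping from study code to client on its own side; the code released with the Limited Data Set must not be derivable from the record itself.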

Slide 43: POLICY: MINIMUM NECESSARY

The DHHS Minimum Necessary Policy requires all DHHS agencies that maintain IIHI
– To make reasonable efforts to limit IIHI to only that which is necessary to accomplish the intended purpose of the use, disclosure, or request for information.
– To evaluate current practices to limit inappropriate or unnecessary use or disclosure of IIHI by
  • Determining what health information is the minimum necessary to accomplish each job/role in the agency.
  • Requesting modifications to existing computer applications to support User/Role-based security (i.e., access controls) as needed.
  • Ensuring staff have access to only the health information required to perform their job duties.

Slide 44: POLICY: MINIMUM NECESSARY - DHHS Minimum Necessary Policy (cont’d)

– Minimum necessary does not apply to
  • Disclosures to or requests by a health care provider for treatment.
  • Uses or disclosures made to a client to whom the information applies.
  • Uses or disclosures authorized by the client (or the client’s personal representative).
  • The Secretary of the United States Department of Health and Human Services for compliance enforcement.
  • Uses or disclosures required by law.
  • Uses or disclosures required for compliance with the HIPAA Privacy Rule.

Slide 45 NC DHHS HIPAA Office

POLICY: RESEARCH

The DHHS Research Policy Requires HCCs and Internal Business Associates
– To disclose IIHI only after the client has signed an authorization for this type of disclosure.
• If research includes treatment, the researcher may condition the provision of the treatment on the receipt of written client authorization for use and disclosure of IIHI for such research.
– De-identified data must be used wherever possible.
– Similarly, use of a Limited Data Set must be considered as well. Use of Limited Data Sets requires a Data Use Agreement between the DHHS agencies disclosing the data and the researcher.
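The Limited Data Set identifier rules (slide 42), the Minimum Necessary role-based access limits and their exceptions (slides 43 and 44) and the research disclosure options (slide 45), worked through as an added Python illustration that is not part of the original training or of any DHHS system. The field names, role names, purpose names and the sample record are constructed assumptions for this example.

```python
"""Added illustration (not DHHS code): Minimum Necessary and Limited Data Set
rules from the slides applied to a constructed record. Field and role names
and the sample record are assumptions for this example."""

# Identifiers a Limited Data Set may keep (slide 42): geography, dates, age.
LDS_PERMITTED = {"state", "county", "city", "zip", "birth_date",
                 "admission_date", "discharge_date", "death_date", "age"}
CLINICAL_FIELDS = {"diagnosis", "procedure_code"}  # non-identifying content
# Direct identifiers that must not appear in a Limited Data Set (slide 42).
DIRECT_IDENTIFIERS = {"ssn", "account_number", "medical_record_number",
                      "health_plan_beneficiary_number", "license_number",
                      "vehicle_id", "device_serial", "ip_address", "phone"}
# Minimum necessary per job role (slide 43): an allowlist of fields per role.
ROLE_FIELDS = {
    "billing_clerk": {"name", "account_number", "health_plan_beneficiary_number",
                      "admission_date", "discharge_date"},
    "scheduler": {"name", "phone", "admission_date"},
}
# Purposes to which Minimum Necessary does not apply (slide 44).
MIN_NECESSARY_EXEMPT = {"treatment_by_provider", "disclosure_to_client",
                        "client_authorized", "hhs_secretary_compliance",
                        "required_by_law", "hipaa_privacy_rule_compliance"}

def limited_data_set(record: dict) -> dict:
    """Allowlist, not denylist: keep only permitted identifiers and clinical
    fields, so a field the policy never approved is dropped by default."""
    return {k: v for k, v in record.items() if k in LDS_PERMITTED | CLINICAL_FIELDS}

def has_direct_identifier(record: dict) -> bool:
    """Release check before data leaves under a Data Use Agreement."""
    return any(k in DIRECT_IDENTIFIERS for k in record)

def disclose(record: dict, role: str, purpose: str) -> dict:
    """Fields a requester may receive; unknown roles get nothing (fail closed)."""
    if purpose in MIN_NECESSARY_EXEMPT:
        return dict(record)  # the minimum-necessary limit does not apply here
    if purpose == "research":  # slide 45: de-identified or Limited Data Set
        return limited_data_set(record)  # Data Use Agreement handled elsewhere
    return {k: v for k, v in record.items() if k in ROLE_FIELDS.get(role, set())}

# Constructed sample record; every value is a placeholder, not real data.
SAMPLE_RECORD = {
    "name": "Example Client", "ssn": "000-00-0000", "phone": "555-0100",
    "medical_record_number": "MRN-EXAMPLE", "account_number": "ACCT-EXAMPLE",
    "ip_address": "192.0.2.10", "state": "NC", "county": "Wake", "zip": "27601",
    "birth_date": "1970-01-01", "admission_date": "2003-04-01", "age": 33,
    "diagnosis": "example-dx",
}
```

The allowlist in `limited_data_set` is the practitioner's point: a denylist of the identifiers named on the slide would silently pass any identifier field added to the record later, whereas an allowlist drops it.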

Slide 46 NC DHHS HIPAA Office

POLICY: MARKETING AND FUNDRAISING

The DHHS Marketing and Fundraising Policy Provides Guidelines to HCCs and Internal Business Associates Concerning These Activities.
– Marketing
• Making a communication about a product or service for the purpose of encouraging recipients of the communication to purchase or use the product or service.
– What is not marketing
• Communications about government-sponsored programs (Medicare, Medicaid, or NC Health Choice).
• Communications about health products/services provided by or covered by the HCC’s health plan.
• Case Management and Care Coordination.

Slide 47 NC DHHS HIPAA Office

POLICY: MARKETING AND FUNDRAISING

DHHS Marketing and Fundraising Policy (cont’d)
– A written authorization must be obtained from the client prior to
• Disclosing IIHI to Business Associates or third parties for the marketing purposes of the party receiving the IIHI.
• Selling client/enrollee lists to a third party for the marketing purposes of the party buying the IIHI.
– HCCs may use IIHI to market their own or third-party health products/services if the marketing
• Discloses that the HCC is the source of the marketing.
• Discloses any payment/benefit received from the third party whose products/services are being marketed.
• Contains information on how to ‘opt out’ of receiving future marketing, unless the marketing is part of a general communication such as a newsletter.
– HCCs can use Business Associates to send marketing for the HCC, provided that the Business Associate Agreement specifies that the IIHI will be used by the Business Associate only for the HCC communication.

Slide 48 NC DHHS HIPAA Office

POLICY: MARKETING AND FUNDRAISING

DHHS Marketing and Fundraising Policy (cont’d)
– Fundraising
• Solicitation for the purpose of raising funds to benefit an HCC or Internal Business Associate.
– HCCs must obtain a written authorization from a client prior to using the client’s health status as a basis for targeting that client for fundraising activities.
– HCCs may disclose the following IIHI without client authorization to Business Associates and institutionally related foundations for the purposes of fundraising on behalf of the HCC.
• Demographic information
• Dates health care was provided to the client
– Fundraising materials must contain information on how the recipient can ‘opt out’ of future fundraising communications.
– HCCs must make reasonable efforts to comply with opt out requests.

Slide 49 NC DHHS HIPAA Office

POLICY: NOTICE OF PRIVACY PRACTICES

The DHHS Notice of Privacy Practices Policy Requires HCCs
– To develop an agency Notice of Privacy Practices using the DHHS Notice template (located at http://dirm.state.nc.us/hipaa/hipaa2002/privacy/privacy.html#c5) that describes the uses and disclosures of IIHI that may be made by the agency, and that notifies individuals of their rights and the agency’s legal duties with respect to IIHI.
– To provide the Notice to clients (except inmates) applying for or receiving agency services.
• Electronic Notices may be sent, as long as the individual receives a paper copy upon request.
– To provide the Notice to any individual upon request, even if the individual is not an agency client.
– To post the Notice in prominent locations where it will be viewed by clients and on public agency web sites.

Slide 50 NC DHHS HIPAA Office

POLICY: CLIENT PRIVACY RIGHTS

The DHHS Client Rights Policy Requires HCCs and Internal Business Associates That Serve Clients To Establish and Implement Procedures That Ensure the Following Rights of Clients
– Right to confidential communications of IIHI, including the right of the client to request alternative locations and methods for communications.
– Right to adequate notice of use and disclosure of IIHI.
– Right to obtain a paper Notice after receiving an electronic copy.
– Right to request access (inspect, copy) to IIHI within a Designated Record Set as defined by the HCC.
– Right to request amendment (changing, adding, deleting) of IIHI within a Designated Record Set as defined by the HCC.
– Right to request privacy restrictions for IIHI.
– Right to access a contact person concerning privacy complaints.

Slide 51 NC DHHS HIPAA Office

POLICY: PERSONAL REPRESENTATIVES

The DHHS Personal Representatives Policy Requires HCCs and Internal Business Associates
– To recognize individuals authorized by the courts or by state or federal law to act on behalf of DHHS clients regarding their IIHI.

Slide 52 NC DHHS HIPAA Office

POLICY: DESIGNATED RECORD SETS

The DHHS Designated Record Sets Policy Requires HCCs and Internal Business Associates
– To define the records to which DHHS clients can request access or amendment.
• Designated Record Sets can include
  Client medical and billing records maintained by or for a covered health care provider
  Employee health records that are maintained separately from personnel records
  The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan
  Categories of records that are used, in whole or in part, to make decisions about clients.
• Records created by Business Associates must be considered when defining Designated Record Sets.

Slide 53 NC DHHS HIPAA Office

AGENCY PRIVACY PROCEDURES

Training on Individual Privacy Policies and Agency Privacy Procedures Will Be Provided As Necessary.

Slide 54 NC DHHS HIPAA Office

NON COMPLIANCE WITH PRIVACY

What Should You Do If You Notice a Co-worker Not Following a DHHS Privacy Policy?
– Contact your Supervisor immediately!
– If your Supervisor is not available, contact your agency Privacy Official or the DHHS Privacy Officer.

Slide 55

PRIVACY IMPACTS TO APPLICATIONS/SYSTEMS

What To Do When You Receive a Request for a New System or System Enhancement

Slide 56 NC DHHS HIPAA Office

PRIVACY IMPACTS TO SYSTEMS

Privacy Requirements Also Impact How You Approach Requests for New Systems and System Enhancements.
– The Requirements Definition Guide for Applications with IIHI (coming soon, to be posted at http://dirm.state.nc.us/hipaa/hipaa2002/toolsandtemplates/toolsandtemplates.html#pri) will assist you in identifying privacy impacts to enhancement/new system requests for systems containing IIHI.

Slide 57 NC DHHS HIPAA Office

PRIVACY IMPACTS TO SYSTEMS

The Requirements Definition Guide for Applications with IIHI Will Guide You Through the Following Steps
– Identifying requests for systems that contain IIHI.
– Identifying existing application-level privacy capabilities and related security features.
– Identifying network or infrastructure-level privacy features that provide application privacy protection.
– Identifying user requirements to be developed for user/role access standards.
– Identifying application screen views, files, and report outputs that contain IIHI and will be accessed by users.

Slide 58 NC DHHS HIPAA Office

PRIVACY IMPACTS TO SYSTEMS

Requirements Definition Guide for Applications with IIHI Steps (cont’d)
– Performing Gap Analysis of current/proposed privacy/security features against the HIPAA Privacy requirements.
– Based on Gap Analysis results, identifying additional application-level privacy capabilities and related security features that will be needed to comply with the HIPAA Privacy requirements.
– Conducting Risk Assessment by identifying risks, prioritizing, and making a cost/benefit determination that will assist your business client in prioritizing HIPAA changes to the system/enhancement request.

Slide 59

QUESTIONS

Slide 60 NC DHHS HIPAA Office

QUESTIONS?

What Should You Do If You Have Questions Concerning Privacy or Agency Privacy Procedures?
– Consult the Agency Privacy Procedures.
– Consult the DHHS Privacy Policies, published at http://dirm.state.nc.us/hipaa/hipaa2002/privacy/privacy.html#c5
– Ask your Supervisor.
– Ask the Agency Privacy Official.

Slide 61

TEST YOUR PRIVACY KNOWLEDGE

Slide 62 NC DHHS HIPAA Office

PRIVACY TRAINING TEST

Please Print and Take the Attached Privacy Test.

Return Your Completed and Signed Test To Your Supervisor. Your Test Results Will Be Maintained By the Agency Privacy Official.

Privacy Training Test

Slide 63 NC DHHS HIPAA Office

CONFIDENTIALITY AGREEMENT

Please Print and Sign the Attached Confidentiality Agreement and Give to Your Supervisor.

Your Signed Confidentiality Agreement Will Be Kept in Your Employee File.

DHHS Confidentiality Statement