Managing Access to Student Health Information per Federal HIPAA Guidelines
Joan M. Kiel, Ph.D., CHPS, Duquesne University
Pittsburgh, Pennsylvania, 412-396-4419
The Law
• HIPAA: Health Insurance Portability & Accountability Act
• HITECH: Health Information Technology for Economic and Clinical Health Act
Six Parts Are Set
1. Transactions & Code Sets (T & C)
2. Privacy
3. Standard Unique Identifier for Employers
4. Security
5. Standard Unique Health Care Provider Identifier (NPI)
6. Enforcement Rule
HIPAA Information
• HIPAA covers:
• Oral
• Written (and beyond the medical record)
• Electronic
• Key: can the individual be identified?
• You will hear the term PHI: patient health information
Keep in Mind
• Minimum Necessary [45CFR164.502(b)(1)]
• Emergency Situation [45CFR164.510(3)]
• Incidental Disclosure [45CFR164.502(a)(1)(iii)]
Covered Entity Status
• Health Plan: individual or group plan that provides or pays the cost of medical care
• Healthcare Clearinghouse: public or private entity that performs billing, repricing, community health management or information systems, and similar functions
• Healthcare Provider: transmits any health information in electronic form in connection with a transaction covered by HIPAA
Sample HIPAA Transactions
• Health care claims or equivalent encounter information
• Health care payment and remittance advice
• Coordination of benefits
• Health care claims status
Who Do You Treat
• Students (and how they are defined; e.g., LOA)
• Non-Students
• For organizations under FERPA, student records fall under FERPA (a loophole) even with transactions, but non-student records fall under HIPAA, so you are a covered entity.
• But the stricter law generally takes precedence
You Are HIPAA If…
• You are one or more of the three covered entities
• You conduct one or more of the eleven transactions
• You treat non-students
College Assessment
• Also look at these areas:
• Student, Faculty, and Employee Training
• Nursing, Pharmacy, Allied Health, Music Therapy, Business (I.T.)
• Health Services & Related Clinics
• Institutional Review Board; research
• Human Resources
• Athletics
• Vendors as business associates
Hybrid Entity
• A single legal entity whose business activities include both covered and non-covered functions (i.e., education plus a healthcare provider or health plan)
Creating a Culture of HIPAA
• Are the policies and procedures set?
• Are they enforced, or do they “sit on the shelf”?
Compliance Officer Role
• Privacy Officer [45CFR164.530(a)(1)(i)]
• Security Officer [45CFR164.308(a)(2)]
• The Federal Government mandates that covered entities have both a privacy officer and a security officer
• If the same person holds both roles, the title is generally Compliance Officer
1. HIPAA Committee
• Representatives from records, information technology, student services and management.
2. Policies & Procedures
• For the six HIPAA Rules to date, develop policies from the law, not secondary sources
• Do not take from the Internet
3. Training & Awareness
• Live or on-line
• Staff meeting awareness
• Integrate awareness into daily activities
4. Documentation
• Establish a system, on-site or off-site.
• Documentation must be retained for six years
5. Risk Assessments & Audits
• Quarterly
• Authentication: most likely passwords
• Data integrity checks
• Act on the findings
6. Complaint Process
• Ombudsman for confidentiality
• Post the process to file complaints
• Complaints are only to be HIPAA related
• Act on the complaints
7. Sanction Process
• Sanction only for the HIPAA violation
• Internal investigation or OCR (Office for Civil Rights)
• Civil and criminal penalties per Enforcement Rule & HITECH
• Follow up on the sanction and charge
8. Web Site
• If the covered entity has a web site, the Notice of Health Information Privacy Practices must be prominently displayed on the web site.
• Keep the web site updated
9. Formage
• Develop forms from the laws.
• May or may not be able to reuse forms from other covered entities (i.e., addressable Security Rule policies)
• Educate staff on the formage
10. Business Associate Agreements
• Assess all those external to the workforce who have access to the covered entity’s PHI
• Both the Privacy Rule and the Security Rule mandate BAAs
11. Research
• Play an integral role with the covered entity’s Institutional Review Board
• Ensure minimum necessary standards for data used in research
Determination of HIPAA Research Status
• Does the research involve the collection, use, or dissemination of PHI?
• Is the PHI from a healthcare provider, clearinghouse, or healthcare plan?
• Does the healthcare provider, clearinghouse, or healthcare plan perform one of the eleven covered electronic transactions?
• If yes to these, then HIPAA
Privacy Rule
• Notice & Notice Verification
• Internet Notice
• Amend Records
• Authorization
• Accounting
• Information Destruction
• Business Associate Agreements
The Notice
• Tells the rights of the organization and the rights of the patient
• Document that is considered the guideline.
Security Rule
• Technical Security
• Administrative Security
• Physical Security
• Disaster Manual
• Access Controls
• Log-in Audit Warning
• Termination of Access
Faculty & Staff Access
• Have access to the minimum necessary information to accomplish the intended purpose of the request, given their role
• Must have an established need to know prior to requesting the information
• Ex.: how long the student was absent, but not the condition, as it would not change the situation
Advising Faculty, Staff, & Students
• Is the condition directly academically related, such as ADHD?
• But always request only what is minimum necessary
• Have the student submit and discuss only what is minimum necessary
• Ex.: operating room reports, procedure notes, consultation reports, prescriptions
• Confirm whom the student has allowed one to talk to