Beth Manley ISAC Compliance Officer February 23, 2017 HIPAA
54 Slides530.99 KB
Beth Manley ISAC Compliance Officer February 23, 2017 HIPAA Compliance Committees
Disclaimer The Iowa State Association of Counties (ISAC) provides education and information primarily as a general service to ISAC members. This communication, or any other communication with ISAC, does not create an attorney-client relationship. The information provided should not be interpreted or used as a substitute for a legal opinion from your county attorney or otherwise retained and qualified legal counsel.
Outline HIPAA Compliance Committees Purpose Membership Meetings Hybrid Entities Definition Benefits Examples ISAC HIPAA Program Questions
HIPAA Compliance First steps Designate Privacy Officer Designate Security Officer Establish a compliance program Compliance committee Adopt policies and procedures Train workforce Complete a risk analysis Review current business associates and other contracted vendors Audit compliance
Components of a Compliance Program 1) 2) 3) 4) 5) 6) 7) Standards and Procedures Oversight Education and Training Communication Monitoring and Auditing Enforcement and Discipline Response and Prevention
Compliance Committees
Compliance Committees Are they required? No Should you have one? Yes
OIG Compliance Guidance The U.S. Department of Health & Human Services Office of Inspector General (OIG) had developed a series of voluntary guidance documents to help various entities have effective compliance programs and comply with applicable statutes and regulations. https://oig.hhs.gov/compliance/compliance-guidance/ https:// oig.hhs.gov/compliance/compliance-guidance/compliance-re sou rce-material.asp
OIG Guidance-Purpose The purpose of the compliance department is to implement the compliance program and to ensure compliance with all applicable Federal health care program requirements.
OIG Guidance: Function of Compliance Committee Analyzing the organization’s industry environment, the legal requirements with which it must comply, and specific risk areas; Assessing existing policies and procedures that address these areas for possible incorporation into the compliance program; Working with appropriate departments to develop standards of conduct and policies and procedures to promote compliance with the organization’s program;
OIG Guidance: Function of Compliance Committee cont. Recommending and monitoring, in conjunction with the relevant departments, the development of internal systems and controls to carry out the organization’s standards, policies and procedures as part of its daily operations; Determining the appropriate strategy/approach to promote compliance with the program and detection of any potential violations, such as through hotlines and other fraud reporting mechanisms; Developing a system to solicit, evaluate and respond to complaints and problems.
OIG Guidance: Function of Compliance Committee cont. Monitoring internal and external audits and investigations for the purpose of identifying troublesome issues and deficient areas experienced by the organization, and implementing corrective and preventive action; and The committee may also address other functions as the compliance concept becomes part of the overall organization operating structure and daily routine.
Compliance Committee Members Types of employees Senior leadership? Entry level? Mixture of people and backgrounds The number of committee members will depend on how big your county/region is and how many health care components you have in your hybrid entity.
Compliance Committee Member Characteristics Compliance committee members should demonstrate high integrity, good judgment, assertiveness, and an approachable demeanor, while eliciting the respect and trust of employees of the covered entity and having significant professional experience working with billing, clinical records, documentation, and auditing principles.
County Compliance Committee Members Who should be on your committee? Here are some suggestions: Compliance Officer Privacy Officer Security Officer IT Staff Sheriff Auditor Supervisor Public Health Case Manager County Attorney Other departments that might have access to PHI
Frequency of Meetings How often should you meet? Weekly Monthly Bi-monthly Quarterly Semi-annually Other Balance meeting frequency with efficiency Corporate Integrity Agreements often require compliance committees to meet quarterly
First Meeting Discuss why you are there Make a plan Establish your hybrid entity (more about this later on in this presentation) Risk Analysis HIPAA Policies and Procedures Business Associate Agreements Training Employees
Subsequent meetings What should you discuss at each of your meetings? Review current policies and procedures to make sure they are still accurate Discuss recent violations Review access to PHI CSN high profile client access report Changes to Iowa law SF 2144 Changes to Federal law HIPAA and gun control Section 1557 of ACA
Benefits of an Effective Compliance Committee Prevent breaches Little to no civil monetary penalty in case of a breach Better communication between departments Compliance with policies and procedures
Hybrid Entities
Hybrid Entity Designating your county as a hybrid entity is an important step in the compliance process for counties because not every part of the county works with PHI. By designating as a hybrid entity, a county is able to separate departments that have to comply with HIPAA and those that don’t. Health care components of a hybrid entity have to comply with HIPAA Non-health care components of a hybrid entity do not have to comply with HIPAA All departments within a county have to comply with HIPAA if the county does not designate as a hybrid
Hybrid Entity-45 C.F.R. § 164.103 Hybrid entity means a single legal entity: 1) That is a covered entity; 2) Whose business activities include both covered and noncovered functions; and 3) That designates health care components in accordance with paragraph § 164.105(a)(2)(iii)(D). Health care component means a component or combination of components of a hybrid entity designated by the hybrid entity in accordance with § 164.105(a)(2)(iii)(D).
Hybrid Entities § 164.105(a)(2)(iii)(D) The covered entity is responsible for designating the components that are part of one or more health care components of the covered entity and documenting the designation in accordance with paragraph (c) of this section, provided that, if the covered entity designates one or more health care components, it must include any component that would meet the definition of a covered entity or business associate if it were a separate legal entity. Health care component(s) also may include a component only to the extent that it performs covered functions.
Health Care Component Essentially, a health care component is of a hybrid entity if it is either of the following: A covered entity A health plan A health care clearinghouse A health care provider Business associate if it were a separate legal entity
Business Associate Business Associate: 45 C.F.R. § 164.504(e)(1) A Business Associate is a person who: On behalf of such covered entity creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter. This includes: claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management, and repricing; or (next slide)
Business Associate A Business Associate is also someone that: Provides any of the following services where the provision of service involves the disclosure of PHI: legal actuarial accounting consulting data aggregation management administrative accreditation financial services
Business Associate Business Associate does not include: A member of the organization’s workforce A health care provider, with respect to disclosures by a covered entity to the health care provider concerning the treatment of the individual. A plan sponsor, with respect to disclosures by a group health plan to the plan sponsor. A government agency, with respect to determining eligibility for, or enrollment in, a government health plan that provides public benefits and is administered by another government agency. Organized health care arrangements.
Designating as a Hybrid Entity 1. Talk with someone from each department and determine which departments would be considered a covered entity. 2. Determine which parts of the county that could be considered a business associate of the county if it were a separate legal entity. i. Follow PHI and see who handles or has access to it at every stage of the process 3. Document the health care components with your policies and procedures. 4. No requirement to file forms with the government.
Benefits of Designating as a Hybrid Entity Limit training and compliance duties Less liability or chance for HIPAA non-compliance
Not Designating as a Hybrid Entity A county may choose to not designate as a hybrid entity Simpler in terms of IT security Not necessary to implement internal firewalls to keep nonhealth care components from accessing ePHI Minimum necessary rule still applies Must train all workforce members All departments must comply with HIPAA
Hybrid Entity Examples Most of the information from these slides were taken from a memo created by Alissa Smith from the Dorsey and Whitney law firm. You can access the memo on our member website.
Auditor’s Office Role: Handles county/region claims and handles some functions of the self-funded insurance program. Health Care Component: Yes Analysis: The Auditor’s Office falls under the definition of a business associate because they process claims for other county departments and could be considered a health plan if they pay for claims for a county self-funded insurance program.
Community Based Services Role: Provides various services for persons with mental illness, mental retardation, and developmental disabilities. Health Care Component: Yes Analysis: Community Based Services meet the definition of health care provider because they provide and bill for services.
General Assistance Role: Provides short term financial assistance to residents Health Care Component: Maybe Analysis: Could meet the definition of a health plan because General Assistance because it could pay for the cost of medical care.
Case Management Role: Provides ongoing coordination and monitoring of services for qualifying individuals. Health Care Component: Yes Analysis: Case Management would most likely be considered a health care provider because they provide services to clients and then bill for those services.
Home Care Role: Provides services for residents that prevents or reduces institutionalization and performs other activities which enable comfortable daily living. Health Care Component: Yes Analysis: Home Care would be considered a health care provider because they provide services to residents and then bill for those services.
Ambulance Role: Provides emergency medical services and transportation. Health Care Component: Yes Analysis: Ambulance would be considered a health care provider because they provide services to residents and then bill for those services.
Public Health Role: Investigates communicable diseases, provides health planning and education for the county, offers childhood immunizations, and provides treatment for sexually transmitted diseases. Health Care Component: Yes Analysis: Public Health would be considered a health care provider because they provide services to residents and then bill for those services.
Supervisor’s Office Role: Legislative body of the county and they approve claims and policies for other county departments. Health Care Component: Yes Analysis: The Supervisor’s Office falls under the definition of a business associate because they process claims for other county departments.
Veterans Affairs Office Role: Assists with veteran medical care and has funds to help pay for temporary shelter/utilities, food/health supplies, medical/dental, counseling, and transportation. Health Care Component: Yes Analysis: Could fall under the definition of a health care provider or a health plan because the VA Office provides some health care services and also pays for services.
Mental Health and Disability Regions Role: Separate legal entity from the county (28E entity). Health Care Component: Separate legal entity so not a health care component but they are a covered entity on their own. Analysis: MHDS Regions are separate legal entities from the counties but they share employees. The employees must follow both the county and region HIPAA policies and procedures, depending who the employee is working for at that particular time.
Information Technology Office Role: Develops and maintains computer software applications that facilitate a county’s business operations. Health Care Component: Yes Analysis: The IT department would likely be considered a business associate of other health care components within the county because they provide support for functions that involve PHI.
Sheriff’s Office Role: Provides various law enforcement services for the county. The sheriff serves mental health and substance abuse court orders and provides transports, provides security for the courthouse and county administration buildings and serves civil process. Detainees in the county jail shall also be provided appropriate care for serious medical, dental, and mental health needs. Health Care Component: Primarily no but some Sheriff’s Offices may need to subdivide if individuals within the office provide health care services at the jail. Analysis: The Sheriff’s Office would be considered a health care provider if they provide healthcare services, like having an on-staff nurse. The Sheriff’s Office could decide to designate only part of the office as a health care component.
Environmental Health Office Role: Prevents disease by controlling community environmental threats and providing local education on environmental health issues. Health Care Component: Maybe Analysis: Could be considered a business associate of another department within the county if they every create, receive, maintain, or transmit PHI for another department.
Clerk of Court Role: Not county employees but they do communicate with counties on various matters that could involve PHI Health Care Component: No Analysis: The Clerk of Court is not part of the county. Therefore, the Clerk of Court would not be considered part of the hybrid entity.
Department of Motor Vehicle Role: The DMV is part of the DOT but they often work with treasurers and share office space. Health Care Component: No Analysis: The DMV is not a health plan, health care provider, and does not function as a business associate. An entity is not considered a business associate just because they share office space with a health care component.
County Attorneys Role: Advises the county on legal matters. Could have access to PHI if there is any kind of legal dispute Health Care Component: Yes Analysis: County attorneys often have access to PHI if there is a legal dispute so they would be considered a business associate if they were a separate legal entity.
Treasurer’s Office Role: Processes drivers’ licenses. Health Care Component: Most likely not Analysis: The Treasurer’s Office would not be considered a health care provider or health plan because they do not provide or pay for health care services. Further, they most likely don’t provide any service to other departments within the county that would make them a business associate.
Medical Examiners Role: Investigates certain deaths Health Care Component: Most likely not Analysis: Performing an autopsy does not render the medical examiner a health care provider because it does not fall under the definition of health care. Medical examiners would not be considered business associates unless they provide other kinds of services for the county that involve PHI.
Engineers Role: Responsible for the construction and maintenance of county roads. Health Care Component: No Analysis: The County Engineer is not considered a health plan, health care provider, and does not function as a business associate. An entity is not considered a business associate just because they share office space with a health care component.
ISAC HIPAA Program
ISAC HIPAA Program How to get the most out of the ISAC HIPAA Program Ask questions Suggest webinar topics Future webinars/trainings March Webinar: March 29th 10am-11am Beth Manley-Region specific webinar April In-person training: April 13th at Courtyard by Marriott in Ankeny Jim Sheldon-Dean will host the training and cover numerous HIPAA topics May Webinar: May 31st 10am-11am William Roberts from Shipman & Goodwill LLP will talk about business associates and vendor privacy June Webinar: June 27th 10am-11am Gary Jones-Employee training for non-clinical employees
April 13 In-Person Training th April 13th probably 9:30-4 or 4:30 Courtyard by Marriott in Ankeny (same as last year) Speaker: Jim SheldonDean Schedule-tentative Overview of HIPAA Regulations HIPAA Privacy Rule Principles, Policies and Recent Changes to the HIPAA Rules HIPAA Security Rule Principles HIPAA Security Policies and Procedures and Audits Risk Analysis for Security and Meaningful Use Risk Mitigation and Compliance Remediation Documentation, Training, Drills and Self-Audits
Questions Beth Manley 515-244-7181 [email protected]