AMC/HIPAA Workgroup
213
General Policy and Management Guidelines

GEN.01 Roles and Responsibilities in Development and Maintenance
AMC Explanation of Guideline
The HIPAA security and privacy regulations include not only explicit requirements for roles but
also requirements for activities that imply the creation of formal roles and responsibilities for
many people in an institution as large and complex as an AMC. The requirements for a Security
Office(r) and a Privacy Official are the starting points, with other bodies needed to serve in
developing and maintaining HIPAA compliance elements. Paying careful attention to how roles
and responsibilities in developing and maintaining HIPAA compliance are arranged will reduce
the amount of waste, confusion, and delay. This section offers some guidance that AMCs may
find useful in approaching this subject.
Key Issues
How are authority and responsibility for compliance allocated?
Who (person and/or unit) is responsible for which aspects of developing the HIPAA
program?
How can the HIPAA responsibilities be coordinated with the existing management and
funding model in the covered entity?
Category I Guidelines-Actions must be taken to address these.
None; this section is advisory only.
Category II Guidelines-Actions should be taken to address these
Establish a formal HIPAA security and privacy compliance program.
Enlist external consultants.
Push responsibility down to line management.
Designate a responsible executive.
The coordinator should cultivate a small, informal group of advisors from among those
people whose current roles give them a significant stake in how the HIPAA development
process is structured (e.g. risk managers, internal auditors, accreditation managers, health
information managers, senior IT managers, senior clinical operations managers, counsel).
Appoint a Security Officer and a Privacy Official after the awareness phase for senior and
middle managers is mature.
Require regular reporting to senior management on the status of the development effort
during the awareness phase. Continue with a reporting format appropriate to the planning
and execution phases.
Organize around the idea that HIPAA is a compliance project with strong implications
for clinical operations, IT activities, and business relations. Appointments and processes
should respect this concept.
Establish a set of guidelines for use by the covered entity's management in forming
HIPAA-compliant operations. Use these as a common reference in decision-making
related to HIPAA.

Develop the HIPAA program models that include managers' involvement in ways that
will aid each manager's role with HIPAA. Be sure to actively involve managers from the
research, education, and clinical care areas of the covered entity.
Roadblocks
Getting enough of the "attention budget" of the key managers may be difficult. Many people in
such positions in healthcare today already have full agendas, and making room for HIPAA will
likely require adjustment. Also, making costs to meet the HIPAA requirements understandable
will require creativity and patience. Credible plans (including resource needs) take the time and
attention of managers to create and communicate. Finally, creating a well-timed development
effort to comply with the regulations within the time allowed (2 years) could present difficulties
for unprepared AMCs.
Comments
None.

GEN.02 Organizational Support for HIPAA Security and Privacy Compliance
This point addresses how to build support for HIPAA security and privacy compliance among
line management, who will have to balance compliance activities with many other demands on
their time, attention, and resources.
Key Issues
What incentives and support for HIPAA compliance activities will be provided to line
management whose staff are responsible for handling protected health information or
documentation of compliance activities?
Category I Guidelines-Actions must be taken to address these.
None; this section is advisory only.
Category II Guidelines-Actions should be taken to address these
Demonstrate executive management commitment to compliance with the HIPAA security
and privacy requirements.
Provide a contact who can assist line management with compliance activities.
Implement accountability for failure to participate in compliance activities.
Establish a HIPAA security and privacy compliance reporting program; require
compliance reporting on a regular basis.
Educate line management on the importance of HIPAA security and privacy compliance,
executive management's commitment to compliance, and the consequences of non-
compliance. Consider tracking participation in this education program.
Include HIPAA security and privacy compliance in line management performance
criteria.
Establish and publicize sanctions for failing to participate in compliance activities.
Roadblocks
No roadblocks specific to this point.
Comments
None.

GEN.03 Resources for Development and Maintenance
This point addresses funding of the development and maintenance of a HIPAA Security and
Privacy program. While it may be difficult to determine the exact costs of HIPAA security and
privacy compliance, resource requirements are likely to be extensive. As an unfunded mandate,
it may be difficult to establish appropriate financial and personnel resources.
Key Issues
How much will HIPAA security and privacy compliance cost? Determining this will be
important for budgeting.
How does one go about involving the right people in developing a useful estimate?
How should covered entities get started with building HIPAA security and privacy items
into the regular operations budget?
Who must answer the resource allocation question? Senior executives, boards, etc.?
Consider other benefits of compliance.
Category I Guidelines-Actions must be taken to address these.
None; this section is advisory only.
Category II Guidelines-Actions should be taken to address these
Use existing resources to scope effort and cost.
Use an incremental funding model.
Pay attention to the principles of reasonability and scalability when forming budget
estimates.
Investigate minimal compliance.
Investigate cost recovery specific to the regulatory mandate.
Consider non-monetary costs.
Compare with the cost of non-compliance, including non-monetary costs.
Treat HIPAA security and privacy resource requests as part of the normal budget process.
Roadblocks
No roadblocks specific to this point.
Comments
None.

GEN.04 Evaluation and Monitoring of Development and Maintenance
This point addresses the development and maintenance of an effective HIPAA security and
privacy program. Evaluation and monitoring of compliance activities is a normal feature of any
compliance program. To be effective, a covered entity's HIPAA security and privacy
compliance program must fit the entity's culture, business operations, and risk management
strategy.
Key Issues
How can a covered entity make the initial and ongoing compliance activity effective?
How will a covered entity formulate a process that evaluates the approach of each unit for
adequacy and timeliness? Against what norms should approaches be evaluated?
Category I Guidelines-Actions must be taken to address these.
None; this section is advisory only.
Category II Guidelines-Actions should be taken to address these
Establish a governing body for evaluation and monitoring, to guide implementation, and
to review compliance.
Provide consistent guidelines for HIPAA security and privacy compliance across the
covered entity.
Forward progress reports up the covered entity's management chain.
Formally recognize when work moves from "development" to "operations."
Make line executives responsible for compliance oversight.
Tie compliance to formal audit and/or accreditation processes.
Consider the use of an automated tool to capture compliance activity.
Roadblocks
No roadblocks specific to this point.
Comments
The reporting technique should define mechanisms to ensure accountability.

GEN.05 Reasonableness
This point addresses how a covered entity can interpret the reasonableness provisions of the
HIPAA Security and Privacy regulations. The regulations permit entities to interpret their
requirements based on "reasonableness." Covered entities must exercise judgment to decide
what is and is not reasonable. Whether a particular proposed action would be considered
reasonable will depend on a number of factors including the nature and size of a covered entity,
the covered entity's internal expertise and technical abilities, the feasibility and difficulty of the
proposed action, and the cost of the proposed action.
Key Issues
Who in a covered entity will determine what is reasonable for the covered entity?
What criteria will be used to judge reasonableness?
Category I Guidelines-Actions must be taken to address these.
None; this section is advisory only.
Category II Guidelines-Actions should be taken to address these
Use cost and feasibility studies to assess reasonableness.
Conduct risk analysis to assess the reasonableness of compliance measures.
Benchmark against similar covered entities and network with peers.
Obtain advice of counsel on policies and procedures.
Evaluate and monitor functions to ensure the reasonableness of compliance measures.
Encourage internal consistency of practices.
Document justifications of reasonableness decisions.
Establish an effective remedial action process; such a process may be considered
evidence of reasonableness.
Obtain certification of security procedures; doing so may be considered evidence of
reasonableness.
Roadblocks
No roadblocks specific to this point.
Comments
The reasonableness criterion does not appear to apply to unambiguous mandates of the HIPAA
Security and Privacy regulations. All of the Category I guidelines in this document represent
unambiguous mandates of the regulations, so failing to implement Category I guidelines would
likely be considered unreasonable.

GEN.06 Scalability
This point addresses appropriate scaling of each covered entity's HIPAA security and privacy
program to its needs. The HIPAA regulations do not take a "one-size fits all" approach; instead,
each covered entity is expected to implement provisions of the act in a fashion appropriate to its
size and physical environment. What may be an appropriate mechanism for one covered entity
may be "overkill" in another.
Key Issues
Is the compliance program appropriate to the size of the covered entity?
What is reasonable for what size?
What physical environment aspects need to be considered?
Category I Guidelines-Actions must be taken to address these.
None; this section is advisory only.
Category II Guidelines-Actions should be taken to address these
Tie the justification of selected practices and safeguards to risk analysis.
Define your covered entity, its boundaries, and its scope.
Consider organizational size, assets, and capabilities in determining the reasonableness of
proposals for meeting the HIPAA security and privacy program.
Benchmark recommendations of risk analysis efforts against peers.
Comments
Very little guidance is given as to what is reasonable for a given size of covered entity.

GEN.07 Limiting Liability Arising from Compliance
This point addresses procedures for reducing liability associated with information discovered
during HIPAA security and privacy compliance activities. During compliance activities, a
covered entity may discover information that could create liability. Covered entities should
consider taking actions to reduce any such liability, and should consider a variety of mechanisms
for reducing these liabilities.
Key Issues
What kinds of compliance actions and findings might create liability for the covered
entity?
Which structures and policies should be used to limit liability arising from compliance
activities?
Category I Guidelines-Actions must be taken to address these.
None; this section is advisory only.
Category II Guidelines-Actions should be taken to address these
Formulate liability mitigation procedures for internal audit and critical self-analysis
findings.
Consider the use of attorney-client and other privileges to reduce liability.
Document and follow effective problem correction procedures.
Benchmark industry best practice and regulatory standards to establish conformance to
standards of best practice and due care.
Use a formal compliance program as a mitigating factor.
Document timeliness of response to reported problems as a mitigating factor.
Consider whether certification of the covered entity's security system is a mitigating
factor.
Involve the covered entity's legal counsel in the design of liability reduction measures.
Use the security system to protect the confidentiality of information that might create
liability.
Review IRB processes in relation to privacy and security incidents.
Roadblocks
No roadblocks specific to this point.
Comments
None.

GEN.08 HIPAA Accreditation Intersections
This guideline addresses mitigation of inconsistent accreditation requirements. Various
independent accrediting bodies such as JCAHO, the College of American Pathologists,
Residency Review Committees, state legislation, etc., establish accreditation requirements.
These requirements may be internally consistent within each body, but levy inconsistent
requirements when viewed in their entirety.
Key Issues
How many sets of rules apply to each situation? Which ones?
Are these rules consistent? If not, what can be done about the inconsistencies?
Do "special" restrictive disorders (psychiatric, HIV, etc.) require "special" permission,
which will impair the flow of protected health information between PCPs and specialists?
Category I Guidelines-Actions must be taken to address these.
None; this section is advisory only.
Category II Guidelines-Actions should be taken to address these
Compile a comparison list of conflicting rules.
Encourage boards, joint commissions, etc., to take public positions on conflicts and
eliminate them.
Determine whether HIPAA compliance eliminates the need for compliance to some other
regimes.
Encourage development of reciprocity agreements among regimes.
Comments
The list of private accrediting agencies is quite long. All request that AMCs provide lists of
protected health information to do their accreditation work. The AAMC has requested that this
requirement be eliminated.

GEN.09 Stricter State Law § 160.203
HIPAA Requirement
General rule. A standard, requirement, or implementation specification adopted
under or pursuant to this subchapter that is contrary to a provision of State law
preempts the provision of State law. This general rule applies, except where one
or more of the following conditions is met:
(a) A determination is made by the Secretary pursuant to § 160.204(a) that the
provision of State law:
(1) Is necessary:
(i) To prevent fraud and abuse;
(ii) To ensure appropriate State regulation of insurance and health plans;
(iii) For State reporting on health care delivery or costs; or
(iv) For other purposes related to improving the Medicare program, the Medicaid
program, or the efficiency and effectiveness of the health care system; or
(2) Addresses controlled substances.
(b) The provision of State law relates to the privacy of health information and is
more stringent than a standard, requirement, or implementation specification
adopted under subpart E of part 164 of this subchapter.
(c) The provision of State law, or the State established procedures, are
established under a State law providing for the reporting of disease or injury,
child abuse, birth, or death, or for the conduct of public health surveillance,
investigation, or intervention.
(d) The provision of State law requires a health plan to report, or to provide
access to, information for the purpose of management audits, financial audits,
program monitoring and evaluation, facility licensure or certification, or
individual licensure or certification.
AMC Explanation of HIPAA Regulation
HIPAA's privacy rule is a floor above which more stringent state law applies. HIPAA's security
rule, on the other hand, supersedes conflicting state law.
Key Issues
What is the process to determine which is the more strict interpretation, state law or the
HIPAA privacy regulations?
Which law/regulation applies when health care or health plan business is delivered across
state lines?
How will covered entities that do business in multiple states accommodate the different
stricter standards in each state?
When does the state of the patient, as opposed to the state of the covered entity, govern
which state's laws apply?

Category I Guidelines-Actions must be taken to address these
Determine when the federal floor for a particular situation is superseded by state law or
regulation.
Category II Guidelines-Actions should be taken to address these
Participate in statewide consortia that will provide guidance on when the federal floor for
a particular regulation is superseded by state law or regulation. This is an opportunity to
build consensus and reduce uncertainty and confusion while constraining costs.
Obtain advice from counsel when there are potential issues related to the application of
state law.
Roadblocks
Areas of potential conflict between federal and state laws and regulations are a particular
problem when the regulations are not written clearly or the interpretation of the regulations is
open. Covered entities may need to retain outside counsel to determine specific courses of
action.
Comments
State entities are encouraged to proactively request opinions from their state's Attorney General,
as well as from state elected officials sponsoring legislation perceived as potentially conflicting.
The following sections may require consideration for potentially more restrictive state law:
* PRIV.11 Right of an individual to request restriction of uses and disclosures § 164.522(a)(1)
* PRIV.24 Uses and disclosures of protected health information for marketing
* PRIV.27 Uses and disclosures required by law § 164.512(a)
* PRIV.29 Disclosures about victims of abuse, neglect or domestic violence § 164.512(c)
* PRIV.31 Disclosures for judicial and administrative proceedings § 164.512(e)
* PRIV.37 Uses and disclosures for specialized government functions § 164.512(k)
* PRIV.58 Changes to policies or procedures § 164.530(i)(2)
For example, consider a situation where a health plan is incorporated in Washington, D.C., a
clinic is across the Potomac river in Virginia, and the patient resides in Maryland. There may be
conflicting state laws and regulations. How will these be resolved? Likely HIPAA transactions
that would cross state borders include enrollment, eligibility, referral and authorization, claim,
claim status, and remittance. Additionally, health records may be transferred across state lines in
support of care.

GEN.10 Policy Establishment and Modification
This point addresses the difficulty of establishing consistent policy across a complex covered
entity such as an AMC. A covered entity may not have the authority to dictate policies and
procedures to some of its subsidiary or affiliate entities. Nevertheless, the covered entity will
have to ensure that some of these entities comply with the HIPAA security and privacy
requirements.
Key Issues
Who (if anyone) has the authority to formulate and implement security and privacy
policies for the whole covered entity?
If subsidiary or affiliate entities have independent policy formulation processes, how can
the covered entity influence these entities to comply with HIPAA security and privacy
requirements in a consistent way?
Category I Guidelines-Actions must be taken to address these.
None; this section is advisory only.
Category II Guidelines-Actions should be taken to address these
Choose the covered entity's structure and affiliate relationships carefully where flexibility
in defining covered entity structure exists.
Encourage independent policy formulation authorities to work together on HIPAA
security and privacy policy development and implementation.
Use existing policy formulation and implementation processes and agreements wherever
possible (human resources processes, union contracts, etc.).
Consider requiring specific policies and procedures in contracts if necessary.
Roadblocks
No roadblocks specific to this point.
Comments
None.

GEN.11 Policy Usage Introduction
This point addresses strategies for successfully introducing HIPAA security and privacy policies
and procedures. Covered entities need to ensure that their employees learn and follow newly
introduced HIPAA security and privacy policies.
Key Issues
What factors contribute to successful introduction of new security and privacy policies?
What models for successful policy introduction already exist within the covered entity?
To what extent will acceptance be dependent on the degree of change mandated and the
methods used to elicit compliance?
What are the consequences if HIPAA security and privacy policies are not consistently
observed?
Category I Guidelines-Actions must be taken to address these.
None; this section is advisory only.
Category II Guidelines-Actions should be taken to address these
Justify policies by explaining how they benefit the covered entity and its customers.
Emphasize the risks of non-compliance.
Model security and privacy policy deployments on previous successful policy
deployments within the covered entity. Look specifically at human resources policy
introduction processes.
Require and keep records of workforce members' acknowledgement that they have
received and understood security and privacy policy.
Examine policy compliance during risk assessment and accreditation; implement
corrective actions if necessary.
Consider pilot policy deployments and adjust broader deployment plans based on the
results of the pilots.
Roadblocks
No roadblocks specific to this point.
Comments
None.

GEN.12 Privacy Culture
This guideline addresses the fostering of cultural changes through the creation of a privacy
culture. Privacy culture changes are often shaped by societal expectations resulting from law,
regulation, and litigation. Compliance with the HIPAA privacy regulations carries with it a need
to change the accountability and responsibility for privacy within a covered entity. This process
of change is facilitated through an appreciation of the sensitivity of the data being handled. In
addition, the security regulations will serve as a tool to enable the protection of privacy.
Key Issues
How can a covered entity change workforce members' existing bad habits in using and
communicating information?
How will a covered entity adapt to societal expectations related to privacy?
How long will it take to change the current culture; how can a covered entity
assess/measure it?
Are there issues of institutional conformity in a multi-facility covered entity?
How can covered entities induce the same level of regard for privacy within associated
entities and business partners?
Category I Guidelines-Actions must be taken to address these.
None; this section is advisory only.
Category II Guidelines-Actions should be taken to address these
Have senior management set clear expectations.
Ensure that role models set a good example.
Provide feedback on security and privacy behavior.
Publicize the application of sanctions.
Incorporate consumer perceptions, expectations, and suggestions into the curriculum.
Hold collegial discussions.
Incorporate security and privacy in the curriculum (to build good habits early).
Provide orientation training in terms of the expected culture of privacy, and establish and
enforce policies dealing with transgressions.
Roadblocks
Implementing the HIPAA security and privacy regulations will require a culture change with
regard to how patient information is handled in most AMCs. Developing a program to induce
this culture change requires support from senior managers, funding, elapsed time, and staff time
from a significant percentage of the staff in the AMC. Each of the early developmental choices
in HIPAA must work with this set of circumstances to achieve this type of change.
Comments
None.

GEN.13 Digital Signature
This guideline addresses digital signature mechanisms and standards employed with respect to
HIPAA identified transactions.
HIPAA Requirement
PL 104-191 Sec. 1173 (e) Electronic Signature.
(1) Standards. The Secretary, in coordination with the Secretary of Commerce,
shall adopt standards specifying procedures for the electronic transmission and
authentication of signatures with respect to the transactions referred to in
subsection (a)(1).
(2) Effect of Compliance. Compliance with the standards adopted under
paragraph (1) shall be deemed to satisfy Federal and State statutory requirements
for written signatures with respect to the transactions referred to in subsection
(a)(1).
Section 1173 (a)
(1) In General. The Secretary shall adopt standards for transactions, and data
elements for such transactions, to enable health information to be exchanged
electronically, that are appropriate for--
(A) the financial and administrative transactions described in paragraph (2); and
(B) other financial and administrative transactions determined appropriate by the
Secretary, consistent with the goals of improving the operation of the health care
system and reducing administrative costs.
AMC Explanation
The final DHHS Security rule may or may not contain the Secretary's response to HIPAA's
electronic signature requirements. This is due to the fact that suitable standards for digital
signatures in healthcare (as published by an ANSI accredited standards development
organization) currently do not exist. Nevertheless, it is anticipated that an electronic/digital
signature rule will ultimately be provided in response to HIPAA legislation - if not in the
security rule itself, then later on as a new rule.
In accordance with the draft DHHS Security and Electronic Signature Proposed Rule [45 CFR
160], if an electronic signature is required, then it must be a digital signature. When one of the
required standard claims transactions uses a digital signature (none of the current transactions are
required to at present), the digital signature must provide:
d) Message integrity;
e) Non-repudiation;
f) User authentication; and
g) Proof of "intent" to sign.
The digital signature may also provide:
h) Ability to add attributes;
i) Continuity of signature capability;
j) Countersignature capability;
k) Independent verifiability;
l) Interoperability;
m) Multiple signatures; and
n) Transportability.
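The four mandatory properties listed above map directly onto what a signature must cover. The following program is an added example, not part of the AMC/HIPAA Workgroup guidelines or of any of the standards they cite; it uses Ed25519 from the Go standard library to sign a transaction payload together with a signer identifier and a statement of intent, verifies the result, and adds a countersignature. The signer identifiers, the intent strings and the claim payload are constructed for illustration, and the field encoding is ad hoc; a production system would take the signer's identity from a certificate issued under the certificate policies discussed below and would use the ASTM/HL7 signature formats rather than this layout.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Signature binds a signer identity and a statement of intent to the hash of
// the signed content and carries the Ed25519 signature over that binding.
// Content hash under the signature  -> message integrity
// Signer ID under the signature     -> user authentication (checked with the
//                                      signer's public key)
// Intent string under the signature -> proof of intent to sign
// Private key held only by the user -> basis for non-repudiation
type Signature struct {
	SignerID    string
	Intent      string
	ContentHash [32]byte
	Sig         []byte
}

// signedBytes is the canonical byte string that is actually signed. Each
// string is length-prefixed so "ab"+"c" and "a"+"bc" cannot collide.
// (Ad hoc encoding for this example; real formats are defined by the SDOs.)
func signedBytes(signerID, intent string, contentHash [32]byte) []byte {
	var buf bytes.Buffer
	for _, s := range []string{signerID, intent} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(s)))
		buf.Write(n[:])
		buf.WriteString(s)
	}
	buf.Write(contentHash[:])
	return buf.Bytes()
}

// Sign produces a signature over payload by the holder of priv. In a
// deployment this runs on the end user's device, where the private key lives.
func Sign(priv ed25519.PrivateKey, signerID, intent string, payload []byte) Signature {
	h := sha256.Sum256(payload)
	return Signature{
		SignerID:    signerID,
		Intent:      intent,
		ContentHash: h,
		Sig:         ed25519.Sign(priv, signedBytes(signerID, intent, h)),
	}
}

// Verify checks that sig was produced over payload by the holder of pub.
// Any change to the payload, the signer ID or the intent makes it fail.
func Verify(pub ed25519.PublicKey, sig Signature, payload []byte) bool {
	if sha256.Sum256(payload) != sig.ContentHash {
		return false
	}
	return ed25519.Verify(pub, signedBytes(sig.SignerID, sig.Intent, sig.ContentHash), sig.Sig)
}

// Countersign signs the first signature itself rather than the bare payload,
// so the countersigner attests to who signed and with what intent, e.g. a
// supervisor approving an order a resident has already signed.
func Countersign(priv ed25519.PrivateKey, signerID, intent string, first Signature) Signature {
	return Sign(priv, signerID, intent, first.Sig)
}

// VerifyCountersignature checks a countersignature against the first signature.
func VerifyCountersignature(pub ed25519.PublicKey, counter, first Signature) bool {
	return Verify(pub, counter, first.Sig)
}

func main() {
	// Constructed sample: fresh keys and a placeholder claim, not real data.
	clinPub, clinPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	supPub, supPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	claim := []byte("constructed sample claim transaction; not a real X12 837")

	sig := Sign(clinPriv, "clinician-001", "I attest that this claim is accurate and complete", claim)
	fmt.Println("original verifies:        ", Verify(clinPub, sig, claim))

	tampered := append([]byte(nil), claim...)
	tampered[0] ^= 0x01
	fmt.Println("tampered payload rejected:", !Verify(clinPub, sig, tampered))
	fmt.Println("wrong signer key rejected:", !Verify(supPub, sig, claim))

	altered := sig
	altered.Intent = "draft only, not for submission"
	fmt.Println("altered intent rejected:  ", !Verify(clinPub, altered, claim))

	counter := Countersign(supPriv, "supervisor-007", "Reviewed and approved for submission", sig)
	fmt.Println("countersignature verifies:", VerifyCountersignature(supPub, counter, sig))
}
```

A relying party checks the first signature against the payload and then the countersignature against the first signature; the countersignature alone says nothing about the payload. Note what the server never holds in this arrangement: the signing keys. It stores and verifies signed transactions, which is the division of responsibility described under Roadblocks below.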
Key Issues
When must a digital signature be used?
How and when should a covered entity gain access to a suitable Public Key Infrastructure
(PKI)?
Category I Guidelines-Actions must be taken to address these.
None; this section is advisory only.
Category II Guidelines-Actions should be taken to address these
Anticipate and plan for participation in a PKI.
Actively follow and participate in the development of digital signature standards through
ANSI HISB and ANSI accredited standards development organizations.
Plan for, budget for, and educate workforce members on the technology and use of digital
signatures.
Plan for, and adopt/develop certificate policies for, PKI and digital signatures. These
policies should include granting, suspending, and revoking certificates, and assuring
interoperability.
Plan to replace proprietary electronic signatures with an interoperable standards-based
digital signature.
Consider developing limited near-term digital signature pilots.
Roadblocks
The technology of public key infrastructures and digital signatures is still relatively new,
expensive, and may not be suitable for small covered entities. A cost-benefit analysis may be
appropriate.
Replacing proprietary electronic signatures with a digital signature may require significant
changes to legacy healthcare applications. Electronic signatures developed as part of a
healthcare application are implemented on the application server. Digital signatures, on the
other hand, are bound to end users, who retain control of their own private keys. The signing
operation therefore takes place on the end user's device, and the server's role is to securely
store the signed documents/transactions.
Comments
Standards development organizations (SDO) including NCPDP, X12, ASTM, HL7, and W3C
met in Orlando, Florida on 8 January 2001 and agreed to the development of a Multi-SDO
Digital Signature Standard. The standard would be largely based on standards work recently
approved from ASTM and HL7. Subsequently, hearings were held with NCVHS. ANSI HISB
will act to coordinate the development with the goal of producing the standard in the latter part
of 2001.
Draft certificate polices are under development by the NIST sponsored Federal PKI Technical
Working Group and from ASTM.
Further information on the Multi-SDO Digital Signature Project is available at:
http://hl7.org/special/Committees/multiSDO/index.htm
References:
The following digital signature standards in healthcare are germane:
o) ASTM E1762-95 Standard Guide for Electronic Authentication of Health Care
Information
p) ASTM E2084-00 Standard Specification for Authentication of Healthcare
Information Using Digital Signatures
q) ASTM E2085-00a Standard Guide on Security Framework for Healthcare
Information
r) HL7 Version 3.0

GEN.14 Other Federal Law and HIPAA Privacy
HIPAA's Privacy provisions interact with related provisions in several other federal laws. Those
most likely to be of primary interest to AMCs are discussed below.
Key Issues
How do the interactions with the various relevant federal laws affect the policy,
procedure, and practice set in the AMC?
What protections will be provided for student records in a student health clinic of the
AMC?
How will HIPAA coverage of ERISA-based plans affect AMC health plan operations?
How will the operational resources who work with FERPA, non-FERPA, and HIPAA
health records manage privacy issues?
How will the interactions between CLIA (Clinical Laboratory Improvement
Amendments) and HIPAA affect patient access process?
How will the safe harbor provisions related to the European Union privacy directive
affect CROs?
Category I Guidelines-Actions must be taken to address these.
Align the AMC's privacy program to be consistent with the intersecting demands of other
federal laws related to privacy practices.
Category II Guidelines-Actions should be taken to address these
AMCs should ensure that the program managers in the areas affected by the intersecting
laws (e.g. the Benefits group that handles the ERISA plan) are part of the HIPAA program
team.
AMCs should consider offering protections that comply with FERPA and HIPAA, even
where not required to do so, to student health records within the student health clinics,
educational administration, and other clinical facilities (e.g. the AMC's local hospital).
Doing so will avoid having to interface multiple protection standards for the same person
and sometimes even the same episode of care.
AMCs should seek advice from their legal counsels with respect to these intersecting
laws.
Roadblocks
No roadblocks specific to this point.
Comments
HIPAA Privacy provisions interact with several other Federal laws and at least one international
agreement. The preamble of the privacy rule discusses the following laws and their interactions
with HIPAA:
* The Privacy Act;
* The Freedom of Information Act;
* Federal Substance Abuse Confidentiality Requirements;
* Employee Retirement Income Security Act of 1974;
* The Family Educational Rights and Privacy Act;
* Gramm-Leach-Bliley;
* Federally Funded Health Programs;
* Food, Drug, and Cosmetic Act;
* Clinical Laboratory Improvement Amendments;
* Other Mandatory Federal or State Laws;
* Federal Disability Nondiscrimination Laws; and
* U.S. Safe Harbor Privacy Principles (European Union Directive on Data
Protection).
The laws most likely to be of interest to AMCs are noted below:
Employee Retirement Income Security Act of 1974 (ERISA)
HIPAA does cover the ERISA plans in the typical AMC. There do not appear to be any
serious interactions between HIPAA privacy and ERISA.
The Family Educational Rights and Privacy Act (FERPA)
FERPA covers educational records in K-12 and post-secondary institutions that receive
Federal funds.
* In FERPA-covered post-secondary institutions the records that are in the typical
student health clinic are not considered FERPA educational records. Records shared
for purposes other than treatment (e.g. immunization declarations for dorm
placement) in these settings are FERPA educational records.
* The non-FERPA health records are also specifically excluded from HIPAA Privacy
rule coverage by the definition of "protected health information" in § 164.501
(Definitions). See the discussion in the privacy rule preamble on 20 U.S.C.
§ 1232g(a)(4)(B)(iv).
* The implication for the typical AMC is that the typical records in the student health
center are not covered by HIPAA or FERPA. AMCs will therefore only be required
to provide privacy measures required by other laws, regulations, and/or accreditation
standards.
Federally Funded Health Programs
AMCs do a great deal of business with federally funded health plans (e.g.
Medicare, Medicaid, CHAMPUS). These plans were specifically included in
HIPAA coverage as "health plans" by the HIPAA law.
Food, Drug, and Cosmetic Act
Many AMCs use products that are either under development or in early release
use. Reports on adverse events and related disclosures to the FDA and FDA
authorized persons are provided for in HIPAA in § 164.512(b)(1)(iii).
Clinical Laboratory Improvement Amendments
Many AMC labs are governed by CLIA. CLIA requires that test results be
provided to authorized persons only. State law defines "authorized person;" it is
typically the person who ordered the test. CLIA's rule will override HIPAA's
requirement that the patient be provided their protected health information by the
lab. Since the lab results are almost always reported to a covered entity (e.g.
hospital, physician), however, the patient may still gain access to his information
through those to whom the lab results have been reported.
U.S. Safe Harbor Privacy Principles (European Union Directive on Data Protection)
Many AMCs engage in worldwide trials of pharmaceuticals, some of which
include participants in the European Union. The Safe Harbor provisions (on the
Department of Commerce web site, http://www.export.gov/safeharbor/) allow
U.S. organizations that comply with the provisions to receive data on European
Union citizens at facilities located within the United States. The general intent
evidenced by the U.S. team during the negotiations of the Safe Harbor provisions
was to ensure that those entities who were HIPAA compliant would also be
within the safe harbor set; however, no declaration or analysis to that effect is
available in the HIPAA privacy rule.