AMC/HIPAA Workgroup 213 General Policy and Management Guidelines

Websuche.info die frische Suchmaschine alteredrealitycc derkach private Krankenversicherung Autoversicherung KFZ Versicherung Lebensversicherung KFZ Versicherungsvergleich Autoversicherungen KFZ Versicherungen Lebensversicherungen Horoskop Horoskope Eintrag bbsnet Reisen Urlaub Baufinanzierung Hausfinanzierung Immobilienfinanzierung Erotik Hallenbau creative-lizzy Last Minute Algarve Ferienhaus Portugal Werbemittel Werbeartikel Viking Buerobedarf Bueroartikel Bueromaterial Kalender Drucker Druckerpatronen Tintenpatronen HP Drucker Werbeartikel Werbemittel Bueromoebel Kopierer Krankenversicherungsvergleich Werbeartikel Werbemittel Kreditvergleich

tableofcontents.htm start.htm securitysectiontwo.htm securitysectionthree.htm securitysectionone.htm securitycategories.htm references.htm privacysectiontwo.htm privacysectionthree.htm privacysectionone.htm privacysectionfour.htm privacysectionfive.htm privacycategories.htm jobdescriptions.htm introduction.htm index.htm hipaatrifold.htm hipaasuppliment.htm hipaaresources.htm hipaaexecsummary.htm guidelinesorganization.htm generalpolicyguidelines.htm generalcategories.htm definitions.htm contractsandpolicies.htm contact.htm amchipaasecurityandprivacyguidelines.htm acronyms.htm acknowledgements.htm

Page 1

AMC/HIPAA Workgroup

213

General Policy and Management Guidelines

Page 2

AMC/HIPAA Workgroup

214

GEN.01

Roles and Responsibilities in Development and Maintenance

AMC Explanation of Guideline

The HIPAA security and privacy regulations include not only explicit requirements for roles but

also requirements for activities that imply the creation of formal roles and responsibilities for

many people in an institution as large and complex as an AMC. The requirements for a Security

Office(r) and a Privacy Official are the starting points, with other bodies needed to serve in

developing and maintaining HIPAA compliance elements. Paying careful attention to how roles

and responsibilities in developing and maintaining HIPAA compliance are arranged will reduce

the amount of waste, confusion, and delay. This section offers some guidance that AMCs may

find useful in approaching this subject.

Key Issues

How are authority and responsibility for compliance allocated?

Who (person and/or unit) is responsible for which aspects of developing the HIPAA

program?

How can the HIPAA responsibilities be coordinated with the existing management and

funding model in the covered entity?

Category I Guidelines-Actions must be taken to address these.

None; this section is advisory only.

Category II Guidelines-Actions should be taken to address these

Establish a formal HIPAA security and privacy compliance program.

Enlist external consultants.

Push responsibility down to line management.

Designate a responsible executive.

The coordinator should cultivate a small, informal group of advisors from among those

people whose current roles give them a significant stake in how the HIPAA development

process is structured (e.g. risk managers, internal auditors, accreditation managers, health

information managers, senior IT managers, senior clinical operations managers, counsel).

Appoint a Security Officer and a Privacy Official after the awareness phase for senior and

middle managers is mature.

Require regular reporting to senior management on the status of the development effort

during the awareness phase. Continue with a reporting format appropriate to the planning

and execution phases.

Organize around the idea that HIPAA is a compliance project with strong implications

for clinical operations, IT activities, and business relations. Appointments and processes

should respect this concept.

Establish a set of guidelines for use by the covered entity's management in forming

HIPAA-compliant operations. Use these as a common reference in decision-making

related to HIPAA.

Page 3

AMC/HIPAA Workgroup

215

Develop the HIPAA program models that include managers' involvement in ways that

will aid each manager's role with HIPAA. Be sure to actively involve managers from the

research, education, and clinical care areas of the covered entity.

Roadblocks

Getting enough of the "attention budget" of the key managers may be difficult. Many people in

such positions in healthcare today already have full agendas, and making room for HIPAA will

likely require adjustment. Also, making costs to meet the HIPAA requirements understandable

will require creativity and patience. Credible plans (including resource needs) take the time and

attention of managers to create and communicate. Finally, creating a well-timed development

effort to comply with the regulations within the time allowed (2 years) could present difficulties

for unprepared AMCs.

Comments

None.

Page 4

AMC/HIPAA Workgroup

216

GEN.02 Organizational Support for HIPAA Security and Privacy Compliance

This point addresses how to build support for HIPAA security and privacy compliance among

line management, who will have to balance compliance activities with many other demands on

their time, attention, and resources.

Key Issues

What incentives and support for HIPAA compliance activities will be provided to line

management whose staff are responsible for handling protected health information or

documentation of compliance activities?

Category I Guidelines-Actions must be taken to address these.

None; this section is advisory only.

Category II Guidelines-Actions should be taken to address these

Demonstrate executive management commitment to compliance with the HIPAA security

and privacy requirements.

Provide a contact who can assist line management with compliance activities.

Implement accountability for failure to participate in compliance activities.

Establish a HIPAA security and privacy compliance reporting program; require

compliance reporting on a regular basis.

Educate line management on the importance of HIPAA security and privacy compliance,

executive management's commitment to compliance, and the consequences of non-

compliance. Consider tracking participation in this education program.

Include HIPAA security and privacy compliance in line management performance

criteria.

Establish and publicize sanctions for failing to participate in compliance activities.

Roadblocks

No roadblocks specific to this point.

Comments

None.

Page 5

AMC/HIPAA Workgroup

217

GEN.03

Resources for Development and Maintenance

This point addresses funding of the development and maintenance of a HIPAA Security and

Privacy program. While it may be difficult to determine the exact costs of HIPAA security and

privacy compliance, resource requirements are likely to be extensive. As an unfunded mandate,

it may be difficult to establish appropriate financial and personnel resources.

Key Issues

How much will HIPAA security and privacy compliance cost? Determining this will be

important for budgeting.

How does one go about involving the right people in developing a useful estimate?

How should covered entities get started with building HIPAA security and privacy items

into the regular operations budget?

Who must answer the resource allocation question? Senior executives, boards, etc.?

Consider other benefits of compliance.

Category I Guidelines-Actions must be taken to address these.

None; this section is advisory only.

Category II Guidelines-Actions should be taken to address these

Use existing resources to scope effort and cost.

Use an incremental funding model.

Pay attention to the principles of reasonability and scalability when forming budget

estimates.

Investigate minimal compliance.

Investigate cost recovery specific to the regulatory mandate.

Consider non-monetary costs.

Compare with the cost of non-compliance, including non-monetary costs.

Treat HIPAA security and privacy resource requests as part of the normal budget process.

Roadblocks

No roadblocks specific to this point.

Comments

None.

Page 6

AMC/HIPAA Workgroup

218

GEN.04

Evaluation and Monitoring of Development and Maintenance

This point addresses the development and maintenance of an effective HIPAA security and

privacy program. Evaluation and monitoring of compliance activities is a normal feature of any

compliance program. To be effective, a covered entity's HIPAA security and privacy

compliance program must fit the entity's culture, business operations, and risk management

strategy.

Key Issues

How can a covered entity make the initial and ongoing compliance activity effective?

How will a covered entity formulate a process that evaluates the approach of each unit for

adequacy and timeliness? Against what norms should approaches be evaluated?

Category I Guidelines-Actions must be taken to address these.

None; this section is advisory only.

Category II Guidelines-Actions should be taken to address these

Establish a governing body for evaluation and monitoring, to guide implementation, and

to review compliance.

Provide consistent guidelines for HIPAA security and privacy compliance across the

covered entity.

Forward progress reports up the covered entity's management chain.

Formally recognize when work moves from "development" to "operations."

Make line executives responsible for compliance oversight.

Tie compliance to formal audit and/or accreditation processes.

Consider the use of an automated tool to capture compliance activity.

Roadblocks

No roadblocks specific to this point.

Comments

The reporting technique should define mechanisms to ensure accountability.

Page 7

AMC/HIPAA Workgroup

219

GEN.05

Reasonableness

This point addresses how a covered entity can interpret the reasonableness provisions of the

HIPAA Security and Privacy regulations. The regulations permit entities to interpret their

requirements based on "reasonableness." Covered entities must exercise judgment to decide

what is and is not reasonable. Whether a particular proposed action would be considered

reasonable will depend on a number of factors including the nature and size of a covered entity,

the covered entity's internal expertise and technical abilities, the feasibility and difficulty of the

proposed action, and the cost of the proposed action.

Key Issues

Who in a covered entity will determine what is reasonable for the covered entity?

What criteria will be used to judge reasonableness?

Category I Guidelines-Actions must be taken to address these.

None; this section is advisory only.

Category II Guidelines-Actions should be taken to address these

Use cost and feasibility studies to assess reasonableness.

Conduct risk analysis to assess the reasonableness of compliance measures.

Benchmark against similar covered entities and network with peers.

Obtain advice of counsel on policies and procedures.

Evaluate and monitor functions to ensure the reasonableness of compliance measures.

Encourage internal consistency of practices.

Document justifications of reasonableness decisions.

Establish an effective remedial action process; such a process may be considered

evidence of reasonableness.

Obtain certification of security procedures; doing so may be considered evidence of

reasonableness.

Roadblocks

No roadblocks specific to this point.

Comments

The reasonableness criterion does not appear to apply to unambiguous mandates of the HIPAA

Security and Privacy regulations. All of the Category I guidelines in this document represent

unambiguous mandates of the regulations, so failing to implement Category I guidelines would

likely be considered unreasonable.

Page 8

AMC/HIPAA Workgroup

220

GEN.06

Scalability

This point addresses appropriate scaling of each covered entity's HIPAA security and privacy

program to its needs. The HIPAA regulations do not take a "one-size fits all" approach; instead,

each covered entity is expected to implement provisions of the act in a fashion appropriate to its

size and physical environment. What may be an appropriate mechanism for one covered entity

may be "overkill" in another.

Key Issues

Is the compliance program appropriate to the size of the covered entity?

What is reasonable for what size?

What physical environment aspects need to be considered?

Category I Guidelines-Actions must be taken to address these.

None; this section is advisory only.

Category II Guidelines-Actions should be taken to address these

Tie the justification of selected practices and safeguards to risk analysis.

Define your covered entity, its boundaries, and its scope.

Consider organizational size, assets, and capabilities in determining the reasonableness of

proposals for meeting the HIPAA security and privacy program.

Benchmark recommendations of risk analysis efforts against peers.

Comments

Very little guidance is given as to what is reasonable for a given size of covered entity.

Page 9

AMC/HIPAA Workgroup

221

GEN.07

Limiting Liability Arising from Compliance

This point addresses procedures for reducing liability associated with information discovered

during HIPAA security and privacy compliance activities. During compliance activities, a

covered entity may discover information that could create liability. Covered entities should

consider taking actions to reduce any such liability, and should consider a variety of mechanisms

for reducing these liabilities.

Key Issues

What kinds of compliance actions and findings might create liability for the covered

entity?

Which structures and policies should be used to limit liability arising from compliance

activities?

Category I Guidelines-Actions must be taken to address these.

None; this section is advisory only.

Category II Guidelines-Actions should be taken to address these

Formulate liability mitigation procedures for internal audit and critical self-analysis

findings.

Consider the use of attorney-client and other privileges to reduce liability.

Document and follow effective problem correction procedures.

Benchmark industry best practice and regulatory standards to establish conformance to

standards of best practice and due care.

Use a formal compliance program as a mitigating factor.

Document timeliness of response to reported problems as a mitigating factor.

Consider whether certification of the covered entity's security system is a mitigating

factor.

Involve the covered entity's legal counsel in the design of liability reduction measures.

Use the security system to protect the confidentiality of information that might create

liability.

Review IRB processes in relation to privacy and security incidents.

Roadblocks

No roadblocks specific to this point.

Comments

None.

Page 10

AMC/HIPAA Workgroup

222

GEN.08

HIPAA Accreditation Intersections

This guideline addresses mitigation of inconsistent accreditation requirements. Various

independent accrediting bodies such as JCAHO, the College of American Pathologists,

Residency Review Committees, state legislation, etc., establish accreditation requirements.

These requirements may be internally consistent within each body, but levy inconsistent

requirements when viewed in their entirety.

Key Issues

How many sets of rules apply to each situation? Which ones?

Are these rules consistent? If not, what can be done about the inconsistencies?

Do "special" restrictive disorders (psychiatric, HIV, etc.) require "special" permission,

which will impair the flow of protected health information between PCPs and specialists?

Category I Guidelines-Actions must be taken to address these.

None; this section is advisory only.

Category II Guidelines-Actions should be taken to address these

Compile a comparison list of conflicting rules.

Encourage boards, joint commissions, etc., to take public positions on conflicts and

eliminate them.

Determine whether HIPAA compliance eliminates the need for compliance to some other

regimes.

Encourage development of reciprocity agreements among regimes.

Comments

The list of private accrediting agencies is quite long. All request that AMCs provide lists of

protected health information to do their accreditation work. The AAMC has requested that this

requirement be eliminated.

Page 11

AMC/HIPAA Workgroup

223

GEN.09

Stricter State Law � 160.203

HIPAA Requirement

General rule. A standard, requirement, or implementation specification adopted

under or pursuant to this subchapter that is contrary to a provision of State law

preempts the provision of State law. This general rule applies, except where one

or more of the following conditions is met:

(a) A determination is made by the Secretary pursuant to � 160.204(a) that the

provision of State law:

(1) Is necessary:

(i) To prevent fraud and abuse;

(ii) To ensure appropriate State regulation of insurance and health plans;

(iii) For State reporting on health care delivery or costs; or

(iv) For other purposes related to improving the Medicare program, the Medicaid

program, or the efficiency and effectiveness of the health care system; or

(2) Addresses controlled substances.

(b) The provision of State law relates to the privacy of health information and is

more stringent than a standard, requirement, or implementation specification

adopted under subpart E of part 164 of this subchapter.

(c) The provision of State law, or the State established procedures, are

established under a State law providing for the reporting of disease or injury,

child abuse, birth, or death, or for the conduct of public health surveillance,

investigation, or intervention.

(d) The provision of State law requires a health plan to report, or to provide

access to, information for the purpose of management audits, financial audits,

program monitoring and evaluation, facility licensure or certification, or

individual licensure or certification.

AMC Explanation of HIPAA Regulation

HIPAA's privacy rule is a floor above which more stringent state law applies. HIPAA's security

rule, on the other hand, supersedes conflicting state law.

Key Issues

What is the process to determine which is the more strict interpretation, state law or the

HIPAA privacy regulations?

Which law/regulation applies when health care or health plan business is delivered across

state lines?

How will covered entities that do business in multiple states accommodate the different

stricter standards in each state?

When does the state of the patient, as opposed to the state of the covered entity, govern

which state's laws apply?

Page 12

AMC/HIPAA Workgroup

224

Category I Guidelines-Actions must be taken to address these

Determine when the federal floor for a particular situation is superseded by state law or

regulation.

Category II Guidelines-Actions should be taken to address these

Participate in statewide consortia that will provide guidance on when the federal floor for

a particular regulation is superseded by state law or regulation. This is an opportunity to

build consensus and reduce uncertainty and confusion while constraining costs.

Obtain advice from counsel when there are potential issues related to the application of

state law.

Roadblocks

Areas of potential conflict between federal and state laws and regulations are a particular

problem when the regulations are not written clearly or the interpretation of the regulations is

open. Covered entities may need to retain outside counsel to determine specific courses of

action.

Comments

State entities are encouraged to proactively request opinions from their state's Attorney General,

as well as from state elected officials sponsoring legislation perceived as potentially conflicting.

The following sections may require consideration for potentially more restrictive state law:

PRIV.11 Right of an individual to request restriction of uses and disclosures

� 164.522(a)(1)

PRIV.24 Uses and disclosures of protected health information for marketing

PRIV.27 Uses and disclosures required by law � 164.512(a)

PRIV.29 Disclosures about victims of abuse, neglect or domestic violence

� 164.512(c)

PRIV.31 Disclosures for judicial and administrative proceedings � 164.512(e)

PRIV.37 Uses and disclosures for specialized government functions � 164.512(k)

PRIV.58 Changes to policies or procedures � 164.530(i)(2)

For example, consider a situation where a health plan is incorporated in Washington, D.C., a

clinic is across the Potomac river in Virginia, and the patient resides in Maryland. There may be

conflicting state laws and regulations. How will these be resolved? Likely HIPAA transactions

that would cross state borders include enrollment, eligibility, referral and authorization, claim,

claim status, and remittance. Additionally, health records may be transferred across state lines in

support of care.

Page 13

AMC/HIPAA Workgroup

225

GEN.10

Policy establishment and modification

This point addresses the difficulty of establishing consistent policy across a complex covered

entity such as an AMC. A covered entity may not have the authority to dictate policies and

procedures to some of its subsidiary or affiliate entities. Nevertheless, the covered entity will

have to ensure that some of these entities comply with the HIPAA security and privacy

requirements.

Key Issues

Who (if anyone) has the authority to formulate and implement security and privacy

policies for the whole covered entity?

If subsidiary or affiliate entities have independent policy formulation processes, how can

the covered entity influence these entities to comply with HIPAA security and privacy

requirements in a consistent way?

Category I Guidelines-Actions must be taken to address these.

None; this section is advisory only.

Category II Guidelines-Actions should be taken to address these

Choose the covered entity's structure and affiliate relationships carefully where flexibility

in defining covered entity structure exists.

Encourage independent policy formulation authorities to work together on HIPAA

security and privacy policy development and implementation.

Use existing policy formulation and implementation processes and agreements wherever

possible (human resources processes, union contracts, etc.).

Consider requiring specific policies and procedures in contracts if necessary.

Roadblocks

No roadblocks specific to this point.

Comments

None.

Page 14

AMC/HIPAA Workgroup

226

GEN.11

Policy Usage Introduction

This point addresses strategies for successfully introducing HIPAA security and privacy policies

and procedures. Covered entities need to ensure that their employees learn and follow newly

introduced HIPAA security and privacy policies.

Key Issues

What factors contribute to successful introduction of new security and privacy policies?

What models for successful policy introduction already exist within the covered entity?

To what extent will acceptance be dependent on the degree of change mandated and the

methods used to elicit compliance?

What are the consequences if HIPAA security and privacy policies are not consistently

observed?

Category I Guidelines-Actions must be taken to address these.

None; this section is advisory only.

Category II Guidelines-Actions should be taken to address these

Justify policies by explaining how they benefit the covered entity and its customers.

Emphasize the risks of non-compliance.

Model security and privacy policy deployments on previous successful policy

deployments within the covered entity. Look specifically at human resources policy

introduction processes.

Require and keep records of workforce members' acknowledgement that they have

received and understood security and privacy policy.

Examine policy compliance during risk assessment and accreditation; implement

corrective actions if necessary.

Consider pilot policy deployments and adjust broader deployment plans based on the

results of the pilots.

Roadblocks

No roadblocks specific to this point.

Comments

None.

Page 15

AMC/HIPAA Workgroup

227

GEN.12

Privacy Culture

This guideline addresses the fostering of cultural changes through the creation of a privacy

culture. Privacy culture changes are often shaped by societal expectations resulting from law,

regulation, and litigation. Compliance with the HIPAA privacy regulations carries with it a need

to change the accountability and responsibility for privacy within a covered entity. This process

of change is facilitated through an appreciation of the sensitivity of the data being handled. In

addition, the security regulations will serve as a tool to enable the protection of privacy.

Key Issues

How can a covered entity change workforce members' existing bad habits in using and

communicating information?

How will a covered entity adapt to societal expectations related to privacy?

How long will it take to change the current culture; how can a covered entity

assess/measure it?

Are there issues of institutional conformity in a multi-facility covered entity?

How can covered entities induce the same level of regard for privacy within associated

entities and business partners?

Category I Guidelines-Actions must be taken to address these.

None; this section is advisory only.

Category II Guidelines-Actions should be taken to address these

Have senior management set clear expectations.

Ensure that role models set a good example.

Provide feedback on security and privacy behavior.

Publicize the application of sanctions.

Incorporate consumer perceptions, expectations, and suggestions into the curriculum.

Hold collegial discussions.

Incorporate security and privacy in the curriculum (to build good habits early).

Provide orientation training in terms of the expected culture of privacy, and establish and

enforce policies dealing with transgressions.

Roadblocks

Implementing the HIPAA security and privacy regulations will require a culture change with

regard to how patient information is handled in most AMCs. Developing a program to induce

this culture change requires support from senior managers, funding, elapsed time, and staff time

from a significant percentage of the staff in the AMC. Each of the early developmental choices

in HIPAA must work with this set of circumstances to achieve this type of change.

Comments

None.

Page 16

AMC/HIPAA Workgroup

228

GEN.13

Digital Signature

This guideline addresses digital signature mechanisms and standards employed with respect to

HIPAA identified transactions.

HIPAA Requirement

PL 104-91 Sec. 11173 (e) Electronic Signature.

(1) Standards. The Secretary, in coordination with the Secretary of Commerce,

shall adopt standards specifying procedures for the electronic transmission and

authentication of signatures with respect to the transactions referred to in

subsection (a)(1).

(2) Effect of Compliance. Compliance with the standards adopted under

paragraph (1) shall be deemed to satisfy Federal and State statutory requirements

for written signatures with respect to the transactions referred to in subsection

(a)(1).

Section 1173 (a)

(1) In General. The Secretary shall adopt standards for transactions, and data

elements for such transactions, to enable health information to be exchanged

electronically, that are appropriate for--

(A) the financial and administrative transactions described in paragraph (2); and

Other financial and administrative transactions determined appropriate by the

Secretary, consistent with the goals of improving the operation of the health care

system and reducing administrative costs.

AMC Explanation

The final DHHS Security rule may or may not contain the Secretary's response to HIPAA's

electronic signature requirements. This is due to the fact that suitable standards for digital

signatures in healthcare (as published by an ANSI accredited standards development

organization) currently do not exist . Nevertheless, it is anticipated that an electronic/digital

signature rule will ultimately be provided in response to HIPAA legislation - if not in the

security rule itself, then later on as a new rule.

In accordance with the draft DHHS Security and Electronic Signature Proposed Rule [45 CFR

160], if an electronic signature is required, then it must be a digital signature. When one of the

required standard claims transactions uses a digital signature (none of the current transactions are

required to at present), the digital signature

must

provide:

d) Message integrity;

e) Non-repudiation;

f) User authentication; and

g) Proof of "intent" to sign.

The digital signature

may

also provide:

Page 17

AMC/HIPAA Workgroup

229

h) Ability to add attributes;

i) Continuity of signature capability;

j) Countersignature capability;

k) Independent verifiability;

l) Interoperability;

m) Multiple signatures; and

n) Transportability.

Key Issues,

When must a digital signature be used?

How and when should a covered entity gain access to a suitable Public Key Infrastructure

(PKI)?

Category I Guidelines-Actions must be taken to address these.

None; this section is advisory only.

Category II Guidelines-Actions should be taken to address these

Anticipate and plan for participation in a PKI.

Actively follow and participate in the development of digital signature standards through

ANSI HISB and ANSI accredited standards development organizations.

Plan for, budget for, and educate workforce members on the technology and use of digital

signatures.

Plan for, and adopt/develop certificate policies for, PKI and digital signatures. These

policies should include granting, suspending, and revoking certificates, and assuring

interoperability.

Plan to replace proprietary electronic signatures with an interoperable standards-based

digital signature.

Consider developing limited near-term digital signature pilots.

Roadblocks

The technology of public key infrastructures and digital signatures is still relatively new,

expensive, and may not be suitable for small covered entities. A cost-benefit analysis may be

appropriate.

Replacing proprietary electronic signatures with a digital signature may require significant

changes to heritage healthcare applications. Electronic signatures developed as part of a

healthcare application reside on the application server. Digital signatures, on the other hand, are

bound to end users who retain control of their own private keys. Therefore, digital signatures are

associated with the end user device, the server functioning to securely store the signed

documents/transactions.

Comments

Standards development organizations (SDO) including NCPDP, X12, ASTM, HLT, and W3C

met in Orlando, Florida on 8 January 2001 and agreed to the development of a Multi-SDO

Digital Signature Standard. The standard would be largely based on standards work recently

approved from ASTM and HL7. Subsequently, hearings were held with NCVHS. ANSI HISB

Page 18

AMC/HIPAA Workgroup

230

will act to coordinate the development with the goal of producing the standard in the latter part

of 2001.

Draft certificate polices are under development by the NIST sponsored Federal PKI Technical

Working Group and from ASTM.

Further information on the Multi-SDO Digital Signature Project is available at:

http://hl7.org/special/Committees/multiSDO/index.htm

References:

The following digital signature standards in healthcare are germane:

o) ASTM E1762-95 Standard Guide for Electronic Authentication of Health Care

Information

p) ASTM E2084-00 Standard Specification for Authentication of Healthcare

Information Using Digital Signatures

q) ASTM E2085-00a Standard Guide on Security Framework for Healthcare

Information

r) HL7 Version 3.0

Page 19

AMC/HIPAA Workgroup

231

GEN.14

Other Federal Law and HIPAA Privacy

HIPAA's Privacy provisions interact with related provisions in several other federal laws. Those

most likely to be of primary interest to AMCs are discussed below.

Key Issues

How do the interactions with the various relevant federal laws affect the policy,

procedure, and practice set in the AMC?

What protections will be provided for student records in a student health clinic of the

AMC?

How will HIPAA coverage of ERISA-based plans affect AMC health plan operations?

How will the operational resources who work with FERPA, non-FERPA, and HIPAA

health records manage privacy issues?

How will the interactions between CLIA (Clinical Laboratory Improvement

Amendments) and HIPAA affect patient access process?

How will the safe harbor provisions related to the European Union privacy directive

affect CROs?

Category I Guidelines-Actions must be taken to address these.

Align the AMC's privacy program to be consistent with the intersecting demands of other

federal laws related to privacy practices.

Category II Guidelines-Actions should be taken to address these

AMCs should ensure that the program managers in the areas affected by the intersecting

(e.g. the Benefits group that handles the ERISA plan) are part of the HIPAA program

team.

AMCs should consider offering protections that comply with FERPA and HIPAA, even

where not required to do so, to student health records within the student health clinics,

educational administration, and other clinical facilities (e.g. the AMC's local hospital).

Doing so will avoid having to interface multiple protection standards for the same person

and sometimes even the same episode of care.

AMCs should seek advice from their legal counsels with respect to these intersecting

laws.

Roadblocks

No roadblocks specific to this point.

Comments

HIPAA Privacy provisions interact with several other Federal laws and at least one international

agreement. The preamble of the privacy rule discusses the following laws and their interactions

with HIPAA:

The Privacy Act;

The Freedom of Information Act;

Federal Substance Abuse Confidentiality Requirements;

Page 20

AMC/HIPAA Workgroup

232

Employee Retirement Income Security Act of 1974;

The Family Educational Rights and Privacy Act;

Gramm-Leach-Bliley;

Federally Funded Health Programs;

Food, Drug, and Cosmetic Act;

Clinical Laboratory Improvement Amendments;

Other Mandatory Federal or State Laws;

Federal Disability Nondiscrimination Laws; and

U.S. Safe Harbor Privacy Principles (European Union Directive on Data

Protection).

The laws most likely to be of interest to AMCs are noted below:

Employee Retirement Income Security Act of 1974

HIPAA does cover the ERISA plans in the typical AMC. There do not appear to be any

serious interactions between HIPAA privacy and ERISA

The Family Educational Rights and Privacy Act (FERPA)-

FERPA covers educational records in K-12 and post-secondary institutions that receive

Federal funds.

In FERPA-covered post-secondary institutions the records that are in the typical

student health clinic

are

not

considered FERPA educational records. Records shared

for purposes other than treatment (e.g. immunization declarations for dorm

placement) in these settings

are

FERPA educational records.

The non-FERPA health records are also specifically

excluded

from HIPAA Privacy

rule coverage by the definition of "protected health information" in � 164.501

(Definitions). See the discussion in the privacy rule preamble on 20 U.S.C.

�1232g(a)(4)(B)(iv).

The implication for the typical AMC is that the typical records in the student heath

center are not covered by HIPAA or FERPA. AMCs will therefore only be required

to provide privacy measures required by other laws, regulations, and/or accreditation

standards.

Federally Funded Health Programs

AMCs do a great deal of business with federally funded health plans (e.g.

Medicare, Medicaid, CHAMPUS). These plans were specifically included in

HIPAA coverage as "health plans" by the HIPAA law.

Food, Drug, and Cosmetic Act

Many AMCs use products that are either under development or in early release

use. Reports on adverse events and related disclosures to the FDA and FDA

authorized persons are provided for in HIPAA in � 164.512(b)(1)(iii).

Clinical Laboratory Improvement Amendments

Page 21

AMC/HIPAA Workgroup

233

Many AMC labs are governed by CLIA. CLIA requires that test results be

provided to authorized persons only. State law defines "authorized person;" it is

typically the person who ordered the test. CLIA's rule will override HIPAA's

requirement that the patient be provided their protected health information by the

lab. Since the lab results are almost always reported to a covered entity (e.g.

hospital, physician), however, the patient may still gain access to his information

through those to whom the lab results have been reported.

U.S. Safe Harbor Privacy Principles (European Union Directive on Data Protection)

Many AMCs engage in worldwide trials of pharmaceuticals, some of which

include participants in the European Union. The Safe Harbor provisions (on the

Department of Commerce web site, http://www.export.gov/safeharbor/) allow

U.S. organizations that comply with the provisions to receive data on European

Union citizens at facilities located within the United States. The general intent

evidenced by the U.S. team during the negotiations of the Safe Harbor provisions

was to ensure that those entities who were HIPAA compliant would also be

within the safe harbor set; however, no declaration or analysis to that effect is

available in the HIPAA privacy rule.