Slide 1 NC DHHS HIPAA Office

National Governor’s Association

“Preparing State Government for HIPAA”

Presented by:Presented by:Sarah Brooks and Karen TomczakSarah Brooks and Karen Tomczak

NC DHHSNC DHHSApril 3, 2003April 3, 2003

HIPAA - The North Carolina HIPAA - The North Carolina ExperienceExperience

Slide 2 NC DHHS HIPAA Office

In the beginning…In the beginning…

Slide 3 NC DHHS HIPAA Office

NC Statewide InitiativeNC Statewide Initiative Statewide Assessment ProjectStatewide Assessment Project

– Identify and document HIPAA requirementsIdentify and document HIPAA requirements– Report to the legislatureReport to the legislature– Managed by DHHSManaged by DHHS– Directed by budget office, state CIO, DHHSDirected by budget office, state CIO, DHHS

Statewide assessment (by agency)Statewide assessment (by agency)– Developed common assessment toolsDeveloped common assessment tools– Recommended timelinesRecommended timelines– Assisted with implementation budgetsAssisted with implementation budgets– Reported to the legislatureReported to the legislature

Slide 4 NC DHHS HIPAA Office

Legislative ReportLegislative Report

Assessed 42 entities (including 480 divisions)Assessed 42 entities (including 480 divisions)– State agenciesState agencies– UniversitiesUniversities– Community collegesCommunity colleges– Boards/commissionsBoards/commissions

21 percent were covered, hybrid entities21 percent were covered, hybrid entities 7 percent were business associates, trading 7 percent were business associates, trading

partnerspartners

Slide 5 NC DHHS HIPAA Office

Statewide ImpactStatewide Impact

Covered EntitiesCovered Entities– State Health Plan (includes State Health Plan (includes

HealthChoice for Children)HealthChoice for Children)– UNC Health CareUNC Health Care

Business AssociatesBusiness Associates– Department of JusticeDepartment of Justice– Office of the State AuditorOffice of the State Auditor– Office of the ControllerOffice of the Controller

Hybrid EntitiesHybrid Entities– Dept of AdministrationDept of Administration– Dept of CorrectionDept of Correction– Dept of Health and Human ServicesDept of Health and Human Services– Office of Information Technology Office of Information Technology

ServicesServices**

– East Carolina UniversityEast Carolina University– University of NC at Chapel University of NC at Chapel

HillHill– University of NC at University of NC at

GreensboroGreensboro

Hybrid Entities

Covered Entities

Business Associates

Slide 6 NC DHHS HIPAA Office

DHHS ImpactDHHS Impact

MedicaidMedicaid Public healthPublic health

– State LabState Lab– State Center for Health State Center for Health

StatisticsStatistics– Local health servicesLocal health services– Children’s special health Children’s special health

servicesservices– Developmental education Developmental education

clinics (13)clinics (13)

EducationEducation– School for the blind (1)School for the blind (1)– Schools for the deaf (2)Schools for the deaf (2)

Mental health, substance Mental health, substance abuseabuse– State mental hospitals, State mental hospitals,

substance abuse, nursing (7)substance abuse, nursing (7)– Mental retardation centers (5)Mental retardation centers (5)– Adol treatment programs (2)Adol treatment programs (2)

Other divisionsOther divisions– Controller’s OfficeController’s Office– Information Resource MgmtInformation Resource Mgmt– CommunicationsCommunications– Internal AuditorInternal Auditor– Research, Demonstrations, Research, Demonstrations,

and Rural Health Developmentand Rural Health Development

Slide 7 NC DHHS HIPAA Office

SurprisesSurprises

Number of Impacted Agencies Was Smaller Number of Impacted Agencies Was Smaller Than Originally AnticipatedThan Originally Anticipated

– Change in “health plan” definition (major factor)Change in “health plan” definition (major factor)– Introduction of “hybrid entity” conceptIntroduction of “hybrid entity” concept– Exemption of education-related facilities (FERPA)Exemption of education-related facilities (FERPA)

Long Delay of Security RegulationsLong Delay of Security Regulations State Budget Crisis Impact to HIPAA State Budget Crisis Impact to HIPAA

FundingFunding– Statewide HIPAA office (Senate Bill 1115)Statewide HIPAA office (Senate Bill 1115)

Slide 8 NC DHHS HIPAA Office

Redefining “Reasonable”Redefining “Reasonable”

Slide 9 NC DHHS HIPAA Office

Impact of Not ComplyingImpact of Not Complying Possible LitigationPossible Litigation

Potential Withholding of Potential Withholding of Federal Medicaid and Medicare Federal Medicaid and Medicare FundsFunds

Federal Medicaid Share in NC in Federal Medicaid Share in NC in @ 4.5 billion@ 4.5 billion

In DHHS, more than $300 million In DHHS, more than $300 million in revenues at riskin revenues at risk

PenaltiesPenalties Civil Monetary for Violations of Civil Monetary for Violations of

Each StandardEach Standard Wrongful Disclosure of Protected Wrongful Disclosure of Protected

Health InformationHealth Information

Slide 10 NC DHHS HIPAA Office

Direction from OCR and CMSDirection from OCR and CMS

Complaint DrivenComplaint Driven Cure PeriodCure Period Compliance Audits - Not for a WhileCompliance Audits - Not for a While

Slide 11 NC DHHS HIPAA Office

Partial

Bare Minimum

Tolerable

Reasonable vs. The BestReasonable vs. The Best

Draw the Line Between “Compliance” and “Non-Draw the Line Between “Compliance” and “Non-compliance”compliance”– Examine remaining compliance activities to determine whether a graduated Examine remaining compliance activities to determine whether a graduated

approach can be appliedapproach can be applied– Standards are fixed but the level and degree of remediation are self-directedStandards are fixed but the level and degree of remediation are self-directed

Cost

Schedule Quality

Optimal

Graduated Levels of Compliance

– Try not to set goals that are unattainable given Try not to set goals that are unattainable given existing personnel and financial constraintsexisting personnel and financial constraints

In Compliance

Slide 12 NC DHHS HIPAA Office

Reasonable vs. The BestReasonable vs. The Best Rethinking of ConceptsRethinking of Concepts

– Physical, Administrative, and Technical Safeguards under Physical, Administrative, and Technical Safeguards under PrivacyPrivacy

• Access ControlsAccess Controls• Physical SecurityPhysical Security

– Reduce scope of Privacy PoliciesReduce scope of Privacy Policies• Apply policies that reflect best business practices to all DHHS Apply policies that reflect best business practices to all DHHS

agenciesagencies• Apply HIPAA specific policies (e.g., Notice) to covered components Apply HIPAA specific policies (e.g., Notice) to covered components

onlyonly

Delay Security until after July 2003Delay Security until after July 2003– Apply limited resources to Transactions, Code Sets, and Apply limited resources to Transactions, Code Sets, and

Privacy in 2001-2003Privacy in 2001-2003

Slide 13 NC DHHS HIPAA Office

Reasonable vs. The BestReasonable vs. The Best

Concentrate on Privacy Policies With Specific Concentrate on Privacy Policies With Specific Impacts to Consumers InitiallyImpacts to Consumers Initially

Perform ‘General’ Staff Training Before 4/14/03Perform ‘General’ Staff Training Before 4/14/03– Evaluate training methodologiesEvaluate training methodologies

– Provide training in cost-effective forumProvide training in cost-effective forum• Training Booklet - self instructionalTraining Booklet - self instructional• Web-based trainingWeb-based training• VideoVideo• Instructor led Instructor led

After Development of All Privacy Policies, Follow After Development of All Privacy Policies, Follow up With More Specific, Focused Trainingup With More Specific, Focused Training

Slide 14 NC DHHS HIPAA Office

DHHS Priorities (FY2003)DHHS Priorities (FY2003)

Addressing critical needsAddressing critical needs– Developing privacy policies (DHHS)Developing privacy policies (DHHS)– Developing training tools (templates, guidance)Developing training tools (templates, guidance)– Implementing business associate contractsImplementing business associate contracts– Focusing resources on core requirementsFocusing resources on core requirements

Scope reductionsScope reductions– Eliminated staff to assist with end-user trainingEliminated staff to assist with end-user training– Eliminated compliance verification programEliminated compliance verification program– Discontinued security activitiesDiscontinued security activities– Eliminated new positions (Security & Privacy Officers)Eliminated new positions (Security & Privacy Officers)– Reduced existing staff (HIPAA office, applications)Reduced existing staff (HIPAA office, applications)

Slide 15 NC DHHS HIPAA Office

HIPAA GIVESHIPAA GIVEShttp://http://www.hipaagives.orgwww.hipaagives.org

Internet-based forum for states to resolve HIPAA-related issuesInternet-based forum for states to resolve HIPAA-related issues Information clearinghouseInformation clearinghouse All states have joinedAll states have joined

GGovernmentovernmentIInformationnformationVValuealueEExchange forxchange forSStatestates

Slide 16 NC DHHS HIPAA Office

Other ResourcesOther Resources

North Carolina Healthcare Information and North Carolina Healthcare Information and Communications AllianceCommunications Alliance ( (http://www.nchica.orghttp://www.nchica.org))

NC DHHS’ HIPAA OfficeNC DHHS’ HIPAA Office ( (http://www.dirm/state.nc.us/hipaa/http://www.dirm/state.nc.us/hipaa/))

HHS Office for Civil Rights (OCR)HHS Office for Civil Rights (OCR) ( (http://www.hhs.gov/ocr/hipaa/http://www.hhs.gov/ocr/hipaa/))

Centers for Medicare and Medicaid ServicesCenters for Medicare and Medicaid Services ( (http://http://www.cms.gov/hipaawww.cms.gov/hipaa))