national governor’s association “preparing state government for hipaa”
DESCRIPTION
HIPAA - The North Carolina Experience. National Governor’s Association “Preparing State Government for HIPAA”. Presented by: Sarah Brooks and Karen Tomczak, NC DHHS, April 3, 2003. In the beginning…. NC Statewide Initiative. Statewide Assessment Project
TRANSCRIPT
Slide 1 NC DHHS HIPAA Office
National Governor’s Association
“Preparing State Government for HIPAA”
Presented by: Sarah Brooks and Karen Tomczak
NC DHHS
April 3, 2003
HIPAA - The North Carolina Experience
Slide 2 NC DHHS HIPAA Office
In the beginning…
Slide 3 NC DHHS HIPAA Office
NC Statewide Initiative
Statewide Assessment Project
– Identify and document HIPAA requirements
– Report to the legislature
– Managed by DHHS
– Directed by budget office, state CIO, DHHS
Statewide assessment (by agency)
– Developed common assessment tools
– Recommended timelines
– Assisted with implementation budgets
– Reported to the legislature
Slide 4 NC DHHS HIPAA Office
Legislative Report
Assessed 42 entities (including 480 divisions)
– State agencies
– Universities
– Community colleges
– Boards/commissions
21 percent were covered, hybrid entities
7 percent were business associates, trading partners
Slide 5 NC DHHS HIPAA Office
Statewide Impact
Covered Entities
– State Health Plan (includes HealthChoice for Children)
– UNC Health Care
Business Associates
– Department of Justice
– Office of the State Auditor
– Office of the Controller
Hybrid Entities
– Dept of Administration
– Dept of Correction
– Dept of Health and Human Services
– Office of Information Technology Services*
– East Carolina University
– University of NC at Chapel Hill
– University of NC at Greensboro
[Chart legend: Hybrid Entities, Covered Entities, Business Associates]
Slide 6 NC DHHS HIPAA Office
DHHS Impact
Medicaid
Public health
– State Lab
– State Center for Health Statistics
– Local health services
– Children’s special health services
– Developmental education clinics (13)
Education
– School for the blind (1)
– Schools for the deaf (2)
Mental health, substance abuse
– State mental hospitals, substance abuse, nursing (7)
– Mental retardation centers (5)
– Adol treatment programs (2)
Other divisions
– Controller’s Office
– Information Resource Mgmt
– Communications
– Internal Auditor
– Research, Demonstrations, and Rural Health Development
Slide 7 NC DHHS HIPAA Office
Surprises
Number of Impacted Agencies Was Smaller Than Originally Anticipated
– Change in “health plan” definition (major factor)
– Introduction of “hybrid entity” concept
– Exemption of education-related facilities (FERPA)
Long Delay of Security Regulations
State Budget Crisis Impact to HIPAA Funding
– Statewide HIPAA office (Senate Bill 1115)
Slide 8 NC DHHS HIPAA Office
Redefining “Reasonable”
Slide 9 NC DHHS HIPAA Office
Impact of Not Complying
Possible Litigation
Potential Withholding of Federal Medicaid and Medicare Funds
– Federal Medicaid Share in NC in @ 4.5 billion
– In DHHS, more than $300 million in revenues at risk
Penalties
– Civil Monetary for Violations of Each Standard
– Wrongful Disclosure of Protected Health Information
Slide 10 NC DHHS HIPAA Office
Direction from OCR and CMS
Complaint Driven
Cure Period
Compliance Audits - Not for a While
Slide 11 NC DHHS HIPAA Office
Reasonable vs. The Best
Draw the Line Between “Compliance” and “Non-compliance”
– Examine remaining compliance activities to determine whether a graduated approach can be applied
– Standards are fixed but the level and degree of remediation are self-directed
– Try not to set goals that are unattainable given existing personnel and financial constraints
[Diagram: Graduated Levels of Compliance. Labels: Partial, Bare Minimum, Tolerable, Optimal, In Compliance; Cost, Schedule, Quality]
Slide 12 NC DHHS HIPAA Office
Reasonable vs. The Best
Rethinking of Concepts
– Physical, Administrative, and Technical Safeguards under Privacy
  • Access Controls
  • Physical Security
– Reduce scope of Privacy Policies
  • Apply policies that reflect best business practices to all DHHS agencies
  • Apply HIPAA specific policies (e.g., Notice) to covered components only
Delay Security until after July 2003
– Apply limited resources to Transactions, Code Sets, and Privacy in 2001-2003
Slide 13 NC DHHS HIPAA Office
Reasonable vs. The Best
Concentrate on Privacy Policies With Specific Impacts to Consumers Initially
Perform ‘General’ Staff Training Before 4/14/03
– Evaluate training methodologies
– Provide training in cost-effective forum
  • Training Booklet - self instructional
  • Web-based training
  • Video
  • Instructor led
After Development of All Privacy Policies, Follow up With More Specific, Focused Training
Slide 14 NC DHHS HIPAA Office
DHHS Priorities (FY2003)
Addressing critical needs
– Developing privacy policies (DHHS)
– Developing training tools (templates, guidance)
– Implementing business associate contracts
– Focusing resources on core requirements
Scope reductions
– Eliminated staff to assist with end-user training
– Eliminated compliance verification program
– Discontinued security activities
– Eliminated new positions (Security & Privacy Officers)
– Reduced existing staff (HIPAA office, applications)
Slide 15 NC DHHS HIPAA Office
HIPAA GIVES
http://www.hipaagives.org
Internet-based forum for states to resolve HIPAA-related issues
Information clearinghouse
All states have joined
Government Information Value Exchange for States
Slide 16 NC DHHS HIPAA Office
Other Resources
North Carolina Healthcare Information and Communications Alliance (http://www.nchica.org)
NC DHHS’ HIPAA Office (http://www.dirm/state.nc.us/hipaa/)
HHS Office for Civil Rights (OCR) (http://www.hhs.gov/ocr/hipaa/)
Centers for Medicare and Medicaid Services (http://www.cms.gov/hipaa)