
North Carolina State University Health Information Privacy 4/16/03.


1 North Carolina State University Health Information Privacy 4/16/03

2 Why do we have FERPA and HIPAA? Overcome protective attitudes of educators and physicians Gradual decline of the doctrine of In Loco Parentis Decline of the doctrine of therapeutic privilege in health care Recognition of difference in ownership of records and data

3 Why do we have FERPA and HIPAA? Guarantee access to health care records and education records Grant more control over use and disclosure Increased sensitivity to privacy issues Achieve more national uniformity on privacy rights

4 Why do we have FERPA and HIPAA? Increased use of electronic data has made personal information more accessible HIPAA encourages use of electronic data and uniform transactions standards (administrative simplification) Protect privacy

5 Penalties for Violations of FERPA Withhold Federal funds Obtain a cease and desist order Terminate eligibility to receive Federal funds

6 FERPA Operational Issues When are Student Health records exempted from the definition of FERPA “education records?” Records of health care professional/paraprofessional Used only in connection with treatment of student Disclosed only to those providing treatment

7 FERPA Operational Issues What are the rights of the student with regard to exempt Student Health records? To have the records reviewed by a health professional of his/her choice

8 FERPA Operational Issues What happens if the Student Health records are disclosed to the student or other persons not involved in the treatment process? The Student Health records become “education records” subject to all the requirements of FERPA

9 FERPA Operational Issues What are the requirements of FERPA if the Student Health records become “education records?” Disclosures require student consent except where otherwise authorized

10 FERPA Operational Issues What are the requirements of FERPA if the Student Health records become “education records?” Annual notification of rights under FERPA Inspect and review their own records; receive copy Seek amendment if believed to be in error; right to hearing

11 FERPA Operational Issues What are the elements of a valid FERPA consent for disclosure? In writing Specify the records to be disclosed State purpose of disclosure Identify party or class of parties to whom to be disclosed

12 FERPA Operational Issues When is written consent for disclosure not required? School officials, teachers with legitimate educational interest Other schools where student seeks to enroll Federal, state and local educational officials In connection with financial aid

13 FERPA Operational Issues When is written consent for disclosure not required? Organizations conducting studies for the University regarding tests, student aid, improving instruction Accrediting organizations Parents of a dependent student Court orders and subpoenas (contact Legal Affairs!)

14 FERPA Operational Issues When is written consent for disclosure not required? In a health or safety emergency Directory information To the student or parents of a minor student

15 FERPA Operational Issues When is written consent for disclosure not required? Victims of violent and sex crimes (results of disciplinary proceeding) Parents re illegal use of drugs/alcohol (Contact Legal Affairs!)

16 FERPA Operational Issues What are the FERPA Record keeping requirements? Maintain record of each request for access and each disclosure as long as the records are maintained (see 34 CFR §99.32 for details)

17 FERPA Operational Issues What limitations are applied to redisclosure of information? Any further disclosure for any purpose other than for which the disclosure was made requires consent, except to parents, pursuant to court orders or subpoenas, directory information, etc.

18 FERPA Operational Issues Does FERPA preempt state law? Generally, yes, but if in doubt, consult Legal Affairs

19 Penalties for Violation of HIPAA Privacy Rule Civil Penalties (OCR) $100 up to a maximum of $25,000 in a calendar year for each requirement violated Criminal Penalties (DOJ) Wrongful disclosure: Up to $50,000 and/or one year in prison If under false pretenses, up to $100,000 fine and/or 5 years in prison If malicious or disclosure is for personal gain, up to $250,000 and/or 10 years

20 Selected Operational Issues for NCSU Regulatory Issues 4/16/03 HIPAA Privacy Rule FERPA Coordination of FERPA & HIPAA Accountability Security/Privacy Uses/Disclosures Access Student Health Records Administrative Requirements Penalties Privacy Disclosures State Law Record Keeping Access

21 HIPAA Privacy Rule Operational Issues Does the Privacy Rule apply to health records maintained by the University on students? No, because those records are governed by FERPA or the FERPA student health records exemption.

22 HIPAA Privacy Rule Operational Issues Why has the University designated Counseling, Student Health and Sports Medicine as “health care components” under HIPAA? These are the only units having health care provider activities that meet the definition of “covered entity.” The University is a “hybrid entity” and these are its “health care components.”

23 HIPAA Privacy Rule Operational Issues Does the Privacy Rule apply to health records maintained by the University on students? No, because those records are governed by FERPA or the FERPA student health records exemption.

24 HIPAA Privacy Rule Operational Issues What information is covered by HIPAA? Individually identifiable oral or recorded (in any form) health information related to health care or the payment for health care (protected health information). Applies only to covered entities.

25 HIPAA Privacy Rule Operational Issues Who may exercise the HIPAA privacy rights? The patient or a representative of the patient such as parents, guardians, executors. Other legal representatives may have power to act on behalf of an individual, but it may be limited. Emancipated minors and minors authorized by state law to consent to treatment.

26 HIPAA Privacy Rule Operational Issues Who may exercise HIPAA privacy rights? Be aware of the right to refuse to disclose PHI to a personal representative where you believe there is danger to the patient in doing so (e.g., domestic violence or child abuse).

27 HIPAA Privacy Rule Operational Issues What should you know about an individual’s right to access his/her PHI? Individuals have the right to inspect and copy their PHI in “designated record sets.” 30 days to respond to requests unless the PHI is maintained off site (60 days). Limited extension for 30 days possible.

28 HIPAA Privacy Rule Operational Issues What should you know about an individual’s right to access his/her PHI? Cost-based fees for copies have to be reasonable. Access may be denied in limited circumstances without a right of review, such as access to psychotherapy notes or where the information was obtained on a promise of confidentiality (consult Legal Affairs!)

29 HIPAA Privacy Rule Operational Issues What should you know about an individual’s right to access his/her PHI? In other cases of denial an opportunity for review is necessary (licensed health care professional says access would endanger someone) (See University procedures; consult Legal Affairs)

30 HIPAA Privacy Rule Operational Issues What do you do if an individual demands to amend his/her records? If you agree, make the amendment and notify the individual and share with others who have received the erroneous information. If the PHI is accurate and complete, the University did not create it, it is not part of a designated record set, or it would not be available for inspection, you can deny the request in writing and explain how they can challenge the decision.

31 HIPAA Privacy Rule Operational Issues What do you do if an individual demands to amend his/her records? The denial must inform the individual of how they can insert their own statement in the file which the University must disclose whenever the PHI is disclosed and of their right to file a complaint with the University or HHS. The University can include rebuttals to patient statements.

32 HIPAA Privacy Rule Operational Issues What are some of the operational issues related to use and disclosure of PHI? Use refers to sharing or using PHI internally. Disclosure is when PHI is disclosed outside the University health care component.

33 HIPAA Privacy Rule Operational Issues What are some of the operational issues related to use and disclosure of PHI? Except for disclosures to the individual, to HHS or as required by law, disclosure is optional. Disclose the “minimum necessary” PHI to achieve the purpose of the disclosure, except when related to treatment, PHI is disclosed to the individual, etc.

34 HIPAA Privacy Rule Operational Issues What are some of the operational issues related to use and disclosure of PHI? Apply the “minimum necessary” standard internally wherever possible through policies and procedures. “Incidental disclosures” are allowed (e.g., sign-in sheets, overheard conversations)

35 HIPAA Privacy Rule Operational Issues What are some of the operational issues related to use and disclosure of PHI? Disclosures to “business associates” are governed by required business associate agreements with independent contractors who perform services requiring access to PHI. (Consult Legal Affairs)

36 HIPAA Privacy Rule Operational Issues What are some of the operational issues related to use and disclosure of PHI? HIPAA does not require a “consent” for internal use of PHI for “treatment, payment and health care operations” purposes but the University has prepared a consent to comply with the more restrictive state law.

37 HIPAA Privacy Rule Operational Issues When is an authorization in the format required by HIPAA necessary for disclosures? Disclosure of psychotherapy notes. For marketing. Unless permitted by HIPAA or required by law.

38 HIPAA Privacy Rule Operational Issues When do you have to give the individual an opportunity to agree or object to use or disclosure? For facility directories. To persons involved in a person’s care.

39 HIPAA Privacy Rule Operational Issues When is an opportunity to agree or object to use or disclosure of PHI not required? Required by law. For public health activities. Regarding victims of abuse, neglect, domestic violence

40 HIPAA Privacy Rule Operational Issues When is an opportunity to agree or object to use or disclosure of PHI not required? Health oversight activities. Judicial and administrative proceedings, certain law enforcement purposes. (Consult Legal Affairs)

41 HIPAA Privacy Rule Operational Issues When is an opportunity to agree or object to use or disclosure of PHI not required? Coroners, funeral directors. For organ donation purposes. To avert a threat to health or safety.

42 HIPAA Privacy Rule Operational Issues When is an opportunity to agree or object to use or disclosure of PHI not required? Special government functions (military, national security, protective services for the President, etc.). (Consult Legal Affairs) Disclosures for workers compensation

43 HIPAA Privacy Rule Operational Issues When is an opportunity to agree or object to use or disclosure of PHI not required? Avert a serious threat to health or safety. Academic research where authorization has been waived by an IRB or privacy board

44 HIPAA Privacy Rule Operational Issues What are other special disclosure issues? De-identified information is not PHI. Limited data set for public health, health care operations, and research purposes does not require an authorization.

45 HIPAA Privacy Rule Operational Issues What are the administrative requirements under HIPAA? Written notice of privacy practices. Appropriate administrative, technical, and physical safeguards to protect privacy of PHI. Training

46 HIPAA Privacy Rule Operational Issues What are the administrative requirements under HIPAA? Accounting for disclosures, except for TPO, limited data set, or where the individual has executed an authorization. Records must be retained for 6 years.

