
HIPAA Executive Office Training
January 2003
Cindy Fillman, Department of Public Welfare, Office of General Counsel

Proprietary and confidential and may not be reproduced or distributed without the express consent of Cap Gemini Ernst & Young U.S. LLC and Ernst & Young LLP.

HIPAA – How did we get here?
- Health Insurance Portability and Accountability Act
- Required the Secretary of HHS to promulgate standards to implement the Administrative Simplification portion of the law (standard transactions).
- Intended to “improve the efficiency and effectiveness of the health care system.”
- Requires protection of the security and privacy of Protected Health Information (PHI) maintained electronically and otherwise.

HIPAA – How did we get here? REGULATIONS
- Electronic Transactions and Code Sets
- Unique Employer Identifier
- National Provider Identifier
- Security and Electronic Signature
- Privacy

COVERED ENTITIES
- Health care providers who engage in covered transactions
- Health plans
  - Includes Medicare and Medicaid and other specified government programs
  - Includes government programs that do not fall within the specific exclusion for those programs:
    - Whose principal purpose is other than providing or paying the cost of health care, OR
    - Whose principal activity is the direct provision of health care or the making of grants to fund the direct provision of health care
- Health care clearinghouses

BUSINESS ASSOCIATES
- A person or entity who, on behalf of a Covered Entity, uses, accesses or rediscloses PHI, either:
  - To provide services to a Covered Entity, OR
  - To perform or assist in the performance of a function or activity for, or on behalf of, the Covered Entity

DPW Priorities
- How the Department prioritized
- Definitions assigned to DPW (Hybrid Covered Entity, part of an Affiliated Covered Entity) and to Counties, Contractors and other Business Partners (Business Associates)
- Master Client Index drove some decision making

What are we doing?
- Appointing Privacy Officials for affected Offices/Bureaus
- Training all members of the workforce
- Drafting policy and procedures and beginning new business practices
- Rewriting Contracts and Quasi-Contracts (Business Associate language)
- Drafting/Revising Consents and Authorizations
- Documenting Decisions and Activities

Training
- Committee comprised of personnel of impacted bureaus
- Basic format created by the committee
- Combination training to allow for flexibility:
  - Kickoff: October–December
  - Computer and blended training: April
  - Stand up (job specific): June

Policy and Procedures
- High-level HIPAA Handbook
- Adaptations made by each program office to meet their own needs
- Business process changes to be phased in by April, 2002.

Privacy Standards
- Purpose: To safeguard the privacy of health information by setting rules on the use and disclosure of individuals' protected health information (PHI)
- Applies to: Covered entities and business associates who use, store, maintain, transmit, or dispose of patient health information in any form (verbal, written, or electronic)

Privacy Standards (PHI)
PHI is information that is:
- Individually identifiable
- About an individual’s physical or mental health or condition
- About provision of or payment for health care
- Created or received by a provider, health plan, clearinghouse, or employer
- Transmitted or maintained in any medium (verbal, written, or electronic)

Privacy Standards
- Outline individual rights regarding PHI and the obligations of providers, health plans, clearinghouses and business associates
- Give consumers greater control over the use and disclosure of PHI
- Restrict certain uses and disclosures of PHI by plans, providers, and clearinghouses, unless authorized by the patient or permitted by law

Privacy Standards
- Rules restrict use and sharing of PHI:
  - Higher security and protection levels
  - Greater individual control and access
  - Greater accountability
- Rules apply to covered entities
- Compliance deadline is April 14, 2003
- Limit disclosures to the “minimum necessary”

Minimum Disclosure
- Except for medical treatment, release of PHI must be kept to the minimum amount necessary to accomplish the purpose of the disclosure
- We must determine the minimum amount needed

Privacy Obligations
- Plans and providers must create privacy-conscious business practices and disclose only the minimum information required
- The Department must:
  - Ensure internal protection of PHI
  - Monitor external disclosures of PHI
  - Complete employee training
  - Establish procedures for addressing clients’ privacy complaints

Privacy Obligations
- Plans and providers must inform clients of their business practices (privacy notice)
- Providers must obtain written consent from a client to use or disclose PHI, even if just for routine uses for treatment, payment, or operations
- A separate, specific authorization is required for non-routine disclosure

Consent vs. Authorization
- Consents cover T/P/O (treatment, payment, operations); authorizations cover most other uses and disclosures
- Authorizations are for specific disclosures
- A provider may refuse to treat without consent; a provider cannot refuse to treat a patient who won’t sign an authorization

Use and Disclosure
- A Covered Entity may use or disclose PHI without consent, an authorization, or giving an opportunity to agree or object, including:
  - For the payment activities of other CEs or providers who are not CEs, and for certain health care operations of other CEs
  - When required by law
  - For public health activities
  - Reporting domestic violence or abuse and neglect
  - For health oversight activities
  - For judicial and administrative proceedings, in response to a court order, or in response to a subpoena or discovery request if certain assurances are obtained

De-Identified Information
- De-identified information is not subject to HIPAA requirements
- A Covered Entity may determine that health information is not individually identifiable by:
  - Obtaining an opinion that the information is not identifiable from an entity experienced with generally accepted statistical and scientific principles and methods for de-identifying information
  - Removing specified identifiers of the individual or of relatives, employers, or household members

De-Identified Information
Identifiers to be removed:
- Names
- All geographic subdivisions (address, zip code)
- All elements of dates (incl. birthdate and date of admission)
- Telephone/Fax numbers
- E-mail addresses
- SSN
- Medical record number
- Health plan number
- Account number
- Certificate/license number
- VIN/serial number
- Device identifier/serial #
- URL
- IP address
- Biometric identifiers (voice/finger prints)
- Photos
- Other unique characteristics

Client Rights
- Request restrictions on use and disclosure of PHI
- Obtain a disclosure history
- Review and copy their own medical records
- Request amendments or corrections to the record
- Complain to the Department and to the Secretary of DHHS if privacy rights are violated

Business Associate Agreements
- Terms and Template
- Other Agreements:
  - Trading Partner
  - Chain of Trust
  - User Agreements

Enforcement
- ENFORCER: Office of Civil Rights, HHS
- Complaint-driven process (but OCR indicates a willingness to provide “guidance” first)
- PENALTIES:
  - For failure to comply: Civil Money Penalties of $100 per violation, not to exceed $25,000 per year
  - For knowingly disclosing or obtaining PHI: CRIMINAL PENALTIES
- CRIMINAL PENALTIES:
  - Knowing only: $50,000, one year in prison, or both
  - False pretenses: $100,000, five years, or both
  - Use for commercial or personal gain or malicious harm: $250,000, ten years, or both

Practical Steps to Compliance
- Shred all PHI to be discarded
- Log off terminal when not in use
- Do not discuss specific cases in public places
- Verify fax locations
- Be mindful of sharing only “minimum necessary” information

Practical Steps to Compliance
- Be aware of with whom you are sharing PHI
- Report breaches to the Privacy Official
- Assure adequate safeguards/paperwork are in place
- Check with IT staff to be sure dial-in is secure
- Read and follow Privacy and Security Policies and Procedures
