Presentation to Texas State University Student Speakers Seminar E. Angela Branch, Deputy Chief Privacy Officer of Audit and Compliance Travis Davis, Deputy Chief Privacy Officer Texas HHS Privacy Office
Health Insurance Portability And Accountability Act (HIPAA) • The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Covered Entities (CE) • Health Care Providers that transmit any information in an electronic form in connection with a standard transaction, Health Plans, Health Care Clearinghouses and Business Associates Individual PHI includes identifying information that is: • Transmitted by electronic media • Maintained in electronic media • Transmitted or maintained in any other form or medium (includes paper and oral communication) 2
Health Insurance Portability and Accountability Act (HIPAA) • HIPAA Rules Privacy Rule • Protects PHI in Paper, Oral, and Electronic forms • Protects the individual’s right to control the use of her confidential information Security Rule • Sets the national standards for protecting the confidentiality, integrity, and availability of electronic protected health information 3
Health Insurance Portability and Accountability Act (HIPAA) • HIPAA Rules Enforcement Rule • Provides standards for the enforcement of HIPAA, including investigations, the imposition of civil money penalties for violations of HIPAA and procedures for hearings. Omnibus/Breach Notification Rule • Requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. 4
FTC Rule • Federal Trade Commission Rule Notification Rules • Breach notification provisions implemented and enforced by the Federal Trade Commission (FTC), applies to vendors of personal health records and their third party service providers, pursuant to section 13407 of the HITECH Act. • Example - a web- based business that collects people’s health information including an on-line service that tracks their health information and online applications that interact with those services. 5
FTC Rule • Federal Trade Commission Rule What does the FTC rule require: • Notify each affected person “without unreasonable delay” • Within 60 calendar days after the breach is discovered • Countdown begins the day the breach becomes known – or the day someone should reasonably have known • Act without unreasonable delay (Don’t wait until 60 th day) • Notify FTC as soon as possible/within 10 business days after discovering the breach 6
Texas Medical Records Privacy Act • Texas Medical Records Privacy Act Broader than HIPAA Applies to Health care providers, health plans, health care clearing houses, individuals, businesses or organizations that obtain, store or possess PHI, including their agents, employees and contractors if they create, receive, obtain, use or transmit PHI. • Any person who engages in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting PHI, etc. § 181.001(b)(1)(A)-(D). 7
Texas Medical Records Privacy Act • Texas Medical Records Privacy Act Enforcement Authority: • Grants enforcement authority to relevant state agencies • Texas Attorney General Office • Texas Health and Human Services Commission The State Attorney General • Maintains an informational website relating to consumer and patient privacy in Texas. 8
Texas Medical Records Privacy Act • Texas Medical Records Privacy Act Adopts HIPAA PHI definition Adopts HIPAA’s standards relating to an individual’s access to his/her PHI and ability to amend his/her PHI. Adopts HIPAA’s standards relating to Notice of Privacy Practices Adopts HIPAA’s standards relating to uses and disclosures, including requirements relating to consent to treatment 9
Texas Medical Records Privacy Act • Texas Medical Records Privacy Act Some Important Differences: • Prohibits de-identified information to be re-identified • No prior consent or authorization for use and disclosure of PHI for: Financial institutions for the processing of payment transactions; Non- profit agencies; Worker’s compensation insurance; Employee benefit plans; Red Cross; and offenders with mental impairments. • Prohibits any release of PHI for marketing purposes without consent or authorization from the individual • Requires job specific privacy training/ w/in 90 days of hire 10
Texas Medical Records Privacy Act • Texas Medical Records Privacy Act Some Important Differences: • Healthcare providers that maintain electronic health records must respond to a request for access within 15 business days of receipt of a written request unless HIPAA does not require access • HIPAA standard is 30 calendar days • HIPAA permits extensions/no extensions under Texas H.B. 300 11
Texas Medical Records Privacy Act Always use the More Restrictive Standard! 12
Travis 13
Texas Health and Human Services Privacy Office • HHSC Workforce 58,000 employees • Serves 10-15 million people throughout Texas • HHSC Privacy Office Organization 14
HHS Privacy Office Organization HHS Chief Counsel Karen Ray HHS Privacy Office Legal Services Division Appeals Division Chief Privacy Officer Sheila Stine, JD HHS Deputy Chief Privacy Privacy Analyst HHS Deputy Chief Privacy Officer Officer Maisen Lawhon Audit and Compliance Chief Of Staff Angela Branch, JD Travis Davis Senior Privacy Officer Privacy Office Project Lead DFPS Privacy Liaison Diana Hanson Senior Privacy Officer Team Lead: Incident Response DADS Privacy Liaison Emilie Schulz Senior Privacy Officer DSHS Privacy Liaison Tim Hawkins Privacy Officer DARS Privacy Liaison Aida Hernandez Privacy Officer Jameila Styles As of April 7, 2016
Texas Health and Human Services Privacy Office Operations • Archer • Tableau • Breach Management • Investigation & Incident Response Team 16
Texas Health and Human Services Privacy Office Operations (Cont.) 17
Texas Health and Human Services Privacy Office Operations (Cont.) 18
Texas Health and Human Services Privacy Office Operations (Cont.) 19
Texas Health and Human Services Privacy Office Operations (Cont.) 20
Texas Health and Human Services Privacy Office Operations (Cont.) 21
Texas Health and Human Services Privacy Office Operations (Cont.) 22
Breach Management • Resources for breach management include local law enforcement – Cyber Security Teams • Federal Bureau of Investigations (FBI) • Texas Inspector General (IG) • Texas HHS Privacy Office and/or HHS IT Security • Breach management vendors like CSID, Kroll, Radar, and AllClearID that we’ve worked with. • Office for Civil Rights (OCR) is not a resource, but an enforcement agency only. 23
Investigation & Incident Response Team • The Privacy Office has implemented several controls to remain under the 60 day notification period. • Our experience with the OCR (generally, not breach specific e.g. how long the investigation can go on, what they typically ask for, their attitude) • How we engage on Texas privacy breaches, limited to HHS agencies, business associates and Medicaid or other benefit program providers, we are not the HIPAA police. The Texas Office of Attorney General (OAG) is, but has to our knowledge not enforced HIPAA at all. 24
25
Recommend
More recommend
