[PPT] - Texas HHS Privacy Office Health Insurance Portability And PowerPoint Presentation

SLIDE 1

Presentation to Texas State University Student Speakers Seminar

E. Angela Branch, Deputy Chief Privacy Officer of

Audit and Compliance Travis Davis, Deputy Chief Privacy Officer

Texas HHS Privacy Office

SLIDE 2

Health Insurance Portability And Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act of 1996

(HIPAA)

Covered Entities (CE)
Health Care Providers that transmit any information in an

electronic form in connection with a standard transaction, Health Plans, Health Care Clearinghouses and Business Associates

Individual PHI includes identifying information that is:
Transmitted by electronic media
Maintained in electronic media
Transmitted or maintained in any other form or medium

(includes paper and oral communication)

2

SLIDE 3

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA Rules
Privacy Rule
Protects PHI in Paper, Oral, and Electronic forms
Protects the individual’s right to control the use of her

confidential information

Security Rule
Sets the national standards for protecting the

confidentiality, integrity, and availability of electronic protected health information

3

SLIDE 4

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA Rules
Enforcement Rule
Provides standards for the enforcement of HIPAA,

including investigations, the imposition of civil money penalties for violations of HIPAA and procedures for hearings.

Omnibus/Breach Notification Rule
Requires HIPAA covered entities and their business

associates to provide notification following a breach of unsecured protected health information.

4

SLIDE 5

FTC Rule

Federal Trade Commission Rule
Notification Rules
Breach notification provisions implemented and enforced

by the Federal Trade Commission (FTC), applies to vendors of personal health records and their third party service providers, pursuant to section 13407 of the HITECH Act.

Example - a web-based business that collects people’s

health information including an on-line service that tracks their health information and online applications that interact with those services.

5

SLIDE 6

FTC Rule

Federal Trade Commission Rule
What does the FTC rule require:
Notify each affected person “without unreasonable delay”
Within 60 calendar days after the breach is discovered
Countdown begins the day the breach becomes known –
r the day someone should reasonably have known
Act without unreasonable delay (Don’t wait until 60th

day)

Notify FTC as soon as possible/within 10 business days

after discovering the breach

6

SLIDE 7

Texas Medical Records Privacy Act
Broader than HIPAA
Applies to Health care providers, health plans, health care

clearing houses, individuals, businesses or organizations that

btain, store or possess PHI, including their agents,

employees and contractors if they create, receive, obtain, use

r transmit PHI.
Any person who engages in the practice of assembling,

collecting, analyzing, using, evaluating, storing, or transmitting PHI, etc. §181.001(b)(1)(A)-(D).

Texas Medical Records Privacy Act

7

SLIDE 8

Texas Medical Records Privacy Act

Texas Medical Records Privacy Act
Enforcement Authority:
Grants enforcement authority to relevant state agencies
Texas Attorney General Office
Texas Health and Human Services Commission
The State Attorney General
Maintains an informational website relating to consumer

and patient privacy in Texas.

8

SLIDE 9

Texas Medical Records Privacy Act
Adopts HIPAA PHI definition
Adopts HIPAA’s standards relating to an individual’s access to

his/her PHI and ability to amend his/her PHI.

Adopts HIPAA’s standards relating to Notice of Privacy

Practices

Adopts HIPAA’s standards relating to uses and disclosures,

including requirements relating to consent to treatment

Texas Medical Records Privacy Act

9

SLIDE 10

Texas Medical Records Privacy Act
Some Important Differences:
Prohibits de-identified information to be re-identified
No prior consent or authorization for use and disclosure
f PHI for: Financial institutions for the processing of

payment transactions; Non-profit agencies; Worker’s compensation insurance; Employee benefit plans; Red Cross; and offenders with mental impairments.

Prohibits any release of PHI for marketing purposes

without consent or authorization from the individual

Requires job specific privacy training/ w/in 90 days of hire

Texas Medical Records Privacy Act

10

SLIDE 11

Texas Medical Records Privacy Act
Some Important Differences:
Healthcare providers that maintain electronic health

records must respond to a request for access within 15 business days of receipt of a written request unless HIPAA does not require access

HIPAA standard is 30 calendar days
HIPAA permits extensions/no extensions under Texas

H.B. 300

Texas Medical Records Privacy Act

11

SLIDE 12

Texas Medical Records Privacy Act

Always use the More Restrictive Standard!

12

SLIDE 13

13

Travis

SLIDE 14

Texas Health and Human Services Privacy Office

HHSC Workforce 58,000 employees
Serves 10-15 million people throughout Texas
HHSC Privacy Office Organization

14

SLIDE 15

HHS Privacy Office Organization

HHS Chief Counsel Karen Ray HHS Privacy Office Chief Privacy Officer Sheila Stine, JD HHS Deputy Chief Privacy Officer Audit and Compliance Angela Branch, JD HHS Deputy Chief Privacy Officer Chief Of Staff Travis Davis Senior Privacy Officer Team Lead: Incident Response DADS Privacy Liaison Emilie Schulz Privacy Analyst Maisen Lawhon Senior Privacy Officer Privacy Office Project Lead DFPS Privacy Liaison Diana Hanson Privacy Officer Jameila Styles Senior Privacy Officer DSHS Privacy Liaison Tim Hawkins Privacy Officer DARS Privacy Liaison Aida Hernandez As of April 7, 2016 Legal Services Division Appeals Division

SLIDE 16

Texas Health and Human Services Privacy Office Operations

Archer
Tableau
Breach Management
Investigation & Incident Response Team

16

SLIDE 17