TRAPS, TRICKS & TREPIDATION IN HIPAA & HYBRID ENTITY DESIGNATIONS AT UNIVERSITIES & AMCS

Transcription

1 TRAPS, TRICKS & TREPIDATION IN HIPAA & HYBRID ENTITY DESIGNATIONS AT UNIVERSITIES & AMCS

2 FACILITATORS Holly Benton, Duke Privacy, Duke University Lauren Steinfeld, Chief Privacy Officer, Penn Medicine Marti Arvin, VP Audit Strategy, Cynergistek, Inc.

3 DISCLAIMER: 3 This presentation contains slides that have been combined for purposes of presentation continuity. The speakers do not necessarily endorse the content of each other s slides. Moreover, the views expressed in this presentation belong to the speakers and do not necessarily represent the views of their organizations or other organizations.

4 AGENDA Background: review of the regulations Case studies Other relationships to consider Questions

5 BACKGROUND, A REVIEW OF THE REGULATIONS 5

6 6 HIPAA REGULATIONS ON HYBRID ENTITIES Hybrid entity Single legal entity that is A covered entity (Healthcare Provider, Health plan, Healthcare Clearinghouse) With both covered and non-covered functions; and That designates its health care components Covered functions Those functions of a covered entity the performance of which makes the entity a health plan, health care provider or health care clearinghouse.

7 7 REGULATIONS ON HYBRID ENTITIES Business units of the organization that engage in activities that would make them a business associate if they were a separate legal entity must be include in the health care component of the hybrid entity to the extent they engage in those BA activities The health care component may only include a component only to the extent it performs covered functions

8 CASE STUDIES FOR CONSIDERATION TO DEFINE HEALTH CARE COMPONENT 8

9 CASE STUDY 1 HYBRID ENTITY Your entity is a hybrid, consisting of an academic medical center and a university, with several schools involved in healthcare-related research You are trying address the training issues associated with being an AMC. Specifically, there is staff employed by the university that would like to work with PHI for research purposes.

10 CASE STUDY 1 HYBRID ENTITY You also have specialists in statistics and data analytics at other internal, non-covered component, Schools who can help evaluate utilization trends and reasons for readmission. You also would like to ensure proper agreements and relationships are in place when it comes to sharing PHI within the AMC and with the university schools.

11 CONSIDERATIONS CASE STUDY 1 Support services legal, waste management, audit, construction services Do they need the standard HIPAA training given to hospital employees? Groups who do not support the entity overall, but access data for projects for their own purposes, or for service work on behalf of the covered components Are there other safeguards to apply such as DUAs, BAAs, or training?

12 CASE STUDY 2 Ten campus, single legal entity university. All have student health centers Some treat students only Some treat students and student dependents Some treat student, student dependents and staff 6 campuses have medical centers All have a School of Medicine Some have other traditional health schools such as dentistry, nursing, allied health,

13 CASE STUDY 2 The non-amc campuses have health care activities Schools such as optometry Each campus has a unique structure and culture

14 CASE STUDY 2 Functions such as legal, internal audit, compliance have a system level office as well as offices at each campus. All the AMC campuses and some non-amc campuses engage in human subject research

15 CASE STUDY 2 Research has been designated as outside the healthcare component of the hybrid entity There is a system level administrative policy that designates the components which are inside the health care component but each campus must specify the business units and functions that are part of the health care component of their campus.

16 CONSIDERATIONS FOR CASE STUDY 2 What are the practical implications of who is included in the health care component and who is not? How do you assure each campus understands the rules and the system level policy well enough to identify the portions of their campus that is part of the healthcare component?

17 CONSIDERATIONS FOR CASE STUDY 2 How do you keep the consistency of documents like the NPP or a template BAA in place when each campus functions somewhat independently? How do you handle research information when the health system may be conducting services for research subjects?

18 CASE STUDY 3 You ve recently joined the privacy office of a university and discover that the hybrid designation may never have been formally reassessed. Past incident files point to non-covered departments, including transportation and printing services, providing services to covered components, and, seeing neither incident reports nor training records, you suspect some designated units may not even know they re covered.

19 CASE STUDY 3 New enterprise systems have been put into place over the last few years and the lack of related (or any!) risk analysis suggest ephi may be accessible by non-covered units. Of equal concern, you realize the information security office team may not be aware of and/or managing the Security Rule responsibilities.

20 CASE STUDY 3 You learn that the wellness service offered to employees, listed as a part of the ACE and included as an offering of the family medicine clinic, is actually a service provided by a vendor with whom central HR (not a covered unit) has contracted. As your looking at the hybrid designation, you receive a call from a business school employee who wants to know what to do with the state health department documents containing individuals health information he discovered left in a conference room.

21 What do you do, and where do you start? CONSIDERATIONS FOR CASE STUDY 3 What do these scenarios reveal are your institution s issues needing to be addressed? How do you strategize your approach? What do you address first and what order makes the most sense? With whom do you partner and what leadership support do you need upfront for the most successful reassessment? How do you operationalize the results of the reassessment? What documentation considerations does the project(s) present?

22 OTHER RELATIONSHIPS THAT MAY EXIST AT A UNIVERSITY OR AMC

23 Affiliated Covered Entity (ACE) WHAT TYPE OF AGREEMENTS/RELATIONSHIPS MIGHT EXIST? Organized Health Care Arrangement (OCHA) Business Associate 23 AHLA Legal Issues Affecting Academic Medical Centers January 2018

24 24 AFFILIATED COVERED ENTITY Legal separate covered entities that are affiliated designate themselves as an ACE i.e. become a single covered entity for purposes of HIPAA May designate the separate covered entities or any health care component of the CE) Required common ownership or control Designation must be documented AHLA Legal Issues Affecting Academic Medical Centers January 2018

25 25 AFFILIATED COVERED ENTITY What constitutes evidence of common ownership or control? Same parent Overseen by a common Board Be prepared to demonstrate common ownership or control Consider liability implications of becoming an ACE AHLA Legal Issues Affecting Academic Medical Centers January 2018

26 26 ORGANIZED HEALTH CARE ARRANGEMENT 45 CFR A clinically integrated care setting in which individuals typically receive health care from more than one health care provider An organized system of health care in which more than one covered entity participates and all participating CEs Hold themselves out as a joint arrangement Participate in joint activities that include at least one of the following: Utilization review Quality assessments Payment activities AHLA Legal Issues Affecting Academic Medical Centers January 2018

27 27 BUSINESS ASSOCIATES Any component of a covered entity that is a hybrid entity must include those business functions performing BA type activities in the health care component of its hybrid entity. Thus not business associate agreement is required. Entities that are part of an OHCA may be a business associate of another covered entity participating in the OHCA AHLA Legal Issues Affecting Academic Medical Centers January 2018

28 28 BUSINESS ASSOCIATES Business units, colleges or schools may have business associate relationships with external third parties The activities that make the unit, college or school a BA may or may not be considered covered functions Consideration must be given to whether separate P & Ps are required or they would follow the health care component HIPAA P & Ps as applicable. AHLA Legal Issues Affecting Academic Medical Centers January 2018

29 29 BUSINESS ASSOCIATES Need for process to identify external BA relationships before the engagement is entered and to monitor during the engagement to assure The risk profile is considered The compliance obligations are understood Breach notification is properly addressed. AHLA Legal Issues Affecting Academic Medical Centers January 2018

30 QUESTIONS

31 CONTACT INFORMATION Holly Benton Lauren Steinfeld Marti Arvin , ext 8071