hipaa & public schools new federalism in a new century the challenges of administering hipaa in...

HIPAA & Public SchoolsHIPAA & Public SchoolsNew Federalism in a New CenturyNew Federalism in a New Century

HIPAA & Public SchoolsHIPAA & Public SchoolsNew Federalism in a New CenturyNew Federalism in a New Century

The Challenges of Administering HIPAA in Public SchoolsThe Challenges of Administering HIPAA in Public SchoolsASTHO/NGA Center Joint AudioconferenceASTHO/NGA Center Joint Audioconference

September 23, 2003September 23, 2003

Presented byPresented by

Robert J. BurnsRobert J. BurnsNGA Center for Best PracticesNGA Center for Best Practices

© 2003 National Governors Association© 2003 National Governors Association

2

What Is HIPPA?What Is HIPPA?

Health Insurance Portability and Health Insurance Portability and Accountability Act of 1996Accountability Act of 1996– Health insurance access (portability, renewal)Health insurance access (portability, renewal)– Privacy, securityPrivacy, security– Administrative simplificationAdministrative simplification

Patient protections, marketplace standardsPatient protections, marketplace standards– Federal Federal floorfloor– Preserves stronger state protections Preserves stronger state protections

(“New Federalism”)(“New Federalism”)


3

What Does HIPAA Do?What Does HIPAA Do?

PrivacyPrivacy– – Authorized disclosuresAuthorized disclosures– Conditions necessary– Conditions necessary– Individual rights– Individual rights

Governs the Governs the proper handling of, proper handling of, access toaccess to individually identifiable individually identifiable health information (any medium)health information (any medium)

SecuritySecurity– – AdministrativeAdministrative– – PhysicalPhysical– Technical– Technical

Prescribes Prescribes minimum safeguardsminimum safeguards to prevent unauthorized access to to prevent unauthorized access to electronic patient health informationelectronic patient health information

Administrative Administrative SimplificationSimplification– – Electronic data interchangeElectronic data interchange– – Standard transactionsStandard transactions– Code sets, identifiers– Code sets, identifiers

Establishes the Establishes the standard formatstandard format that must be used to enable the that must be used to enable the free exchange of electronic health free exchange of electronic health informationinformation


4

Critical Issues for SchoolsCritical Issues for Schools

Covered entity statusCovered entity status– PrivacyPrivacy– SecuritySecurity– Administrative SimplificationAdministrative Simplification

– Health plan? Health plan? – Health care provider? Health care provider? – Information clearinghouse?Information clearinghouse?

Information handledInformation handled– PrivacyPrivacy– SecuritySecurity

– Protected health information?Protected health information?– Education records?Education records?– Transfers?Transfers?

Transactions Transactions performedperformed– Administrative SimplificationAdministrative Simplification

– Electronic billing?Electronic billing?


5

Covered EntitiesCovered Entities(Public Law 104-191, 110 Stat. 2021)(Public Law 104-191, 110 Stat. 2021)

Individual or group Individual or group health planshealth plans (or programs) (or programs) that provide health benefits directly, through that provide health benefits directly, through insurance, or otherwiseinsurance, or otherwise

Health care providersHealth care providers (or suppliers) who (or suppliers) who furnish, bill, or are paid for health care in the furnish, bill, or are paid for health care in the normal course of business (normal course of business (andand transmits certain transmits certain health information electronically)health information electronically)

Information clearinghousesInformation clearinghouses that process or that process or facilitate the processing of electronic health facilitate the processing of electronic health information into a standard format)information into a standard format)


6

Are Schools ‘Covered Entities?’Are Schools ‘Covered Entities?’

Schools Schools can becan be covered entities covered entities– Service delivery, payment arrangement(-s)Service delivery, payment arrangement(-s)

Providers (direct employees, vendors, billing)Providers (direct employees, vendors, billing)

Health plan (Medicaid, SCHIP, high-risk pools)Health plan (Medicaid, SCHIP, high-risk pools)– Health plan Health plan excludesexcludes other government-funded other government-funded

programs whose principal purpose is:programs whose principal purpose is:Direct provision of health careDirect provision of health care

Making of grants to fund direct provision of health careMaking of grants to fund direct provision of health care

Other than providing (or paying the cost of) health careOther than providing (or paying the cost of) health care

Source: 45 CFR 160.103Source: 45 CFR 160.103


7

Information HandledInformation Handled(Privacy and Security Only)(Privacy and Security Only)

Protected health information (PHI)Protected health information (PHI)– Related to an individual’s health (or care)Related to an individual’s health (or care)– May be used to identify the individualMay be used to identify the individual– If not PHI, then not subject to HIPAAIf not PHI, then not subject to HIPAA

(Privacy, Security only)(Privacy, Security only)

PHI excludes certain education recordsPHI excludes certain education records– FERPA, IDEA supercede HIPAAFERPA, IDEA supercede HIPAA– Hinges on federal fundingHinges on federal funding

Source: U.S. Department of Health and Human Services, “Standards for Privacy ofSource: U.S. Department of Health and Human Services, “Standards for Privacy ofIndividually Identifiable Health Information,” [Preamble] Individually Identifiable Health Information,” [Preamble] Federal RegisterFederal Register 65, no. 250 65, no. 250 (December 28, 2000): 82496.(December 28, 2000): 82496.


8

Education RecordsEducation Records

Education records governed by FERPAEducation records governed by FERPA– Files, documents, other materialsFiles, documents, other materials– Maintained by educational agency, institutionMaintained by educational agency, institution– Contain information directly related to studentContain information directly related to student– Student is <18 years oldStudent is <18 years old

Other FERPA-defined education recordsOther FERPA-defined education records– Files, documents, other materialsFiles, documents, other materials– Made, maintained by provider for student’s treatmentMade, maintained by provider for student’s treatment– Available only to student, providerAvailable only to student, provider– Student is >18, attending postsecondary institutionStudent is >18, attending postsecondary institution

Source: U.S. Department of Health and Human Services, “Standards for Privacy of Source: U.S. Department of Health and Human Services, “Standards for Privacy of Individually Identifiable Health Information: Final Rule,” [45 CFR Individually Identifiable Health Information: Final Rule,” [45 CFR § § 160.103] 160.103] Federal RegisterFederal Register 65, no. 250 (December 28, 2000): 82798. 65, no. 250 (December 28, 2000): 82798.


9

Transactions PerformedTransactions Performed(Administrative Simplification Rules Only)(Administrative Simplification Rules Only)

Standard TransactionsStandard Transactions– Certain administrative, financial exchanges (8)Certain administrative, financial exchanges (8)– Applies to all health-related info, not just PHIApplies to all health-related info, not just PHI– Transmitted, maintained Transmitted, maintained electronicallyelectronically– If not standard transaction, then not subject to HIPAA If not standard transaction, then not subject to HIPAA

(Administrative Simplification rules only)(Administrative Simplification rules only)

School must comply if a covered entity (School must comply if a covered entity (andand billing electronically)billing electronically)– If not billing electronically, then not bound to use If not billing electronically, then not bound to use

standard data elements, code setsstandard data elements, code sets


10

Potential PitfallsPotential Pitfalls

Does school Does school collect PHIcollect PHI from covered from covered entities?entities?– If so…can school reasonably assure PHI will be If so…can school reasonably assure PHI will be

used in a HIPAA-compliant manner?used in a HIPAA-compliant manner?Business associate, trading partner agreementsBusiness associate, trading partner agreementsChanges to policies, proceduresChanges to policies, procedures

Will health plan(-s) still accept Will health plan(-s) still accept nonstandard paper, electronic claims?nonstandard paper, electronic claims?– If not…will school have the capacity to conduct If not…will school have the capacity to conduct

standard transactions?standard transactions?Technology upgrades, clearinghouse solutionsTechnology upgrades, clearinghouse solutions


11

SummarySummary

Schools Schools can becan be covered entities covered entities

Education records not governed by HIPAAEducation records not governed by HIPAA

Data standards not required unless Data standards not required unless performing standard transactionsperforming standard transactions

May still need to partially complyMay still need to partially comply– Reasonable assurances (Privacy, Security)Reasonable assurances (Privacy, Security)– Electronic billing (Administrative Simplification)Electronic billing (Administrative Simplification)


12

NGA Center for Best PracticesNGA Center for Best Practices((http://www.nga.org/center/hipaa/http://www.nga.org/center/hipaa/))

Robert J. BurnsRobert J. BurnsPolicy AnalystPolicy AnalystHealth Policy Studies DivisionHealth Policy Studies Division

National Governors AssociationNational Governors AssociationCenter for Best PracticesCenter for Best Practices

Hall of States, Suite 267Hall of States, Suite 267444 North Capitol Street, NW444 North Capitol Street, NWWashington, DC 20001-1512Washington, DC 20001-1512

(202) 624-7729(202) 624-7729fax: (202) 624-5313fax: (202) 624-5313email: email: [email protected]@nga.org

hipaa & public schools new federalism in a new century the challenges of administering hipaa in...

Documents