
Presentation to

Texas State University Student

Speakers Seminar

E. Angela Branch, Deputy Chief Privacy Officer of Audit and Compliance

Travis Davis, Deputy Chief Privacy Officer

Texas HHS Privacy Office

Health Insurance Portability and Accountability Act (HIPAA)

• The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Covered Entities (CE)

• Health care providers that transmit any health information in electronic form in connection with a HIPAA standard transaction, health plans, and health care clearinghouses. Business associates that handle PHI on a covered entity's behalf are not themselves covered entities, but they are directly subject to many of the same HIPAA obligations.

Protected health information (PHI) is individually identifiable health information that is:

• Transmitted by electronic media

• Maintained in electronic media

• Transmitted or maintained in any other form or medium (including paper records and oral communication)


HIPAA Rules

Privacy Rule

• Protects PHI in paper, oral, and electronic forms

• Protects the individual's right to control the use of her confidential information

Security Rule

• Sets the national standards for protecting the confidentiality, integrity, and availability of electronic protected health information


Enforcement Rule

• Provides standards for the enforcement of HIPAA, including investigations, the imposition of civil money penalties for violations of HIPAA, and procedures for hearings.

Omnibus/Breach Notification Rule

• Requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.


FTC Rule

• Federal Trade Commission Health Breach Notification Rule

• Breach notification provisions implemented and enforced by the Federal Trade Commission (FTC). They apply to vendors of personal health records and their third-party service providers, pursuant to section 13407 of the HITECH Act, that is, to entities that handle health information but are not covered by HIPAA.

• Example: a web-based business that collects people's health information, including an online service that tracks their health information and online applications that interact with those services.


What does the FTC rule require?

• Notify each affected person "without unreasonable delay," and in no case later than 60 calendar days after the breach is discovered

• The countdown begins on the day the breach becomes known, or the day it reasonably should have been known

• Act without unreasonable delay (don't wait until the 60th day)

• Notify the FTC as soon as possible, and within 10 business days after discovering the breach, when the breach involves 500 or more individuals; breaches involving fewer than 500 individuals are reported to the FTC in an annual log instead


Texas Medical Records Privacy Act (Texas Health and Safety Code, Chapter 181)

Broader than HIPAA

• Applies to health care providers, health plans, health care clearinghouses, individuals, businesses, or organizations that obtain, store, or possess PHI, including their agents, employees, and contractors if they create, receive, obtain, use, or transmit PHI.

• Any person who engages in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting PHI, etc. §181.001(b)(1)(A)-(D).

Texas Medical Records Privacy Act (Cont.)

Enforcement Authority

• Grants enforcement authority to relevant state agencies, including:

• Texas Attorney General's Office

• Texas Health and Human Services Commission

The State Attorney General

• Maintains an informational website relating to consumer and patient privacy in Texas.

Texas Medical Records Privacy Act (Cont.)

• Adopts HIPAA's PHI definition

• Adopts HIPAA's standards relating to an individual's access to his/her PHI and ability to amend his/her PHI

• Adopts HIPAA's standards relating to the Notice of Privacy Practices

• Adopts HIPAA's standards relating to uses and disclosures, including requirements relating to consent to treatment

Texas Medical Records Privacy Act (Cont.)

Some Important Differences:

• Prohibits the re-identification of de-identified information

• Requires no prior consent or authorization for use and disclosure of PHI by: financial institutions for the processing of payment transactions; non-profit agencies; workers' compensation insurance; employee benefit plans; the Red Cross; and offenders with mental impairments

• Prohibits any release of PHI for marketing purposes without consent or authorization from the individual

• Requires job-specific privacy training within 90 days of hire

Texas Medical Records Privacy Act (Cont.)

Some Important Differences:

• Health care providers that maintain electronic health records must respond to a request for access within 15 business days of receipt of a written request, unless HIPAA does not require access

• The HIPAA standard is 30 calendar days

• HIPAA permits one 30-day extension; Texas H.B. 300 permits no extension

Texas Medical Records Privacy Act (Cont.)

Always use the more restrictive standard!


Texas Health and Human Services Privacy Office

• HHSC workforce: 58,000 employees

• Serves 10 to 15 million people throughout Texas

• HHSC Privacy Office organization

HHS Privacy Office Organization (as of April 7, 2016)

HHS Chief Counsel: Karen Ray

Other units on the chart: Legal Services Division, Appeals Division

HHS Privacy Office

• Chief Privacy Officer: Sheila Stine, JD

• HHS Deputy Chief Privacy Officer, Audit and Compliance: Angela Branch, JD

• HHS Deputy Chief Privacy Officer and Chief of Staff: Travis Davis

• Senior Privacy Officer, Team Lead: Incident Response, DADS Privacy Liaison: Emilie Schulz

• Privacy Analyst: Maisen Lawhon

• Senior Privacy Officer, Privacy Office Project Lead, DFPS Privacy Liaison: Diana Hanson

• Privacy Officer: Jameila Styles

• Senior Privacy Officer, DSHS Privacy Liaison: Tim Hawkins

• Privacy Officer, DARS Privacy Liaison: Aida Hernandez

Texas Health and Human Services Privacy Office Operations

• Archer

• Tableau

• Breach Management

• Investigation & Incident Response Team


Breach Management


• Resources for breach management include local law enforcement cyber security teams

• Federal Bureau of Investigation (FBI)

• Texas Inspector General (IG)

• Texas HHS Privacy Office and/or HHS IT Security

• Breach management vendors we have worked with, such as CSID, Kroll, Radar, and AllClearID

• The U.S. HHS Office for Civil Rights (OCR) is not a resource, but an enforcement agency only.

Investigation & Incident Response Team

• The Privacy Office has implemented several controls to remain within the 60-day notification period.

• Our experience with the OCR (generally, not breach specific, e.g. how long an investigation can go on, what they typically ask for, their attitude)

• How we engage on Texas privacy breaches: limited to HHS agencies, business associates, and Medicaid or other benefit program providers. We are not the HIPAA police. The Texas Office of the Attorney General (OAG) is, but to our knowledge it has not enforced HIPAA at all.