TRANSCRIPT
Presentation to Texas State University Student Speakers Seminar
E. Angela Branch, Deputy Chief Privacy Officer of Audit and Compliance
Travis Davis, Deputy Chief Privacy Officer
Texas HHS Privacy Office

Health Insurance Portability and Accountability Act (HIPAA)
• The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Covered Entities (CE)
• Health Care Providers that transmit any information in electronic form in connection with a standard transaction, Health Plans, Health Care Clearinghouses, and Business Associates
Individual PHI includes identifying information that is:
• Transmitted by electronic media
• Maintained in electronic media
• Transmitted or maintained in any other form or medium (includes paper and oral communication)
Health Insurance Portability and Accountability Act (HIPAA)
• HIPAA Rules
Privacy Rule
• Protects PHI in paper, oral, and electronic forms
• Protects the individual’s right to control the use of her confidential information
Security Rule
• Sets the national standards for protecting the confidentiality, integrity, and availability of electronic protected health information
Health Insurance Portability and Accountability Act (HIPAA)
• HIPAA Rules
Enforcement Rule
• Provides standards for the enforcement of HIPAA, including investigations, the imposition of civil money penalties for violations of HIPAA, and procedures for hearings.
Omnibus/Breach Notification Rule
• Requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.
FTC Rule
• Federal Trade Commission Rule
Notification Rules
• Breach notification provisions, implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third-party service providers, pursuant to section 13407 of the HITECH Act.
• Example: a web-based business that collects people’s health information, including an online service that tracks their health information and online applications that interact with those services.
FTC Rule
• Federal Trade Commission Rule
What does the FTC rule require?
• Notify each affected person “without unreasonable delay”
• Within 60 calendar days after the breach is discovered
• Countdown begins the day the breach becomes known, or the day someone should reasonably have known
• Act without unreasonable delay (don’t wait until the 60th day)
• Notify the FTC as soon as possible, and within 10 business days after discovering the breach
Texas Medical Records Privacy Act
• Texas Medical Records Privacy Act
Broader than HIPAA
Applies to health care providers, health plans, health care clearinghouses, individuals, businesses, or organizations that obtain, store, or possess PHI, including their agents, employees, and contractors if they create, receive, obtain, use, or transmit PHI.
• Any person who engages in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting PHI, etc. §181.001(b)(1)(A)-(D).
Texas Medical Records Privacy Act
• Texas Medical Records Privacy Act
Enforcement Authority:
• Grants enforcement authority to relevant state agencies
• Texas Attorney General Office
• Texas Health and Human Services Commission
The State Attorney General
• Maintains an informational website relating to consumer and patient privacy in Texas.
Texas Medical Records Privacy Act
• Texas Medical Records Privacy Act
Adopts HIPAA PHI definition
Adopts HIPAA’s standards relating to an individual’s access to his/her PHI and ability to amend his/her PHI.
Adopts HIPAA’s standards relating to Notice of Privacy Practices
Adopts HIPAA’s standards relating to uses and disclosures, including requirements relating to consent to treatment
Texas Medical Records Privacy Act
• Texas Medical Records Privacy Act
Some Important Differences:
• Prohibits de-identified information from being re-identified
• No prior consent or authorization for use and disclosure of PHI for: financial institutions for the processing of payment transactions; non-profit agencies; worker’s compensation insurance; employee benefit plans; Red Cross; and offenders with mental impairments.
• Prohibits any release of PHI for marketing purposes without consent or authorization from the individual
• Requires job-specific privacy training within 90 days of hire
Texas Medical Records Privacy Act
• Texas Medical Records Privacy Act
Some Important Differences:
• Healthcare providers that maintain electronic health records must respond to a request for access within 15 business days of receipt of a written request, unless HIPAA does not require access
• HIPAA standard is 30 calendar days
• HIPAA permits extensions; no extensions under Texas H.B. 300
Texas Health and Human Services Privacy Office
• HHSC workforce: 58,000 employees
• Serves 10-15 million people throughout Texas
• HHSC Privacy Office Organization
HHS Privacy Office Organization (as of April 7, 2016)
• HHS Chief Counsel: Karen Ray
• HHS Privacy Office, Chief Privacy Officer: Sheila Stine, JD
• HHS Deputy Chief Privacy Officer, Audit and Compliance: Angela Branch, JD
• HHS Deputy Chief Privacy Officer, Chief of Staff: Travis Davis
• Senior Privacy Officer, Team Lead: Incident Response, DADS Privacy Liaison: Emilie Schulz
• Privacy Analyst: Maisen Lawhon
• Senior Privacy Officer, Privacy Office Project Lead, DFPS Privacy Liaison: Diana Hanson
• Privacy Officer: Jameila Styles
• Senior Privacy Officer, DSHS Privacy Liaison: Tim Hawkins
• Privacy Officer, DARS Privacy Liaison: Aida Hernandez
• Also shown on the chart: Legal Services Division; Appeals Division
Texas Health and Human Services Privacy Office
Operations
• Archer
• Tableau
• Breach Management
• Investigation & Incident Response Team
Breach Management
• Resources for breach management include local law enforcement – Cyber Security Teams
• Federal Bureau of Investigation (FBI)
• Texas Inspector General (IG)
• Texas HHS Privacy Office and/or HHS IT Security
• Breach management vendors we’ve worked with, like CSID, Kroll, Radar, and AllClearID
• Office for Civil Rights (OCR) is not a resource, but an enforcement agency only.
Investigation & Incident Response Team
• The Privacy Office has implemented several controls to remain under the 60-day notification period.
• Our experience with the OCR (generally, not breach specific, e.g. how long the investigation can go on, what they typically ask for, their attitude)
• How we engage on Texas privacy breaches is limited to HHS agencies, business associates, and Medicaid or other benefit program providers; we are not the HIPAA police. The Texas Office of the Attorney General (OAG) is, but to our knowledge has not enforced HIPAA at all.