Slide 1 NC DHHS HIPAA Office

1
National Governors Association Preparing State
Government for HIPAA
Presented by Sarah Brooks and Karen Tomczak NC
DHHS April 3, 2003
2
(No Transcript)
3
NC Statewide Initiative

• Statewide Assessment Project
• Identify and document HIPAA requirements
• Report to the legislature
• Managed by DHHS
• Directed by budget office, state CIO, DHHS
• Statewide assessment (by agency)
• Developed common assessment tools
• Recommended timelines
• Assisted with implementation budgets
• Reported to the legislature

4
Legislative Report

• Assessed 42 entities (including 480 divisions)
• State agencies
• Universities
• Community colleges
• Boards/commissions
• 21 percent were covered, hybrid entities
• 7 percent were business associates, trading
  partners

5
Statewide Impact

• Covered Entities
• State Health Plan (includes HealthChoice for
  Children)
• UNC Health Care
• Business Associates
• Department of Justice
• Office of the State Auditor
• Office of the Controller

• Hybrid Entities
• Dept of Administration
• Dept of Correction
• Dept of Health and Human Services
• Office of Information Technology Services

• East Carolina University
• University of NC at Chapel Hill
• University of NC at Greensboro

6
DHHS Impact

• Medicaid
• Public health
• State Lab
• State Center for Health Statistics
• Local health services
• Childrens special health services
• Developmental education clinics (13)
• Education
• School for the blind (1)
• Schools for the deaf (2)

• Mental health, substance abuse
• State mental hospitals, substance abuse, nursing
  (7)
• Mental retardation centers (5)
• Adol treatment programs (2)
• Other divisions
• Controllers Office
• Information Resource Mgmt
• Communications
• Internal Auditor
• Research, Demonstrations, and Rural Health
  Development

7
Surprises

• Number of Impacted Agencies Was Smaller Than
  Originally Anticipated
• Change in health plan definition (major factor)
• Introduction of hybrid entity concept
• Exemption of education-related facilities (FERPA)
• Long Delay of Security Regulations
• State Budget Crisis Impact to HIPAA Funding
• Statewide HIPAA office (Senate Bill 1115)

8
(No Transcript)
9
Impact of Not Complying

• Possible Litigation
• Potential Withholding of Federal Medicaid and
  Medicare Funds
• Federal Medicaid Share in NC in _at_ 4.5 billion
• In DHHS, more than 300 million in revenues at
  risk
• Penalties
• Civil Monetary for Violations of Each Standard
• Wrongful Disclosure of Protected Health
  Information

10
Direction from OCR and CMS

• Complaint Driven
• Cure Period
• Compliance Audits - Not for a While

11
Reasonable vs. The Best

• Draw the Line Between Compliance and
  Non-compliance
• Examine remaining compliance activities to
  determine whether a graduated approach can be
  applied
• Standards are fixed but the level and degree of
  remediation are self-directed

• Try not to set goals that are unattainable given
  existing personnel and financial constraints

Graduated Levels of Compliance
12
Reasonable vs. The Best

• Rethinking of Concepts
• Physical, Administrative, and Technical
  Safeguards under Privacy
• Access Controls
• Physical Security
• Reduce scope of Privacy Policies
• Apply policies that reflect best business
  practices to all DHHS agencies
• Apply HIPAA specific policies (e.g., Notice) to
  covered components only
• Delay Security until after July 2003
• Apply limited resources to Transactions, Code
  Sets, and Privacy in 2001-2003

13
Reasonable vs. The Best

• Concentrate on Privacy Policies With Specific
  Impacts to Consumers Initially
• Perform General Staff Training Before 4/14/03
• Evaluate training methodologies
• Provide training in cost-effective forum
• Training Booklet - self instructional
• Web-based training
• Video
• Instructor led
• After Development of All Privacy Policies, Follow
  up With More Specific, Focused Training

14
DHHS Priorities (FY2003)

• Addressing critical needs
• Developing privacy policies (DHHS)
• Developing training tools (templates, guidance)
• Implementing business associate contracts
• Focusing resources on core requirements
• Scope reductions
• Eliminated staff to assist with end-user training
• Eliminated compliance verification program
• Discontinued security activities
• Eliminated new positions (Security Privacy
  Officers)
• Reduced existing staff (HIPAA office,
  applications)

15
HIPAA GIVEShttp//www.hipaagives.org
GovernmentInformationValueExchange forStates

• Internet-based forum for states to resolve
  HIPAA-related issues
• Information clearinghouse
• All states have joined

16
Other Resources

• North Carolina Healthcare Information and
  Communications Alliance (http//www.nchica.
  org)
• NC DHHS HIPAA Office
  (http//www.dirm/state.nc.us/hipaa/)
• HHS Office for Civil Rights (OCR)
  (http//www.hhs.gov/ocr/hipaa/)
• Centers for Medicare and Medicaid Services
  (http//www.cms.gov/hipaa)