HIPAA is Happening at MnSCU
Have you heard about HIPAA but aren't sure about whether it affects you as a MnSCU employee? Read on, especially if you provide health care services or instruct students who do.
What is HIPAA? HIPAA is an acronym for the federal law entitled: Health Insurance Portability and Accountability Act of 1996 (HIPAA). This broad-sweeping federal act covers many components, and affects employers, insurers, and health care providers, which may include colleges and universities. Title II of the Act addresses "Administrative Simplification" for the management of health care records, and includes three sets of regulations that may impact certain functions at MnSCU institutions:
1. Electronic Data Interchange (EDI), compliance date: October 16, 2003.
2. Privacy Standards, in effect for "covered entities" as of April 14, 2003; and
3. Security Standards, compliance date: February 2005.
The HIPAA regulations only apply to Minnesota State Colleges and Universities to the extent that they perform "covered entity" functions. See below for guidance.
HIPAA Privacy Regulations - what are they? The HIPAA Privacy Regulations set a national "floor" for the privacy of individual health information for covered entities. They are found at 45 CFR Parts 160 and 164 (accessible through the Federal Health and Human Services Department (HHS) Web site, www.hhs.gov/ocr/hipaa/. The Regulations apply to health plans, health care clearinghouses and health care providers that transmit health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA (the "covered entities"). Where they apply, implementation of the Regulations requires the appointment of a Privacy Officer, careful consideration of the organizational structure to determine the workgroups subject to the regulations, adoption of many new policies and procedures, and on-going training.
Minnesota already has strict laws protecting the privacy of medical records - does HIPAA change these laws? It is important to understand that the HIPAA Privacy Regulations do not automatically pre-empt existing state laws concerning the privacy of health records; HIPAA leaves in place those laws that provide more privacy protection for the individual. Thus, implementing HIPAA at MnSCU institutions requires a careful analysis of existing state laws, such as the Minnesota Government Data Practices Act and the Minnesota Medical Records Act to determine which law applies because it is stricter. The HIPAA tools developed by the Minnesota State Colleges and Universities Office of General Counsel (OGC) incorporate this analysis.
Note to all health care providers: Minnesota law requires all providers to post a notice advising individuals of their rights under state law to access their health records. This notice has recently been amended and is available at: www.health.state.mn.us/divs/hpsc/dap/notice.pdf Posting this notice continues to be required even for health care providers covered by the HIPAA Privacy Regulations.
How is it determined whether a health care provider is a "covered entity" for purposes of the HIPAA Privacy Regulations? The general rule is that every health care provider, regardless of size, that electronically transmits health information in connection with certain transactions, is a "covered entity." These transactions include: claims, benefit eligibility inquiries, referral authorization requests, or other transactions for which HHS has established standards under the HIPAA Transactions Rule. Fax or telephone transactions are not considered to be "electronic," but e-mail is if in connection with one of the standard transactions. Generally, the Privacy regulations apply if a provider directly engages in electronic transactions or uses a billing service or other third party to do so on its behalf. Electronic transactions of health information are the "trigger" for HIPAA privacy for health care providers.
MnSCU health care providers were surveyed before the compliance date for the Privacy Regulations and determinations were made, based upon current functions and practices, about their "covered entity" status. Minnesota State Colleges and Universities "covered entities" received assistance on implementation. For reference, the HHS has published a decision tool for determining whether the Privacy Rules apply: www.cms.hhs.gov/, then click on "HIPAA" under "Regulations and Guidance."
It is important that any MnSCU health care provider having questions about its "covered entity" status consult with the OGC. As discussed below, application of HIPAA in the college or university setting is different from other kinds of entities.
HIPAA provides for significant financial penalties for violations if an entity is required to comply.
Do all MnSCU "covered entities" need to comply with the HIPAA Privacy Regulations? Surprisingly, no. This is where being a college or university health care provider becomes important. Medical records maintained by colleges and universities on students are exempted from the HIPAA Privacy Regulations. Congress decided that the privacy protections already afforded by FERPA are sufficient and adding another layer of federal regulations would be too confusing. Thus, for example, a MnSCU student health service that meets the definition of "covered entity" because it engages in one or more of the standard electronic transactions does not need to comply with the HIPAA Privacy Regulations if it only treats students - it would need to continue to follow FERPA and other applicable state law regarding the privacy of those records. A student health service that engages in any of the standard electronic transactions will need to comply with the electronic transactions standards as of October 16, 2003, even if it treats only students.
Some MnSCU health care providers are, however, "covered entities" that must comply with HIPAA Privacy Regulations because they provide care for non-students, such as faculty, staff or visitors, and engage in one or more of the standard electronic transactions described above. These providers must implement all the requirements of the Regulations and apply them to any individual health information for non-students that they maintain in any form, not just electronic.
MnSCU health care providers that are covered entities do not need to develop HIPAA implementation materials independently. The OGC has developed a full set of compliance tools for the HIPAA Privacy Regulations. These tools incorporate Minnesota law, where applicable, and will make implementation easier.
Are MnSCU health care providers that are not directly subject to the Privacy Regulations affected in any way by HIPAA? There are several ways in which HIPAA could be relevant to a provider even if it is not required itself to comply with the regulations. If a provider is requesting protected health information from a "covered entity," such as another provider, it may require the use of a release form that includes all the HIPAA Privacy Requirements. Form that may be used for such purposes.
Also, all MnSCU health care providers that are "covered entities" (i.e., because they engage in one or more of the standard electronic transactions) must comply with the electronic transactions standards as of October 16, 2003, even if they only treat students; this section of HIPAA does not have a "FERPA exception." Health care providers should be working with insurers and other third parties now to ensure that appropriate software is in place and operational by the compliance deadline. Contact the Office of General Counsel for assistance.
All institutions, irrespective of HIPAA, may wish to review their general privacy practices, given the highlighting of those concerns by these laws, not to mention events in the news. A periodic review of and training on your institution's privacy and security policies and procedures - especially with regard to student records - is always advisable. There are various resources available to assist you on the Office of General Counsel Web site: www.ogc.mnscu.edu and we are available to provide further assistance in these matters.
Should I attend HIPAA training sponsored by my professional organization? Many private and some public organizations are offering training and HIPAA compliance materials. While participation in such sessions may be helpful in providing general orientation to HIPAA, no MnSCU health care provider should implement any part of the HIPAA Regulations without first consulting with the MnSCU OGC to ensure an accurate understanding of how HIPAA applies to specific functions and incorporates state law. Few trainers understand the special considerations in implementing HIPAA on a college or university campus, and fewer still are familiar with the Minnesota Government Data Practices Act, which applies to data held by MnSCU institutions.
Since HR handles medical information on employees, does HIPAA apply to those functions? Questions concerning employment-related issues under the HIPAA Privacy Regulations should be addressed to the Office of the Chancellor Human Resources Division, or the Department of Employee Relations. DOER has posted a guidance memo at: http://extranet.doer.state.mn.us. As a general matter, medical information held by an employer for employment-related purposes is not subject to HIPAA privacy requirements. Medical information obtained from the employee instead of directly from the provider is not subject to HIPAA privacy regulations.
What is a HIPAA Business Associate? In general, a business associate is a person or organization, other than a member of a covered entity's workforce, that performs certain functions or services on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. Business associate functions include claims processing, data analysis, utilization review, and billing. Business associate services are limited to legal actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services. Persons or organizations are not business associates if their functions or services do not require protected health information, or where any access to such information would be incidental, if at all. Health care providers that are not covered entities have no need for business associate agreements. Contact the Office of General Counsel for assistance.
What needs to be done if we are a party to a business associate relationship? Covered entities that use business associates must have in place Business Associate Agreements that contain certain provisions concerning the business associate's responsibilities to maintain the privacy of the protected health information. These agreements were needed no later than April 14 2004. Business associates do not become directly regulated by the HIPAA Privacy Regulations, but they must agree to adopt certain policies and procedures and generally be accountable to the covered entity for protecting health information.
H ow do we proceed if we, as a covered entity, need a Business Associate Agreement? Like other contracts, it is important to use the language that has been approved for use by state agencies. See the AGO approved contract addendum language. Remember to verify that a Business Associate Agreement is being used only for the functions included in the list above. Incidental exposure to protected health information, such as by janitorial personnel, does not require such an agreement. If a proposed agreement includes provisions not in the AGO approved addendum, contact the OGC before signing.
What if we are asked to sign an agreement? Some MnSCU institutions are being asked to sign Business Associate Agreements - and in almost all cases, incorrectly. Because HIPAA is a new law, we believe there is misinformation or excess caution on the part of many covered entities when it comes to business associates.
One area in which the business associate concept seems to be a recurring concern is in clinical training for health care programs. Virtually all training facilities are HIPAA covered entities and must ensure that the use and disclosure of protected health information that they authorize complies with the Privacy Regulations. However, as you can tell from the above list, the training of students at a health care site is not a business associate function or service; moreover, neither the students nor the faculty are performing services "on behalf of" the training site. Thus, the relationship is not that of a business associate, as defined by law.
A short FAQ on the relationship of clinical students or interns and HIPAA is found on the Web site for the Association of American Medical Colleges at: www.aamc.org/members/gir/hipaa/aamchipaafaqs.pdf.
Instead, students and college or university faculty who supervise at a training site should be considered to be members of the facility's "workforce" as that term is defined by the Privacy Regulations. Members of the workforce include anyone working under the facility's control, irrespective of whether they are paid; for the purposes of protecting the privacy of health information, MnSCU students and employees follow the facility's policies and procedures. A sample letter that could be sent to a facility that has incorrectly requested a business associate agreement. If you need further assistance, contact the Office of General Counsel.
How can we address HIPAA concerns at clinical training sites if we do not agree to be business associates? Covered entities are required to train their workforce in HIPAA Privacy compliance. The standard MnSCU MOU for nursing clinical training contains provisions about the parties' respective training responsibilities on the facility's policies that may be adapted for HIPAA. Minnesota State Colleges and Universities Department of Finance Contracting Form 25 is an amendment to an existing MOA for clinical nursing training that addresses HIPAA privacy training. Click here and choose Form 25. This amendment maintains the responsibilities as contained in the original MOU, but the parties could agree to a different assignment of responsibility. For example, a facility may simply wish to do the training itself or make its web-based training available. The OGC could assist campuses in developing training resources on this issue for students if there is sufficient interest. The amendment also makes clear that neither students nor faculty are "employees" of the facility for workers' compensation or other purposes.
What if a MnSCU health care provider plans to start conducting electronic transactions? Electronic transactions are, of course, the triggering event for HIPAA application. You will want to carefully consider the administrative impact of implementing the HIPAA Privacy and other Regulations on your workforce before making these changes. The OGC can assist health care providers in determining their best options and, if required, implementation of the HIPAA policies and procedures. Depending on when electronic transactions begin, a new covered entity may need to implement not only the Privacy Regulations, but also the Electronic Transactions Standards. These matters require careful attention, as potential sanctions for non-compliance can be severe, including significant fines against the institution.
Couldn't a MnSCU health care provider decide to implement the HIPAA Privacy Regulations even if they aren't required so as not to be out of step with other providers? We are not recommending at this time that campus health care providers voluntarily implement the HIPAA Privacy Regulations. While for student health services this may mean having somewhat different procedures for handling student and other health care records in the same office, we believe it is advisable to adhere to Congress' assessment that health records of students are adequately protected by FERPA, and applicable state laws. Adopting additional privacy standards by policy could create unnecessary contractual liability for the college or university. We recognize, however, that understanding HIPAA and compliance issues is an evolving task; we will continue to assess these matters. Contact the OGC if you have questions about application of the laws protecting the privacy of student records.
Is there good information on the Web about HIPAA? Yes - lots, the most comprehensive and important is posted by the U.S. Department of Health and Human Services, Office for Civil Rights, the entity charged with enforcing HIPAA, on its HIPAA Home Page at: www.hhs.gov/ocr/hipaa/. From this site, you can access a wide variety of documents, from relatively simplified summaries of the Regulations, through detailed compliance guidance, and, of course, the actual Regulations.
PREVIEW OF HIPAA ATTRACTIONS.
As noted earlier, the Privacy Regulations are only one part of HIPAA. Two other sections have potential implications for MnSCU institutions: the Electronic Transactions Standards, and the Security Regulations.
A. Electronic Transactions Standards
The Electronic Transactions Standards are a central part of the "administrative simplification" concept of HIPAA: one standard electronic "language" is to be used by all health care providers that engage in any of the standard electronic transactions listed in the regulations. There is no "FERPA exception" for these regulations, and so, for example, a student health service that engages in electronic billing for its students must use HIPAA compliant software. Institutions were advised that software testing began on April 16, 2003, and the Regulations became effective October 16, 2003. In many cases, the insurance companies coordinated compliance activities with Minnesota State Colleges and Universities' institutions that engage in electronic transactions with them.
HHS has developed guidance materials available via the HIPAA page on http://www.hhs.gov/
B. Security Regulations
You may access the final HIPAA Security Regulations through: www.hhs.gov/ocr/hipaa.These Regulations include standards for the security of health care data being maintained and transmitted by a "covered entity." Like the Privacy Regulations, the Security Regulations include a FERPA exception, and so will not cover student health records held by colleges or universities. However, because the Security Regulations cover records that are "maintained" in addition to transmitted, the impact will be broader than the Privacy Regulations. We are studying the implication of these regulations for MnSCU colleges and universities. The Security Regulations became mandatory for "covered" entities two years from their publication date, February 2005.
Please feel free to contact the Office of General Counsel if you have questions or concerns about HIPAA or other data privacy issues.