HIPAA PRIVACY WORK GROUP FOR EYE BANKS

EBAA HIPAA PRIVACY WORK GROUPChristina W. Strong, Esq., Facilitator

Eye Banks

ARE NOT

typically subject to HIPAA.

HIPAA Overview

Health

Insurance

Portability &

Accountability

Act

• 1996• Portability and accessibility

- Pre-existing conditions- Enrollment at “life events”

• Accountability- Administrative

Simplification- Privacy /Security Rule- Enforcement - Breach

HITECH Act

Health Information Technology for Electronic and Clinical Health

• 2009• Part of ARRA, aka the

“Stimulus Bill”• EMR/EHR Adoption

Rules and Incentives• Increased HIPAA Fines

and Penalties• Expanded

Applicability of HIPAA

Allowable Disclosures

HIPAA allows for the use and disclosure of PHI without authorization under 45 CFR 164:• 164.512(b) FDA-regulated products:

tracking, adverse events, post market surveillance

• 164.512(g) Coroners and Medical examiners: for determining cause of death

• 164.512(h) Cadaveric organ, eye or tissue donation facilitation

Who is Subject to HIPAA

• Covered Entities

• Business Associates

Covered Entity

• (A health plan).• (A health care clearinghouse).• A health care provider who transmits

any health information in electronic form in connection with a transaction covered by this chapter.

• 45 CFR 160.103

Covered Entity – Exception #1

“We delete from the definition of ‘‘health care’’ activities related to the procurement or banking of blood, sperm, organs, or any other tissue for administration to patients…

“Consequently, such procurement or banking activities are not considered health care and the organizations that perform such activities are not considered health care providers for purposes of this rule.”

HIPAA Privacy Final Rule, Federal Register/Vol. 65, No. 250/ Thursday, December 28, 2000, p. 82571-2

Covered Entity – Exception #2

Business Associate

With respect to a covered entity, a person who:• On behalf of such covered entity,• But other than as a member of its workforce,• Performs or assists in the performance of• A function or activity involving the use or

disclosure of individually identifiable health information…

45 CFR 160.103

Business Associate (BA)

• Claims processing or administration• Data analysis• Processing or administration• Utilization review• Quality Assurance• Billing• Benefit Management• Practice Management• Repricing• Any other function regulated in this subchapter

…On behalf of the covered entity

Business Associate (BA)

• Legal• Actuarial• Accounting• Consulting • Data Aggregation• Management• Administrative• Accreditation• Financial Services…

Business Associate – NOT US

HIPAA Privacy Final Rule, Federal Register/Vol. 65, No. 250/ Thursday, December 28, 2000, p. 82688.

Business Associate – What’s the Problem

• HIPAA now applies directly to Business Associates

• Civil and Criminal Penalties now apply directly to BAs

• Must report Covered Entity for HIPAA non-compliance

• Subject to HIPAA Audit by Heath and Human Services

Signing a Business Associate Agreement subjects an exempt organization to HIPAA compliance

What’s so Bad about Being a BA

Business Associates subject to HIPAA Fines and Penalties:

“Authority to impose civil money penalties on business associates for violations of the HITECH Act is provided by sections 13401(b) and 13404(c).”

Breach Notification for Unsecured Protected Health Information, Interim Final Rule, Federal Register / Vol. 74, No. 162 / Monday, August 24, 2009

Business Associate - Implications

Business Associates are subject to HIPAA Audit by HHS:

“The protocol and audit program performance requested under this contract shall assist OCR in operating an audit program that effectively implements the statutory requirement to audit covered entity and business associate compliance with the HIPAA privacy and security standards as amended by ARRA.”

Federal Business Opportunities (FBO.gov)

Defend your Status

Document for your partners:

• 512(h) disclosures allowed without authorization

• Covered Entity –NOT for Eye Banks

• Business Associate -NOT for Eye Banks

• Your dedication to donor privacy and data security (including compliance with 21 CFR Part 11)