Deschutes County Board of Commissioners
1300 NW Wall St., Suite 200, Bend, OR 97701-1960
(541) 388-6570 - Fax (541) 385-3202 - www.deschutes.org
AGENDA REQUEST & STAFF REPORT
For Board Business Meeting of October 21, 2014 (Work Session)
DATE: 10/16/14
FROM: John Laherty, Legal Department (541) 330-4645
TITLE OF AGENDA ITEM:
Discussion of County's potential adoption of hybrid entity status for HIPAA purposes.
PUBLIC HEARING ON THIS DATE? No
BACKGROUND AND POLICY IMPLICATIONS:
Currently, the entirety of Deschutes County government is a HIPAA "Covered Entity." This means that
all County employees, whether they regularly use protected health information or not, must be HIPAA
trained and must comply with HIPAA privacy and security rules.
In order to reduce the number of County employees that are subject to HIPAA privacy and security
rules, County's Legal Dept. recommends that the County adopt "Hybrid Entity" status under HIPAA.
If the County becomes a Hybrid Entity, only those County departments/divisions that regularly use
protected health information (i.e., Health Services, Community Justice, Legal, etc.) would be subject to
HIPAA privacy and security rules. Other departments (i.e., Road Dept., Solid Waste, Community
Development, etc.) would not be subject to those rules.
It is anticipated that adopting Hybrid Entity status would make it easier for the County to (a) comply
with HIPAA training requirements, (b) satisfy HIPAA rules relating to the privacy and security of
protected health information, and (c) reduce the possibility of HIPAA breaches by County employees
who do not regularly use protected health information and are, therefore, not familiar with HIPAA rules
governing that information.
FISCAL IMPLICATIONS:
It is anticipated that adoption of Hybrid Entity status would reduce the County's HIPAA training costs.
RECOMMENDATION & ACTION REQUESTED:
Advise the Legal Dept. whether to move forward in the process of adopting Hybrid Entity status -
specifically, by briefing affected department heads and drafting necessary documents.
ATTENDANCE: John Laherty
DISTRIBUTION OF DOCUMENTS:
BOCC; Administration.
DESCHUTES COUNTY LEGAL COUNSEL
JOHN E. LAHERTY
Assistant Legal Counsel
541-330-4645
TO: Board of County Commissioners DATE: October 16, 2014
RE: County Adoption of Hybrid Entity
Status for HIPAA Purposes
This memo addresses the possibility of Deschutes County adopting "hybrid entity" status for
HIPAA purposes.
I. What is "Hybrid Entity" Status Under HIPAA and Why Should Deschutes County
Consider Adopting It?
Over the past twenty-five years, many health-care providers and insurance companies have
adopted a system of storing, maintaining and sharing patients' protected health information
("PHI") in an electronic format. As this practice has increased, so have concerns over patient
privacy. In response to these concerns, Congress enacted the Health Insurance Portability and
Accountability Act ("HIPAA") in 1996. "Covered entities" -- consisting of health plans, health
care providers, and other entities (i.e., medical billing services) that transmit PHI electronically --
must comply with HIPAA's provisions. HIPAA places restrictions on how, and under what
circumstances, a Covered Entity may disclose a person's PHI, and establishes standards for how
Covered Entities must store, maintain and access PHI.
Ordinarily, if any part of an entity qualifies for Covered Entity status, then the entire entity is
considered a Covered Entity for HIPAA purposes. By way of example, because certain
Deschutes County departments (i.e., the Health Department) provide health-care services and
transmit PHI electronically, the entire County government is likely a Covered Entity. Therefore,
any County employee who comes into possession of PHI must comply with HIPAA rules,
regardless of whether he or she performs any health-care related function.
In order to avoid the entire County government -- and all County employees -- being subject to
HIPAA, the law allows the County to adopt "Hybrid Entity" status. A Hybrid Entity is one in
which certain agencies or departments are designated as "Health Care Components" and others
as "Non-Health Care Components." In a Hybrid Entity, only the Health Care Components must
comply with HIPAA's provisions -- Non-Health Care Components are exempt from the law's
requirements.
As a practical matter, the County's adoption of Hybrid Entity status would reduce the number of
County departments and employees subject to HIPAA. This in turn would likely reduce the
chance of HIPAA violations within County government. In particular, adoption of Hybrid Entity
status would insulate the County from HIPAA liability for the actions of County employees who
do not perform health-care related services -- i.e., the employees least likely to be familiar with
HIPAA's requirements and, therefore, the most likely to inadvertently violate HIPAA. Adoption
of Hybrid Entity status would also reduce employee training, since only those County employees
working for a "Health Care Component" would need to be HIPAA-trained.
II. How Would Deschutes County Adopt Hybrid Entity Status?
Adoption of Hybrid Entity Status would involve several steps. Specifically:
(1) The Board of County Commissioners would need to adopt a resolution declaring the
County a Hybrid Entity and designating each department (or other subdivision) of County
government as either a Health Care Component or a Non-Health Care Component;
(2) The County would need to appoint a "security official" responsible for developing and
implementing HIPAA-compliant policies and procedures regarding the Health-Care
Components' handling, storage and maintenance of PHI;
(3) The County would need to appoint a "privacy official" responsible for developing and
implementing HIPAA-compliant policies and procedures regarding the Health-Care
Components' disclosure of PHI;
(4) The County would need to adopt HIPAA-compliant security and privacy policies; and
(5) The County would need to provide HIPAA training to County employees working for a
Health-Care Component.
It should be noted that if the County does not adopt Hybrid Entity status, HIPAA still requires
the County to perform items 2 through 5, above (with the required policies, procedures and
training applicable to all of County government, rather than just the Health-Care Components).
So, these items do not impose any additional burden on the County as a result of electing Hybrid
Entity status.
III. What Are the Possible Drawbacks to Adopting Hybrid Entity Status?
Aside from the resources involved in performing the necessary steps to become a valid Hybrid
Entity, the main issue is how Hybrid Entity status will affect the County's ability to share PHI
internally. Currently, because the Covered Entity consists of all of County government, separate
departments can share PHI openly. For instance, if the County personnel department requests an
individual's medical records from the County health department, the health department can
provide that PHI without any HIPAA issues being raised. However, if the County were to adopt
Hybrid Entity status, Health Care Components of County government would only be able to
share information with Non-Health Care Components in accordance with HIPAA restrictions
and requirements (in most circumstances, upon a court order, execution of a Business Associate
Agreement or with the patient's consent). This could reduce the efficiency of County operations
in those situations where a Non-Health Care Component needs to access PHI in order to perform
a function.
This drawback could be significantly reduced, if not entirely eliminated, by making the Health
Care Component designation broad enough to encompass any County department that may
reasonably be expected to handle PHI in the future. Of course, the broader the Health-Care
Component designation, the more County employees that are subject to HIPAA, and the weaker
the benefits of electing Hybrid Entity status become. For this reason, it is important that the
designation of a County department as a Health Care Component or Non-Health Care
Component be performed after careful consideration of the frequency with which the department
may need to access PHI.