This article is from the archives of the UB Reporter.

Questions & Answers

Published: October 2, 2003

Brian W. Murphy, director of the health professions IT partnership in the Office of the Vice President for Health Affairs, serves as director of HIPAA compliance for UB.

What is HIPAA?
HIPAA (Health Insurance Portability and Accountability Act of 1996) is a federal law originally intended to provide for the portability of health insurance when employees change jobs. HIPAA accomplished this by eliminating the pre-existing condition waiting periods previously associated with seeking health insurance through a new employer. Since the law's introduction, federal regulations associated with it have mushroomed in an attempt to standardize certain electronic transactions and protect individually identifiable health information that is created or received by any entity HIPAA has jurisdiction over. HIPAA defines its covered entities as health-care plans, health-care clearinghouses or health-care providers that engage in specific electronic transactions associated with the provision of health-care. As a consequence, any activity that interacts with a covered entity (patient, work-force member, student, researcher, faculty member, business associate, etc.) is impacted by HIPAA. A common misconception, however, is that HIPAA applies to all individually identifiable health information. HIPAA applies only to covered entities or entities with certain contractual relationships to covered entities. HIPAA also specifically exempts employment records and records covered by the Family Educational Rights and Privacy Act (FERPA), which applies to educational records, from its definition of "protected health information."

Who is impacted by HIPAA?
HIPAA impacts the entire health-care industry and essentially everyone who interacts with it. Anyone who has visited a health-care provider recently can thank HIPAA for the "Notice of Privacy Practices" they've been required to acknowledge. Insurance carriers have been sending out similar notices, as well as forms for you to authorize others to access your health information. All of this activity is a result of the HIPAA "privacy" regulations that took effect on April 14 of this year. This section of the regulations also affords new rights to patients, including the right to amend their health information if they believe it to be inaccurate, and the right to request an accounting of disclosures of their health information, with some exceptions, when used for purposes other than treatment, payment or health-care operations. HIPAA regulations related to the conduct of electronic transactions in the health-care industry take effect in October of this year and should be transparent to the patient, though the possibility of billing/payment delays due to glitches in the implementations by covered entities or their billing-service providers looms as a possibility. HIPAA also has a set of security regulations comprised of administrative, physical and technical safeguards that will take effect in the Spring of 2005 aimed specifically at information stored and/or transmitted electronically. I'm currently working with the office of the CIO to incorporate aspects of the HIPAA security provisions as "best practices" into general guidelines that office is developing to aid the campus in securing information that is maintained electronically.

How is UB affected by HIPAA?
SUNY is a hybrid entity under HIPAA, meaning it is comprised of functions that qualify as HIPAA-covered functions and functions that do not. UB is required to designate its covered functions that are part of the SUNY-covered entity. Currently, only the functions of the School of Dental Medicine clinic qualify. The Speech, Language and Hearing Clinic will be required to comply when it begins to transmit covered electronic transactions. A hybrid entity is free to add additional functions to the covered function when it makes sense from an operational standpoint. For example, the School of Dental Medicine's education activities also have been made part of that SUNY-covered function. Several functions not required to comply with HIPAA will, nonetheless, be adopting HIPAA as a "best practice." These include the Student Health Center and Student Counseling Center. HIPAA also impacts UB students who train within covered entities in that it requires workforce training on HIPAA-specific policies and procedures. Under HIPAA, students within a covered entity are considered part of its workforce and are therefore required to receive HIPAA training. The UB health professions schools (Medicine and Biomedical Sciences, Dental Medicine, Nursing, Pharmacy and Pharmaceutical Sciences, Public Health and Health Professions), as well as the School of Social Work, have deployed general HIPAA awareness programs for their students to help prepare them for HIPAA in their educational experiences within covered entities. Non-SUNY covered entities closely tied to UB are the Research Foundation health plan activities and the medical/dental practice plans associated with the schools of Medicine and Biomedical Sciences and Dental Medicine. The teaching hospitals affiliated with UB also are HIPAA-covered entities.

Some UB research involves the health information of research subjects. How does HIPAA apply?
In general, research at UB has been specifically defined as SUNY activity that is not part of the SUNY-covered function. This option is available to UB under HIPAA because of its structure and covered-function activities. In contrast, SUNY Upstate Medical Center has elected to place research entirely within its SUNY-covered function. As a consequence, all research activities of that facility are obligated to comply with the full set of HIPAA regulations and are subject to potential civil and monetary penalties for violations that range from simply changing policies and procedures that are found to be non-compliant to $100,000 and time in a federal penitentiary for purposeful violations that bring personal gain. However, even though research at UB is not part of a HIPAA-covered function, UB researchers often acquire information from covered entities in order to conduct their research, and those covered entities also are potentially subject to the full range of HIPAA penalties if a UB researcher acquires any protected health information in a HIPAA non-compliance matter. As a result, HIPAA has a direct impact on those research activities. In general, HIPAA provides seven mechanisms—individual authorization, waiver of authorization, limited data set, de-identified data set, reviews preparatory to research, research on decedents, transition provision for existing research—by which health information can be collected for research purposes under HIPAA. Many of these mechanisms closely parallel protections already employed by researchers using protected health information (PHI), but HIPAA formalizes them and occasionally adds some unexpected twists in terms of new documentation requirements, or by imposing restrictions on the way information can be used under a given mechanism.
In addition, PHI acquired by any mechanisms other than reviews preparatory to research, de-identified data or a limited data set constitutes a disclosure of PHI by the covered entity to the researcher. The covered entity is required by HIPAA to track such disclosures and account for them to patients upon request. Acquiring PHI (protected health information) in a way not consistent with the requirements prescribed by these mechanisms can generate a HIPAA violation for the covered entity supplying the health information. To avoid generating liabilities for our covered entity partners, the UB Institutional Review Boards, which traditionally have been responsible for human subject protections in research, have taken on the additional burden of ensuring that protocols involving the provision of health care or accessing health information from other entities do so in a HIPAA-appropriate fashion.

How did you get involved with HIPAA compliance at UB?
I've been working with HIPAA out of the Office of the Vice President for Health Affairs for more than three years. In the fall of last year, SUNY began a HIPAA effort and I served as an advisor to Robert Wagner (former senior vice president who now serves as senior counselor to the president) on that project, which included an outside consultant evaluating HIPAA implications for UB. SUNY requested that each campus provide a liaison to its HIPAA-mandated "privacy officer" position, and in January of this year I accepted additional job responsibilities associated with that requirement for UB and added "UB director of HIPAA compliance" to my title. Currently, I report to Kevin Seitz (vice president for university services) and Margaret Paroski (interim vice president for health affairs) on HIPAA-related issues. The job has proven to be very exciting, as it has necessitated an examination of basically every nook and cranny of the university, on both the academic (provost, deans, vice president for research, research centers, etc.) and service (Human Resources, CIT, business office, vice president for student affairs, Sub-Board I, etc.) sides in an attempt to determine which functions might have to comply with HIPAA and which functions might be receiving information from entities that must comply with HIPAA. Because the university is a dynamic place, constant monitoring is required to insure that new entities that fall into the HIPAA sphere of influence are identified and dealt with appropriately. HIPAA also is, for obvious reasons, a topic of interest nationally at institutions of higher education. UB is considered by SUNY to be in the forefront of dealing with HIPAA in a university setting. Consequently, this position also affords me the opportunity to share the UB approach to HIPAA with others at national meetings, such as the upcoming National Council of University Research Administrators meeting in Washington, D.C.

Where can one get further information about HIPAA?
Questions with respect to HIPAA and the operations of any individual component of the university should be directed to me at bwmurphy@buffalo.edu or 829-3866. Information also is available at http://www.hpitp.buffalo.edu/hipaa.