Module 8: HIPAA Enforcement Support and Resources

Iliana Peters
Length: 18:31 | Format: Video with PowerPoint
Related Content: Module 8 HIPAA Enforcement Support and Resources.pdf

Loading the player ...

Okay, so, um…let’s quickly move to Module 8, which I think will be helpful for you because it really talks about some support and resources for you when you’re when you’re working through these, um, investigations and any issues that you may have. After Module 8, we’ll take a break and then we’ll come back and do a post-assessment, um, and work through some more questions and a case study and then some case evaluations. So, we’re very near to the end of the day, and I really appreciate your continued participation um, and hard work through all of this information. It’s a lot, I know. Um, so hopefully after we work through Module 8, you’ll be able to have sort of a better idea where to find some resources, some guidance, frequently asked questions to help you through this material. Even still as I work through a lot of these questions myself, one of the places that I continuously go is the preamble to the Final Rules, um, which is available on our website, but that’s something I continuously use when I’m working through how to sort of think through the provisions of the rule, what were contemplated when the rule was written, all of those types of issues. So, um, let’s figure out where you can find those when you’re doing it. So, um, some of the citations to statute and regulations are…this is what our website looks like…our main page. It’s and there are a whole host of different resources that are from your left hand toolbar and one of the places you can go is, um, “A Summary”, but you can also go to “Statutes and Regulations”. So, both of those links are there. I’m not sure whether I can…actually, can I link to them from here? (from the audience): “no.” No? Okay. So, um, I will let you test those out when you get home. But, as you can see from that um, left hand toolbar….um…under “Understanding HIPAA Privacy”. When you’re looking at the webpage, there’s that summary of the Privacy Rule, which talks a lot about the things that we’ve talked about today. But, there are also that statutes…uh….what does it say? It’s um…I can’t read from here, but it it’s “Statutes and Regulations”. You can also click there and it takes you to the actual text of the regulations. We also have multiple guidance documents on website. The way we have the website currently set-up, which will change a little bit in the near future. We’re working on a website re-design now, so this website will look a little bit different, uh, differently the next time and in in in the next year or so, we’re working to re-design it to really be more, sort of topic-focused. Right now the way we have it divided up, we…uh, have resources for consumers and resources for covered entities. So, when you’re sort of trying to frame a question, you kind of have to put on your “Okay, if I was a covered entity, how would I be approaching this? Or, if I was a consumer, how would I be approaching this? ” Um, because it’s really how we designed our website because those are the types of entities that are coming to our website to really find guidance and help, um, in…coming into compliance if you’re a covered entity or figuring out what your rights are, how to file complaints, those types of issues if you’re a consumer. So, when you come to our website, if you are looking for an issue, let us say, about compliance with the rule by a covered entity, then you could go to the um, “Issue for Covered Entities”. Thank you. So, if you’re going this um…”For Covered Entities” site. So, here we have “Summaries of the Rules”. We have the “Administrative Simplification Statutes and Rules”, so that this is where you find all the regulations, which was the slide I was just talking about before. But, when you’re looking at the “Covered Entity Guidance”, if you scroll down a little bit more…there are a whole host of different guidance documents- “How To Determine If You’re A Covered Entity”, “Guidance Material for Small Providers”, “Summaries of the Rule”, these are guidance on specific aspects of the Rule, “The Security Rule”, “Security Risks” , “Safeguarding”, “De-Identification”. These “Fast Facts” are a whole host of different um, issues on employment that we wouldn’t necessarily cover. Sample business associate contracts. This “Disposal Frequently Asked Questions” set we did as a result of a lot of these dumpster-diving cases. We also worked with the um, Department of Education on guidance with regard to the interaction overlap between FERPA and HIPAA, and how that works. So, that guidance document is here too. We also a list serve. So, all of these links are available. These guidance documents are very helpful. So, if you have a question about, for example, do you have educational records and are they accepted because they’re covered by FERPA? You can go to that document on FERPA and HIPAA and really figure out what’s going on in terms of the situation with the with the records. So, there’s some additional…can we get back to the slide set? Thank you. So, the additional Security Rule materials are also available. Um, a lot of these materials were originally published by CMS when they had the Rule. Um, they’re very helpful. I think they’re very thorough and um, we can, we would continuously work to update these as well. We also work very closely with the National Institutes for Standards and Technologies, as Kurt talked about earlier, NIST, because they provide security guidelines as well. So, you can find links to this, the NIST guidance documents also. So, we have what we call “Frequently Asked Questions”, these carry the weight of law, they are guidance, um, legal guidance materials. Um, they’re very well vetted in the Department. Um, so, our General Counsel looks at it. Um, so these are specific question/answers, so, they’re they are phrased like a question, so a covered entity might have a question like, um, “Are employment records covered?” And if you type in the search phrase “employment records” in the search phrase box, you’ll get all of the questions that deal with employment records. Any particular issue, you could “dumpster” in there and you’d get all all of the of the applicable questions. And, uh, the legal guidance also includes the citations to the rule. So, if you have a quick question, like this, if you can click on any one of these like this one is, um, “Can an Authorization Be Used Together With Other Written Documents?” So, this would be the answer here. This one…can we go back? This one doesn’t have a citation in it. Um, let’s see, here’s a “Public Health Provision”. Let’s look at that one. Right. So, this for example, talks about OSHA requirements that overlap with OSHA. Um, it talks about pre-placement physicals and drug tests. So, we have all of this guidance on this website that’s very specific to all of these different questions and um, I’m trying to think if this one has a…well, if there’s an applicable citation, it will have the applicable citation as well. If you have a question on these, and you’re talking to one of the regional representatives or you’re talking to someone at headquarters about this material, we may ask you what the FAQ number is. When our system switched over that’s a little bit hard to find, but if you’ll see, it’s up in the URL. So, for example, this is FAQ #301, because it’s 301 there at the end of the URL. So, it’s it’s that’s really sort of the way we refer to these FAQs. So, if you were…if you were working with someone and they asked you what number FAQ it is, that’s what we mean by that. But this is just to give you a good sense of the the fact that we have a whole host of these questions and answers on the website. We get these questions from a lot of different people, consumers and covered entities. Um, if an issue comes up, we’ll do a a suite of them and then publish them on the website, so they’re constantly being updated. And, of course, all of them will be updated. All of the guidance on our website will be updated after the Final Rule is published, that Final Rule we talked about earlier. We also have case studies, so if you’re curious about, um, interaction of these issues in any particular entity or by issue, that’s how we have our case studies, um, set-up. So, you can look at, for example, if you’re curious about…ummm…like, that example we had about condition and compliance with the Privacy Rule, that case study that we did, um, you can click on that and it would go to that particular issue. Can we go over here and click on that? Here we go. Can you go back one? This one right here. So, let’s see. It’s up there at the top. It says “Private Practice Conditions”. Yes. So, if we click on this, right here. Then we get the facts that we talked about earlier in our case study. So, these are all cases that we actually dealt with and have come to some sort of resolution. So, if you have questions about how any of these, um, issues or entities, how it works in practice, you can go here and look at our…our case studies. We also frequently update these depending on, um, you know, if we get..if we get cases that we think are good example for both entities and for consumers to look at to see how this works out in practice. The Enforcement webpage, um, talks about our enforcement process, for example, has that chart that you have in your book, where Kurt walked through when the complaint comes in and it goes to DOJ over here and it’s resolved here. Um, those are the different types of materials that we have on this part of the website. So, if you have more questions about, “Okay, I remember him talking about, um, the Enforcement Rule, or how many complaints come into OCR.” If you want to, you know, if you’re talking to your boss about, you know, the scope of this issue and you want to find that graph, you can go here, um, and get those resources here. So, the other thing that’s contained on this on…the case studies website, I believe. I think it’s in…it’s with the case studies, is all our resolution agreements. So, I know we talked had some questions earlier about what’s available on the website, you can get to the resolution agreements from the website and you can look at, um, the documents that are attached there as well if you want to see how those actually look. Um, you know, in PDF, you can pull them up. Okay, so that’s about it. Does anybody have any questions on the website? Where you might find documents? Or, um, what you…anything you think you might need? That you need to know where it is? Yes. (from the audience): “You said earlier that…uh…you could get to the preamble from the website, right? I didn’t see where that was.” I think it’s in…um, if you go…Can you click on the link? Can we go back to the page here? By any chance? Yes? No?......Thank you. Okay, so if we go, um, “Administration Simplification Statute and Rules”. Click there. And then if we go to the Privacy Rule, if you click here, and then if we go to “Modifications to the Final Rule” here, that’s the preamble. So it has the preamble and the regulation text at the bottom. And the good thing about this is this is actually word-searchable. So, if you have an issue that you want to look at, like, for example, I’m trying to think of one that I did recently. Um, I think it was a a wellness plan’s program or something. And so, I just did a quick search of wellness plans and you can, you know, do a quick word search within that preamble language to look for whatever issue you’re looking for, sort of to to see how…how the writers, um, were contemplating these these provisions when they wrote the rules. Anyone else?....Yes. (from the audience): “Do you have the NPDs, uh, posted publicly. Yes, I believe they are….Sorry, can we go back to the website? If we go to “Enforcement Activities and Results”, which is this here. And we go to, um, to “Case Examples and Resolution Agreements”, and if you go down to the bottom…keep going down. Okay, so we have “Civil Money Penalty Issued to Signet”. If you click on that, read the “Notice of Determination” in on the right hand side in that right hand toolbar. And the “Final Determination”, they’re both there. I’m not sure what this’s a it’s a file, so it’s going to open the file, so you can take a look at it. So, this is the Notice of Proposed Determination here. So, all the documents are accessible and you can get to them. So, as you can see, I use the website a lot. I think a lot of entities do as well because it, like I said, it’s a great resource for them. All this material is here. So, um, if you can’t find something, you know, we’re happy to help you. The regional folks are very good at using the website as well, because they refer people to it all the time. People can file complaints through the website as well. So, this is one of the ways that we get the complaints filed with our office. And the breach, um, the breach wall is here too. So, all of the information about…uh….if we go to “Understanding HIPAA Privacy”, which is at the top…on the left side. And then, um…let’s see, where is it?...Actually, I think it’s…where’s breach?...Sorry, looking at it…Yeah, I think it’s actually, I think you’re right, it’s actually in this section here…this one. Can you click on this? Thank you. There we go. “Breach Notification Rule”. And then if you look at um…if you go down…where it says “View Breaches Affecting 500 or More Individuals” on that right hand side, if you click on that list, that’s the quote-on-quote “Wall of Shame”. So, here. Here’s all the information about all of the over five hundred or more individuals affected-breaches. So, you can look, you know, you can figure out why this entity is in your state, how many people were affected, what the details are…(from the audience): “How long do those entities stay on that…on that…’Wall of Shame?’”We, as right now, don’t really have any cut-off date. (from the audience): “inaudible” Yeah. (from the audience): “Can you post the Notice Letters that went to consumers as well, or is it just…” No, this is it. The…the notice letters go directly from the entity.(from the audience): “Right.” Yeah. So when, when a…a covered entity notifies HHS, when they notify us, it’s a form they fill out on the website. So, it’s a different notice than what what, than what the covered entity sends to the individual. Yeah. Yes?! (from the audience): “This is not related to the website, but if…if we get a consumer complaint um, where somebody says that they think they’re…whatever their complaint is…it it is clear to us that there’s violation of HIPAA, and so we start to look into it…”Um hmm. (from the audience): “At, at what point do you…does HHS want us to contact…only at the point where we’re thinking of opening up a larger-scale investigation, whether into their Privacy and Security Rules, or…”I think, I mean, I think as Sean said earlier, the earlier the better. I mean, you know, obviously, if you’re…even if you’re trying to work through the issues and trying to figure out whether or not you have an allegation you want to pursue, that you think it’s worth your time, what the…what the…sort of what the ins and outs are. Are there any red herrings that you want to talk through? You know, those sorts of things. We’re more than happy to get involved earlier with you, before you try and decide whether you want to expend all these resources to dealing with all of these issues. Um, granted, if you decide to run with it and want to bring us in later too, that’s okay, that’s your decision as a…as a state enforcement agency. So, it’s…it’s up to you, um, we’re happy to provide you technical assistance, in terms of how this…how the rule works and any any assistance that you need. We do that for entities, we do that for consumers every day, so, I mean…that’s part of…sort of what what we do. Um, so there’s no reason why you should feel shy about calling us early on if you just have questions. Um, and granted, if you do, and you feel comfortable and you want to run with it and bring us in later on, obviously, we’d still like to come in early just to make sure that, you know, we’re coordinating on things. But, um, but, you know, it’s…it’s up to you. (from the audience): “And, does it make more sense to contact someone from your regional office?” That, yes, I think it does make the most sense to talk to the regional folks because those are the people who will really be dealing with, um, the particular…if there is a complaint, that is similar to the facts that you’re dealing with, they will be the ones who will actually be investigating that complaint. Um, so the…the regional…the regional people…it’s all of the information that, um, Kurt, presented earlier about the regions and about how to contact the regions directly are also on the website. So, you can call the regions directly, um, if for some reason, you can’t figure out who you’re really supposed to call, you can always call me. (from the audience): “(inaudible)….(laughter)” Call Kurt! Call Kurt! Yeah, or John. No, you can call me, you can call Kurt, you can call John, you can…You know, we’re all available to you. Um, anyone at headquarters will be happy to help. If you get the wrong region, they’re not going to tell you, “Sorry, we can’t help you.” They’ll, they’ll figure out who you need to talk to, you know what I mean, so please don’t…like I said, don’t be shy in calling us, um, because that’s part of what we do. (from the audience): (inaudible) Does anyone else have any other questions right now?
(To use allow video to load completely)
  • Module 8: Introduction, Objectives and Overview
  • Lesson 1: Resources Available From OCR
  • Module 8 Summary

Tell a friend: