North Carolina Department of Health and Human Services

DHHS POLICY AND PROCEDURE MANUAL
Section VIII: Security and Privacy
Title: Privacy Manual
Chapter: Definitions
Current Effective Date: December 5, 2003
Revision History:
Original Effective Date: April 14, 2003
Key privacy terms found in the NC Department of Health and Human Services (DHHS) Privacy
Policies are defined below.
Access to Health Information: Refers to the right of DHHS clients to request to inspect and copy
their health information in any designated record set maintained by a DHHS agency.
Accounting of Disclosures: Refers to the right of DHHS clients to a statement of the disclosures
made by a DHHS agency of their health information, for a period of time not to exceed six years
prior to the date of such request. Such requests may not include dates prior to April 14, 2003.
Agency: An administrative unit of government. Within DHHS, an agency may be a division,
office, facility, or subunit of any of these organizations. Within State Government, another
department and its divisions, offices, facilities, or subunits may also be referred to as an ‘agency’.
Amendment of Health Information: Refers to the right of clients to request to amend or correct
information that is contained in any DHHS covered health care component’s designated record set.
Authorization: Permission given to a DHHS agency by a client, or a client’s personal
representative, to disclose the client’s individually identifiable health information to a specific
person or entity, for a specific purpose. Although most authorizations are written, there are specific
circumstances when verbal authorization is acceptable.
Business Associate: A person, organization, or agency that provides specific functions, activities,
or services that involve the use, creation, or disclosure of individually identifiable health information
for, or on behalf of, a HIPAA covered health care component. Examples of business associate
functions are activities such as claims processing or administration, data analysis, utilization review,
quality assurance, billing, benefit management, practice management, and repricing; and legal,
actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or
financial services.


  - DHHS Internal Business Associate: A non-covered unit within the same division or unit in
    another DHHS division that performs HIPAA covered functions for, or on behalf of, a covered
    health care component.
  - DHHS External Business Associate: Another state government department or public/private
    contractor that performs HIPAA covered functions for, or on behalf of, a covered health care
    component.
Civil Investigative Demand:
1. If the Attorney General has reasonable cause to believe that a person has information or is in
   possession, custody, or control of any document or other tangible object relevant to an
   investigation or that would lead to the discovery of relevant information in an investigation
   of a violation of North Carolina General Statute (NCGS) 108A-70.12, the Attorney General
   may serve upon the person, before bringing an action under NCGS 108A-70.12 or other false
   claims law, a civil investigative demand to appear and be examined under oath, to answer
   written interrogatories under oath, and to produce any documents or objects for their
   inspection and copying.
2. The civil investigative demand shall:
   - Be served upon the person in the manner required for service of process in civil actions
     and may be served by the Attorney General or investigator assigned to the NC Department of
     Justice;
   - Describe the nature of the conduct constituting the violation under investigation;
   - Describe the class or classes of any documents or objects to be produced with sufficient
     definiteness to permit them to be fairly identified;
   - Contain a copy of any written interrogatories to be answered;
   - Prescribe a reasonable date and time at which the person shall appear to testify, answer
     any written interrogatories, or produce any document or object;
   - Advise the person that objections to or reasons for not complying with the demand may be
     filed with the Attorney General on or before that date and time;
   - Specify a place for the taking of testimony;
   - Designate a person to whom answers to written interrogatories shall be submitted and to
     whom any document or object shall be produced; and
   - Contain a copy of subsections (b) and (c) of this section.
3. The date within which to answer any written interrogatories and within which any document
   or object must be produced shall be more than 30 days after the civil investigative demand
   has been served upon the person. The date within which a person must appear to testify shall
   be more than 15 days after the demand has been served upon a person who resides out-of-state
   or more than 10 days after the demand has been served upon a person who resides in-state.
Client: An individual who receives services from a DHHS agency. Any individual who makes
inquiries, is interviewed, or is or has been otherwise served to some extent by DHHS is also
considered a client. ‘Client’ is synonymous with other terms used by DHHS agencies such as
patient, resident, consumer, recipient, student, or customer.
Consent: Permission given to a DHHS agency by a client or a client’s personal representative, prior
to the client receiving health care services, participating in a research study, or prior to the client’s
health information being used by staff in the agency. Written consent is required, except in
emergency situations, when verbal consent is acceptable until written consent can be obtained.
Contrary: When used to compare a provision of a state law to a federal standard, requirement, or
implementation specification, means:
1. A covered health care component would find it impossible to comply with both the state and
   federal requirements; or
2. The provision of state law stands as an obstacle to the accomplishment and execution of the
   full purposes and objectives of the federal requirement.
Correctional Institution: Any facility that provides punishment, control, and rehabilitation
services to inmates and is operated by, or under contract to, the United States, a State, a territory, a
political subdivision of a State or territory, or an Indian tribe, for the confinement or rehabilitation of
persons charged with or convicted of a criminal offense or other persons held in lawful custody
(including juvenile offenders, adjudicated delinquents, aliens detained awaiting deportation, persons
committed to mental institutions through the criminal justice system, witnesses, or others awaiting
charges or trial).
Covered Entity: One of the following organizations that is subject to the HIPAA regulations:
- A health plan;
- A health care clearinghouse; or
- A health care provider who transmits any health information in electronic form in connection
  with a transaction that is subject to the Health Insurance Portability and Accountability Act
  (HIPAA) of 1996.
Covered Functions: Those functions of a covered entity the performance of which makes the entity
a health plan, health care provider, or health care clearinghouse.
Covered Health Care Component: An agency or a portion of an agency within DHHS (a hybrid
entity) that performs a HIPAA covered function and is thereby considered a covered health plan,
health care clearinghouse, or a health care provider; OR, a DHHS agency or portion of an agency
that performs a covered function for, or on behalf of, a DHHS covered health care component and is
thereby considered an internal business associate.
Data Use Agreement: Refers to a documented arrangement between a covered health care
component and another entity concerning the permitted uses and disclosures of a limited data set of
individually identifying health information that will be received by the entity from the covered
entity. Entities that receive limited data sets can only use the information for the purposes of
research, public health, or health care operations. If a data use agreement is in place, the limited data
set of individually identifying health information can be used without obtaining client authorization.
De-identified Information: Health information that does not specifically identify a client and there
is no reasonable basis to believe that the de-identified information alone could be used to identify the
client. De-identified information is not considered protected health information and can be released
without patient authorization and in compliance with other federal or state laws.
Department: The NC Department of Health and Human Services (DHHS).
Designated Record Set: A group of records maintained, collected, used, or disseminated by or for a
covered entity that contains individually identifiable health information and is used to make
decisions about clients. Individually identifiable health information contained in any form of client
record, operational or financial database, or billing system constitutes a designated record set.
Direct Treatment Relationship: Refers to treatment received by a client directly from a health care
provider.
Disclosure: The dissemination of information by a covered health care component maintaining the
information to entities outside the covered health care component.
Extended Workforce: Contractors, volunteers, trainees, students, and other persons whose
conduct, in the performance of work for a DHHS agency that maintains individually identifying
health information, is under the direct control of such entity, whether or not they are paid by that
agency. Extended workforce members must follow DHHS and agency policies and procedures.
External Business Associate: A public/private contractor or a state government department or
agency outside of DHHS that performs activities for, or on behalf of, a DHHS covered health care
component that involves the use or disclosure of individually identifiable health information. For
example, the NC Office of the Attorney General in the Department of Justice provides legal services,
a covered function, for DHHS agencies.
Family Educational Rights Privacy Act (FERPA): A federal law [20 United States Code (USC) §
1232g; 34 Code of Federal Regulations (CFR) Part 99] that sets forth the rights of a student’s parents
and of students, and the correlating duties of education agencies and institutions regarding education
records. The law applies to all schools that receive funds under an applicable program of the United
States (US) Department of Education.
Fundraising: The organized activity of raising funds for an agency’s cause.
Health Care: Services or supplies related to the health of an individual. Health care includes, but is
not limited to, the following:
- Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care; and
  counseling, service, assessment, or procedure with respect to the physical or mental condition,
  or functional status, of an individual or that affects the structure or function of the body; and
- Sale or dispensing of a drug, device, equipment, or other item in accordance with a
  prescription.
Health Care Clearinghouse: A public or private entity, including a billing service, repricing
company, a community health management information system or community health information
system, or “value-added” networks or switches that perform or facilitate the conversion of health
information in nonstandard formats to standard formats for use in standard HIPAA transactions (and
vice versa). Health care clearinghouses are HIPAA covered entities.
Health Care Operations: Any of the activities listed below that are performed by or for a covered
entity to the extent that the activities are related to covered functions.
- Quality assessment and improvement activities, population-based activities relating to
  improving health or reducing health care costs, protocol development, case management and
  care coordination, contacting of health care providers and patients with information about
  treatment alternatives; and related functions that do not include treatment.
- Reviewing the competence, qualifications, or performance of health care providers or the
  evaluation of a health plan performance.
- Training students, trainees, or health care practitioners so that they can practice or improve
  their skills as health care providers.
- Training of non-health care professionals.
- Accreditation, certification, licensing, or credentialing activities.
- Underwriting, premium rating, and other activities relating to the creation, renewal or
  replacement of a contract of health insurance or health benefits.
- Conducting or arranging for medical review, legal services, and auditing functions, including
  fraud and abuse detection and compliance programs.
- Business planning and development.
- Customer service, including the provision of data analyses for policy holders, plan sponsors,
  or other customers, provided that individually identifiable health information is not disclosed.
- Resolution of internal grievances.
- Due diligence in connection with the sale or transfer of assets to a potential successor in
  interest if the potential successor is a covered entity or, following completion of the sale or
  transfer, will become a covered entity.
- Creating de-identified health information.
- Performing fundraising or marketing activities for the benefit of the covered entity for which
  an individual authorization is not required.
Health Care Plan: An individual or group that provides or pays the cost of health care. A health
plan includes the following, singly or in combination:
- Group health plan;
- Health insurance issuer;
- Health Maintenance Organization;
- Part A or Part B of the Medicare program;
- Medicaid;
- Issuer of a Medicare supplemental policy;
- Long-term care, excluding nursing home fixed-indemnity policies;
- Employee welfare benefit plan established and maintained to offer or provide health benefits
  for employees with two or more employers;
- Health care for active military personnel and veterans;
- Civilian Health and Medical Program of the Uniformed Services (CHAMPUS);
- Indian Health Service (IHS) under the Indian Health Care Improvement Act;
- Federal Employees Health Benefits Program;
- An approved state child health care plan established in accordance with the Social Security
  Act;
- Medicare+Choice program under the Social Security Act; and
- A high risk pool that is a mechanism established by a state to provide health insurance
  coverage or comparable coverage to eligible individuals.
Health care plans exclude:
- Any policy, plan, or program that pays for the following benefits:
  - Coverage only for accident or disability income insurance, or any combination thereof;
  - Coverage issued as a supplement to liability insurance;
  - Liability insurance, including general liability insurance and automobile liability
    insurance;
  - Workers' compensation or similar insurance;
  - Automobile medical payment insurance;
  - Credit-only insurance;
  - Coverage for on-site medical clinics; or
  - Other similar insurance coverage, specified in regulations, under which benefits for
    medical care are secondary or incidental to other insurance benefits; and
- A government funded program:
  - Whose principal purpose is other than providing or paying for the cost of health care; or
  - Whose principal activity is the direct provision of health care to individuals or the making
    of grants to fund the direct provision of health care to individuals.
Health Care Provider: Refers to individuals such as physicians, nurses, psychotherapists, and
other persons; and entities such as hospitals, nursing homes, clinical labs, and pharmacies that
furnish, bill, or are paid for health care.
Health Information: Any information, whether oral or recorded in any form or medium, that:
- Is created, maintained, or received by a health care provider, health plan, public health
  authority, employer, life insurer, school or university, or health care clearinghouse; and
- Relates to the past, present, or future physical or mental health or condition of an individual;
  the provision of health care to an individual; or the past, present, or future payment for the
  provision of health care services to an individual.
Health Record: An official written documentary of a client’s history, illness, and treatment during
a specified period of time, which is compiled and maintained by the health care provider.
HHS: The United States Department of Health and Human Services.
HIPAA: The Health Insurance Portability and Accountability Act of 1996 (August 21), Public Law
104-191, which amends the Internal Revenue Service Code of 1986. HIPAA was enacted to:
- Improve portability and continuity of health insurance coverage in the group and individual
  markets;
- Combat waste, fraud, and abuse in health insurance and health care delivery;
- Promote the use of medical savings accounts;
- Improve access to long-term care services and coverage;
- Simplify the administration of health insurance through the standardization of electronic
  client health, administrative and financial data, and unique health identifiers for individuals,
  employers, health plans, and health care providers;
- Create national privacy and security standards to protect the confidentiality and integrity of
  past, present, and future individually identifiable health information.
Hybrid Entity: A single legal entity:
- That is a covered entity whose business functions include both covered and non-covered
  functions; and
- That identifies and designates the covered health care components within the entity.
DHHS has been designated as a Hybrid Entity.
Incident: Any happening that is not consistent with the routine operation of a health care provider
or the routine care of a client.
Incidental Access or Disclosure: An unpredictable exposure to individually identifying health
information that occurs as a result of an activity taking place where individually identifying health
information is created, used, received, transmitted, or stored. For example, a cleaning lady may
enter the office of a health care provider while that provider is reviewing X-rays and inadvertently
see the name of the client on the film.
Indirect Treatment Relationship: An association between a client and a health care provider in
which:
- The indirect provider delivers health care to the client based on the orders of a direct health
  care provider; and
- The indirect provider typically provides services or products, and reports the diagnosis or
  results to the direct health care provider, who in turn provides the diagnosis or results
  directly to the client.
Individual: The person who is the subject of individually identifying health information.
Individually Identifiable Health Information (IIHI): A subset of health information that is
collected from a client, including demographic information, and:
- Is created or received by a health care provider, health plan, employer, or health care
  clearinghouse;
- Relates to the past, present, or future physical or mental health or condition of an individual;
  the provision of health care to an individual; or the past, present, or future payment for the
  provision of health care to an individual; and
- Identifies the individual; or
- There is a reasonable basis to believe the information can be used to identify the individual.
NOTE: According to the HHS Office of Civil Rights (OCR), the identification of a health care
provider/facility is considered to be indicative of the provision of health care services; therefore, if
an individual identifier for a DHHS client is combined with the name of a health care provider, such
information is considered individually identifiable health information.
Inmate: A person who is committed, under sentence to, or confined in a penal or correctional
institution.
Institutional Review Board (IRB): A board, committee, or other group formally designated by an
institution to review, to approve the initiation of, and to conduct periodic review of biomedical
research involving humans as subjects. The primary purpose of such review is to assure the
protection of the rights and welfare of the human subjects. IRBs also have the authority to approve
requests to alter or waive the HIPAA authorization requirement for research purposes.
IRBs have authority to approve, require modification to, disapprove, and conduct periodic reviews of
all research activities covered by the Common Rule and FDA Protection of Human Subjects
Regulations (45 CFR 46, Subpart A and 21 CFR 50, respectively). Requirements concerning the
composition and procedures of an IRB are defined in 45 CFR 46 (for research subject to 45 CFR 46)
and in 21 CFR 56 for research subject to 21 CFR 50.
Internal Business Associate: A DHHS division or office or component within a DHHS division or
office that performs activities for or on behalf of a DHHS covered health care component that
involves the use or disclosure of individually identifiable health information. An internal business
associate can be in the same or different agency as the covered health care component. For example,
the Central Billing Office in the DHHS Office of the Controller is an internal business associate of
the DMH/DD/SAS facilities because the Central Billing Office provides a billing service for those
facilities.
Institution: Any penal or correctional facility, including but not limited to a facility for the
mentally ill or mentally defective, in which inmates may lawfully be confined. In the case of DHHS
mental institutions, clients may also be voluntarily admitted.
Limited Data Set: A set of data to be used only in public health, health care operations or research
that excludes specified direct identifiers about individuals, their relatives, their employers, or
members of their households. Limited data sets may be disclosed pursuant to written “Data Use
Agreements” and are exempt from the accounting of disclosure requirements.
Long Term Care Ombudsman: An advocate in the DHHS Division of Aging for residents in
nursing homes and adult care homes (rest homes/assisted living) throughout North Carolina.
Ombudsmen receive and investigate complaints made by or on behalf of long term care residents
and work for their resolution. The Ombudsman Program is an advocacy program, not a regulatory
agency.
Marketing: Communication about a product or service, the purpose of which encourages clients to
purchase or use the product or service. The following communications are NOT considered
marketing:
- Describing a product or service provided by the agency;
- Reviewing treatment of a client;
- Discussing case management or coordination of care; and
- Recommending alternative treatments.
Minimum Necessary: The least amount of health information necessary to accomplish the intended
purpose of a use, disclosure, or request.
More Stringent: When used in the context of a comparison between a provision in a state law and a
federal standard, requirement, or implementation specification, the determination of a restriction or
permission as to which imposes the most rigorous standards or provides the greater privileges.
Non-covered Health Care Component: A DHHS agency, or a portion of an agency, that maintains
individually identifiable health information but has been exempted from complying with HIPAA
requirements. Such agencies are required to comply with specific DHHS privacy policies.
Notice of Privacy Practices: A document created by a covered health care component that informs
clients of their privacy rights and the covered health care component’s responsibilities with respect
to the use and disclosure of their health information.
Office of Civil Rights (OCR): The agency within the US Department of Health and Human
Services that is responsible for enforcing the HIPAA Privacy Regulations.
Payment: Activities undertaken by:
- A health plan to obtain premiums or to determine or fulfill its responsibility for coverage and
  provision of benefits under the health plan; or
- A covered health care provider or health plan to obtain or provide reimbursement for the
  provision of health care.
Payment activities relate to the client to whom health care is provided and include, but are not
limited to:
- Determinations of eligibility or coverage (including coordination of benefits) and claims
  adjudication;
- Risk adjustments;
- Billing, claims management, and collection activities;
- Medical necessity review and/or justification of charges;
- Utilization review activities; and
- Disclosure to consumer reporting agencies of any of the following individually identifying
  health information relating to collection of premiums or reimbursement:
  - Name and address;
  - Date of birth;
  - Social Security Number;
  - Payment history;
  - Account number; and
  - The name and address of the health care provider and/or health plan.
Personal Representative: A person who has been granted specific authority by law or custody
order to act for another individual, who is, in some manner, considered incapacitated. A personal
representative is the same as a ‘legally responsible person’ as defined in NC General Statute 122C-3
(20); ‘health care power of attorney’ as defined in Article 3 of NC General Statute 32A; or ‘guardian
of the person’ as defined by NC General Statute 35A-1202.
Privacy: According to Webster, privacy means: “1.a. The quality or condition of being secluded
from the presence or view of others. b. The state of being free from unsanctioned intrusion: a
person’s right to privacy. 2. The state of being concealed; secrecy.”
Privacy of health information refers to the legal right to, or public expectation of, confidentiality in
the collection and sharing of an individual’s identifying health information. Privacy problems exist
wherever individually identifiable health information that is collected and stored is disclosed for
purposes other than that for which it was gathered or against the express wishes of the client.
The challenge in health information privacy is to share data for valid purposes (e.g., state mandated
health reporting, health screening, disease registries), while protecting the individually identifiable
health information from improper use. In the majority of cases, individuals should retain the right to
decide to whom and under what circumstances their individually identifiable health information will
be disclosed.
Privacy Board: A review board that has the authority to approve requests to alter or waive the
HIPAA authorization requirement for a research protocol. (NOTE: all other reviews related to
research on human subjects must be conducted by an Institutional Review Board). A Privacy Board
must be comprised of:
- Members with varying backgrounds and appropriate professional competency as necessary to
  review the effect of the research protocol on the individual’s privacy rights and related
  interests;
- At least one member who is not affiliated with the covered entity, not affiliated with any
  entity conducting or sponsoring the research, and not related to any person who is affiliated
  with any of such entities; and
- No members participating in a review of any project in which the member has a conflict of
  interest.
Protected Health Information (PHI): A term used in the HIPAA Privacy Regulations that has the
same meaning as ‘individually identifiable health information’. The term ‘individually identifiable
health information’ was used in the DHHS Privacy Policies to describe any information, including
demographic information, that has the potential of tying the identity of a client to his/her health
information.
Psychotherapy Notes: Notes recorded in any medium by a mental health care provider
documenting or analyzing the contents of conversation during a private or a group, joint, or family
counseling session and that are separated from the rest of a client’s health record. Psychotherapy
notes exclude medication prescriptions and monitoring, counseling session start and stop times, the
modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the
following items:
- Diagnosis;
- Functional status;
- Treatment plan;
- Symptoms;
- Prognosis; and
- Progress to date.
Required by Law: In this context, a mandate contained in state or federal law that compels an
entity to make a use or disclosure of individually identifying health information and that is
enforceable in a court of law. Includes, but is not limited to, court orders and court-ordered
warrants; subpoenas or summons; a civil or an authorized investigative demand; conditions for
health care providers participating in the Medicare program; and statutes or regulations that require
the production of the information.
Research: A systematic investigation, including research development, testing and evaluation,
designed to develop or contribute to generalizable knowledge. HIPAA further defines research as
the development of research repositories and research databases.
Safeguards: Precautionary measures established to provide protections of individually identifiable
health information from unauthorized use or disclosure and to further protect such information from
tampering, loss, alteration, or damage. Such measures include development and implementation of
policies and procedures, as well as the implementation of physical and technical mechanisms
determined necessary to provide adequate protections.
Signature: The act of signing one’s own name. A signature may also be valid by making a ‘mark’
or impressing some other sign or symbol on a paper by which the signature, though written by
another for him, may be identified.
Treatment: The provision, coordination, or management of health care and related services by one
or more health care providers, including:
- The coordination or management of health care by a health care provider with a third party;
- Consultation between health care providers relating to a patient; or
- The referral of a patient for health care from one health care provider to another.
Use: The sharing of individually identifiable health information about clients within an agency by
the agency workforce in carrying out their roles and responsibilities.
Waiver/Alteration of Authorization: The removal or modification of the requirement to obtain
authorization from research subjects prior to the use or disclosure of their individually identifying
health information for a particular research protocol.
Workforce: Full and part time employees of a DHHS agency.
Workstation: Administrative and treatment areas in a facility where individually identifiable health
information is routinely used. A workstation typically includes a computer and other office
equipment, as needed.
References: 45 CFR 160.103; 45 CFR 164.103; 45 CFR 164.501; 45 CFR 164.512(i)(1)(i)(B);
NCGS 148-120; NCGS 122C-53(a); NCGS 122C-57; 10 NCAC 14G.0102; 10A NCAC 26B.0103;
NCGS 108A-70.14; Webster's Revised Unabridged Dictionary, © 1996, 1998 MICRA, Inc.