|
|
Buncombe County Health Center
Buncombe County, North Carolina, USA
July 25, 2004 |
Number of Full-Time Employees
Number of full-time employees of the Local Public Health
Agency (does not include business associates) |
Jurisdiction Population
Population of the area covered by the Local Public Health
Agency (LPHA) |
| 250 FTE |
209,000 |
Covered Entity Status
LPHA's status under HIPAA (e.g., fully covered, hybrid) |
| Initially, it was not
immediately apparent whether Buncombe County Health Center (BCHC)
would be designated a fully-covered designated health care provider
or a hybrid entity. Unlike
most counties in North Carolina, BCHC has an expanded
scope of services that includes a large outpatient primary care unit
integrated with mental health, as well as school-based health
centers and child and maternity services staffed by social workers. As a result, BCHC was subject to different constraints in
determining its covered entity status than most local public health
agencies in the state.
To make the decision about BCHC’s covered entity status,
program staff directly involved in HIPAA implementation and issues
related to protected health information (PHI) carried out a
systematic review process. BCHC staff responsible for this process
included the Privacy Officer and the Quality Improvement Coordinator
and Compliance Officer, in addition to program supervisors who were
more familiar with the PHI used in their specific programs. The
Assistant Health Director served as the liaison with the County and
also met with County officials, the County Attorney and the County Manager. The Assistant Health Director also represented the health
department, bringing forth findings to the County and responding to
questions from the County. Overall, the role of the Assistant Health
Director was to ensure that the County was involved in the
decision-making process to the extent possible.
The covered entity
status determination process included the following steps:
- Staff reviewed the definition of covered entity status,
verifying how various services are addressed under the two
coverage scenarios (i.e., fully-covered, hybrid).
- Staff
determined whether the HIPAA Privacy Rule or other federal law
governed activities conducted by the Center. For example, school nurses offer health care services in
the school setting. Since they work for the school, they are
covered by the Federal Education and Privacy Law, not HIPAA.
- Staff interviewed each program supervisor and went
through a checklist with each supervisor to identify where
protected health information (PHI) existed. The checklist was
used to further identify where PHI was stored, shared and
used.
During the examination of the various federal laws and data
collection from program supervisors, BCHC staff consulted a number
of resources to facilitate the covered-entity decision-making
process. The Institute of Government (University of North Carolina – Chapel Hill) provided white papers
that BCHC used to assist with their covered entity decision. The resources are located on the Institute of Government’s HIPAA Privacy Web site
(HIPAA Medical Privacy Rule: Information for NC Public Agencies) and include
links to white papers on specific provisions of the Privacy Rule, such as
covered entity status. The Institute of Government also provided in-person
workshops for Buncombe County and surrounding counties,
as well as video conferences on HIPAA. BCHC used resources from NCHICA (http://www.nchica.org)
and the North Carolina Association of Local Health Directors white
papers (http://www.ncalhd.org/)
as well to assist them in their covered entity decision making
process.
After conducting its
review process, BCHC designated itself a fully-covered entity. Since the health center collaborates among different programs
(some of which need not be covered entities on their own) for
their various public health functions (e.g., outbreaks, issues at
schools), it was easier for BCHC to designate itself a fully-covered
entity. The health center avoided the cumbersome amount of
administrative paperwork and extra trainings for staff that would
have been necessary as a hybrid entity, as well as the need to
create numerous firewalls. As a fully-covered entity, BCHC was not
required to designate a staff member to answer questions from others
who were having problems implementing the hybrid status. As a
covered entity, the entire agency was under the same organizational
structure. After making its covered entity decision, BCHC informed
the County. After
BCHC’s decision to be a fully-covered entity, the County
designated itself a hybrid entity.
Although
BCHC is responsible for many issues pertaining to the HIPAA Privacy
Rule, the County Information Technology Department is responsible
for information security requirements for all networks and servers
to ensure that they were secure and separate from other counties.
Previously, financial information with PHI was transferred to the
County Finance Department on paper. As a result of HIPAA, it was
necessary for BCHC to transition to an electronic system in order to
transmit billing information to the County for outside vendor
payment justification. After HIPAA, the County only receives the
minimum amount of information necessary, which is protected.
|
Structure of LPHA
How is the LPHA structured (e.g., centralized within the
state or more autonomous)? |
| Buncombe County Health Center’s
(BCHC) budget is governed by the local authority, which also funds
indigent care programs. The
County works closely with the State on programs that are
state-mandated and receives state funds related to public health
activities. BCHC is regulated by state law and the North Carolina
Department of Health and Human Services (DHHS) for enforcement of
public health services. BCHC itself works independently on
activities not mandated by the state. BCHC does not serve as a
public health authority, but as a public health department of Buncombe County.
|
Function of LPHA
What services does the LPHA provide? |
BCHC provides numerous public health
and health care services, including:
| Service Delivery Activities |
Non Service Activities |
- Adult primary care
- Child primary care (e.g., immunizations)
- School-based health care
- Social work
- Family planning
- Prenatal health
- Community health
- Employee health
- Sexually transmitted diseases (STDs)
- HIV / AIDS
- Tuberculosis
- Care for immigrants and refugees
- Women, Infants, and Children (WIC) program
- Jail health
|
- Environmental health
- Disease control and prevention
- Vital records
- Epidemiology
|
| BCHC operates 9 full-time direct service
clinics. These clinics include primary care, STD, WIC nutrition,
employee health, jail health, immunization, and school-based
health centers, as well as additional monthly nutrition and
immunization clinics. |
|
Challenge to HIPAA Privacy Rule Compliance
This section details the specific challenge to HIPAA Privacy
Rule compliance faced by the LPHA. |
| Identify and Define PHI Issues: Designated Record Set and
Protected Health Information (PHI)
As
they began implementation of the Privacy Rule, BCHC staff found it
challenging to identify the records that the Center maintained that
should be included in the “Designated Records Set” (DRS), as
defined by HIPAA. The
DRS contains medical, mental health, and billing records about
patients. In many cases, BCHC’s patient records included information
that would qualify for inclusion in the DRS, as well as other
information. Since the DRS includes anything that is used to make
decisions about the client/patient, the challenge for BCHC was to
identify all of the information residing in patient records and
determine whether it could be used to make decisions about the
client/patient.
|
Section of HIPAA Privacy Rule in Question – Rule
This section will detail the specific portion of the HIPAA
Privacy Rule that is in question.
This section will also include a
link to the full-text of the HIPAA Privacy Rule. |
| § 164.501 Definitions.
As used in this subpart, the following terms have the following meanings:
Designated record set means:
(1) A group of records maintained by or for a covered entity that is:
(i) The medical records and billing records about individuals
maintained by or for a covered health care provider;
(ii) The enrollment, payment, claims adjudication, and case or
medical management record systems maintained by or for a health
plan; or
(iii) Used, in whole or in part, by or for the covered entity to
make decisions about individuals.
(2) For purposes of this paragraph, the term record means
any item, collection, or grouping of information that includes
protected health information and is maintained, collected, used, or
disseminated by or for a covered entity.
§ 164.524 Access of individuals to protected health
information.
(a) Standard: access to protected health information.
(1) Right of access. Except as otherwise provided in
paragraph (a)(2) or (a)(3) of this section, an individual has a
right of access to inspect and obtain a copy of protected health
information about the individual in a designated record set, for as
long as the protected health information is maintained in the
designated record set, except for:
(i) Psychotherapy notes;
(ii) Information compiled in reasonable anticipation of, or for
use in, a civil, criminal, or administrative action or proceeding;
and
(iii) Protected health information maintained by a covered entity that is:
(A) Subject to the Clinical Laboratory Improvements Amendments of 1988, 42 U.S.C. 263a, to the extent the provision of access to the
individual would be prohibited by law; or
(B) Exempt from the Clinical Laboratory Improvements Amendments
of 1988, pursuant to 42 CFR 493.3(a)(2).
(2) Unreviewable grounds for denial. A covered entity may
deny an individual access without providing the individual an
opportunity for review, in the following circumstances.
(i) The protected health information is excepted from the right
of access by paragraph (a)(1) of this section.
(ii) A covered entity that is a correctional institution or a
covered health care provider acting under the direction of the
correctional institution may deny, in whole or in part, an
inmate’s request to obtain a copy of protected health information,
if obtaining such copy would jeopardize the health, safety,
security, custody, or rehabilitation of the individual or of other
inmates, or the safety of any officer, employee, or other person at
the correctional institution or responsible for the transporting of
the inmate.
(iii) An individual’s access to protected health information created or obtained by a covered health care provider in the course
of research that includes treatment may be temporarily suspended for
as long as the research is in progress, provided that the individual
has agreed to the denial of access when consenting to participate in
the research that includes treatment, and the covered health care
provider has informed the individual that the right of access will
be reinstated upon completion of the research.
(iv) An individual’s access to protected health information that is contained in records that are subject to the Privacy Act, 5
U.S.C. § 552a, may be denied, if the denial of access under the
Privacy Act would meet the requirements of that law.
(v) An individual’s access may be denied if the protected
health information was obtained from someone other than a health
care provider under a promise of confidentiality and the access
requested would be reasonably likely to reveal the source of the
information.
(3) Reviewable grounds for denial. A covered entity may
deny an individual access, provided that the individual is given a
right to have such denials reviewed, as required by paragraph (a)(4)
of this section, in the following circumstances:
(i) A licensed health care professional has determined, in the
exercise of professional judgment, that the access requested is
reasonably likely to endanger the life or physical safety of the
individual or another person;
(ii) The protected health information makes reference to another
person (unless such other person is a health care provider) and a
licensed health care professional has determined, in the exercise of
professional judgment, that the access requested is reasonably
likely to cause substantial harm to such other person; or
(iii) The request for access is made by the individual’s
personal representative and a licensed health care professional has
determined, in the exercise of professional judgment, that the
provision of access to such personal representative is reasonably
likely to cause substantial harm to the individual or another
person.
(4) Review of a denial of access. If access is denied on a ground permitted under paragraph (a)(3) of this section, the
individual has the right to have the denial reviewed by a licensed
health care professional who is designated by the covered entity to
act as a reviewing official and who did not participate in the
original decision to deny. The covered entity must provide or deny
access in accordance with the determination of the reviewing
official under paragraph (d)(4) of this section.
(b) Implementation specifications: requests for access and
timely action.
(1) Individual’s request for access. The covered entity
must permit an individual to request access to inspect or to obtain
a copy of the protected health information about the individual that
is maintained in a designated record set. The covered entity may
require individuals to make requests for access in writing, provided
that it informs individuals of such a requirement.
(2) Timely action by the covered entity.
(i) Except as provided in paragraph (b)(2)(ii) of this section,
the covered entity must act on a request for access no later than 30
days after receipt of the request as follows.
(A) If the covered entity grants the request, in whole or in
part, it must inform the individual of the acceptance of the request
and provide the access requested, in accordance with paragraph (c)
of this section.
(B) If the covered entity denies the request, in whole or in
part, it must provide the individual with a written denial, in
accordance with paragraph (d) of this section.
(ii) If the request for access is for protected health
information that is not maintained or accessible to the covered
entity on-site, the covered entity must take an action required by
paragraph (b)(2)(i) of this section by no later than 60 days from
the receipt of such a request.
(iii) If the covered entity is unable to take an action required
by paragraph (b)(2)(i)(A) or (B) of this section within the time
required by paragraph (b)(2)(i) or (ii) of this section, as
applicable, the covered entity may extend the time for such actions
by no more than 30 days, provided that:
(A) The covered entity, within the time limit set by paragraph
(b)(2)(i) or (ii) of this section, as applicable, provides the
individual with a written statement of the reasons for the delay and
the date by which the covered entity will complete its action on the
request; and
(B) The covered entity may have only one such extension of time
for action on a request for access.
(c) Implementation specifications: provision of access. If the covered entity provides an individual with access, in whole or
in part, to protected health information, the covered entity must
comply with the following requirements.
(1) Providing the access requested. The covered entity must provide the access requested by individuals, including inspection or
obtaining a copy, or both, of the protected health information about
them in designated record sets. If the same protected health
information that is the subject of a request for access is
maintained in more than one designated record set or at more than
one location, the covered entity need only produce the protected
health information once in response to a request for access.
|
Strategy Employed to Address Challenge
This section describes the strategy employed by the LPHA to
overcome the challenge. |
In order to resolve the issue of what types of information would
be included in the DRS, BCHC conducted a gap analysis, which
included interviews with each of the Center’s department heads to
verify the specific types of PHI used in each department. Through
these interviews, BCHC identified all of the places where PHI was
currently documented, in both usual and unusual places. The
following questions were asked of the department heads to facilitate
the information gathering process:
- Where is information maintained?
- What record types do people keep?
- Do they use the information to make decisions about the patient?
Information
collected from the department heads was used to determine whether
specific PHI should be provided as part of the DRS and if so, in
what manner the PHI should be stored and collected. In instances
when BCHC staff determined that certain information should not be included
in the DRS, a clear protocol was defined for collecting and storing
that data, including a justification for its exclusion from the DRS. This clear delineation prevented ambiguity regarding what information was or was not included.
|
Facilitators to Implementing Strategy
This section describes some of the things that helped the
LPHA implement the strategy. |
| Trainings
BCHC
provided training to all of their staff regarding PHI and the DRS.
Staff were instructed on the proper method to collect and store data
for entry into the DRS. For information that was not part of patient
care, staff were instructed to follow specific procedures to ensure
that the data was collected and stored properly. The training ensured that staff all had the same
understanding of the process for dealing with patient information,
thereby facilitating consistent action among all staff.
|
Resources Used to Implement Strategy (e.g., in-house, state assistance, outside vendor)
This section lists the resources used by the LPHA to implement the
strategy. |
BCHC staff attended the following trainings which included
information on designated records sets:
- Trainings on HIPAA implementation
- Online Training with Health Stream
- American Health Information Management Association Training
- North Carolina Healthcare Information and Communications
Alliance (NCHICA) Training
- North Carolina Health Information Management (NCHIMA) Training
- Center for Medicare & Medicaid Services/ Audio Conferences
- Institute of Government (IOG) Satellite and Video Conference
|
Challenge to HIPAA Privacy Rule Compliance
This section details the specific challenge to HIPAA Privacy Rule
compliance faced by the LPHA. |
| Organizational Infrastructure and Privacy Administration: State
Law Preemption
As with many local
health departments, BCHC struggled with the challenge of determining
when to employ the federal HIPAA Privacy Rule and when they were
bound by more stringent state law. For
example, according
to North Carolina law, all mental health information in a
patient’s record must be removed before showing it to the other
members of the treatment team (i.e., those not responsible for
mental health care) or for referral purposes. As a result, mental health information could
not be shared in the same manner as other medical information (with
exceptions for emergency care). Since BCHC had mental health care services integrated into
the primary care setting, this issue was directly relevant. The challenge for BCHC was
not only determining whether HIPAA or the North
Carolina mental health law would be adhered to, but also how the other might
still play a role.
|
Section of HIPAA Privacy Rule in Question – Rule
This section will detail the specific portion of the HIPAA Privacy Rule
that is in question. This section will also include a link to the
full-text of the HIPAA Privacy Rule. |
| § 160.202 Definitions.
For purposes of this subpart, the following terms have the
following meanings:
Contrary, when used to compare a provision of State law to a
standard, requirement, or implementation specification adopted under
this subchapter, means:
(1) A covered entity would find it impossible to comply with
both the State and federal requirements; or
(2) The provision of State law stands as an obstacle to the
accomplishment and execution of the full purposes and objectives of
part C of title XI of the Act or section 264 of Pub. L. 104-191, as
applicable.
More stringent means, in the context of a comparison of a
provision of State law and a standard, requirement, or
implementation specification adopted under subpart E of part 164 of
this subchapter, a State law that meets one or more of the following
criteria:
(1) With respect to a use or disclosure, the law
prohibits or restricts a use or disclosure in circumstances under
which such use or disclosure otherwise would be permitted under this
subchapter, except if the disclosure is:
(i) Required by the Secretary in connection
with determining whether
a covered entity is in compliance with this subchapter; or
(ii) To the individual who is the subject of the
individually identifiable health information.
(2) With respect to the rights of an individual,
who is the subject of the individually identifiable health
information, regarding access to or amendment of individually
identifiable health information, permits greater rights of access or
amendment, as applicable.
(3) With respect to information to be provided to
an individual who is the subject of the individually identifiable
health information about a use, a disclosure, rights, and remedies,
provides the greater amount of information.
(4) With respect to the form, substance, or the
need for express legal permission from an individual, who is the
subject of the individually identifiable health information, for use
or disclosure of individually identifiable health information,
provides requirements that narrow the scope or duration, increase
the privacy protections afforded (such as by expanding the criteria
for), or reduce the coercive effect of the circumstances surrounding
the express legal permission, as applicable.
(5) With respect to recordkeeping or requirements
relating to accounting of disclosures, provides for the retention or
reporting of more detailed information or for a longer duration.
(6) With respect to any other matter, provides
greater privacy protection for the individual who is the subject of
the individually identifiable health information.
Relates to the privacy of individually identifiable health information means, with
respect to a State law, that the State law has the specific purpose
of protecting the privacy of health information or affects the
privacy of health information in a direct, clear, and substantial
way.
State law means a constitution, statute, regulation, rule,
common law, or other State action having the force and effect of
law.
|
Strategy Employed to Address Challenge
This section describes the strategy employed by the LPHA to overcome the
challenge. |
| BCHC staff conducted an
in-depth review of state and federal laws to verify which takes
precedence, employing the following steps:
(1) Read the
HIPAA Privacy Rule and verified where state law (in general) was
referenced. There were a few areas where actions were permissible
under state law, while there were other areas where the state law
was more stringent;
(2) Read the state law and the administrative code;
(3) Compared the state and federal laws;
(4) Defined
terms and nomenclature since terminology in the HIPAA law was often
different than state law;
(5) Decided which definitions of terms would be used by the BCHC;
(6) Created the
Notice of Privacy Practices based on the BCHC definitions and
inserted all necessary information into document;
(7) Based on the
services provided through the health center, determined what roles
the health center served under the HIPAA Privacy Rule (i.e., covered
entity status);
(8) Researched
and created a crosswalk of the various roles of the health center to
state and federal law;
(9) Created
comparison tables that referenced sections of both laws, documented
questions on complicated issues, and listed answers to the
questions, once they were available;
(10) Appointed a
HIPAA Implementation Team that included representatives from all the
service areas within the health center; and
(11) Created a
Continuous Quality Improvement Team that included people from the
different sections of the health center that would be using the new
information.
During the time BCHC began their in-depth analysis of HIPAA and
state law, BCHC also began providing mental health services. As a
result, it was necessary for BCHC to include state and federal laws
related to the provision of mental health services in their
review. In order to determine which actions were necessary to comply
with the various laws, BCHC
staff researched all applicable laws, and consulted with the
Institute of Government (IOG). The Federal Substance Abuse Law,
HIPAA, FERPA, and North Carolina Statutes 130A and 122C all affected
what they decided to do as part of the state preemption analysis
process.
After conducting their
analysis of state and federal law, BCHC staff determined that
the North Carolina mental health laws did, in fact, supersede the HIPAA Privacy Rule. Based on this decision, BCHC staff determined that additional
information must be obtained. Specifically,
BCHC staff asked the following questions to help clarify what
information individual team members had access to:
- Who is the treatment team?
BCHC
staff determined that the treatment team includes any health care
provider who establishes a treatment relationship with the
individual (i.e. the providers who have a client in common).
- To what information would the treatment team have access?
BCHC staff determined that a mental health provider would have
access to any information in the medical record. However,
because of North
Carolina statute 122C and The Federal Confidentiality Regulations, various
restrictions might apply for other health care providers.
The Institute of Government (IOG) advised BCHC to obtain the
consent for use of PHI relating to mental health treatment for
treatment/referral purposes and for use or disclosure of PHI for
payment and health care operations. Using the information from the
IOG and based on the answers to their questions, BCHC decided to
obtain a consent form from everyone and an authorization form as
appropriate. Specifically,
BCHC staff created a policy requiring their mental health providers
to obtain written consent from mental health clients for use and
disclosure in-house of PHI for TPO on an annual basis.
BCHC decided that they
needed to get an authorization form from each client to release
mental health information
in the chart, which specifically stated that mental health
information would be shared. The authorization was necessary
for each disclosure for treatment purposes because many of their
records contained mental health information. The authorization contained the elements required and some
examples of most frequent reasons to disclose PHI plus a place for
the individual to initial so that BCHC could disclose information
about mental health.
The consent form
allowed mental health information to be released. If the client does
not sign the authorization form releasing the information, then BCHC
staff are required to black-out that information before sharing the
information internally with the medical health treatment team or for
external referrals. Since psychotherapy
notes had always been kept separate, it was not necessary to deal
with that issue in regards to North Carolina mental health laws. It
was imperative for BCHC to ensure that the mental health provider was aware of the difference
between mental health progress notes and psychotherapy notes.
Though
one form would likely have been adequate, BCHC designed three
different consent forms for use and disclosure - the main consent, a
consent for the School Based Health Centers, and a consent for the
immunization clinic. Some staff felt parents at the school based
health center would not let their children use the services if the
consent mentioned sexually transmitted diseases and pregnancy. Since
the immunization clinic did not bill for most immunizations, the
clinic felt that a reference to billing would be misleading to
clients.
|
Facilitators to Implementing Strategy
This section describes some of the things that helped the LPHA implement the
strategy. |
| Institute of Government (IOG), University of North Carolina Chapel Hill
The Institute of Government provided many valuable
resources to BCHC, such as:
- Attorneys who provided research and advice;
- White papers that addressed HIPAA Privacy Rule issues specific
to North Carolina, including school health, jail health,
authorization for disclosure, treatment, payment and health care
operation, right to know and right to request access. In cases
where there was no relevant North Carolina law, white papers
were available on the federal law;
- A LISTSERV that allowed individuals to post questions and
share experiences;
- Satellite broadcasts that transmitted one year prior to HIPAA
and prior to the release of guidance from the U.S. Department of
Health and Human Services (HHS). After HHS provided information,
the Institute of Government revised the information provided to
the local agencies;
- HIPAA Privacy Web site that included resources useful to
agencies; and
- Questions and answers - the Institute of Government (IOG) was
available for direct questions. IOG would research the questions
and then provide guidance on the topic.
North Carolina Association of Local Health Directors
The North Carolina
Association of Local Health Directors (NCALHD) hired a consultant to
answer questions and design documents for several smaller agencies. BCHC
had access to this information, which was used by the majority of counties in North Carolina, and used it for comparison purposes with its own forms.
Workgroup for Electronic
Data Interchange Strategic National Implementation Process (WEDI-SNIP)
Buncombe County referenced white papers
created by WEDI-SNIP to identify differences between the state and
federal law.
Centers for Disease Control and Prevention (CDC)
CDC provided information
comparing public health law to HIPAA. BCHC used this information in
its analysis of state and federal law.
Feedback from staff
Staff members at Buncombe County Health Center continuously asked questions regarding the proper use of the consent
form. As new issues arose, BCHC was able to adapt the consent form
to accommodate changing policies and procedures. Client requests for
family members to have access to financial and billing information
resulted in a revision.
|
Barriers to Implementing Strategy
This section details the barriers the LPHA faced while implementing the
strategy. |
| Confusion
regarding language of consent
Despite
the decision that North Carolina mental health law superseded HIPAA, BCHC still had to make sure that
the format of the consent forms used to maintain compliance with
state law was HIPAA compliant. In
other words, HIPAA requires authorization forms to include specific
information. This
slowed down the process for developing the consent forms as BCHC
staff had to continually verify that their forms were correctly
formatted.
Difficulties with data collection
BCHC
staff had difficulty learning the new process of documenting the
consent for use and disclosure and the acknowledgement of receipt of the Notice of Privacy Practices.
|
Actions Taken to Overcome Barriers
This section describes how the LPHA overcame the barriers faced while
implementing the strategy. |
| Confusion
regarding language of consent
In
large part, the issue of consent form language has been resolved now
that the forms are in place and being used. However, when changes are required, BCHC staff must still
spend time to ensure that any modifications are compliant with both
state law and HIPAA.
Difficulties with data collection
In
order to ensure that all the proper forms had been distributed and
signed, BCHC devised a band-aid called an ‘alert’ in the
electronic patient management system to indicate that a consent was
signed.
|
Resources Used to Implement Strategy (e.g.,
in-house, state assistance, outside vendor)
This
section lists the resources used by the LPHA to implement the strategy. |
| General Resources
Legal counsel – From
the Institute of Government; provided research and advice
LISTSERV – From the Institute of Government; allowed individuals to post questions and share experiences
Specific Resources
Institute
of Government – The state university school of government that provides various resources such as a listserv and the availability of their legal
counsel to answer individual questions.
HIPAA Medical Privacy Rule: Information for NC Public Agencies – This HIPAA Privacy website, created by the Institute of Government, includes links to white
papers, explanations and presentations on provisions of the Privacy
Rule, and business associate requirements.
North
Carolina Association of Local Health Directors – Provides links to frequently
asked questions and answers about HIPAA
North
Carolina Healthcare Information and Communication Alliance (NCHICA) – Includes various resources on implementing HIPAA Privacy, such
as sample documents, HIPAA event calendar, workgroups and
presentations
North
Carolina Department of Health and Human Services – Provides policies and procedures for implementing HIPAA Privacy
at the state health department
Centers for Disease Control and Prevention (CDC) – Presents information on how to compare public health law and the provisions of the HIPAA Privacy Rule
Workgroup
for Electronic Data Interchange Strategic National Implementation
Process (WEDI-SNIP) – Provides a link to Security and Privacy White Papers
Office
for Civil Rights – The federal agency responsible for administering the HIPAA
Privacy Rule; includes general background information on the Privacy
Rule, educational materials and compliance and enforcement
instructions
|
Outcomes of Strategy Implementation
This section describes the outcomes of strategy implementation, intended
and/or unintended. |
| BCHC was able to successfully understand the HIPAA Privacy Rule, as
well as the current state rules pertaining to privacy.
The
three consent forms are constantly in use and periodically revised
based on feedback from staff who use them.
|
Consequences
This section describes the consequences, both intended and unintended, of
implementing the strategy. |
| The Buncombe County Health Center must continue to be knowledgeable of any changes in the state or
federal law that could impact the process they created. As a result,
staff continues to monitor and revise necessary policies and
procedures.
|
| Contact Name |
Title |
| Charlotte Blankenship |
HIPAA Privacy Officer, Buncombe County Health Center |
| Nancy Phillips |
Quality Improvement Coordinator and Compliance Officer, Buncombe
County Health Center |
|
|