This presentation addresses both key priorities and unique issues faced by public health departments in Ohio in their HIPAA compliance efforts. Health departments will benefit from a "hybrid entity" designation under HIPAA and must attend to significant state law compliance matters. While this presentation addresses Ohio law, these concepts apply to health departments in other states. For more information, see EagleConsultingPartners.com.

1. HIPAA Update 2019
OPHA
Public Health Nursing Section
Gary Pritts
Eagle Consulting Partners, Inc.
6779 Memphis Ave.
Brooklyn, OH 44144
(216) 503-0355
Gpritts@eagleconsultingpartners.com

2. Agenda
◼ Introduction
◼ HIPAA for Ohio Health Districts
◼ HIPAA “Hybrid entity” concept
◼ Ohio Law re: Health Districts
◼ HIPAA Priorities
◼ Policies and Procedures
◼ Security Risk Assessment
◼ Questions

3. The Health Insurance Portability and
Accountability Act of 1996 (HIPAA)
HIPAA
Insurance Reform
-Limits on pre-existing
condition clauses
-Illegal to discriminate
based on health status
-Other reforms
Administrative
Simplification
-Standard electronic
transactions and
identifiers
-Privacy and Security
Provisions

4. Civil Penalties
◼ 4 Tiers based on severity of violation
◼ Tier A - $100/violation max $25,000
◼ Tier B - $1,000/violation max $100,000
◼ Tier C - $10,000/violation max $250,000
◼ Tier D - $50,000/violation max $1,500,000
◼ Highest tier for “willful neglect”
◼ Enforcement by HHS OCR and State
Attorney Generals

5. HIPAA
Considerations
for Public
Health Districts

6. Health District as HIPAA
“Hybrid Entity”
HR Water
Quality
Maternal &Child
Health
SolidWaste
Vital Statistics HealthyHomes Pest Control Tattooing
FoodSafety Immunizations Communicable
Disease
STD&HIV
Clinics
HealthDistrict
Health Care Component

7. Hybrid Entity Rules
◼ A hybrid entity designation is optional
◼ If elected, must designate in “health care
components”:
◼ Services which are “health care providers”, e.g.
child and maternal care services
◼ Designation must be in writing
◼ “Health Care Components” must treat rest of
organization as if it were a separate entity

8. Benefits of Hybrid Entity
Strategy
◼ Any “protected health information” in other
service areas, e.g. Healthy Homes, is NOT
regulated by HIPAA
◼ Risks of fines from federal government reduced
◼ Note that Ohio law requires confidentiality of all
protected health information
◼ Ohio law does not specify the stiff fines/penalties
that HIPAA does. RISK REDUCTION
◼ Reduced training costs – only staff in
health care component require training

9. HIPAA
and
Ohio Law
For Health
Districts *
*

10. HIPAA / State Law Interaction
◼ HIPAA preempts contrary state laws,
except for
◼ State laws which are more stringent, which
must be followed. More stringent means
◼ Offer greater protection of confidential
information
◼ Provide the patient more rights to their info
◼ Where HIPAA and Ohio law does not
conflict, both must be followed

11. State of Ohio Law
◼ Multiple Statutes Govern Confidentiality
◼ Ohio Law – Harmonized with HIPAA
◼ Terminology – “Protected Health Information”
◼ Release restricted without individual’s permission
◼ Complexities to determine whether HIPAA or
Ohio law applies
◼ Health District policies comply with both
HIPAA and State law
*
*

12. Select Ohio Revised Code
Statutes
◼ 3701.17 Protected Health Information – main law
governing Confidentiality
◼ 3701.243 Restrictions / special provisions for
disclosing HIV/AIDS info
◼ 149.143 Public Records Laws – note that PHI and
certain records are exempt from disclosure
◼ 307.629 Confidentiality of Child Fatality Review Board
Records
◼ 3701.028 Confidentiality of BCMH Records

13. HHS Office of Civil Rights
HIPAA Priorities
◼ HIPAA Policies and Procedures
◼ Security Risk Assessment
◼ Encryption

14. HIPAA Policies and Procedures
1) EagleConsultingPartners.com
2) HIPAA Policy Template Store
3) HIPAA Privacy and Security Policy
Templates for Public Health
Departments
4) “Add to Cart”

15. *

16. Risk Assessment
◼ One methodology is NIST SP 800-30
◼ Foundation of a Security Program
◼ Explores [at minimum] 45 regulations
◼ Identifies Priorities for “Risk Management”
◼ Repeat

17. Risk Assessment
◼ HIPAA Security Requirements
◼ Confidentiality
◼ Integrity
◼ Availability
◼ Questions To Ask
◼ What bad things could happen?
◼ How could they happen?
◼ For each bad thing, what is the probability?
◼ If it did happen, how bad would it be?

18. Terminology, end-to-end
◼ Threat Agent gives rise to
◼ Threat, which exploits
◼ Vulnerability, which leads to
◼ Risk, which damages an
◼ Asset, causing
◼ Exposure, which can be mitigated with a
◼ Safeguard

19. What to do with Risk
◼ Accept it (if it happens,
we'll just deal with it, e.g.,
risk of earthquake in Ohio)
◼ Transfer it (e.g., through
insurance)
◼ Mitigate it (through a
control)

20. Top Risks
◼ Your cloud vendor screws up
◼ Phishing attacks
◼ Loss of data/downtime from
ransomware
◼ Hacking / cyberattacks
◼ Loss/theft of portable device
◼ Insider error/malicious insider

21. Practical Matters / Challenges
◼ Small department in large agency
◼ Complexity / nuances of public health
◼ Templates available (e.g. ONC SRA Tool) but
often poor or hard to use
◼ Difficult to quantify probabilities
◼ Consultants
◼ Wide variation in quality
◼ Computer folks often don’t understand SRA

22. Questions
* = Images by vecteezy.com
*