Health Insurance Portability and Accountability Act (HIPAA) California State Organizations’ 2017 HIPAA Entity Status Assessment

The California Office of Health Information Integrity (CalOHII) has statutory responsibility to provide oversight and review of state departments’ compliance with the federal Health Insurance Portability and Accountability Act (HIPAA) regulations (45 C.F.R. §§ 160 – 164.534). As part of those statutory requirements, CalOHII uses this assessment process to determine whether departments, organizations, or programs may be subject to HIPAA. The first statewide assessment of state programs and departments was performed in 2001, with subsequent assessments performed in later years. Because of changes in federal and state law, as well as possible business process changes within departments, state entities may be affected by HIPAA differently than before. CalOHII assesses all State entities every few years in order to provide assistance in meeting the requirements imposed by HIPAA. Please complete this assessment as it applies to your programs, business processes, data collection, and automated systems.

Department, Board, or Commission Name:

Contact Name:

Title:

Phone:

Email:

Please answer the following questions for your entire organization (including all programs). If you answer Yes to any question(s), please list the programs in the Impacted Programs column.

Each question is answered in three columns:

- Current Business Practices: Yes / No / Unsure
- Planned Business Practice (within the next 5 years): Yes / No / Unsure
- Impacted Programs (if the answer is yes, please list the programs and estimated start date)

1. Does your Organization/Program arrange for, coordinate, manage, offer, perform, or make referrals for any of the following? Please check the box next to the description(s) listed below that are associated with your Yes answer.
   a. Conducting quality assessment and improvement
   b. Population-based activities relating to improving health or reducing health care costs, or research
   c. Case management or care coordination
   d. Reviewing the competence or qualifications of health/mental health care professionals
   e. Evaluating health/mental health care providers, or health plan performance
   f. Training health/mental health care, or non-health care, professionals
   g. Accreditation activities
   h. Certification activities
   i. Licensing activities
   j. Underwriting and other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits
   k. Ceding (arranging for another entity to share the financial risk), securing, or placing a contract for reinsurance or risk relating to health/mental health care claims
   l. Conducting or arranging for medical review (such as 2nd opinions, medical board reviews)
   m. Legal services
   n. Program auditing services, including fraud and abuse detection and compliance programs
   o. Business planning and development, such as conducting cost-management and planning analyses related to managing and operating the organization/program

   p. Business management and general administrative activities, including those related to:
      i. Implementing and complying with the privacy rule and other administrative simplification rules
      ii. Customer service
      iii. Resolution of internal grievances
      iv. Sale or transfer of assets
      v. Creating de-identified Health Information [1] or a limited data set
      vi. Fundraising for the benefit of the organization/program
   q. Any of the following, with respect to the physical or mental condition, or the functional status, of an individual, or that affects the structure or function of the body:
      i. Preventative care/treatment/services
      ii. Diagnostic care/treatment/services
      iii. Rehabilitative care/treatment/services
      iv. Maintenance care/treatment/services
      v. Palliative care/treatment/services
      vi. Counseling services, assessments or procedures
   r. Selling or dispensing a drug, device, equipment, supplies or other item, in accordance with a prescription
   s. Aggregating, de-identifying, or analyzing Health Information and data (including data mining)
   t. Claims or encounter processing
   u. Enrollment or disenrollment in a program or health plan

[1] Health Information: Any name in combination with any other information related to the provision of health care that can lead a person to reasonably identify the patient. The CA SHIPM (http://www.chhs.ca.gov/OHII/Pages/SHIPM.aspx) definition incorporates and synthesizes State of CA and federal definitions, including but not limited to: 1) Protected Health Information; 2) Electronic Protected Health Information; 3) Individually Identifiable Health Information; 4) Personal Information; 5) Medical Information; 6) Confidential and Private Information.

2. Is your Organization/Program paid [2] for any of the activities listed in Question #1 (above) by another entity?

3. Does your Organization/Program pay another entity to arrange for, coordinate, manage, offer, perform, or make referrals for any of the activities listed in Question #1 (above)?

4. Does your Organization/Program create, send or receive any of the following transactions electronically? Please check the box next to the transaction description(s) listed below that are associated with your Yes answer.
   a. Healthcare claims or equivalent encounter information: to request payment or report provided health/mental care or treatment
   b. Healthcare payment and remittance advice: for an explanation of benefits or remittance
   c. Coordination of benefits: for the purpose of determining the relative payment responsibilities of the health plan
   d. Healthcare claim status: to determine the status of a health/mental care related claim, or a response about the status of a health/mental care related claim
   e. Enrollment or disenrollment in a health plan: to establish or terminate coverage
   f. Eligibility inquiry for a health plan: to obtain eligibility to receive health/mental care treatment, or coverage of health/mental care or treatment
   g. Health plan premium payments: from the entity that is arranging for the provision of health/mental care, or is providing health/mental care coverage payments
   h. Referral certification and authorization: for the review of health/mental care or treatment, to obtain an authorization for that care, to obtain authorization for referring a patient to another provider, or a response to those requests
   i. Queries and responses: to or regarding any of the transactions identified above (this includes email requests and responses)

5. Does your Organization/Program pay or contract with another organization/entity to create, send or receive any of the electronic transactions listed in Question #4 (above)?

[2] Paid/Pay/Contract: includes funded, grants, premiums, reimbursed in any way (including receiving credit), or contracted with/or an agreement for services.

6. Does your Organization/Program create, receive, transmit, or maintain Health Information (in paper or electronic form) for any other organization/program?

7. Does your Organization/Program use or disclose Health Information?

8. Does your Organization/Program process or facilitate the processing of Health Information, received from another entity, in either of the following ways? Please check the box next to the description(s) listed below that are associated with your Yes answer.
   a. Receive a non-standard [3] format, or content containing non-standard data, and convert it into standard data elements or a standard transaction, OR
   b. Receive a standard transaction and convert it into a non-standard format or non-standard data content for the receiving party

9. Does your Organization/Program pay another organization/program for the processing of Health Information in either of the ways described in Question #8 (above)?

10. Is your Organization/Program one of the following government-funded health plans? Please check the box next to the description(s) listed below that are associated with your Yes answer.
   a. Medicare program under Title XVIII of the Social Security Act (Parts A, B, and C)
   b. Medicaid program under Title XIX of the Social Security Act
   c. A health program for active military personnel
   d. A veterans' health care program
   e. A Civilian Health and Medical Program of the Uniformed Services (CHAMPUS)
   f. An Indian Health Service program under the Indian Health Care Improvement Act
   g. An approved state child health program under Title XXI of the Social Security Act (SCHIP)

11. Is your Organization/Program an individual or group plan that provides or pays the cost of medical care?

[3] Standard/Non-Standard refers to electronic transactions and data content.

12. Does your Organization/Program securely store and segregate Health Information, and limit access of that information to only authorized entities/programs/individuals within your Organization/Program?

13. Has your Organization/Program designated itself as a HIPAA Hybrid Entity [4]?

14. Has your Organization/Program executed a Business Associate Agreement (BAA)/Memorandum of Understanding (MOU)/Interagency Agreement (IAA) with another organization/program that is performing any of the listed services from Question #1 (above) on your behalf?

15. Has your Organization/Program executed a BAA/MOU/IAA with another organization/entity for your organization/program to perform any of the listed services from Question #1 (above) on their behalf?

16. If Health Information in your possession (in paper or electronic form) is compromised, such as in a Breach or Incident, is your Organization/Program required to report such compromise(s) to any of the following? Please check the box next to the description(s) listed below that are associated with your Yes answer.
   a. The individual/patient whose information was Breached
   b. U.S. Department of Health and Human Services (HHS)
   c. California Department of Justice (CA DOJ)
   d. California Information Security Office (CA CISO)/California Highway Patrol (CHP), via Cal-CSIRS
   e. California Office of Health Information Integrity (CalOHII)

[4] Hybrid Entity: A single legal entity that performs both covered functions and non-covered functions. Functions that relate to the entity's operation of a health plan, health care provider, or health care clearinghouse are considered covered functions.

This 2017 HIPAA Covered Entity assessment must be signed by a Deputy Director (or equivalent) of your organization.

After signing, please scan and email or fax your document to the contact person listed below.

Signature: ______

Print Name: ______

Title: ______

Date: ______

Return the completed assessment by April 14, 2017 to Nicole Shields:

Email: [email protected] -or- Fax: (916) 653-9588

APPENDIX A: Definitions

Covered Entities

Health Care Provider
A provider of services, including medical or health services, as defined under federal law, or any other person or entity who furnishes, bills, or is paid for health care services in the normal course of business, BUT only if they transmit any information in an electronic form in connection with a transaction for which the U.S. Department of Health and Human Services has adopted a standard. Examples include doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies.

Health Care Clearinghouse
A public or private entity (including a billing service; repricing company; community health management information system or community health information system; or "value-added" networks and switches) that does either of the following functions: (1) Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction. (2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.

Health Plan
An individual or group plan that provides, or pays the cost of, medical care. This includes:
- Health insurance companies
- Health Maintenance Organizations (HMOs)
- Company health plans
- Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans' health care programs

Business Associate
A person or entity that performs certain functions or activities that involve the use and disclosure of PHI on behalf of, or provides service to, a covered entity. A Business Associate includes:
- A health information organization, e-prescribing gateway, or other person that provides data transmission to a covered entity and that requires routine access to PHI.
- A person that offers a personal health record to one or more individuals on behalf of the business associate.
- A subcontractor that creates, receives, maintains, or transmits PHI on behalf of the business associate.

It does not include:
- A health care provider, with respect to disclosures by a covered entity to the health care provider concerning the treatment of an individual.
- A plan sponsor, with respect to disclosures by a group health plan to the plan sponsor.
- A government agency, with respect to determining eligibility for, or enrollment in, a government health plan that provides public benefits and is administered by another government agency, or collecting PHI for such purposes, to the extent authorized by law.
- A covered entity participating in an organized health care arrangement.

Hybrid Entity
A hybrid entity is a covered entity whose business activities include both covered and non-covered functions, that has chosen to restrict the application of the HIPAA Privacy Rule to certain parts of its organization, and that has designated health care components within its organization.

Other Entities

Trading Partner
A trading partner is an external entity with which electronic data is exchanged. In most cases, trading partners are providers and health plans that exchange electronic transactions.

Impacted by Data Content
Data Content refers to all the data elements and code sets inherent to a transaction, but not related to the format of the transaction. This includes any set of codes (e.g. CPT or ICD-9) used to encode data elements, such as tables of terms, medical concepts, medical diagnostic codes, or medical procedure codes.

A code set includes the codes and the descriptors of the codes. Departments, counties, insurance carriers, and providers use HIPAA-standard code sets to bill, collect data, and report.

Health Oversight Agency
A health oversight agency is a government agency authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant. Health oversight agencies are not, in and of themselves, covered or impacted entities.
