Scribd Logo
Hochladen

Willkommen bei Scribd!

  • Hipaa Mrpa PDF

    Hochgeladen von

    David Alexander
    75 Ansichten2 Seiten

    Originaltitel

    HIPAA-MRPA.pdf

    Copyright

    © © All Rights Reserved

    Verfügbare Formate

    PDF, TXT oder online auf Scribd lesen

    Stufen Sie dieses Dokument als nützlich ein?

    Sind diese Inhalte unangemessen?

    Dieses Dokument melden

    Copyright:

    © All Rights Reserved
    Als PDF, TXT herunterladen oder online auf Scribd lesen
    Markieren Sie unangemessene Inhalte
    75 Ansichten2 Seiten

    Hipaa Mrpa PDF

    Hochgeladen von

    David Alexander

    Copyright:

    © All Rights Reserved
    Als PDF, TXT herunterladen oder online auf Scribd lesen
    Markieren Sie unangemessene Inhalte
    von 2

    MEMORANDUM

    TO: DEBORAH HOLLAND, ASSISTANT VICE PROVOST FOR RESEARCH


    FROM: DAVID ALEXANDER, ASSISTANT GENERAL COUNSEL
    SUBJECT: TEXAS MEDICAL RECORDS PRIVACY ACT COMPLIANCE
    DATE: MARCH 9, 2017
    CC: CHRIS HOLMES, DOUG WELCH

    In a meeting on February 28, 2017, you requested guidance from the Office of General
    Counsel regarding compliance with the Texas Medical Records Privacy Act (MRPA)(H.B.300) in the
    absence of meaningful guidance from the State of Texas.

    Your office has identified several Baylor units that are HIPAA-covered entities, and more
    that have access to Protected Health Information (PHI) and are therefore subject to the MRPA but
    are not HIPAA entities. You are prepared to undertake HIPAA compliance training to those units
    that are subject to HIPAA, and you suggested that identical training should be given to the MRPA-
    covered units. This would have numerous benefits from an operational standpoint, and for some
    units would aid in their educational mission. However, you identified at least two problems with this
    approach:

    1. The State has provided no guidance clearly stating that HIPAA-compliant privacy
    procedures will satisfy the requirements of the MRPA; and

    2. The OCR has given some indication that adoption of HIPAA-compliant procedures for
    non-HIPAA entities could result in those entities becoming subject to OCR
    enforcement.

    You also requested clarification regarding whether your office should be tasked with providing
    MRPA training. Given the discussion below, which concludes that MRPA policies should be
    substantially identical to HIPAA policies, and given your greater expertise in HIPAA matters, it is
    OGCs suggestion that your office should provide all HIPAA and MRPA training. We are of course
    available to assist in any way that you may require, and I for one would be interested in sitting
    through your HIPAA training at the earliest opportunity.

    Additional questions are also discussed below.

    1. Adoption of HIPAA-compliant privacy policies to meet MRPA requirements.

    A review of the MRPA suggests that it was intended to expand HIPAA-compliant rules to a broader
    range of entities and more types of records. It clearly indicates an intent that its requirements be read
    consistently with HIPAA. For instance, 181.005 authorizes the Commissioner to adopt rules
    consistent with HIPAA; 181.102 requires covered entities to provide access to EHR unless HIPAA
    rules permit access to be denied; 181.205 permits evidence of a covered entitys compliance with
    HIPAA rules to be considered in mitigation of the penalties for a violation of MRPA.

    Other than the expansion of coverage of privacy and security rules to a broader range of entities,
    MRPA does not itself place many positive obligations on covered entities. Entities shall comply with
    HIPAA (181.004); shall train employees (181.101); shall provide access to EHR (181.102); shall give
    notice and obtain authorization prior to disclosure of PHI (181.154). Specific rules and guidance are
    left to the discretion of state regulators, who have not yet produced any.

    Thus, the principal requirement of MRPA, given the present lack of rules or other guidance, is for all
    MRPA covered entities to adopt privacy practices that would comply with HIPAA rules.

    It therefore the opinion of the General Counsel Office that, in the absence of contrary guidance,
    training should be given to all covered entities, including those only covered by MRPA, and that the
    training for all units should be consistent with HIPAA rules and practices.

    2. Adoption of HIPAA-compliant policies in non-HIPAA entities.

    While the handling and protection of records subject to MRPA but not HIPAA should be consistent
    with HIPAA requirements, care should be taken to avoid any statement to the effect that non-
    HIPAA entities comply with HIPAA requirements. MRPA-only entities should state that they
    comply with MRPA requirements.

    3. Are FERPA records exempt from MRPA coverage?

    Consistency between HIPAA and MRPA compliance would, in General Counsels opinion, include
    consistency in the treatment of records that are covered by FERPA and therefore excepted from
    HIPAA coverage. Such records should also be treated as exempt from MRPA coverage.

    4. Are communications with prospective students relating to health and medical issues
    covered by FERPA or MRPA?

    If the prospective student enrolls and becomes a student, those communications are FERPA records.
    Communications with a prospective student who does not matriculate to Baylor may be MRPA
    records, and should be treated as such, and destroyed at the earliest opportunity. We should have no
    significant record retention requirement for documents relating to students who do not enroll.

    Das könnte Ihnen auch gefallen