(Amendment)
DAR File No.: 37679
Filed: 06/03/2013 09:56:28 AM
RULE ANALYSIS
Purpose of the rule or reason for the change:
S.B. 20, State Security Standards for Personal Information, was passed by the Legislature in the 2013 General Session. The bill requires that a health care provider shall, as part of the notice of privacy practices (NPP) required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), provide notice to the patient or the patient's personal representative that the health care provider either has, or may submit, personally identifiable information (PII) about the patient to the Medicaid eligibility database and to the Children's Health Insurance Program (CHIP) eligibility database. S.B. 20 also requires Medicaid to withhold provider access to the Medicaid eligibility database and to the CHIP eligibility database unless the health care provider's NPP includes a statement that it will or may submit PII to these databases.
Summary of the rule or change:
This amendment limits access to the Medicaid database and to the CHIP eligibility database to providers who include in their NPP a statement that complies with Section 26-18-17.
State statutory or constitutional authorization for this rule:
- Section 26-18-17
Anticipated cost or savings to:
the state budget:
State-funded entities such as the State Developmental Center and University Hospitals and Clinics may incur costs in printing or changing their NPP to comply with this new requirement. There is no data, however, to estimate what those costs will be and how those costs will vary by each state-funded entity.
local governments:
Local governments that fund hospitals and providers may incur costs in printing or incur other costs associated with this new NPP requirement. There is no data, however, to estimate what those costs will be and how those costs will vary by each local government.
small businesses:
Medicaid and CHIP providers in small businesses may incur costs in printing or changing their NPP to comply with this new requirement. There is no data, however, to estimate what those costs will be and how those costs will vary by each small business.
persons other than small businesses, businesses, or local governmental entities:
Some Medicaid and CHIP providers may incur costs in printing or changing their NPP to comply with this new requirement. There is no data, however, to estimate what those costs will be and how those costs will vary by provider group or type. This amendment does not affect Medicaid and CHIP services for clients and further enhances client privacy rights.
Compliance costs for affected persons:
A Medicaid provider or a CHIP provider may incur costs in printing or changing their NPP to comply with this new requirement. There is no data, however, to estimate what those costs will be and how those costs will vary by provider group or type.
Comments by the department head on the fiscal impact the rule may have on businesses:
There may be a minimal one-time cost to providers when they modify their Notice of Privacy Practice. The notices are modified frequently to conform to federal law.
David Patton, PhD, Executive Director
The full text of this rule may be inspected, during regular business hours, at the Division of Administrative Rules, or at:
Health
Administration
CANNON HEALTH BLDG
288 N 1460 W
SALT LAKE CITY, UT 84116-3231
Direct questions regarding this rule to:
- Craig Devashrayee at the above address, by phone at 801-538-6641, by FAX at 801-538-6099, or by Internet E-mail at cdevashrayee@utah.gov
Interested persons may present their views on this rule by submitting written comments to the address above no later than 5:00 p.m. on:
07/31/2013
This rule may become effective on:
08/07/2013
Authorized by:
David Patton, Executive Director
RULE TEXT
R380. Health, Administration.
R380-250. HIPAA Privacy Rule Implementation.
R380-250-2. Definitions.
As used in this rule:
(1) "Access" means an eligibility query either telephonically or electronically. This does not include direct access to databases.
([1]2) "Covered program" means the smallest agency or program unit within the Department responsible for carrying out a covered function as that term is used in 45 CFR 164.501.
([2]3) "HIPAA Privacy Rule" means the Standards for Privacy of Individually Identifiable Health Information found in 45 CFR Part 160 and Subparts A and E of Part 164.
([3]4) "Individual" means a natural person. In the case of a individual without legal capacity or a deceased person, the personal representative of the individual.
R380-250-12. Provider Notice of Privacy Practices.
A Medicaid provider or a Children's Health Insurance Program (CHIP) provider shall not access the Medicaid database or the CHIP eligibility database, unless the provider's notice of privacy practices contains a statement that the provider either has, or may submit personally identifiable information about the patient to the Medicaid eligibility database or to the CHIP eligibility database.
KEY: HIPAA, privacy
Date of Enactment or Last Substantive Amendment: [June 9, 2003]2013
Notice of Continuation: May 6, 2013
Authorizing, and Implemented or Interpreted Law: 26-1-5; 26-1-17
Document Information
- Effective Date: 8/7/2013
- Publication Date: 07/01/2013
- Filed Date: 06/03/2013
- Agencies: Health, Administration
- Rulemaking Authority: Section 26-18-17
- Authorized By: David Patton, Executive Director
- DAR File No.: 37679
- Related Chapter/Rule NO.: (1) R380-250. HIPAA Privacy Rule Implementation.