HIPAA Basic Training for Health & Welfare Plan Administrators

Transcription

1 2010 Human Resources Seminar HIPAA Basic Training for Health & Welfare Plan Administrators Norbert F. Kugele

2 What We re going to Cover Important basic concepts Who needs to worry about HIPAA? Complying with the Privacy Rule, Transaction Rule, Security Rule, and Breach Notification Rules Violating HIPAA Minimizing Impact of HIPAA

3 Important Basic Concepts

4 What Is HIPAA? Health Insurance Portability and Accountability Act of Intended to make it easier to share information electronically Can share information for certain purposes All other purposes prohibited without authorization

5 Protected Health Information Individually identifiable health information used by a health plan Any form: written, electronic or oral Includes information relating to: Physician health Mental health Payment for health care

6 Health Plans Subject to HIPAA Medical plans Dental plans Vision plans Health flexible spending accounts Employee assistance programs Wellness programs

7 What Is Not A Health Plan? Employment records Leaves of absence, FMLA records ADA claims On the job injuries Workers compensation Fitness for duty exams Drug screening

8 What Is Not A Health Plan? Life insurance Disability (STD & LTD) Some wellness programs

9 What is not a health plan? Life insurance Disability plans Workers Compensation plans Leaves of absence FMLA records

10 What is not a health plan? ADA claims On the job injuries Drug screening

11 Who Needs to Worry About HIPAA?

12 Fully-Insured Benefits Can take a hands-off approach. Handle only enrollment information and summary health information Minimum compliance obligations: Do not require enrollees to waive HIPAA rights Do not retaliate against enrollees who exercise HIPAA rights Compliance burden is on insurers/hmos

13 Self-Insured Benefits Must fully comply with HIPAA Privacy rules Security rules Transaction rules Breach notification rules Hiring a TPA does NOT relieve you of your compliance obligation But it can help relieve the burden

14 Complying with the Privacy Rule

15 Protected Health Information (PHI) Individually identifiable health information used by a health plan. Any form: written, electronic or oral Includes information relating to: Physical health Mental health Provision of and payment for health care

16 What is not PHI? Information that does not come from or is not given to health plans Health information employee shares with Benefits Dept. for health plan purposes (e.g., information for pre-certification of a hospital stay) IS PHI Same information that employee shares with supervisor for FMLA purposes IS NOT PHI

17 What is not PHI? Enrollment Records Enrollment records maintained in employment records not PHI Enrollment records reported to the health plan is PHI.

18 Restrictions on PHI Health plans may not use or disclose PHI unless: The Privacy Rule specifically allows the use/disclosure The individual who is the subject of the PHI specifically allows it

19 Restrictions on PHI Cannot use PHI for: Making personnel decisions Administrating other employee benefit programs Cannot use or disclose for marketing purposes without authorization Cannot sell PHI

20 Permitted Uses of PHI TPO Treatment Payment Health care operations Complying with Law Any other use or disclosure generally requires authorization

21 Minimum Necessary Rule Must limit uses and disclosures of PHI to the minimum amount necessary to accomplish the intended purpose. Do not use a fire hydrant when a garden hose will suffice HITECH clarification Default rule: use aggregate data only Must justify use of more detailed information

22 Privacy Rule Requirements Designate a privacy officer Implement written privacy policies Train those who work with PHI Discipline those who violate privacy policies Investigate and respond to complaints

23 Privacy Rule Requirements Include provisions in health plan document that: Describe permitted uses and disclosures Identify who is permitted to have access to PHI Require compliance with privacy rules Plan sponsor must certify compliance with HIPAA privacy rules Distribute a Notice of Privacy Practices Retain HIPAA compliance records for at least six years

24 Privacy Rule Requirements Respect individual rights Right to access PHI in health plan records Right to request amendments of PHI Right to an accounting of disclosures Right to request additional restrictions Right to request confidential communications Verify identity and authority of those seeking access to PHI

25 Business Associates Person or organization who: Performs a function or activity for the health plan; or Assists the plan sponsor in performing a health plan function or activity Function or activity involves use or disclosure of PHI. Employees are not business associates HMOs/insurers are not business associates

26 Examples of Business Associates Third-party administrators (TPAs) COBRA administrators Outside attorneys and accountants Benefits consultants Insurance agents Utilization review organizations Computer service technicians Software vendors

27 Business Associate Agreements Must have written contract Establishes permitted uses and disclosures Require compliance with HIPAA requirements Require reporting of: Unauthorized uses/disclosures Security incidents Security breaches

28 Business Associates If learn that business associate has materially violated terms of BAA: Must investigate Demand BA to end violation and mitigate harm If BA does not end breach or cannot cure: Terminate contract, or Report BA to HHS

29 Family Members/Representatives May disclose PHI to family, relatives, friends involved in individual s care/payment for care Can use professional judgment Give individuals ability to designate someone/revoke designation Personal representatives can exercise all rights of individuals

30 Complying with the Transaction Rule

31 Transaction Rule Goal: standardize electronic transactions relating to payment for health care Streamline payment for health care Technical rule for how to structure the transaction

32 Transaction Rule Applies to electronic transactions by health plan with: Health care providers Other health plans Generally, an issue for TPAs BAAs must require compliance with transaction standards

33 Complying with the Security Rule

34 Scope of Security Rules Apply to electronic forms of PHI Databases Spreadsheets communications Copy machines with hard drives Does not apply to: Paper records Telephone and fax transmissions (but do apply to voice mail and stored fax documents)

35 Risk Assessments Must conduct a risk assessment Identify where ephi is stored and used Identify the threats to confidentiality, integrity and accessibility of ephi Identify the likelihood that vulnerability will lead to unauthorized use/disclosure Identify risks that need to be addressed Must update on a regular basis

36 Administrative Safeguards Designate a Security Officer Train and discipline workforce Manage workforce s access to ephi Monitor for and report on security incidents Establish contingency plans (backup, disaster recovery, emergency modes, etc.) Periodic evaluation of safeguards

37 Physical Security Control access to physical equipment using/storing ephi Workstation use/security Device and media controls

38 Technical Safeguards Unique user IDs/authentication Automatic logoff Emergency access procedures Encryption & transmission security Audit controls Mechanisms to prevent improper alteration/destruction

39 Business Associates Handle most ephi for health plans Must now contractually agree to implement policies and procedures that comply with these requirements Examine transmissions with business associates

40 Complying with Breach Notification Rule

41 Breach Notification Before HITECH: no clear duty to notify of a breach under HIPAA HITECH Act: Must notify each individual whose PHI is breached within 60 days of discovery Applies to all forms of unsecured PHI

42 Breach Notification Analysis Was There a breach? Unauthorized: Acquisition Access Use Disclosure

43 Breach Notification Analysis Was the data secured with respect to the individual with unauthorized access? Electronic data: was it encrypted? Data at rest Data in motion Media: was it properly destroyed? Paper, film, other hard copy media Electronic data

44 Breach Notification Analysis Does the incident fall within an exception? Person would not reasonably have been able to retain the information Employee s unintentional access of record in good faith Inadvertent disclosure within same organization by and to individual authorized to access PHI

45 Breach Notification Analysis Could there be a significant risk of harm? Who received/access the information? How detailed was the information? Were steps taken to recall/destroy the information and mitigate harm? Was information returned/destroyed before being improperly accessed?

46 Breach Notification Methods of providing notice: Written notice to last known address (or if specified by the individual) If contact information is insufficient or out-dated, alternative notice If more than 10 individuals: Prominent posting on website; or Notice in major print or broadcast media In urgent situations, may supplement with telephone or other means, if appropriate

47 Breach Notification Notice to prominent media outlets if more than 500 individuals within state affected. Notification to Secretary of Health & Human Services: At time of incident, if more than 500 individuals are affected If less than 500 individuals, must submit to HHS annually ve/breachnotificationrule/brinstruction.html

48 Breach Notification Content of notification: Brief description of what happened, including: Date of breach (if known) Date breach discovered Description of types of unsecured PHI involved in the breach Steps individuals should take to protect themselves from potential harm What covered entity is doing to investigate, mitigate losses and protect against further breaches Contact procedures to ask questions or learn more. Deadline: without unreasonable delay, but in any case within 60 days

49 Breach Notification Does not preempt state security breach notification laws. SSNs Drivers license numbers Financial account information May have to comply with both

50 Breach Notification Business Associates also subject to breach notification provisions Default rule: provide notice to the covered entity Must include identification of each individual whose PHI has been or is reasonably believed to have been breached. Covered entities can contract for different arrangement Duty may be different under State law

51 Consequences of HIPAA Violations

52 Pre-HITECH enforcement No more than $100 per violation per day Capped at $25,000 per year for all violations of an identical requirement or prohibition during a calendar year. HHS pursued informal enforcement

53 HITECH enhanced enforcement New tiered structure for each violation: unknown violations: $100 - $50,000 reasonable cause violations: $1,000- $50,000 willful neglect violations (if corrected within 30 days): $10,000 - $50,000 willful neglect violations (if uncorrected within 30 days): $50,000 New cap: $1.5 million for all violations of the same type during a calendar year

54 New enforcement strategies Individuals who wrongfully disclose PHI now clearly subject to criminal penalties Requires HHS to conduct audits State Attorneys General and FTC given enforcement authority

55 Minimizing the Impact of HIPAA

56 Try not to have PHI Try to keep it from becoming PHI. Keep enrollment data in employment records Work with enrollment data as much as possible Limit info TPAs report to you Get de-identified or summary health info only Have health plan participants and beneficiaries deal directly with TPA Have TPAs handle benefits appeals

57 If you must handle PHI Limit the number of people with access Minimize the amount of information you receive Be sure those who handle the information are trained Be sure policies and procedures are in sync with practices Try not to have ephi

58 Questions? Norbert F. Kugele