HIPAA Privacy Rule
Provided by Brown & Brown of Louisiana, LLC


The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other personal health information. The Privacy Rule applies to covered entities (health plans, health care clearinghouses and most health care providers) and their business associates.

The HIPAA Privacy Rule:
- Sets limits and conditions on the uses and disclosures of protected health information (PHI) that can be made without an individual's authorization;
- Gives individuals rights over their PHI, including the right to receive a notice from covered entities regarding their privacy practices; and
- Requires appropriate safeguards to protect the privacy of PHI.

Although the Privacy Rule applies to both self-funded and fully insured plans, special rules apply to fully insured plans that do not have access to PHI for plan administration purposes.

LINKS AND RESOURCES
The Department of Health and Human Services (HHS) website includes a brief summary of the HIPAA Privacy Rule and links to the official regulation text.

AFFECTED ENTITIES
The HIPAA Privacy Rule applies to covered entities and business associates. A covered entity is a health plan, a health care clearinghouse or a health care provider that conducts certain transactions electronically. In general, a business associate is an entity that performs a function, activity or specific service for a covered entity that involves PHI.

IMPACT ON EMPLOYERS
The extent of a plan sponsor's obligations under the Privacy Rule depends on whether the employer has access to PHI for plan administration. Sponsors of fully insured plans that do not have access to PHI have minimal obligations under the Privacy Rule.

This Compliance Overview is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice.

AFFECTED ENTITIES
The HIPAA Privacy Rule directly regulates these covered entities:
- Health plans;
- Health care clearinghouses; and
- Health care providers that conduct certain transactions electronically.

Business Associates
Business associates also must comply with the Privacy Rule. For additional protection, covered entities and business associates must enter into agreements requiring them to comply with the HIPAA Privacy and Security Rules. If a business associate delegates any of its functions to a subcontractor that creates, receives, maintains or transmits PHI on behalf of the business associate, the business associate must enter into a written contract with the subcontractor to ensure that the subcontractor will agree to comply with the HIPAA Privacy and Security Rules.

Who is a business associate? In general, a business associate is an entity that performs a function, activity or specific service for a covered entity that involves creating, receiving, maintaining or transmitting PHI.

Plan Sponsors
The Privacy Rule indirectly regulates employers as plan sponsors. If an employer performs administrative functions for its group health plan (for example, reviewing health FSA claims), the employer will usually need to access PHI from the plan. When an employer receives PHI from its group health plan for plan administrative purposes, the employer must agree to comply with certain requirements of the HIPAA Privacy and Security Rules.

PROTECTED INFORMATION
The HIPAA Privacy Rule governs PHI.

What is PHI? PHI is individually identifiable health information (in oral, written or electronic form) that is created or received for a covered entity and relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual.

PRIVACY PROTECTIONS
While some states have laws that protect patients' privacy, the HIPAA Privacy Rule establishes a minimum level of privacy protections that must be given to all personal health information covered by the Privacy Rule. In summary, the Privacy Rule includes three main protections for PHI:

Use and Disclosure Rules
Covered entities may use and disclose PHI for purposes of treatment, payment and health care operations, subject to a minimum necessary standard. Unless an exception applies, a covered entity must first obtain an individual's written authorization before using or disclosing PHI for any other purpose.

Individual Rights
Providers and health plans must provide individuals (for example, health plan participants) with detailed written information that explains their privacy rights and how their information will be used (a Notice of Privacy Practices). Individuals also have the right to:
- Access their own health records and request corrections;
- Request restrictions on the uses and disclosures of their PHI, including that communications containing PHI be sent to an alternate location; and
- Obtain documentation of certain disclosures made of their health care records.

Administrative Safeguards
Covered entities must develop written privacy procedures and implement appropriate safeguards. For example, covered entities must designate a privacy official, train employees and establish a system for receiving complaints. Covered entities must refrain from intimidating or retaliatory acts, and they cannot require a waiver of HIPAA privacy rights.

REQUIREMENTS FOR HEALTH PLAN SPONSORS
The compliance requirements indirectly imposed upon a plan sponsor by the HIPAA Privacy Rule vary based on whether or not the plan sponsor has access to PHI.

Plan Sponsors Offering a Fully Insured Group Health Plan: No Access to PHI
A plan sponsor that offers a fully insured group health plan will be minimally impacted by the HIPAA Privacy Rule if its access to health information is limited to the following plan sponsor functions:
- Assisting employees with claim disputes as permitted by the employees' written authorization;
- Receiving summary health information (SHI) for purposes of obtaining premium bids or modifying, amending or terminating the plan; and
- Conducting enrollment and disenrollment activities.

SHI summarizes claims history, claims experience or type of claims experienced by individuals for whom a plan sponsor has provided health benefits under a group health plan. The HIPAA Privacy Rule requires that certain identifiers, such as name, Social Security number and date of birth, be excluded from SHI.

While insurance carriers are required to comply with the majority of requirements contained within the HIPAA Privacy Rule on behalf of the group health plan, plan sponsors within this category may not:
- Require an individual to waive the rights afforded to him or her by the HIPAA Privacy Rule as a condition on the provision of treatment, payment, enrollment in a health plan or eligibility for benefits;
- Intimidate, threaten, coerce, discriminate against or take other retaliatory action against an individual for exercising his or her rights provided by the HIPAA Privacy Rule; or
- Use PHI received in connection with an employee benefit plan when making employment-related decisions.

Plan Sponsors Offering a Fully Insured or Self-funded Group Health Plan With Access to PHI
Sponsors of fully insured group health plans that have access to PHI for plan administration functions will be required to comply with the Privacy Rule's requirements. These requirements also apply to sponsors of self-funded group health plans. Where a plan sponsor has access to PHI in order to perform plan administration functions, the plan sponsor must do all of the following:
- Amend the plan documents to include a description of permitted uses and disclosures of PHI by the plan sponsor;
- Certify to the group health plan that the plan documents have been amended; and
- Comply with all of the administrative requirements contained within the HIPAA Privacy Rule.

Plan administration functions include claims processing, quality improvement and fraud detection activities.

WHAT ARE THE ADMINISTRATIVE REQUIREMENTS OF THE HIPAA PRIVACY RULE?
In general, the HIPAA Privacy Rule requires plan sponsors with access to PHI, together with the group health plan, to comply with all of the following administrative requirements contained within the HIPAA Privacy Rule.
- Limit its use and disclosure of PHI to activities related to treatment, payment and health care operations (unless specific patient authorization permits otherwise), including the creation of internal firewalls;
- Designate a privacy official;
- Train members of its workforce on its policies and procedures with respect to PHI;
- Create policies and procedures designed to ensure compliance with the HIPAA Privacy Rule, including providing plan participants with a right to:
  - Access and copy records containing their PHI;
  - Amend records which contain their PHI;
  - An accounting of disclosures made containing their PHI during the last six years (an accounting is not required for disclosures made for treatment, payment or health care operations or pursuant to an authorization); and
  - Request reasonable restrictions on the use and disclosure of PHI, including that communications containing PHI be sent to an alternate location.
- Provide a notice of privacy practices (Privacy Notice) to all new plan participants at enrollment;
- Provide a process for individuals to make complaints concerning its policies and procedures related to use and disclosure of PHI;
- Refrain from taking retaliatory action against an individual that makes a complaint with the plan sponsor, group health plan or HHS alleging a violation of the HIPAA Privacy Rule;
- Require that any business associate that is provided access to PHI agrees to limit its use and disclosure of PHI as set forth in the HIPAA Privacy Rule;
- Establish and apply appropriate sanctions against business associates and members of its workforce that fail to comply with its privacy policies and procedures;
- Report to the group health plan about any violations of its privacy policy and procedures;
- Mitigate, to the extent possible, the harmful effect of any violation of its privacy policies;
- Not require individuals to waive their privacy rights as a condition of enrollment in the plan, eligibility for benefits, treatment or payment;
- Refrain from using PHI received in connection with an employee benefit plan when making employment-related decisions; and
- If feasible, return or destroy all PHI when no longer needed.

In addition, all plan participants must also be notified every three years that a Privacy Notice is available and how they may obtain a copy. Plan sponsors of fully insured plans with access to PHI must provide a Privacy Notice upon request.

In order for a plan sponsor or other third party to discuss a pending claim on behalf of the plan participant with an insurance carrier or third-party administrator, the HIPAA Privacy Rule requires that the insurance carrier or third-party administrator be provided with the plan participant's written authorization.

ENFORCEMENT
HHS' Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy Rule. OCR has increased its enforcement of the HIPAA Privacy and Security Rules in recent years, with some costly outcomes for covered entities. OCR enforces HIPAA's Privacy and Security Rules by investigating complaints that are filed with it, conducting compliance reviews of covered entities and business associates and performing education and outreach to promote compliance with the Rules' requirements. OCR also works in conjunction with the Department of Justice (DOJ) to refer possible criminal violations of HIPAA.

An OCR investigation may trigger civil penalties for a covered entity or business associate. The penalty amounts vary based on the type of violation. Also, penalties may not apply if the violation is corrected within 30 days of when the person knew, or should have known, of the violation.

Type of violation                                    Each violation          All violations of identical provision in a calendar year
Did not know about violation                         $100 - $50,000          $1.5 million
Violation due to reasonable cause                    $1,000 - $50,000        $1.5 million
Corrected violation caused by willful neglect        $10,000 - $50,000       $1.5 million
Violation caused by willful neglect, not corrected   $50,000 (no maximum)    $1.5 million

The possible criminal penalties that may be assessed for violations of the HIPAA Privacy and Security Rules are $50,000 and one year in prison for knowing violations, $100,000 and five years in prison for violations committed under false pretenses, and $250,000 and 10 years in prison for offenses committed for commercial or personal gain.