Privacy Sleuths: Solving the Mystery of Wellness Program Privacy Compliance

2015 National Wellness Conference
Barbara J. Zabawa, JD, MPH, Center for Health Law Equity, LLC

Agenda
- Health Data Exposure
- ADA, GINA and EEOC Proposed Rules on the ADA and Workplace Wellness
- HIPAA Privacy/Security: Who is Subject to HIPAA
- Case Examples
- Significance of Being Subject to HIPAA
- State Privacy Laws

Health Data Exposure
- Anthem and CareFirst breaches
- Fitness tracker data

Americans with Disabilities Act (ADA)
- Prohibits discrimination by employers on the basis of disability in regard to the terms, conditions and privileges of employment.
- Discrimination includes requiring medical examinations and making inquiries as to whether an employee has a disability, unless the exam or inquiry is job-related and consistent with business necessity.
- Medical exams = procedures and tests that seek information about an employee's health.

ADA
- Requires confidentiality of medical exam and disability inquiry records.
- Must use separate forms and keep the records in separate medical files.
- Accessing employee health information directly through the personnel file is no different from asking about health status.

GINA Title II
- Title II generally prohibits employers from discriminating against employees or applicants because of genetic information.
- Prohibits employers from requesting, requiring or purchasing genetic information.

GINA Title II
- Exception for voluntary wellness programs.
- The individual must provide prior knowing, voluntary and written authorization. The authorization may be electronic; it describes what genetic information will be obtained and the purposes for which it will be obtained, and states that the individually identifiable information is not accessible to coworkers or supervisors.

GINA Title II
- If the employer has genetic information, it must keep this information separate from personnel files.
- It can be maintained in the same file as medical information obtained under the ADA.

ADA & GINA
Employee health information should be: SEPARATE & CONFIDENTIAL

EEOC Proposed ADA Rules
Three primary changes:
1. Aligns the ADA with the ACA by imposing a 30% incentive limit
2. Imposes the incentive limit on participatory programs
3. Requires employee notice and privacy/security protections with regard to wellness information

EEOC Proposed ADA Rules
- Programs that collect medical information must provide employees with notice.
- Employers and vendors must protect the confidentiality of health information.

EEOC Proposed ADA Rules
- EEOC expects group health plan programs to abide by the HIPAA privacy/security rules.
- Employer certification requirements apply to those who administer programs.
- Best practice: separate those who handle individually identifiable health information from those who make employment-related decisions. Use of a third-party vendor may help.

EEOC Proposed ADA Rules
- Employers and vendors should have clear privacy policies and procedures related to medical information: collection, storage, disclosure.

EEOC Proposed ADA Rules
- Discusses proper training of individuals who handle medical information: the ADA and other privacy laws.
- Discipline employees who improperly disclose health information.
- Terminate vendors responsible for breaches of confidentiality.

EEOC Proposed ADA Rules
- Online systems and technology should guard against unauthorized access: encryption.
- Employers that administer their own wellness program need firewalls to prevent unintended disclosures.
- Report and investigate breaches.

EEOC Proposed ADA Rules
IF COVERED BY THE HIPAA PRIVACY/SECURITY RULE, FOLLOW IT!

HIPAA
The Privacy Regulations protect Protected Health Information, or PHI.

PHI is Individually Identifiable Health Information that is transmitted or maintained in any form or medium.
PHI excludes:
- education records
- student medical records
- employment records

HIPAA Applies to Covered Entities
Covered Entities:
- Health plans
- Providers who conduct one or more of the HIPAA-defined transactions electronically. KEY: HIPAA does not apply to providers that do not engage in covered electronic transactions.
- Clearinghouses

Health Plans
- Individual or group.
- Must provide medical care directly or through insurance.
- Group health plans must have 50 or more participants or be administered by a TPA.
- Excepted benefits are not health plans.

What is medical care? Amounts paid for:
a. diagnosis, cure, mitigation, treatment, or prevention of disease;
b. the purpose of affecting any structure or function of the body;
c. transportation primarily for and essential to purposes (a) or (b); or
d. insurance covering (a) or (b).

Examples of health plans in the wellness context:
- Wellness program offered by a health insurer;
- Wellness program offered by Medicare or Medicaid;
- Wellness program offered by an employer as part of its employee health coverage plan;
- Wellness program that provides medical care to 50 or more participants.

Who are Providers?
- Any person or organization who furnishes, bills, or is paid for health care in the normal course of business, AND
- Who transmits any health information in electronic form in a covered transaction, directly or through a business associate.

What is health care?
Care, services, or supplies related to the health of an individual, including preventive, diagnostic, therapeutic, maintenance, counseling and assessment services, with respect to the physical or mental condition or functional status of an individual, or that affect the structure or function of the body.

Covered Transactions
- Claims for payment
- Encounter information to report health care
- Plan eligibility or coverage inquiries
- Prior authorizations
- Plan enrollment information
- Premium payment processing
- Coordination of benefit determinations

Possible health providers in the wellness context (remember: 2 elements):
A wellness organization that provides:
- Flu shots
- Health assessments
- Biometric screens
- Coaching
- Yoga or fitness classes
Do these services qualify as health care? If health care, then is there a covered transaction? Likely candidates are:
a. Eligibility inquiries to the health plan
b. Encounter information for reporting health care
Example for (b): a small employer hires a vendor to conduct health assessments of its workforce and asks the vendor to email the names of participants.
Covered Entity (Provider) status will likely hinge on whether you conduct a covered transaction.

Many parts of HIPAA also apply to Business Associates.

What is a Business Associate?
A person who is not a member of the CE's workforce and who, with respect to a CE:
1. Performs a function or activity using individually identifiable health information involving: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; repricing;
2. Performs any other function or activity regulated by HIPAA; or
3. Provides any of the following services to or for the CE (where the service involves the disclosure of individually identifiable health information): legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, financial.

BA also includes:
- Companies that maintain PHI on behalf of a CE (e.g., a data storage company)
- Patient safety organizations
- Companies that transmit PHI to a CE

More BA examples:
- PHR vendors
- Subcontractors to BAs that create, receive, maintain or transmit PHI on behalf of the BA.

Wellness vendors are most likely subject to HIPAA either as a:
- Provider (Covered Entity): the covered transaction is key
- Business Associate
Workplace wellness programs are most likely health plans.

Confused?

Case Example 1
WECare Plan contracts with WellWays, a wellness vendor, to provide health assessments and biometric screens of plan participants. No follow-up with participants will occur; WellWays will only provide results. Is WellWays subject to HIPAA, and if so, how?

Case Example 2
WellWays contracts with ACME, Inc. to provide diet and fitness services at ACME's onsite clinic. Employees interested in attending just show up; no preregistration is required. Is WellWays subject to HIPAA, and if so, how?

Case Example 3
ACME, an employer with 25 employees, contracts with WellWays to administer flu shots to its employees. ACME pays WellWays based on the number of shots administered. Employees volunteer to receive the shots (no incentives). WellWays administers the program and collects and keeps the records of who received the shots. Is WellWays subject to HIPAA, and if so, how?

Case Example 4
A local parochial school contracts with WellWays to provide flu shots to its students (whose parents sign permission slips). WellWays administers the program and collects and keeps the records. Is WellWays subject to HIPAA, and if so, how?

Case Example 5
St. Mary's Hospital hires WellWays to offer health coaching and fitness classes to its health plan participants who are over a certain BMI. Participants who attend coaching sessions and/or fitness classes will have a lower premium payment. Is WellWays subject to HIPAA, and if so, how?

Case Example 6
A law firm allows a local massage therapist to offer 15-minute chair massages for $20 to self-paying employees each Friday. Is the massage therapist subject to HIPAA, and if so, how?

Subject to HIPAA: So What?
Covered Entities must have:
- Privacy and Security Policies & Procedures
- A Privacy and Security Official
- A Notice of Privacy Practices
- Patient Authorizations
- Business Associate Agreements
- Minimum Necessary Standards
- Breach Standards
- Plan Sponsor Disclosure Standards

Subject to HIPAA: So What?
Business Associates must:
- Comply with the Business Associate Agreement (BAA)
- Comply with the Security Rule
- Implement security policies and procedures
- Enter into a BAA with their subcontractors
- Cooperate with government investigations into compliance
- Designate a Security Official
- Notify CEs of breaches

Subject to HIPAA: So What?
What do Privacy and Security Policies cover?
- Privacy: passwords, email use, access to PHI, employee training, BAAs, employee discipline, breaches, authorizations.
- Security: internet use, email use, workforce access, facility security, risk analysis, data backup, BAAs, breaches.

Subject to HIPAA: So What?
CEs and BAs must:
- Implement policies and procedures designed to comply with the Breach, Privacy and/or Security Rules;
- Change policies and procedures as necessary to comply with changes in the law;
- Document all changes made to policies and procedures and maintain all policies for 6 years;
- Train employees on changes made to policies and procedures.

Subject to HIPAA: So What?
CEs and BAs must execute Business Associate Agreements (BAAs).

Subject to HIPAA: So What?
BAA amendments (as of 2013):
- Require BAs to comply with the Security Rule
- Require the BA to report to the CE any breach of unsecured PHI
- Require the BA to enter into a BAA with its subcontractors
- Require the BA to comply with the Privacy Rule to the extent the BA carries out a CE's obligation under the Privacy Rule

BAA Examples
- Software vendor for a Covered Entity: BAA required?
- Disclosures to a health plan sponsor (such as an employer) by a group health plan: BAA required?
Good resource: http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/index.html

Subject to HIPAA: So What?
Notice of Privacy Practices (NPP)
- Summarizes how the Covered Entity uses and discloses a patient's PHI.
- Details the patient's rights with respect to their PHI.

Subject to HIPAA: So What?
Patient authorization is usually needed for uses and disclosures. Exceptions for:
- Treatment
- Payment
- Health care operations
- Workers' compensation
- Other disclosures required by law

Subject to HIPAA: So What?
The HIPAA minimum necessary standard generally requires that providers and insurers make reasonable efforts to limit uses and disclosures of protected health information to the minimum necessary to accomplish the intended purpose. Exceptions for:
- treatment
- disclosures to the patient
- disclosures to DHHS

Subject to HIPAA: So What?
CEs with unsecured PHI must notify the affected individual, HHS and in some cases the media in the event of a breach. BAs must also notify CEs of a breach.

Subject to HIPAA: So What?
"Breach" is the unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of such information.

Subject to HIPAA: So What?
PHI is "unsecured" if it has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology approved by HHS. Encryption and destruction are the two ways to secure PHI. Access controls and firewalls do not make electronic data secure, and redaction of paper documents does not make them secure. (The HHS guidance also expects the decryption key to be kept separate from the encrypted data; encrypted data whose key was taken in the same incident is not "secured.")

Subject to HIPAA: So What?
An impermissible use or disclosure of PHI is presumed to be a breach unless the CE or BA demonstrates there is a low probability that the PHI has been compromised. There is no definition of "compromised."

Subject to HIPAA: So What?
To determine whether there is a low probability that PHI has been compromised, conduct a risk assessment considering the following four factors:
1. The nature and extent of the PHI involved
2. Who used the PHI, or to whom was it disclosed?
3. Was the PHI actually acquired or viewed?
4. To what extent has the risk to the PHI been mitigated?
Document the risk assessment to demonstrate why the PHI has not been compromised.

Subject to HIPAA: So What?
Four exceptions for situations in which a breach would otherwise occur:
1. Breach of secured PHI.
2. Unintentional acquisition, access or use of PHI by an employee or individual acting under the authority of a CE or BA.
3. Inadvertent disclosure of PHI from one person authorized to access PHI at a CE or BA to another person authorized to access PHI at the same CE or BA.
4. Unauthorized disclosures in which the unauthorized person to whom the PHI is disclosed would not reasonably have been able to retain the information.

Subject to HIPAA: So What?
Upon a breach, the CE must notify each individual whose information has been, or is reasonably believed to have been, breached within 60 calendar days of the discovery of the breach by the CE. Sixty days is the outer limit; the rule also requires notice without unreasonable delay. A breach is "discovered" on the first day on which the breach is known or should reasonably have been known. If a BA experiences a breach of unsecured PHI, it must notify the CE within 60 days after discovery and identify the individuals affected so that the CE can timely inform them.

Subject to HIPAA: So What?
If a breach affects 500 or more individuals, the CE must also provide notice to HHS and prominent media outlets within 60 days after discovery of the breach. For breaches affecting fewer than 500 individuals, the CE must maintain a log of the breaches during the year and annually submit the log to HHS not later than 60 days after the end of the calendar year in which the breach was discovered.

Subject to HIPAA: So What?
Plan Sponsor Disclosure Standards
CEs may disclose PHI, without patient authorization, to a plan sponsor that administers aspects of the plan if the employer certifies to the plan that it will safeguard the PHI and not improperly use or share it. CEs may disclose de-identified, aggregate information from a wellness program to the employer.
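The breach-handling slides above describe a decision procedure (is the PHI secured, does an exception or a documented low-probability finding apply, who discovered it, how many individuals) followed by fixed deadlines. The following is an added example, not part of the original deck and not the author's own material, that encodes that procedure so an incident-response team can produce a notification plan from a breach record. The exception labels, the BreachRecord and NotificationPlan types, and the sample incident are assumptions constructed for illustration; the outcome of the four-factor risk assessment is taken as an input because the deck gives the factors but no scoring.

```python
"""Breach-notification planner for a HIPAA Covered Entity (CE) or Business
Associate (BA).  Added example; it encodes the timelines and thresholds cited
in the slides and does not try to score the four-factor risk assessment."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

NOTIFY_WINDOW_DAYS = 60        # outer limit; the rule also requires "without unreasonable delay"
LARGE_BREACH_THRESHOLD = 500   # 500+ individuals: HHS and media notice within the same window

# The deck's four exceptions to what would otherwise be a breach (keys are our labels).
EXCEPTIONS = {
    "secured_phi": "PHI was encrypted or destroyed per HHS guidance",
    "unintentional_workforce_access": "unintentional acquisition/access/use by a person acting under CE/BA authority",
    "inadvertent_internal_disclosure": "inadvertent disclosure between persons authorized to access PHI at the same CE/BA",
    "cannot_retain": "recipient could not reasonably have retained the information",
}


@dataclass
class BreachRecord:
    discovered: date                          # first day the breach was known or should have been known
    individuals_affected: int
    discovered_by: str = "CE"                 # "CE" or "BA"
    exception: Optional[str] = None           # key in EXCEPTIONS, if one applies
    low_probability_documented: bool = False  # documented result of the four-factor risk assessment


@dataclass
class NotificationPlan:
    notification_required: bool
    reason: str
    recipients: List[str] = field(default_factory=list)
    deadlines: Dict[str, date] = field(default_factory=dict)


def annual_log_deadline(year: int) -> date:
    """Log of sub-500 breaches is due no later than 60 days after the end of the calendar year."""
    return date(year, 12, 31) + timedelta(days=NOTIFY_WINDOW_DAYS)


def plan_notifications(rec: BreachRecord) -> NotificationPlan:
    """Apply the deck's breach rules to one record and return who must be told and by when."""
    if rec.exception is not None:
        if rec.exception not in EXCEPTIONS:
            raise ValueError(f"unknown exception {rec.exception!r}")
        return NotificationPlan(False, f"exception applies: {EXCEPTIONS[rec.exception]}")
    if rec.low_probability_documented:
        return NotificationPlan(False, "documented risk assessment shows low probability that PHI was compromised")

    # Otherwise an impermissible use or disclosure of unsecured PHI is presumed to be a breach.
    window_end = rec.discovered + timedelta(days=NOTIFY_WINDOW_DAYS)
    plan = NotificationPlan(True, "impermissible use/disclosure of unsecured PHI is presumed a breach")

    if rec.discovered_by == "BA":
        # A BA's duty is to the CE, with the identities of affected individuals,
        # so that the CE can notify them in time.
        who = "covered entity (with identities of affected individuals)"
        plan.recipients.append(who)
        plan.deadlines[who] = window_end
        return plan

    plan.recipients.append("affected individuals")
    plan.deadlines["affected individuals"] = window_end
    if rec.individuals_affected >= LARGE_BREACH_THRESHOLD:
        for who in ("HHS", "prominent media outlets"):
            plan.recipients.append(who)
            plan.deadlines[who] = window_end
    else:
        who = "HHS (annual breach log)"
        plan.recipients.append(who)
        plan.deadlines[who] = annual_log_deadline(rec.discovered.year)
    return plan


if __name__ == "__main__":
    # Constructed sample incident: a CE learns on 1 June 2015 that an unencrypted
    # laptop holding 1,200 wellness-screening records was lost.
    sample = BreachRecord(discovered=date(2015, 6, 1), individuals_affected=1200)
    plan = plan_notifications(sample)
    print(plan.reason)
    for who in plan.recipients:
        print(f"  notify {who} by {plan.deadlines[who].isoformat()}")
```

Running the sample prints a 31 July 2015 deadline for individuals, HHS and media. Swapping in `exception="secured_phi"` (the laptop was encrypted and the key was not lost with it) yields no notification duty, which is the practical payoff of the "encryption and destruction" point above.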

Subject to HIPAA: So What?
Willful neglect: the conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated. 45 CFR s. 160.401

Know that HIPAA merely sets a floor of protection. The "more stringent requirement" allows more stringent state law to govern. "More stringent" means the state law provides patients with greater rights of access or greater privacy protection of health information.

State privacy laws tend to be:
- Entity specific (e.g., health care providers); or
- Condition specific (HIV, mental health, substance abuse)
Wisconsin law example: a subpoena is insufficient; a court order is needed.

Other Privacy
HIPAA privacy compliance may not be enough. Penn State "Take Care of Your Health" example.

Questions? For more information, contact:
Barbara J. Zabawa, JD, MPH
The Center for Health Law Equity, LLC
Phone: 608-579-1267
Email: bzabawa@cfhle.com