The American Recovery Reinvestment Act and Health Care Reform Puzzle


The American Recovery Reinvestment Act and Health Care Reform Puzzle Carolyn Heyman-Layne Alaska HCCA Conference March 1, 2012

Comparison of Breach Notification Provisions in the HITECH Act [1] and the Alaska Personal Information Protection Act

Reporting Trigger
- HITECH/HIPAA: Discovery of a breach of unsecured protected health information (PHI). Unsecured PHI is PHI that is not secured through a means that HHS has approved as rendering the PHI unusable or unreadable to unauthorized persons. [2]
- AK PIPA: Discovery or notification of a breach, if there is a reasonable likelihood that harm to the consumers has resulted or will result from the breach. [3]

Definition of Breach
- HITECH/HIPAA: The acquisition, access, use or disclosure of PHI in a manner not permitted under HIPAA, which compromises the security or privacy of the PHI. [4]
- AK PIPA: Unauthorized acquisition, or reasonable belief of unauthorized acquisition, of personal information that compromises the security, confidentiality or integrity of the personal information. [5]

Exceptions to Breach
- HITECH/HIPAA: Breach excludes unintentional acquisition, access or use of PHI by a person working under the authority of a covered entity or business associate, if made in good faith, within the scope of authority, and it does not result in further use or disclosure of the PHI. Also excluded are disclosures between persons at the same covered entity, business associate or organized health care arrangement if the persons are authorized and the information will not be further used or disclosed in an impermissible manner. The last exclusion is for a disclosure of PHI where the covered entity or business associate has a good faith belief that the information could not have been retained.
- AK PIPA: Notification is not required for good faith acquisition of information by an employee or agent for a legitimate purpose, as long as the information is not used for an illegitimate purpose and is not further disclosed.

Notes:
[1] The Health Information Technology for Economic and Clinical Health Act, which modified the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The regulations regarding breach reporting are still in interim form; final regulations are expected 3/2012.
[2] Please note that even if your data is with a program that meets HHS standards and is thus generally secured, you could still have unsecured PHI floating on jump drives, CDs, home laptops, etc. Guidance can be found at 74 Fed. Reg. 42740 (Aug. 24, 2009).
[3] The determination of whether the breach will result in harm should be documented in writing and maintained for five years.
[4] For the purposes of this definition, "compromises the security or privacy of the PHI" means poses a significant risk of financial, reputational or other harm to the individual.
[5] "Personal information" means information in any form on an individual that is not encrypted or redacted, or is encrypted and the key has been accessed, and that consists of a combination of an individual's name and one or more of the following: SSN, driver's license or state ID, account numbers, credit card numbers, debit card numbers, personal code, security code, password or personal identification number.

Type of Notification
- HITECH/HIPAA: Written notification to each individual by first class mail.
- AK PIPA: Written notification, or electronic means if the primary method of communication with the individual is electronic or if it is consistent with the Electronic Signatures in Global and National Commerce Act.

What to do if Contact Information is not Sufficient?
- HITECH/HIPAA: If contact information is not sufficient for more than 10 individuals, notification must also be on the home page of the covered entity website or in major media (print or broadcast).
- AK PIPA: Notice may be provided by email, if an email address is available. It must also be clearly posted on the website and provided to major statewide media.

What if Notice is Cost Prohibitive?
- HITECH/HIPAA: Not addressed.
- AK PIPA: If the cost would exceed $150,000 and the number of affected individuals exceeds 300,000, then notice can be provided by email, and should be clearly posted on the website and provided to major statewide media.

Number of Persons Affected that Triggers Notification to Media
- HITECH/HIPAA: More than 500 residents of a state or jurisdiction.
- AK PIPA: Any amount, if contact information is insufficient. Otherwise, 300,000.

When to Send Notice
- HITECH/HIPAA: Within 60 calendar days after discovery. Discovery occurs when the breach is known or should reasonably have been known.
- AK PIPA: In the most expeditious time possible and without unreasonable delay, as necessary to determine the scope of the breach and restore the integrity of the information system.

Information to be Included in Notice
- HITECH/HIPAA:
  1. Brief description of the breach, including date of breach and date of discovery.
  2. Description of the types of PHI involved.
  3. Steps the individual should take to protect themselves.
  4. Brief description of what the entity is doing to mitigate, investigate and protect.
  5. Contact procedures for questions or additional information, including a toll-free telephone number, email, Web site or address.
- AK PIPA: Not addressed.

Notice to Government and Third Parties
- HITECH/HIPAA: Required notice to HHS, immediately if more than 500 persons are affected, and in an annual log if fewer than 500 persons are affected.
- AK PIPA: If more than 1,000 state residents are affected, shall provide general notice to consumer credit reporting agencies.

Who is responsible for notice?
- HITECH/HIPAA: Covered Entity. Business Associates are required to report to Covered Entities, who are then responsible for notice (unless otherwise agreed upon in the business associate agreement).
- AK PIPA: Information distributor or information collector. Information recipients are required to notify the information distributor.

Delay Permitted?
- HITECH/HIPAA: Yes, for law enforcement, if a law enforcement official states that notice would impede a criminal investigation or otherwise cause damage to national security. Only for 30 days, unless the law enforcement request is in writing.
- AK PIPA: Yes, if a law enforcement agency determines that disclosing the breach will interfere with a criminal investigation.

Effective Date of Breach Notification Provisions
- HITECH/HIPAA: September 15, 2009
- AK PIPA: July 1, 2009
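The comparison above is the kind of logic an incident-response playbook encodes so that the notification checklist is produced consistently for every breach. The following is an added example written for this page, not part of the handout; the Breach record, its field names and the sample breaches are constructed, and the reading of AK PIPA's "otherwise, 300,000" media trigger as "more than 300,000 affected" is an assumption.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Breach:
    """Facts a responder gathers before deciding on notice (constructed fields)."""
    discovered: str               # ISO date the breach was known or should have been known
    phi_unsecured: bool           # HITECH: PHI was not secured per HHS guidance
    harm_likely: bool             # AK PIPA: reasonable likelihood of harm (document, keep 5 years)
    affected_total: int           # all individuals affected
    residents_in_state: int       # affected residents of one state/jurisdiction
    insufficient_contacts: int    # individuals with insufficient contact information
    notice_cost: float            # estimated cost of individual notice (AK PIPA threshold)
    le_request_in_writing: bool = False  # law-enforcement delay request received in writing

def hitech_duties(b: Breach) -> dict:
    """Notification duties under HITECH/HIPAA as summarised in the comparison table."""
    if not b.phi_unsecured:
        return {"notify": False, "reason": "no breach of unsecured PHI"}
    actions = ["written notice to each individual by first-class mail",
               "business associate reports to covered entity, which gives notice"]
    if b.insufficient_contacts > 10:
        actions.append("substitute notice on home page or in major print/broadcast media")
    if b.residents_in_state > 500:
        actions.append("notify major media in the state/jurisdiction")
    actions.append("notify HHS immediately" if b.affected_total > 500
                   else "record in annual log to HHS")
    deadline = date.fromisoformat(b.discovered) + timedelta(days=60)  # 60 calendar days
    return {"notify": True,
            "deadline": deadline.isoformat(),
            # None means no fixed cap on the delay (written law-enforcement request)
            "law_enforcement_delay_days": None if b.le_request_in_writing else 30,
            "actions": actions}

def ak_pipa_duties(b: Breach) -> dict:
    """Notification duties under the Alaska Personal Information Protection Act."""
    if not b.harm_likely:
        return {"notify": False, "reason": "no reasonable likelihood of harm"}
    actions = ["written notice, or electronic notice where that is the primary channel",
               "information recipient notifies the information distributor/collector"]
    cost_prohibitive = b.notice_cost > 150_000 and b.affected_total > 300_000
    # Media notice: any size if contact information is insufficient or notice is
    # cost prohibitive; otherwise assumed to apply above 300,000 affected.
    if b.insufficient_contacts > 0 or cost_prohibitive:
        actions.append("email where addresses exist, website posting, major statewide media")
    elif b.affected_total > 300_000:
        actions.append("notify major statewide media")
    if b.residents_in_state > 1_000:
        actions.append("general notice to consumer credit reporting agencies")
    return {"notify": True,
            "deadline": "most expeditious time possible, without unreasonable delay",
            "law_enforcement_delay_days": None,  # open-ended while LE says notice would interfere
            "actions": actions}
```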

Providing Health Insurance: What are the costs?

Option 1. Provide PPACA compliant health coverage for all employees.
  Penalty: None.
  Cost: Cost of a health insurance plan that pays for at least 60% of covered health care expenses, with employee cost limited to 9.5% of family income or less.

Option 2. Provide a limited health plan to employees.
  Penalty: Penalty A = $3,000/yr. x (# of full-time equivalent employees receiving the tax credit - 30)
  Cost: Cost of the limited health insurance plan for those employees who choose the plan + Penalty A.

Option 3. Continue to provide no insurance for employees.
  Penalty: Penalty B = $2,000/yr. x (# of full-time equivalent employees - 30)
  Cost: Penalty B.

Penalty A Example 1: If Employer has 100 full-time equivalents and 80 select the employer plan and 20 select the tax credit for alternate coverage, then there would be no penalty because the number of employees receiving the tax credit does not exceed 30.

Penalty A Example 2: If Employer has 100 full-time equivalents and 50 select the employer plan and 50 select the tax credit for alternate coverage, then the penalty would equal $3,000 x (50-30) = $60,000.

Penalty A Example 3: If Employer has 100 full-time equivalents and 10 select the employer plan and 90 select the tax credit for alternate coverage, then the penalty would exceed the total for Penalty B below ($3,000 x (90-30) = $180,000) and so Penalty A would equal Penalty B: $140,000. Employer would pay this penalty in addition to the cost for the ten employees who selected the plan.

Penalty B Example: If Employer has 100 full-time equivalents, it would pay $2,000 x (100-30) = $140,000.

Calculating the Penalty: Is providing health insurance worth it?

Decision rules:
- Cost of fully PPACA compliant health plan < Penalty B: implement the compliant plan.
- Cost of fully PPACA compliant health plan > Penalty B: conduct additional analysis of limited health plan costs:
  - Estimated cost of limited plan + Penalty A < Penalty B: offer the limited plan.
  - Estimated cost of limited plan + Penalty A > Penalty B: offer nothing.

A few examples:

1. Employer X has 50 employees. He contacted his insurance broker and determined that providing PPACA compliant health insurance would cost $10,000 per year, per employee.
   a. Cost of PPACA compliant health plan = $10,000 x 50 = $500,000
      Penalty B = $2,000 x (50-30) = $40,000
      Cost of PPACA compliant health plan ($500,000) > Penalty B ($40,000). Therefore, conduct additional analysis of limited health plan costs.
   b. The limited health plan would cost $2,000 per year, per employee, and Employer X estimates that ½ the employees would choose the limited plan and ½ would receive the tax credit.
      Est. cost of ltd. plan + Penalty A = ($2,000 x 25) + $0 (25 - 30 < 0, so no Penalty A) = $50,000
      Penalty B = $40,000
      Est. cost of ltd. plan + Penalty A ($50,000) > Penalty B ($40,000). Therefore, Employer X is financially better off offering nothing, if he thinks he correctly estimated the number of employees choosing each option.

2. Employer X has 100 employees. He contacted his insurance broker and determined that providing PPACA compliant health insurance would cost $10,000 per year, per employee. He also thinks that ½ the employees will choose the limited option and the other half would choose the credit.
   a. Cost of PPACA compliant health plan = $10,000 x 100 = $1,000,000
      Penalty B = $2,000 x (100-30) = $140,000
      Cost of PPACA compliant health plan ($1,000,000) > Penalty B ($140,000). Therefore, conduct additional analysis of limited health plan costs.

   b. The limited health plan would cost $1,000 per year, per employee.
      Est. cost of ltd. plan + Penalty A = ($1,000 x 50) + ($3,000 x (50-30)) = $110,000
      Penalty B = $140,000
      Est. cost of ltd. plan + Penalty A ($110,000) < Penalty B ($140,000). Therefore, Employer X is financially better off providing a limited plan, if he thinks he correctly estimated the number of employees choosing each option.

3. Employer X has 100 employees. He contacted his insurance broker and determined that providing PPACA compliant health insurance would cost $10,000 per year, per employee. He believes that 10 employees will choose the limited plan and 90 will choose the credit.
   a. Cost of PPACA compliant health plan = $10,000 x 100 = $1,000,000
      Penalty B = $2,000 x (100-30) = $140,000
      Cost of PPACA compliant health plan ($1,000,000) > Penalty B ($140,000). Therefore, conduct additional analysis of limited health plan costs.
   b. The limited health plan would cost $1,000 per year, per employee.
      Est. cost of ltd. plan + Penalty A = ($1,000 x 10) + ($3,000 x (90-30)) = $190,000
      Penalty B = $140,000
      Est. cost of ltd. plan + Penalty A ($190,000) > Penalty B ($140,000). Therefore, Employer X is financially better off offering nothing, if he thinks he correctly estimated the number of employees choosing each option.

If the employer has no idea whether his employees will choose the limited option or the tax credit, it will be extremely difficult to determine what option to select.
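The penalty rules and decision tree above, carried through in code as an added example that is not part of the handout. It applies the cap from Penalty A Example 3 of the penalty table, so case 3b comes out at $150,000 rather than the $190,000 shown (the decision is unchanged), assumes every employee who declines the limited plan takes the tax credit, and adds a break-even search for the uncertain take-up the closing sentence raises.

```python
def penalty_b(fte: int) -> int:
    """Penalty B: $2,000/yr for each full-time equivalent beyond the first 30 (no coverage)."""
    return 2_000 * max(fte - 30, 0)

def penalty_a(fte: int, taking_credit: int) -> int:
    """Penalty A: $3,000/yr for each FTE receiving the tax credit beyond the first 30,
    capped at Penalty B as in Penalty A Example 3 of the penalty table."""
    return min(3_000 * max(taking_credit - 30, 0), penalty_b(fte))

def limited_plan_cost(fte: int, limited_cost_per_employee: int, taking_limited: int) -> int:
    """Cost of the limited-plan option: premiums for those who take it plus Penalty A.
    Assumption: every employee who declines the limited plan takes the tax credit."""
    return limited_cost_per_employee * taking_limited + penalty_a(fte, fte - taking_limited)

def recommend(fte: int, compliant_cost_per_employee: int,
              limited_cost_per_employee: int, taking_limited: int) -> dict:
    """Apply the handout's decision rules; an exact tie falls through to the next test."""
    compliant = compliant_cost_per_employee * fte
    b = penalty_b(fte)
    if compliant < b:
        return {"choice": "compliant plan", "compliant": compliant, "penalty_b": b}
    limited = limited_plan_cost(fte, limited_cost_per_employee, taking_limited)
    choice = "limited plan" if limited < b else "offer nothing"
    return {"choice": choice, "compliant": compliant, "penalty_b": b, "limited": limited}

def breakeven_limited_takers(fte: int, limited_cost_per_employee: int):
    """Smallest number of employees who must choose the limited plan for that option to
    beat Penalty B, or None if no take-up rate makes it cheaper. This is the sensitivity
    check the handout's closing remark about unknown take-up calls for."""
    b = penalty_b(fte)
    for k in range(fte + 1):
        if limited_plan_cost(fte, limited_cost_per_employee, k) < b:
            return k
    return None

if __name__ == "__main__":
    # The three Employer X cases from the handout (constructed inputs taken from the text).
    for fte, lim, k in [(50, 2_000, 25), (100, 1_000, 50), (100, 1_000, 10)]:
        print(fte, recommend(fte, 10_000, lim, k), breakeven_limited_takers(fte, lim))
```

For Employer X with 50 employees the search returns None: at $2,000 per head the limited plan never undercuts the $40,000 Penalty B whatever the take-up, so the case 1 conclusion does not depend on the ½ estimate.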

Health Reform Resources:

General Summaries:
  o Kaiser Foundation: http://healthreform.kff.org/
  o Government website: http://www.healthcare.gov/law/index.html
  o White House: http://www.whitehouse.gov/healthreform/healthcareoverview

IRS Guidance on W-2 requirement:
  o Notice 2011-28: http://www.irs.gov/pub/irs-drop/n-11-28.pdf
  o FAQs: http://www.irs.gov/newsroom/article/0,,id=237894,00.html

Affordable Care Act Tax Provisions: http://www.irs.gov/newsroom/article/0,,id=220809,00.html

Great flowchart on employer requirements: http://healthreform.kff.org/~/media/files/khs/flowcharts/requirement_flowchart_2.pdf

Robert Wood Johnson Health Policy Brief Series on Health Reform Issues: http://12.26.46.21/coverage/product.jsp?id=43708