Do You Want To Know A Secret? HIPAA s Medical Privacy Regulations


Do You Want To Know A Secret? HIPAA's Medical Privacy Regulations
2004 ABA Annual Meeting, Section of Labor and Employment Law
August 10, 2004

Presented by:
Phyllis C. Borzi, Of Counsel, O'Donoghue & O'Donoghue LLP, Washington, DC, and Research Professor, Department of Health Policy, School of Public Health and Health Services, George Washington University Medical Center, borziph@gwu.edu
Scotty Shively, Cross, Gunter, Witherspoon & Galchus, PC, Little Rock, Arkansas, sshively@cgwg
and Mary Joyce Carlson, Service Employees International Union (SEIU), Washington, DC
© 2004 Phyllis C. Borzi

The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Three major parts:
- Insurance reforms: curtailed preexisting condition limitations and exclusions; prohibited discrimination based on health-related factors
- Fraud and abuse
- Administrative simplification

What Does Administrative Simplification Include?
- Transaction standards for electronic data interchange (EDI)
- Uniform code set standards for medical information
- Unique identifiers for employers, plans, providers and individuals
- Medical privacy
- Security

Key Compliance Dates for Medical Privacy Rules
- April 14, 2003 for covered entities
- April 14, 2004 for small health plans (less than $5 million in annual receipts)
  - For insured group health plans, annual receipts means premiums paid
  - For self-insured group health plans, annual receipts means total claims paid for the plan's last full fiscal year

Where To Find HIPAA Medical Privacy Rules
- Final rule, 65 Fed. Reg. 82462 (Dec. 28, 2000)
- Final rule modifying the December 28, 2000 rule, 67 Fed. Reg. 53182 (Aug. 14, 2002)
- Text of these rules, as well as additional guidance about medical privacy, is also available on the HHS website at http://www.dhhs.gov/ocr/hipaa
- The HHS Summary of the Rule is also at the website above

What Other HIPAA Compliance Dates Are Coming Up?
- July 30, 2004: Employer Identifier Standard, all covered entities (except small health plans)
- April 20, 2005: Final compliance with the Security Rule (except small health plans)
- August 1, 2005: Employer Identifier Standard for small health plans
- April 21, 2006: Final compliance with the Security Rule for small health plans
- May 23, 2007: Final compliance re: National Provider Identifier for all but small health plans
- May 23, 2008: Final compliance re: National Provider Identifier for small health plans

Key Issues Addressed by HIPAA Privacy Rules
- Disclosure and use of protected health information
- Individual rights regarding protected health information
- Special rules for plan sponsors (employers and multiemployer plan trustees) and service providers to health plans

Basic Rule
Covered entities may only use protected health information (PHI) or disclose it:
- To the individual who is the subject of the information
- To carry out treatment, payment or health care operations activities of the covered entity
- Pursuant to a valid written authorization of the individual who is the subject of the information, or
- Pursuant to an enumerated exception found in the regulation (e.g., disclosure required by law)

Basic Rule, cont.
- Only disclosure to the individual (or the individual's personal representative) is mandatory; the others are permissible
- Even if disclosure is permissible, generally only the minimum necessary information may be disclosed
- This restriction does not apply to disclosures to the individual or the individual's personal representative, or to disclosures made pursuant to written authorization

Basic Rule, cont.
- Protections apply regardless of the form of the information (electronic, written, oral)
- PHI is protected for the life of the individual, and for as long as the covered entity maintains the PHI

Defining Key Terms: What's A Covered Entity?
Covered entity:
- Health plan
- Health care clearinghouse
- Health care provider that transmits PHI in electronic form in connection with a HIPAA transaction

What About Others That Use PHI?
Non-covered entities include:
- Employers and other plan sponsors (trustees of multiemployer health and welfare funds)
- Unions, business managers and agents
- Other insurance carriers (workers' compensation, life, disability)
- Other employee benefit plans (pension, disability)
- Service providers/vendors, including TPAs
- Lawyers, consultants, etc.
- Insurance brokers and agents

General Rule for Non-Covered Entities
Unless the use or disclosure of PHI by the covered entity to the non-covered entity is:
- For treatment, payment or health care operations of the covered entity (i.e., the group health plan), or
- Otherwise permitted under the rule,
non-covered entities can only access PHI held by a covered entity with a valid individual authorization.

What Is Protected Health Information, or PHI?
Individually identifiable health information that is:
- Created or received by a covered entity
- Transmitted or maintained by electronic media, or maintained in any other form or medium
- Related to an individual's past, present or future physical or mental condition, the provision of health care, or payment for the provision of health care
PHI includes demographic information held by the health plan.

Some Employer-Held Information Is Not PHI
Information maintained by a covered entity or plan sponsor in its capacity as an employer is not PHI. Examples:
- Medical information submitted by employees for purposes of ADA, FMLA, workers' compensation, disability benefits (including disability retirement), life insurance
- Drug screening
- Fitness for duty exams
- OSHA surveillance and screening

OSHA Surveillance & Screening
A covered entity may disclose to the employer (ER) if:
- It is providing health care at the employer's request
- The information relates to a work-related condition or workplace surveillance
- The employer needs the information to comply with OSHA
- Written notice is given to the employee that PHI will be disclosed to the employer

PHI, cont.
Biggest sources of confusion about PHI:
- Information can be PHI even if it is not clinical or medical information (demographic information)
- Unless information is created or received by a covered entity, it is not PHI, even if it is medical information
Examples:
- An electronic file with an employee's name, address, social security number, and eligibility information contains PHI
- Medical information revealed by a participant to an employer or union rep is not PHI

What Is Treatment?
Provision, coordination, or management of health care and related services by one or more health care providers. Treatment includes:
- Coordination or management with a third party
- Consultation between providers
- Referrals from one provider to another

What Is Payment?
- Activities of a health plan to obtain premiums or to fulfill coverage or benefit responsibilities
- Activities of a provider to obtain reimbursement

Typical Payment Activities
Payment activities include:
- Eligibility determinations and coverage decisions
- Risk adjustment
- Billing, claims management, collection and related data processing
- Review for medical necessity
- Claims adjudication
- Utilization review
- Disclosure to consumer reporting services

What Is Health Care Operations?
Activities of a covered entity relating to covered functions, including:
- Quality assessment and improvement
- Licensing and credentialing
- Underwriting and premium rating
- Medical review, legal and compliance reviews and audits
- Business planning, development, management
- Customer service and internal grievances
- Due diligence

HIPAA's Effect on Employers
- Although employers are not covered entities, they can be affected by HIPAA's privacy rules if they sponsor a group health plan for their employees
- The extent of HIPAA compliance that will be required depends on the extent to which the employer has access to PHI
- However, employers may not access PHI for non-health plan purposes, especially not for employment-related purposes

Who Has Primary Compliance Responsibility?
If the group health plan is:
- Fully insured and the employer/plan sponsor doesn't receive PHI, most of the administrative requirements of HIPAA don't apply to the plan
- Self-insured, all HIPAA rules apply to the plan
  - If administered by a TPA, make sure the TPA is compliant
  - If self-administered, the compliance burden is on the plan (usually carried out by the employer's HR department, but only after HIPAA's group health plan rules are adopted)

What Type of a Plan Is It?
- Is it a group health plan (GHP) covered by HIPAA at all?
  - Under 50 participants and self-administered (NO)
  - Provides excepted benefits (NO)
  - FSAs (YES)
  - HSAs, HRAs (MAYBE)
- Is it one plan or multiple plans?
- If one plan, can one self-insured feature knock you out of the fully-insured plan rule?

Compliance Steps for Self-Insured Plans
- Appoint a privacy officer
- Determine whether to use the group health plan special rules to share PHI with the employer/plan sponsor and, if so, amend the plan to include the required provisions
- Identify all business associates who use PHI and negotiate business associate contracts or amendments to existing contracts
- Develop and enforce written privacy policies and procedures
- Establish a complaint mechanism for participants
- Send the Notice of Privacy Policies to all participants
- Conduct training programs
- Establish firewalls to assure that PHI is not used for general corporate or employment-related purposes, or for other benefits or benefit plans that are sponsored by the employer

Disclosure to Plan Sponsors: Group Health Plan Rules
Disclosure of PHI to employers/plan sponsors is only permitted if the HIPAA group health plan rules have been followed, including:
- Plan documents have been amended to allow use or disclosure of PHI to the employer/plan sponsor (not required for access to enrollment information or summary health information)
- Individuals with access to PHI are identified in the plan by name, category or function

Group Health Plan Rules, cont.
- Purposes of the access are described in detail in the plan (e.g., use to decide benefit appeals, to conduct provider audits, etc.)
- The employer/plan sponsor certifies that:
  - All applicable requirements are met
  - It will be bound by the same restrictions on use or disclosure of PHI that are applicable to covered entities, and
  - It will safeguard any PHI it receives

Employer/Plan Sponsor Certification, cont.
- Adequate separation exists between the employer/plan sponsor and the GHP so that PHI cannot be used for employment-related purposes or for other benefits or benefit plans the employer/plan sponsor provides
- Firewalls must be created to restrict access to PHI so that it is used only for group health plan administration
- The required Notice to Participants has been given

Compliance Steps for Fully-Insured Plans
Situation 1: Hands-off Approach to PHI
If:
- Health benefits are provided solely through an insurance contract with an insurer or HMO, and
- The employer/plan sponsor does not create or receive PHI
However, the employer/plan sponsor may receive and use:
- Enrollment/disenrollment information
- Summary health information, to obtain premium bids or to modify, amend or terminate the plan, or
- De-identified information
and still be treated as not creating or receiving PHI.

Fully-Insured Plans, cont.
HIPAA obligations under the Hands-off Approach to PHI: the employer/plan sponsor cannot:
- Retaliate against or intimidate an employee for exercising his or her rights under the privacy regulation
- Require an employee to waive his or her right to file a complaint with HHS as a condition of eligibility or participation in the plan

Fully-Insured Plans, cont.
If a fully-insured plan shares any PHI with the employer/plan sponsor, the plan document must be amended pursuant to the HIPAA group health plan rules.

Fully-Insured Plans, cont.
Situation 2: Hands-on Approach to PHI
If the plan creates or receives PHI in addition to enrollment/disenrollment information or summary information, the plan is generally subject to all of the HIPAA privacy requirements that would apply to a self-insured plan.

Business Associates
What is a business associate?
- A person or entity who performs covered functions for the covered entity using PHI
- Employees of the covered entity are not business associates
- Employees of the employer/plan sponsor are not employees of the covered entity (but the GHP rules must be adopted to share PHI with them)

Typical Business Associates
- Third Party Administrators (TPAs)
- Lawyers
- Consultants
- Independent Medical Reviewers and Utilization Review Entities
- Pharmacy Benefit Managers (PBMs)
- Vendors who perform payroll services or data processing, or who administer COBRA, flexible benefit plans, dental, vision, EAP, wellness, disease management, mental health or substance abuse plans

Business Associates, cont.
Before sharing PHI with business associates, the covered entity must have a legally binding written contract with the BA that complies with the HIPAA privacy requirements.

Business Associates, cont.
Covered entities should:
- Review current contracts
- Draft amendments to include privacy requirements
- Consider using or adapting the sample business associate contract language provided by HHS; see the Appendix to the Preamble of the guidance issued on August 14, 2002 (67 Fed. Reg. at 5364)

What New Rights Do Individuals Have Under HIPAA?
- Review and copy their own PHI
- Amend and correct their own PHI
- Automatically receive notice and a description of the covered entity's privacy use and disclosure policies and practices
- Receive an accounting of disclosures made by the covered entity in the prior 6 years (other than those for treatment, payment or health care operations and those made pursuant to written individual authorization)
- Initiate a complaint to the covered entity's privacy officer or to the Secretary of HHS

Accommodating Traditional Uses of PHI
- Member services
- Benefit appeals
- Bargaining

Member Services
Key issues include:
- What's the GHP's policy regarding benefit inquiries?
- How does the GHP verify the identity of the person seeking PHI?
- When is an authorization necessary?
- What are the rights of parents to access their children's PHI?

Benefit Inquiries
Review current practices for handling benefit inquiries:
- In person
- On the phone
- In writing
- By fax and e-mail

Benefit Inquiries, cont.
- Only the person who is the subject of the PHI (and that individual's personal representative) is entitled to the PHI
- The GHP must establish procedures to verify the identity of the person seeking PHI
- The GHP should establish procedures for dealing with inquiries by spouses, parents, other family members, providers, and other third parties

When Is An Authorization Necessary?
When someone other than the patient seeks the patient's PHI, a written authorization is generally necessary. Exceptions:
- Emergency
- Legal incapacity
- Personal representative: one who under applicable law has the authority to act on behalf of the patient in health care matters (i.e., guardian, parent of a minor child, holder of a health care power of attorney)

When Is An Authorization Necessary?, cont.
- PHI is PHI: the regulations do not establish different rules regarding the need for an authorization for routine versus sensitive PHI
- But the rules allow for implied authorization to reveal PHI to a third party if the patient is present and, when offered the opportunity to object, does not

What Must An Authorization Contain?
An authorization must be in writing and include the following:
- A specific description of the PHI to be disclosed and the purpose of the disclosure
- Specific designation of the person to whom the PHI may be disclosed
- An expiration date or event
- Signature of the patient and date
- A clear statement of the patient's right to revoke and a description of the procedure for revocation
- A statement that if the PHI is to be disclosed to a non-covered entity, it will no longer be protected

Tips for Dealing With Authorizations
- Consider offering the opportunity for mutual authorizations by spouses in advance
- Include a default expiration date
- Statements that the authorization is valid as long as the patient is covered under the plan are permissible (but check state law)
- Consider including an authorization form in enrollment materials
- Facilitate access to both authorization and revocation forms

Rights of Parents As Personal Representatives of Minors
Parents are presumed to be personal representatives of minor children, with full access to and control of their PHI. Exceptions:
- If state law grants the minor the right to obtain a particular health service without parental consent, the minor controls access to the PHI, not the parent

Parents As Personal Representatives, cont.
Exceptions, cont.:
- If the parent has agreed to the minor obtaining confidential treatment, the minor controls access to the PHI
- If the covered provider is concerned about abuse or harm to the minor child, the provider can refuse to recognize the parent as personal representative

Benefit Appeals
If the GHP rules are followed, the decisionmaker for benefit appeals (even if also the employer/plan sponsor) can have access to PHI, but access is limited to the minimum necessary PHI to decide the appeal. What does that mean in the appeal context?

Benefit Appeals, cont.
Applying the minimum necessary standard probably means that identifying information should be redacted, including:
- Name, address, phone, fax, e-mail
- Social Security number
- Date of birth (age in years and months is OK)
- Other identifying information, such as work site identifier, geographic identifiers, local union number, worker classification, or retiree/active status (unless it affects the appeal)
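As an added example (not part of the presentation), the following Python sketch applies the redaction list above to a constructed appeal record: direct identifiers are dropped, the date of birth is replaced by age in years and months, and the contextual identifiers are dropped unless the reviewer states that the appeal turns on them. The field names, the sample record and the as-of date are assumptions made for the illustration.

```python
from __future__ import annotations
from datetime import date

# Identifiers the slide says to redact outright (field names are constructed).
DIRECT_IDENTIFIERS = frozenset({"name", "address", "phone", "fax", "email", "ssn"})

# Identifiers to redact unless the appeal decision turns on them.
CONTEXTUAL_IDENTIFIERS = frozenset({
    "work_site", "zip_code", "local_union", "worker_classification",
    "retiree_status",
})

# Assumed reference date for computing age (constructed).
AS_OF = date(2004, 8, 10)


def age_years_months(dob: date, as_of: date) -> tuple[int, int]:
    """Completed years and months from dob to as_of: the slide allows age in
    years and months in the appeal file, but not the date of birth itself."""
    years = as_of.year - dob.year
    months = as_of.month - dob.month
    if as_of.day < dob.day:  # the current month is not yet complete
        months -= 1
    if months < 0:  # the birthday has not yet been reached this year
        years -= 1
        months += 12
    return years, months


def minimum_necessary(record: dict, as_of: date,
                      needed_for_appeal: frozenset = frozenset()) -> tuple[dict, list]:
    """Return (appeal_view, redacted_fields) for a benefit appeal reviewer.

    needed_for_appeal lists contextual identifiers the reviewer must see (for
    example retiree_status when the denial rests on active/retiree status).
    Direct identifiers can never be requested; that is rejected up front.
    """
    unknown = needed_for_appeal - CONTEXTUAL_IDENTIFIERS
    if unknown:
        raise ValueError(f"not a contextual identifier: {sorted(unknown)}")
    view, redacted = {}, []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            redacted.append(field)
        elif field in CONTEXTUAL_IDENTIFIERS and field not in needed_for_appeal:
            redacted.append(field)
        elif field == "date_of_birth":
            view["age_years"], view["age_months"] = age_years_months(value, as_of)
            redacted.append(field)
        else:  # claim and clinical data the decision actually needs
            view[field] = value
    return view, redacted


# Constructed sample appeal record; every value is fictitious.
SAMPLE_RECORD = {
    "claim_id": "APL-0001",
    "name": "Jane Q. Participant",
    "address": "123 Any Street, Anytown",
    "phone": "555-0100",
    "email": "jane@example.com",
    "ssn": "000-00-0000",
    "date_of_birth": date(1961, 3, 15),
    "zip_code": "00000",
    "local_union": "Local 000",
    "retiree_status": "retiree",
    "diagnosis_code": "DX-0000",
    "procedure_code": "PX-0000",
    "denial_reason": "not medically necessary",
    "billed_amount": 1250.00,
}


def demo() -> tuple[dict, list]:
    """Minimum-necessary view of the sample record as of AS_OF."""
    return minimum_necessary(SAMPLE_RECORD, AS_OF)


if __name__ == "__main__":
    view, gone = demo()
    print(view)
    print("redacted:", gone)
```

The returned list of redacted fields can be kept with the appeal file as a record of what the reviewer did not see.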

Workers' Compensation Issues
- Not a covered entity
- Not a business associate
- Uniformity of electronic transactions is not required, but may be worth using
- Raises privacy awareness/expectation
- No authorization needed, but minimum necessary applies

Litigation Issues
- Does HIPAA create any new causes of action?
- No private right of action under HIPAA, but what about state law?
- If the HIPAA group health plan rules are followed, participants may have a cause of action under ERISA 502

Litigation Issues, cont.
- When can covered entities honor subpoenas?

Implications for Bargaining
- What information can the union get for bargaining purposes?
  - From the GHP
  - From the employer (particularly if the employer received the information from the GHP)
  - From employees themselves
- Special bargaining issues for employees of covered entities

Coming Attractions: Security Standard (April 2005)
- Governs security of electronic PHI
- Same covered entities and non-covered entities
- Requires a risk analysis of existing systems
- Implement the necessary physical, administrative and technical safeguards
- Document why you meet, or do not have to meet, the specific safeguards
- Appoint a Security Officer

Where To Find Additional Information
The Administrative Simplification Rules of HIPAA are primarily administered by the U.S. Department of Health and Human Services, but different topics are handled by different offices, such as:
- Privacy topics: Office of Civil Rights (OCR/HHS), www.dhhs.gov/ocr/hipaa
- EDI and Security topics: Centers for Medicare and Medicaid Services (CMS/HHS), www.cms.hhs.gov/hipaa/default.asp