HIPAA PRIVACY REQUIREMENTS
Dana L. Thrasher, Constangy, Brooks & Smith, LLP
dthrasher@constangy.com
(205) 226-5464
REASONS FOR HIPAA PRIVACY RULES
 - Perceived need for protection of individual health information.
 - Potential for abuse, and concern that employers would misuse health information.
What are the Purposes of the Privacy Rule?
Consumer control over health information:
 - Participant education on privacy protections.
 - Ensuring patient access to medical records.
 - Obtaining patient authorization before information is released.
 - Providing recourse if privacy protections are violated.
Boundaries on the use and release of medical records:
 - Ensuring that health information is not used for improper purposes.
 - Disclosing only the minimum amount of information necessary for the purpose.
Accountability for the use and release of medical records:
 - Civil penalties.
 - Federal criminal penalties.
What Information Is HIPAA Designed to Protect?
Protected Health Information (PHI): all individually identifiable health information transmitted or maintained by a covered entity, regardless of form (electronic, paper or oral).
Covered Entity: a health plan, a health care provider (one that transmits health information electronically in connection with a HIPAA standard transaction), or a health care clearinghouse.
Note: Employers are NOT covered entities in their capacity as employers, and employment records held in that capacity are not PHI and are not subject to the HIPAA privacy requirements. The group health plans an employer sponsors are, however, covered entities in their own right.
How Does HIPAA Impact Employment Medical Files?
HIPAA does not cover the employer's own medical files (ADA accommodation, FMLA, workers' compensation, sick leave, doctors' excuses for absences, etc.). In applying the normal procedures for those leave and accommodation requests, medical providers will require an authorization from the individual before releasing information to Mohawk, because the providers themselves are subject to HIPAA.
HEALTH PLAN
Health Plan: any plan or program that provides, or pays the cost of, medical care.
Mohawk HIPAA Plans:
 - Group Health Plan
 - Group Dental Plan
 - Health Care Flexible Spending Account Plan
 - Others
Mohawk Plans Not Subject to HIPAA
Other plans or programs that do not provide coverage for medical expenses.
What are the Authorization Requirements?
 - PHI may be used and disclosed by covered entities for treatment, payment and health care operations (TPO) without authorization.
 - PHI must be disclosed to HHS when required for a HIPAA compliance investigation.
 - Other uses and disclosures require the participant's written authorization, apart from the specific exceptions the Privacy Rule itself permits (for example, disclosures required by law).
What Must a Plan do to Ensure Privacy?
 - Develop written privacy policies ensuring that only the minimum necessary information to achieve the purpose of a disclosure is provided to a third party, and that the other HIPAA requirements are satisfied.
 - Distribute a Notice of Privacy Practices informing Plan participants of their rights under HIPAA.
 - Put administrative, physical and technical safeguards in place to protect PHI (e.g., locked file cabinets for paper records, encryption of electronic PHI, access-controlled and password-protected databases).
 - Designate a Privacy Officer responsible for monitoring compliance with the HIPAA requirements.
 - Train every individual who may come into contact with PHI on the HIPAA requirements and on the employer's and plan's procedures for maintaining the privacy of PHI. E.g., all PHI, and any questions or problems involving PHI, should be routed to the Privacy Officer through dedicated channels such as a private fax number, rather than through general HR channels.
Procedures for Handling Employee Inquiries
 - Employees will be advised to contact the appropriate Privacy Officer or designated individuals for help with plan issues.
 - Other Human Resources staff, supervisors, etc. will not have access to PHI and cannot provide assistance.
 - Any inquiry that may involve PHI should be referred to the Privacy Officer.
CIVIL PENALTIES (HITECH statutory amounts, since adjusted for inflation; the caps apply to all violations of an identical requirement in the same calendar year)
 - Tier 1: the person did not know of the violation (and would not have known with reasonable diligence): at least $100 per violation, not to exceed $25,000.
 - Tier 2: violation due to reasonable cause, not willful neglect: at least $1,000 per violation, not to exceed $100,000.
 - Tier 3: violation due to willful neglect, corrected within 30 days of discovery: at least $10,000 per violation, not to exceed $250,000.
 - Tier 4: violation due to willful neglect, not corrected within 30 days: at least $50,000 per violation, not to exceed $1.5 million.
CIVIL PENALTIES: State Attorneys General
State AGs are authorized to bring a civil action in federal district court for HIPAA violations, to enjoin the violations and to seek damages on behalf of state residents. Damages are calculated by multiplying the number of violations by $100, not to exceed $25,000 for all violations of an identical requirement during a calendar year. The court may award costs and reasonable attorneys' fees to the State.
CIVIL PENALTIES: Individual Compensation
HITECH requires HHS to establish a mechanism for harmed individuals to recover a percentage of the civil penalties or monetary settlements HHS collects. Effective date: the regulations setting the methodology were to be issued by February 2012, but have yet to be released.
CRIMINAL PENALTIES (for knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA)
 - Up to $50,000 and up to 1 year in prison for obtaining or disclosing PHI.
 - Up to $100,000 and up to 5 years in prison for obtaining PHI under false pretenses.
 - Up to $250,000 and up to 10 years in prison for obtaining or disclosing PHI with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.
Increased Enforcement Mechanisms
 - Increased audits: HHS will conduct periodic audits of covered entities (CEs) and business associates (BAs), even if no complaint has been filed.
 - Willful neglect: an investigation is required if a preliminary review of a complaint indicates possible willful neglect, and HHS is required to impose a penalty for violations found to be due to willful neglect.
Notification of Breach Requirements
If unsecured PHI is breached (PHI not rendered unusable, unreadable or indecipherable through encryption or destruction consistent with HHS guidance), the Plan must provide notice without unreasonable delay, and in no case later than 60 calendar days after discovery of the breach:
 - To the affected individuals: individual written notice sent to the last known address (with substitute notice where contact information is insufficient or out of date, and notice by telephone in addition where misuse of the PHI is imminent).
 - To the media: if the breach involves more than 500 residents of a state or jurisdiction, notice to prominent media outlets serving that state or jurisdiction.
 - To HHS: if the breach involves 500 or more individuals, the Plan notifies HHS at the same time it notifies the individuals, and HHS posts the covered entity on its website. If the breach involves fewer than 500 individuals, the Plan logs the breach and submits the log to HHS annually, within 60 days after the end of the calendar year in which the breach was discovered.
 - If a BA discovers a breach, it notifies the Plan, which then makes the required notifications.
Conclusion
 - Compliance with the HIPAA privacy requirements requires significant cultural and procedural changes.
 - Some employees will require additional training. Training is MANDATED for all individuals who may have access to PHI.
 - Update all business associate agreements (BAAs) and policies for HITECH.