HIPAA Basic Training for Health & Welfare Plan Administrators


2010 Human Resources Seminar
HIPAA Basic Training for Health & Welfare Plan Administrators
Norbert F. Kugele

What We're Going to Cover
- Important basic concepts
- Who needs to worry about HIPAA?
- Complying with the Privacy Rule, Transaction Rule, Security Rule, and Breach Notification Rules
- Violating HIPAA
- Minimizing the impact of HIPAA

Important Basic Concepts

What Is HIPAA?
- Health Insurance Portability and Accountability Act of 1996
- Intended to make it easier to share information electronically
- Information can be shared for certain purposes
- All other purposes are prohibited without authorization

Protected Health Information
- Individually identifiable health information used by a health plan
- Any form: written, electronic or oral
- Includes information relating to:
  - Physical health
  - Mental health
  - Payment for health care

Health Plans Subject to HIPAA
- Medical plans
- Dental plans
- Vision plans
- Health flexible spending accounts
- Employee assistance programs
- Wellness programs

What Is Not a Health Plan?
- Employment records
- Leaves of absence, FMLA records
- ADA claims
- On-the-job injuries
- Workers' compensation
- Fitness for duty exams
- Drug screening

What Is Not a Health Plan?
- Life insurance
- Disability (STD & LTD)
- Some wellness programs

Who Needs to Worry About HIPAA?

Fully-Insured Benefits
- Can take a hands-off approach
- Handle only enrollment information and summary health information
- Minimum compliance obligations:
  - Do not require enrollees to waive HIPAA rights
  - Do not retaliate against enrollees who exercise HIPAA rights
- Compliance burden is on insurers/HMOs

Self-Insured Benefits
- Must fully comply with HIPAA:
  - Privacy rules
  - Security rules
  - Transaction rules
  - Breach notification rules
- Hiring a TPA does NOT relieve you of your compliance obligation, but it can help relieve the burden

Complying with the Privacy Rule

Protected Health Information (PHI)
- Individually identifiable health information used by a health plan
- Any form: written, electronic or oral
- Includes information relating to:
  - Physical health
  - Mental health
  - Provision of and payment for health care

What Is Not PHI?
- Information that does not come from, and is not given to, health plans
- Health information an employee shares with the Benefits Dept. for health plan purposes (e.g., information for pre-certification of a hospital stay) IS PHI
- The same information that the employee shares with a supervisor for FMLA purposes IS NOT PHI

What Is Not PHI? Enrollment Records
- Enrollment records maintained in employment records are not PHI
- Enrollment records reported to the health plan are PHI

Restrictions on PHI
- Health plans may not use or disclose PHI unless:
  - The Privacy Rule specifically allows the use/disclosure; or
  - The individual who is the subject of the PHI specifically allows it

Restrictions on PHI
- Cannot use PHI for:
  - Making personnel decisions
  - Administering other employee benefit programs
- Cannot use or disclose PHI for marketing purposes without authorization
- Cannot sell PHI

Permitted Uses of PHI
- TPO:
  - Treatment
  - Payment
  - Health care operations
- Complying with law
- Any other use or disclosure generally requires authorization

Minimum Necessary Rule
- Must limit uses and disclosures of PHI to the minimum amount necessary to accomplish the intended purpose
- Do not use a fire hydrant when a garden hose will suffice
- HITECH clarification:
  - Default rule: use aggregate data only
  - Must justify use of more detailed information

Privacy Rule Requirements
- Designate a privacy officer
- Implement written privacy policies
- Train those who work with PHI
- Discipline those who violate privacy policies
- Investigate and respond to complaints

Privacy Rule Requirements
- Include provisions in the health plan document that:
  - Describe permitted uses and disclosures
  - Identify who is permitted to have access to PHI
  - Require compliance with privacy rules
- Plan sponsor must certify compliance with HIPAA privacy rules
- Distribute a Notice of Privacy Practices
- Retain HIPAA compliance records for at least six years

Privacy Rule Requirements
- Respect individual rights:
  - Right to access PHI in health plan records
  - Right to request amendments of PHI
  - Right to an accounting of disclosures
  - Right to request additional restrictions
  - Right to request confidential communications
- Verify the identity and authority of those seeking access to PHI

Business Associates
- A person or organization who:
  - Performs a function or activity for the health plan; or
  - Assists the plan sponsor in performing a health plan function or activity
- The function or activity involves use or disclosure of PHI
- Employees are not business associates
- HMOs/insurers are not business associates

Examples of Business Associates
- Third-party administrators (TPAs)
- COBRA administrators
- Outside attorneys and accountants
- Benefits consultants
- Insurance agents
- Utilization review organizations
- Computer service technicians
- Software vendors

Business Associate Agreements
- Must have a written contract that:
  - Establishes permitted uses and disclosures
  - Requires compliance with HIPAA requirements
  - Requires reporting of:
    - Unauthorized uses/disclosures
    - Security incidents
    - Security breaches

Business Associates
- If you learn that a business associate has materially violated the terms of the BAA:
  - Must investigate
  - Demand that the BA end the violation and mitigate the harm
- If the BA does not end the breach or cannot cure it:
  - Terminate the contract; or
  - Report the BA to HHS

Family Members/Representatives
- May disclose PHI to family, relatives and friends involved in the individual's care or payment for care
- Can use professional judgment
- Give individuals the ability to designate someone and to revoke the designation
- Personal representatives can exercise all rights of individuals

Complying with the Transaction Rule

Transaction Rule
- Goal: standardize electronic transactions relating to payment for health care
- Streamline payment for health care
- Technical rule for how to structure the transaction

Transaction Rule
- Applies to electronic transactions by the health plan with:
  - Health care providers
  - Other health plans
- Generally, an issue for TPAs
- BAAs must require compliance with transaction standards

Complying with the Security Rule

Scope of Security Rules
- Apply to electronic forms of PHI:
  - Databases
  - Spreadsheets
  - E-mail communications
  - Copy machines with hard drives
- Do not apply to:
  - Paper records
  - Telephone and fax transmissions (but do apply to voice mail and stored fax documents)

Risk Assessments
- Must conduct a risk assessment:
  - Identify where ePHI is stored and used
  - Identify the threats to confidentiality, integrity and accessibility of ePHI
  - Identify the likelihood that a vulnerability will lead to unauthorized use/disclosure
  - Identify risks that need to be addressed
- Must update on a regular basis

Administrative Safeguards
- Designate a Security Officer
- Train and discipline the workforce
- Manage the workforce's access to ePHI
- Monitor for and report on security incidents
- Establish contingency plans (backup, disaster recovery, emergency modes, etc.)
- Periodic evaluation of safeguards

Physical Security
- Control access to physical equipment using/storing ePHI
- Workstation use/security
- Device and media controls

Technical Safeguards
- Unique user IDs/authentication
- Automatic logoff
- Emergency access procedures
- Encryption & transmission security
- Audit controls
- Mechanisms to prevent improper alteration/destruction

Business Associates
- Handle most ePHI for health plans
- Must now contractually agree to implement policies and procedures that comply with these requirements
- Examine transmissions with business associates

Complying with Breach Notification Rule

Breach Notification
- Before HITECH: no clear duty to notify of a breach under HIPAA
- HITECH Act: must notify each individual whose PHI is breached within 60 days of discovery
- Applies to all forms of unsecured PHI

Breach Notification Analysis
- Was there a breach? Unauthorized:
  - Acquisition
  - Access
  - Use
  - Disclosure

Breach Notification Analysis
- Was the data secured with respect to the individual with unauthorized access?
  - Electronic data: was it encrypted?
    - Data at rest
    - Data in motion
  - Media: was it properly destroyed?
    - Paper, film, other hard copy media
    - Electronic data

Breach Notification Analysis
- Does the incident fall within an exception?
  - Person would not reasonably have been able to retain the information
  - Employee's unintentional access of a record in good faith
  - Inadvertent disclosure within the same organization by and to individuals authorized to access PHI

Breach Notification Analysis
- Could there be a significant risk of harm?
  - Who received/accessed the information?
  - How detailed was the information?
  - Were steps taken to recall/destroy the information and mitigate harm?
  - Was the information returned/destroyed before being improperly accessed?

Breach Notification
- Methods of providing notice:
  - Written notice to last known address (or e-mail if specified by the individual)
  - If contact information is insufficient or out-of-date, alternative notice
    - If more than 10 individuals: prominent posting on website; or notice in major print or broadcast media
  - In urgent situations, may supplement with telephone or other means, if appropriate

Breach Notification
- Notice to prominent media outlets if more than 500 individuals within a state are affected
- Notification to the Secretary of Health & Human Services:
  - At the time of the incident, if more than 500 individuals are affected
  - If fewer than 500 individuals, must submit to HHS annually
- http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html

Breach Notification
- Content of notification:
  - Brief description of what happened, including:
    - Date of breach (if known)
    - Date breach discovered
  - Description of the types of unsecured PHI involved in the breach
  - Steps individuals should take to protect themselves from potential harm
  - What the covered entity is doing to investigate, mitigate losses and protect against further breaches
  - Contact procedures to ask questions or learn more
- Deadline: without unreasonable delay, but in any case within 60 days

Breach Notification
- Does not preempt state security breach notification laws:
  - SSNs
  - Driver's license numbers
  - Financial account information
- May have to comply with both

Breach Notification
- Business Associates are also subject to breach notification provisions
- Default rule: provide notice to the covered entity
  - Must include identification of each individual whose PHI has been or is reasonably believed to have been breached
- Covered entities can contract for a different arrangement
- Duty may be different under state law
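The breach notification analysis and notice rules above can be worked as one decision flow. The Python helper below is an added example constructed for this page, not material from the seminar: it encodes the steps as stated here (secured PHI, an exception, or no significant risk of harm means no notice; otherwise individual notice within 60 days, substitute notice where contact information is insufficient, media notice above 500 individuals in a state, and HHS notice at the time of the incident above 500 individuals, otherwise annually). The Incident fields and the sample incidents are constructed assumptions, and state-law duties are deliberately left out.

```python
from dataclasses import dataclass


@dataclass
class Incident:
    """Facts gathered during the breach analysis (constructed field names)."""
    unauthorized_access: bool       # unauthorized acquisition/access/use/disclosure?
    encrypted: bool                 # ePHI encrypted at rest or in motion?
    media_destroyed: bool           # paper/film/media properly destroyed before access?
    exception_applies: bool         # one of the three stated exceptions?
    significant_risk_of_harm: bool  # outcome of the risk-of-harm review
    individuals: int                # individuals whose unsecured PHI was involved
    individuals_in_state: int       # largest count within any single state
    undeliverable_contacts: int     # individuals with insufficient/out-of-date contact info


def breach_notification_plan(inc: Incident) -> dict:
    """Return which notices the incident requires and the reason for the outcome."""
    plan = {"notify_individuals": False, "substitute_notice": None,
            "media_notice": False, "hhs_notice": None, "deadline_days": None,
            "reason": ""}
    # Step 1: was there a breach at all?
    if not inc.unauthorized_access:
        plan["reason"] = "no unauthorized acquisition, access, use or disclosure"
        return plan
    # Step 2: secured PHI (encrypted ePHI or properly destroyed media) does not trigger notice
    if inc.encrypted or inc.media_destroyed:
        plan["reason"] = "PHI was secured (encrypted or destroyed); notice not triggered"
        return plan
    # Step 3: one of the recognised exceptions
    if inc.exception_applies:
        plan["reason"] = "incident falls within a breach-notification exception"
        return plan
    # Step 4: risk-of-harm review (document the analysis either way)
    if not inc.significant_risk_of_harm:
        plan["reason"] = "no significant risk of harm; document the analysis"
        return plan
    # Breach of unsecured PHI: notify individuals without unreasonable delay, within 60 days
    plan["notify_individuals"] = True
    plan["deadline_days"] = 60
    # Substitute notice when written notice cannot reach everyone
    if inc.undeliverable_contacts > 10:
        plan["substitute_notice"] = "website posting or major print/broadcast media"
    elif inc.undeliverable_contacts > 0:
        plan["substitute_notice"] = "alternative notice to affected individuals"
    # More than 500 individuals within one state: notify prominent media outlets
    plan["media_notice"] = inc.individuals_in_state > 500
    # HHS: at the time of the incident above 500 individuals, otherwise in the annual submission
    plan["hhs_notice"] = "at time of incident" if inc.individuals > 500 else "annual submission"
    plan["reason"] = "breach of unsecured PHI"
    return plan


if __name__ == "__main__":
    # Constructed sample: unencrypted laptop with 1,200 records, 800 in one state,
    # 30 individuals with out-of-date addresses
    lost_laptop = Incident(True, False, False, False, True, 1200, 800, 30)
    print(breach_notification_plan(lost_laptop))
```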

Consequences of HIPAA Violations

Pre-HITECH Enforcement
- No more than $100 per violation per day
- Capped at $25,000 per year for all violations of an identical requirement or prohibition during a calendar year
- HHS pursued informal enforcement

HITECH Enhanced Enforcement
- New tiered structure for each violation:
  - Unknown violations: $100 - $50,000
  - Reasonable cause violations: $1,000 - $50,000
  - Willful neglect violations (if corrected within 30 days): $10,000 - $50,000
  - Willful neglect violations (if uncorrected within 30 days): $50,000
- New cap: $1.5 million for all violations of the same type during a calendar year

New Enforcement Strategies
- Individuals who wrongfully disclose PHI are now clearly subject to criminal penalties
- Requires HHS to conduct audits
- State Attorneys General and the FTC given enforcement authority

Minimizing the Impact of HIPAA

Try Not to Have PHI
- Try to keep it from becoming PHI:
  - Keep enrollment data in employment records
  - Work with enrollment data as much as possible
- Limit the information TPAs report to you
- Get de-identified or summary health information only
- Have health plan participants and beneficiaries deal directly with the TPA
- Have TPAs handle benefits appeals

If You Must Handle PHI
- Limit the number of people with access
- Minimize the amount of information you receive
- Be sure those who handle the information are trained
- Be sure policies and procedures are in sync with practices
- Try not to have ePHI

Questions?
Norbert F. Kugele
nkugele@wnj.com
616.752-2186