2010 Human Resources Seminar
HIPAA Basic Training for Health & Welfare Plan Administrators
Norbert F. Kugele

What We're Going to Cover
- Important basic concepts
- Who needs to worry about HIPAA?
- Complying with the Privacy Rule, Transaction Rule, Security Rule, and Breach Notification Rules
- Violating HIPAA
- Minimizing the impact of HIPAA
Important Basic Concepts
What Is HIPAA?
- Health Insurance Portability and Accountability Act of 1996
- Intended to make it easier to share information electronically
- Can share information for certain purposes
- All other purposes prohibited without authorization

Protected Health Information
- Individually identifiable health information used by a health plan
- Any form: written, electronic or oral
- Includes information relating to:
  - Physical health
  - Mental health
  - Payment for health care

Health Plans Subject to HIPAA
- Medical plans
- Dental plans
- Vision plans
- Health flexible spending accounts
- Employee assistance programs
- Wellness programs

What Is Not a Health Plan?
- Employment records:
  - Leaves of absence, FMLA records
  - ADA claims
  - On-the-job injuries
  - Workers' compensation
  - Fitness-for-duty exams
  - Drug screening

What Is Not a Health Plan?
- Life insurance
- Disability (STD & LTD)
- Some wellness programs
Who Needs to Worry About HIPAA?
Fully-Insured Benefits
- Can take a hands-off approach
- Handle only enrollment information and summary health information
- Minimum compliance obligations:
  - Do not require enrollees to waive HIPAA rights
  - Do not retaliate against enrollees who exercise HIPAA rights
- Compliance burden is on insurers/HMOs

Self-Insured Benefits
- Must fully comply with HIPAA:
  - Privacy rules
  - Security rules
  - Transaction rules
  - Breach notification rules
- Hiring a TPA does NOT relieve you of your compliance obligation
  - But it can help relieve the burden
Complying with the Privacy Rule
Protected Health Information (PHI)
- Individually identifiable health information used by a health plan
- Any form: written, electronic or oral
- Includes information relating to:
  - Physical health
  - Mental health
  - Provision of and payment for health care

What Is Not PHI?
- Information that does not come from or is not given to health plans
  - Health information an employee shares with the Benefits Dept. for health plan purposes (e.g., information for pre-certification of a hospital stay) IS PHI
  - The same information that the employee shares with a supervisor for FMLA purposes IS NOT PHI

What Is Not PHI? Enrollment Records
- Enrollment records maintained in employment records are not PHI
- Enrollment records reported to the health plan are PHI

Restrictions on PHI
- Health plans may not use or disclose PHI unless:
  - The Privacy Rule specifically allows the use/disclosure, or
  - The individual who is the subject of the PHI specifically allows it

Restrictions on PHI
- Cannot use PHI for:
  - Making personnel decisions
  - Administering other employee benefit programs
- Cannot use or disclose for marketing purposes without authorization
- Cannot sell PHI

Permitted Uses of PHI
- TPO:
  - Treatment
  - Payment
  - Health care operations
- Complying with law
- Any other use or disclosure generally requires authorization

Minimum Necessary Rule
- Must limit uses and disclosures of PHI to the minimum amount necessary to accomplish the intended purpose
  - Do not use a fire hydrant when a garden hose will suffice
- HITECH clarification:
  - Default rule: use aggregate data only
  - Must justify use of more detailed information

Privacy Rule Requirements
- Designate a privacy officer
- Implement written privacy policies
- Train those who work with PHI
- Discipline those who violate privacy policies
- Investigate and respond to complaints

Privacy Rule Requirements
- Include provisions in the health plan document that:
  - Describe permitted uses and disclosures
  - Identify who is permitted to have access to PHI
  - Require compliance with privacy rules
- Plan sponsor must certify compliance with HIPAA privacy rules
- Distribute a Notice of Privacy Practices
- Retain HIPAA compliance records for at least six years

Privacy Rule Requirements
- Respect individual rights:
  - Right to access PHI in health plan records
  - Right to request amendments of PHI
  - Right to an accounting of disclosures
  - Right to request additional restrictions
  - Right to request confidential communications
- Verify the identity and authority of those seeking access to PHI

Business Associates
- Person or organization who:
  - Performs a function or activity for the health plan; or
  - Assists the plan sponsor in performing a health plan function or activity
- The function or activity involves use or disclosure of PHI
- Employees are not business associates
- HMOs/insurers are not business associates

Examples of Business Associates
- Third-party administrators (TPAs)
- COBRA administrators
- Outside attorneys and accountants
- Benefits consultants
- Insurance agents
- Utilization review organizations
- Computer service technicians
- Software vendors

Business Associate Agreements
- Must have a written contract
- Establishes permitted uses and disclosures
- Requires compliance with HIPAA requirements
- Requires reporting of:
  - Unauthorized uses/disclosures
  - Security incidents
  - Security breaches

Business Associates
- If you learn that a business associate has materially violated the terms of the BAA:
  - Must investigate
  - Demand that the BA end the violation and mitigate the harm
- If the BA does not end the breach or cannot cure it:
  - Terminate the contract, or
  - Report the BA to HHS

Family Members/Representatives
- May disclose PHI to family, relatives, and friends involved in the individual's care or payment for care
- Can use professional judgment
- Give individuals the ability to designate someone and to revoke the designation
- Personal representatives can exercise all rights of individuals
Complying with the Transaction Rule
Transaction Rule
- Goal: standardize electronic transactions relating to payment for health care
- Streamline payment for health care
- Technical rule for how to structure the transaction

Transaction Rule
- Applies to electronic transactions by the health plan with:
  - Health care providers
  - Other health plans
- Generally an issue for TPAs
- BAAs must require compliance with transaction standards
Complying with the Security Rule
Scope of Security Rules
- Apply to electronic forms of PHI (ePHI):
  - Databases
  - Spreadsheets
  - E-mail communications
  - Copy machines with hard drives
- Do not apply to:
  - Paper records
  - Telephone and fax transmissions (but do apply to voice mail and stored fax documents)

Risk Assessments
- Must conduct a risk assessment:
  - Identify where ePHI is stored and used
  - Identify the threats to confidentiality, integrity and accessibility of ePHI
  - Identify the likelihood that a vulnerability will lead to unauthorized use/disclosure
  - Identify risks that need to be addressed
- Must update on a regular basis

Administrative Safeguards
- Designate a Security Officer
- Train and discipline the workforce
- Manage the workforce's access to ePHI
- Monitor for and report on security incidents
- Establish contingency plans (backup, disaster recovery, emergency modes, etc.)
- Periodic evaluation of safeguards

Physical Security
- Control access to physical equipment using/storing ePHI
- Workstation use/security
- Device and media controls

Technical Safeguards
- Unique user IDs/authentication
- Automatic logoff
- Emergency access procedures
- Encryption & transmission security
- Audit controls
- Mechanisms to prevent improper alteration/destruction

Business Associates
- Handle most ePHI for health plans
- Must now contractually agree to implement policies and procedures that comply with these requirements
- Examine transmissions with business associates
Complying with Breach Notification Rule
Breach Notification
- Before HITECH: no clear duty to notify of a breach under HIPAA
- HITECH Act: must notify each individual whose PHI is breached within 60 days of discovery
- Applies to all forms of unsecured PHI

Breach Notification Analysis
- Was there a breach? Unauthorized:
  - Acquisition
  - Access
  - Use
  - Disclosure

Breach Notification Analysis
- Was the data secured with respect to the individual with unauthorized access?
  - Electronic data: was it encrypted?
    - Data at rest
    - Data in motion
  - Media: was it properly destroyed?
    - Paper, film, other hard-copy media
    - Electronic data

Breach Notification Analysis
- Does the incident fall within an exception?
  - Person would not reasonably have been able to retain the information
  - Employee's unintentional access of a record in good faith
  - Inadvertent disclosure within the same organization by and to individuals authorized to access PHI

Breach Notification Analysis
- Could there be a significant risk of harm?
  - Who received/accessed the information?
  - How detailed was the information?
  - Were steps taken to recall/destroy the information and mitigate harm?
  - Was the information returned/destroyed before being improperly accessed?

Breach Notification
- Methods of providing notice:
  - Written notice to last known address (or e-mail if specified by the individual)
  - If contact information is insufficient or out of date, alternative notice:
    - If more than 10 individuals: prominent posting on website, or notice in major print or broadcast media
  - In urgent situations, may supplement with telephone or other means, if appropriate

Breach Notification
- Notice to prominent media outlets if more than 500 individuals within a state are affected
- Notification to the Secretary of Health & Human Services:
  - At the time of the incident, if more than 500 individuals are affected
  - If fewer than 500 individuals, must submit to HHS annually
  - http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html

Breach Notification
- Content of notification:
  - Brief description of what happened, including:
    - Date of breach (if known)
    - Date breach discovered
  - Description of the types of unsecured PHI involved in the breach
  - Steps individuals should take to protect themselves from potential harm
  - What the covered entity is doing to investigate, mitigate losses and protect against further breaches
  - Contact procedures to ask questions or learn more
- Deadline: without unreasonable delay, but in any case within 60 days

Breach Notification
- Does not preempt state security breach notification laws:
  - SSNs
  - Driver's license numbers
  - Financial account information
- May have to comply with both

Breach Notification
- Business associates are also subject to breach notification provisions
- Default rule: provide notice to the covered entity
  - Must include identification of each individual whose PHI has been or is reasonably believed to have been breached
- Covered entities can contract for a different arrangement
- Duty may be different under state law
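As an added worked example (not part of the seminar materials or the author's own tooling), the following Python triage helper encodes the four analysis questions from the slides above and the notice thresholds exactly as the slides state them (more than 10 individuals for website/media substitute notice, more than 500 for media outlets and immediate HHS reporting, 60 days from discovery). The incident records, field names and wording of the notice channels are constructed for illustration; the handling of exactly 500 affected individuals follows the slide's "more than 500" wording and is an assumption.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Recognised exception categories, from the "Does the incident fall within an exception?" slide
EXCEPTIONS = {
    "cannot_retain",         # recipient could not reasonably have retained the information
    "good_faith_access",     # employee's unintentional access of a record in good faith
    "internal_inadvertent",  # inadvertent disclosure within the organization, both parties authorized
}

NOTICE_DEADLINE_DAYS = 60         # "in any case within 60 days" of discovery
SUBSTITUTE_NOTICE_THRESHOLD = 10  # "more than 10 individuals": website posting or major media
MEDIA_AND_HHS_THRESHOLD = 500     # "more than 500 individuals": media outlets and immediate HHS report


@dataclass
class Incident:
    """One incident record; each field is an input the slides' analysis asks about (constructed)."""
    unauthorized_action: bool        # any unauthorized acquisition, access, use or disclosure
    encrypted: bool                  # electronic data: encrypted in the state exposed (at rest or in motion)
    media_destroyed: bool            # paper/film/electronic media: properly destroyed before exposure
    exception: Optional[str]         # one of EXCEPTIONS, or None
    significant_risk_of_harm: bool   # conclusion of the harm review (recipient, detail, recall, mitigation)
    individuals_affected: int
    max_affected_in_one_state: int
    contact_info_insufficient: bool  # addresses missing or out of date for some individuals


def notification_required(inc: Incident) -> tuple:
    """Walk the four analysis questions in order and return (required, reason)."""
    if not inc.unauthorized_action:
        return False, "no unauthorized acquisition, access, use or disclosure"
    if inc.encrypted or inc.media_destroyed:
        return False, "PHI was secured (encrypted or properly destroyed), so not unsecured PHI"
    if inc.exception is not None:
        if inc.exception not in EXCEPTIONS:
            raise ValueError(f"unknown exception category: {inc.exception}")
        return False, f"falls within exception: {inc.exception}"
    if not inc.significant_risk_of_harm:
        return False, "no significant risk of harm"
    return True, "breach of unsecured PHI with significant risk of harm"


def notice_plan(inc: Incident, discovered: date) -> dict:
    """Build the notice obligations for an incident; empty plan when no notification is required."""
    required, reason = notification_required(inc)
    plan = {"required": required, "reason": reason, "channels": [], "hhs": None, "deadline": None}
    if not required:
        return plan
    plan["deadline"] = discovered + timedelta(days=NOTICE_DEADLINE_DAYS)
    plan["channels"].append("written notice to last known address (or e-mail if the individual chose it)")
    if inc.contact_info_insufficient:
        if inc.individuals_affected > SUBSTITUTE_NOTICE_THRESHOLD:
            plan["channels"].append("substitute notice: prominent website posting or major print/broadcast media")
        else:
            plan["channels"].append("substitute notice by alternative means")
    if inc.max_affected_in_one_state > MEDIA_AND_HHS_THRESHOLD:
        plan["channels"].append("notice to prominent media outlets in the affected state")
    # HHS reporting: immediate when more than 500 are affected, otherwise on the annual submission.
    # Treating exactly 500 as "annual" follows the slide's "more than 500" wording (assumption).
    if inc.individuals_affected > MEDIA_AND_HHS_THRESHOLD:
        plan["hhs"] = "report to HHS at the time of the incident"
    else:
        plan["hhs"] = "log and submit to HHS annually"
    return plan


# Constructed sample incidents (made up for this example)
DISCOVERED = date(2010, 3, 1)
LAPTOP_THEFT = Incident(True, False, False, None, True, 1200, 800, True)       # unencrypted laptop stolen
ENCRYPTED_LAPTOP = Incident(True, True, False, None, True, 1200, 800, True)    # same loss, disk encrypted
GOOD_FAITH_ACCESS = Incident(True, False, False, "good_faith_access", False, 1, 1, False)
SMALL_MAILING_ERROR = Incident(True, False, False, None, True, 40, 40, False)  # EOBs sent to wrong members


def triage_all(incidents, discovered=DISCOVERED):
    """Return a (required, hhs) summary per incident; handy for an incident-response log."""
    return [(notice_plan(i, discovered)["required"], notice_plan(i, discovered)["hhs"]) for i in incidents]


if __name__ == "__main__":
    for name, inc in [("laptop theft", LAPTOP_THEFT), ("encrypted laptop", ENCRYPTED_LAPTOP),
                      ("good-faith access", GOOD_FAITH_ACCESS), ("small mailing error", SMALL_MAILING_ERROR)]:
        print(name, "->", notice_plan(inc, DISCOVERED))
```

The order of the checks matters: an encrypted device or properly destroyed media ends the analysis before the exception and harm questions are reached, which is why the slides put "was the data secured?" second. The `contact_info_insufficient` branch shows that substitute notice is only triggered when ordinary written notice cannot reach people, and the state-level count drives the media-outlet duty separately from the total count that drives HHS reporting.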
Consequences of HIPAA Violations
Pre-HITECH Enforcement
- No more than $100 per violation per day
- Capped at $25,000 per year for all violations of an identical requirement or prohibition during a calendar year
- HHS pursued informal enforcement

HITECH Enhanced Enforcement
- New tiered structure for each violation:
  - Unknown violations: $100 - $50,000
  - Reasonable cause violations: $1,000 - $50,000
  - Willful neglect violations (if corrected within 30 days): $10,000 - $50,000
  - Willful neglect violations (if uncorrected within 30 days): $50,000
- New cap: $1.5 million for all violations of the same type during a calendar year

New Enforcement Strategies
- Individuals who wrongfully disclose PHI are now clearly subject to criminal penalties
- Requires HHS to conduct audits
- State Attorneys General and the FTC given enforcement authority
Minimizing the Impact of HIPAA
Try Not to Have PHI
- Try to keep it from becoming PHI:
  - Keep enrollment data in employment records
  - Work with enrollment data as much as possible
- Limit the information TPAs report to you:
  - Get de-identified or summary health information only
- Have health plan participants and beneficiaries deal directly with the TPA
- Have TPAs handle benefits appeals

If You Must Handle PHI
- Limit the number of people with access
- Minimize the amount of information you receive
- Be sure those who handle the information are trained
- Be sure policies and procedures are in sync with practices
- Try not to have ePHI

Questions?
Norbert F. Kugele
nkugele@wnj.com
616.752.2186