HIPAA and Employer Group Health Plans: Nothing is Simple

HIPAA and Employer Group Health Plans: Nothing is Simple
Beth L. Rubin
March 26, 2003
2003 Dechert LLP

HIPAA Applicability
- Health Plans, including employer group health plans
- Health Care Providers that transmit any health information in electronic form
- Health Care Clearinghouses

Health Plan Definition
Health plan is broadly defined:
- An individual or group plan that provides, or pays the cost of, medical care
- Includes most ERISA employer welfare benefit plans, insured and self-funded, plus some non-ERISA plans

Privacy Rule Chronology
- Proposed Rule: November 1999
- Final Rule: December 2000
- Comment period: March 2001
- Proposed Changes: March 2002
- "Final Final" Rule: August 2002
- Guidance released: December 2002
- Compliance Date: April 14, 2003 (large plans)
- Compliance Date: April 14, 2004 (small plans)

Health Plans
Health plans must comply with all the Privacy Standards that apply to Providers, plus certain Standards applicable only to health plans.

Health Plans
Health Plans must comply with:
- Restrictions on Uses and Disclosures of PHI
- Plan Member Rights Requirements
- Administrative Requirements
- Firewall Requirements: separation between the plan and plan sponsor

Restrictions on Uses and Disclosures
- Covered entities may not use or disclose PHI, except as permitted or required under the Standards
- Treatment, payment, and health care operations (TPO)

Restrictions on Uses and Disclosures: Authorizations
- For uses and disclosures not otherwise permitted by the rule
- Authorizations are necessary for some, but not all, purposes other than TPO
- Authorization content: core elements

Restrictions on Uses and Disclosures
- Minimum Necessary Standard
- Business Associate Requirements, including recontracting
- De-identification requirements; limited data set

Uses and Disclosures without Authorization or Opportunity to Agree
- Certain public health authorities
- Government authorities authorized to receive reports on child abuse or neglect
- FDA reporting, tracking and surveillance

Uses and Disclosures without Authorization or Opportunity to Agree (continued)
- Health oversight activities
- Judicial or administrative proceedings
- Law enforcement

Business Associate Definition
A person who, on behalf of a covered entity, performs a function involving the use or disclosure of IHI (includes claims processing, data analysis, utilization review, quality assurance, billing, benefit management, and repricing), OR

Business Associate Definition (continued)
A person who provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity, where this service involves disclosure of IHI

Liability
A health plan may be found liable if the plan knew of a pattern of activity of a business associate that violates the business associate's obligation under its contract with the plan, unless the plan took reasonable steps to end the violation.

Liability (continued)
If such steps were unsuccessful, the plan:
- Terminated the contract, if feasible, or
- If termination was not feasible, reported the problem to the Secretary of DHHS

Business Associate Contracts
- Satisfactory assurance requirement
- Plans must have contracts with business associates that include many specified terms (includes plan administrators)
- Transition period

Member Rights: Right to Notice of Privacy Practices
- Strict content requirements
- Self-funded plans must provide notice to members by the compliance date
- After the compliance date, to new members at the time of enrollment

Member Rights: Notice
- Insured plans that do not create or receive PHI: notice is provided by the insurer/HMO
- Insured plans that create or receive PHI must maintain a notice and provide it upon request

Member Rights: Right to request restrictions on uses and disclosures
- Plans are not required to agree to requested restrictions
- More confidential mode of communication

Member Rights: Right to access PHI
- Members have the right to access, inspect, and copy their health information
- Strict deadlines and procedures

Member Rights: Right to amend PHI
Plans may deny requests for amendment if the PHI:
- Was not created by the plan;
- Is accurate and complete

Member Rights: Right to an accounting
- Right to an accounting of certain disclosures of PHI made by the plan during the previous 6 years
- Exceptions

Administrative Requirements
- Appoint a privacy officer
- Designate a contact person or office responsible for receiving privacy-related complaints

Administrative Requirements: Plan workforce training
- Policies and procedures
- Retraining, if the policies and procedures change materially
- Documentation
- Combine with Security training

Administrative Requirements: Privacy safeguards
- Install appropriate administrative, technical, and physical safeguards
- Scalability
- Intersection with the Security Rule

Administrative Requirements: Complaints
- Process
- Documentation

Administrative Requirements: Sanctions
Establish and apply appropriate sanctions against plan workforce members who violate the plan's privacy policies and procedures or the Privacy Standards

Administrative Requirements: Mitigation
Mitigate, if practicable, any harmful effect resulting from a violation of the plan's policies and procedures or the Standards

Administrative Requirements
- Privacy policies and procedures

Firewall Requirements
- HIPAA applies to health plans, not plan sponsors
- For this reason, the Standards focus on plans, and force plans to impose certain requirements on plan sponsors

Firewall Requirements
- Right brain vs. left brain: brain firewall
- Right hand vs. left hand: wearing different hats while performing different functions
- Is training important?

Firewall Requirements
Plan sponsors may access identifiable health information only for plan administration purposes

Firewall Requirements
Plan sponsors may NOT access PHI for employment-related actions without written permission from the plan member

Firewall Requirements
Recent clarification: employment records are not considered Protected Health Information

Firewall Requirements: Plan Documents
If plan sponsors receive PHI other than summary and enrollment/disenrollment information, they must amend their plan documents to include specified terms

Firewall Requirements: Exceptions
Group health plans may give plan sponsors:
- Summary health information
- Enrollment/disenrollment information

Firewall Requirements
Summary information (mostly de-identified) may be disclosed to a plan sponsor for the purpose of:
- Obtaining bids
- Modifying, amending, or terminating the plan

Plan Documents
The GHP (group health plan) may disclose PHI to the PS (plan sponsor) only upon receipt of a certification that the plan documents have been amended to include the following:
- Permitted and required uses and disclosures of such information by the PS

Plan Documents (continued)
- PS agrees not to use or further disclose the information other than as permitted or required by the plan documents or as required by law

Plan Documents (continued)
- PS agrees to ensure that any agents, including subcontractors, to whom it gives PHI agree to the same restrictions

Plan Documents (continued)
- PS agrees not to use or disclose PHI for employment-related actions or in connection with any other benefit or employee benefit plan
- PS agrees to report to the GHP any use or disclosure inconsistent with these requirements

Plan Documents (continued)
- PS agrees to make available PHI for employee access, amendment, and accounting rights
- PS agrees to make its internal practices and records relating to the PHI available to DHHS for determining the Plan's compliance with the Standards

Plan Documents (continued)
- When no longer needed, PS agrees to return or destroy all information received from the GHP
- If it is not feasible to return or destroy the information, PS agrees to limit any further uses and disclosures of the information

Plan Documents: Adequate Separation
Plan documents also must establish adequate separation between the GHP and the PS by:
- Describing those employee positions (or other persons under the control of the PS) who may access the information: individuals who use identifiable information relating to payment or health care operations of the GHP

Plan Documents (continued)
- Restricting access to and use by such employees and other persons to the plan administration functions that the PS performs for the GHP

Plan Documents (continued)
- Plan documents also must provide an effective mechanism for resolving issues of noncompliance by those designated persons

Firewall Requirements: Reminder
Written authorization from the member is required for disclosure of PHI to a plan sponsor for:
- Employment-related actions
- Actions relating to any other benefit or plan maintained by the plan sponsor

Insured Plans
Insured plans that do NOT receive PHI (other than summary and enrollment/disenrollment information) are exempt from many requirements, including:

Insured Plans: Exempt from
- Privacy officer
- Workforce training
- Privacy safeguards
- Complaints
- Workforce sanctions
- Mitigation

Insured Plans: Exempt from (continued)
- Policies and procedures
- Notice of privacy practices
- Patient rights of access, amendment and accounting
Why? Individuals enrolled in these plans have these rights through the insurer/HMO.

Insured Plans
- Do you create or receive PHI?
  - From the administrator/insurer?
  - From plan members? E.g., assistance with claims
- Keep plan sponsor employees outside the Plan firewall

GHP Action Plan
- Develop a HIPAA Group Health Plan privacy [and security] action plan
- Phases may include assessment, strategic analysis, and implementation

GHP Action Plan (continued)
- Outline discrete tasks for each phase, including re-negotiating business associate contracts
- Set timelines

Initial Documents
- Inventory/assessment: questionnaires?
- Plan document amendments
- Policies and Procedures
- Notice of Privacy Practices
- Forms/logs

Policies and Procedures
What types of Plan policies and procedures are needed?
- Overall privacy policy addressing handling of PHI and adequate separation
  - Must be consistent with plan documents
  - May address the minimum necessary standard

Policies and Procedures (continued)
- Plan member rights (detailed)
- Plan member privacy complaints
- Plan workforce training
- Privacy-related workforce sanctions

Policies and Procedures (continued)
- Policy on safeguards for protecting PHI (detailed)
- Policy on plan documentation and retention of certain records
- Policy on authorizations (including authorization form)

Do's and Don'ts of Policy Drafting
- Avoid overly broad, absolute pronouncements about security and privacy
- Avoid extraneous detail
- Avoid overstating protections and safeguards
- Never "ensure"

Do's and Don'ts of Policy Drafting (continued)
- Allow flexibility for practice variation and innovation if permitted under the Privacy Standards
- Do not adopt a policy or procedure that will not be, or is not capable of being, implemented

Selected Issues
Telephone inquiries from spouses/others regarding a member's benefits/claims:
- Systems issue
- Customer service problem
- Employee/union issues
- Creative solutions

Selected Issues: What is the Plan workforce?
- Which employees are Plan workforce members?
- Consequences/potential liability related to wearing two hats
- Training and workable sanctions
- Clear policies and procedures

Selected Issues: Notice of Privacy Practices
- Self-funded plans must send this notice soon
- Will the TPA also be sending a notice?
- Will plan members get two different notices with different privacy complaint contacts?

Selected Issues: Re-negotiation of third party administrator agreements
- Add required business associate terms
- Consider adding/modifying other related terms
- Transition period

Selected Issues
Can a self-funded Plan use a TPA for all required tasks and not have policies and procedures, a privacy officer, etc.?
No. You can delegate tasks, but you can't delegate all HIPAA responsibilities.

Compliance Dates
- Small health plans (with annual receipts of $5 million or less): April 14, 2004
- Other (not small health plans): April 14, 2003

Penalties
- Violating the privacy rule can create both civil and criminal liability
- "Nice HIPAA"
- "HIPAA for crooks"

Penalties: Civil penalties
- $100 per violation
- Capped at $25,000 per person, per year, per standard

Penalties: Criminal penalties
- Up to $250,000 and prison sentences of up to 10 years, if the offense is committed with an intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm

Case Law
In May 2001, a federal judge noted that although compliance is not required until April 2003, the HIPAA privacy regulations are persuasive in that they demonstrate a strong federal policy of protection for patient medical records (U.S. v. Sutherland).
- The judge applied the HIPAA regulations to that case
- Another judge recently did the same

Enforcement
A new standard of care for how health plans (employers) should handle identifiable health information?

Beth L. Rubin
Dechert LLP
4000 Bell Atlantic Tower
1717 Arch Street
Philadelphia, PA 19103
beth.rubin@dechert.com
215.994.2535