HIPAA Background
Health Insurance Portability and Accountability Act of 1996
Copyright 2010 MHM Resources LLC
Portability
Part One – Portability, access, and renewability requirements
Administrative Simplification
Part Two – Administrative Simplification
Standards for the maintenance and transmission of health information
Privacy
Part Three – Privacy
The privacy regulations govern how individually identifiable medical information must be protected.
Security
Part Four – Security
Regulates how health plans and other covered entities that electronically maintain or transmit PHI implement reasonable and appropriate safeguards for the availability and protection of electronic protected health information (ePHI)
Breach Notification
Part Five – Breach Notification
Health Information Technology for Economic and Clinical Health (HITECH) Act
Outlines how affected individuals must be notified if there is a breach of their “unsecured” PHI
Disclosure Log
Effective September 23, 2009
Flexible Benefit Plans
A Health Flexible Spending Account (FSA), the unreimbursed medical portion of a cafeteria plan, and a Health Reimbursement Arrangement (HRA) are all considered health and welfare benefit plans.
HIPAA Definitions
Covered Entity
A healthcare provider that conducts certain transactions in electronic form
A healthcare clearinghouse
A health plan – includes all the employer's welfare benefit plans, such as health insurance, a Health FSA within a cafeteria plan, and any HRAs
HIPAA Definitions
If you are an employer, you are generally not a covered entity. Employees, the plan, and its Business Associates may not freely share information with the employer unless organizational “firewalls” exist that keep the plan's PHI separate from the employer's other functions.
HIPAA Definitions
Covered Transactions
Healthcare or dental claims administration
Healthcare eligibility
Benefits enrollment and maintenance
Payroll deduction and group premium payment
Retail pharmacy transactions
HIPAA Definitions
Business Associate
A person, business, or agency that conducts covered transactions, or otherwise handles PHI, on behalf of a covered entity.
HIPAA Definitions
Business Associate Agreement
The health plan must enter into a Business Associate Agreement with each of its Business Associates.
HIPAA Definitions
Protected Health Information (PHI)
Individually identifiable medical information in any form, including oral communication, that is created or received by a covered entity or employer.
HIPAA Definitions
Breach of Unsecured PHI
A breach is the unauthorized access, use or disclosure of unsecured PHI.
To count as secured, PHI must be encrypted or destroyed
This applies to PHI in motion, in use, and at rest
Access controls alone do not make PHI “secured”; a password or permission check on unencrypted data does not qualify
HIPAA Definitions
Factors in deciding whether an incident is a reportable breach of unsecured PHI:
Significant risk of harm to the individual
Whether immediate steps were taken to obtain assurance that the PHI will not be used or disclosed
Whether the PHI was returned before it could be accessed
The type and amount of PHI disclosed
HIPAA Overview
Individuals “own” their PHI
HIPAA defines what PHI is
The privacy notice tells employees how their PHI will be used and disclosed; no other notice is required
The privacy notice gives employees certain rights to their PHI
Where Does PHI Come From?
Mail
Fax
Front desk
Phones
Electronically
Orally, in person
Who Can See PHI?
Covered entities with privacy policies in place
Business Associates that have signed Business Associate Agreements with the covered entities and also have privacy policies in place
Individual employees may review and request amendment of their own PHI
When Can You Reveal PHI?
Healthcare operations
Payment
Treatment
As permitted or required by law
Pursuant to an authorization
When Can You Reveal PHI?
Identify the individual with whom you are speaking
Verify SSN, gender, birth date, and/or address (have the caller supply these and check them against the record; do not read them out for the caller to confirm)
Authorization signed by the participant
“Minimum Necessary” standard: reveal only the minimum necessary information when releasing information
Applies to All Covered Entities
Employers are generally not covered entities
A covered entity may not freely share an individual's PHI with the employer or with a non-health plan.
Protect PHI in Your Office
Train all workers with access to PHI
Don’t enter PHI into a software system or program unless the information is encrypted both at rest and in transit
Create a “clean desk” policy
Store PHI under lock and key
Don’t discuss an individual’s health information in public
Identify callers before disclosing anything
Protect PHI in Your Office
Letters to participants should not contain their SSNs
Offsite storage: retain a complete list of the claim forms and other records held offsite, and use security tape on boxes so that unauthorized entry is revealed
Trash: shred all PHI before disposal
Protect Participants’ Privacy
Right to inspect and copy
Accounting of disclosures
Right to request amendment
Right to request restrictions
Right to request confidential communications
Right to receive a paper copy of the privacy notice
Employers
The employer puts in place HIPAA privacy policies and procedures
Plan documents and Summary Plan Descriptions for all employer-sponsored health plans
Assign a HIPAA Compliance Official
The employer must certify to the plan that the HIPAA privacy rules are being followed
Employers
The health plan must distribute a notice of privacy practices to employees
Business Associate Agreements must be in place
Train the workforce on HIPAA compliance
Train the workforce on breach reporting
Breach Notification
Accounting for Disclosures of PHI
PHI may be disclosed for public policy and safety reasons, and for other mandatory disclosures, without the individual’s authorization. These disclosures must be logged because they were made without the individual’s knowledge. The disclosure log must be made available to the individual upon request.
Breach Notification
Individuals must be notified if their PHI has been disclosed and the information is unsecured PHI
Safe harbor to avoid breach notification:
Encryption, whether the PHI is at rest, in use or in transit
Destruction
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/
Plan Service Provider
HIPAA privacy policies and procedures
Business Associate Agreements must be in place between the plan service provider (the Business Associate) and the plan.
Exception to Compliance
Self-administered health plans with fewer than 50 participants are exempt from privacy compliance
Civil and Criminal Penalties
Substantial civil and criminal penalties apply to noncompliance with the HIPAA regulations
Be aware of your state laws, which may be stricter
Get legal counsel