Presentation is loading. Please wait.

Presentation is loading. Please wait.

HIPAA Refresher—What’s New for 2010 Peter Marathas, BAN Compliance Director January 20, 2010.

Similar presentations

Presentation on theme: "HIPAA Refresher—What’s New for 2010 Peter Marathas, BAN Compliance Director January 20, 2010."— Presentation transcript:

1 HIPAA Refresher—What’s New for 2010 Peter Marathas, BAN Compliance Director January 20, 2010

2 2 Key HIPAA Requirements Privacy Officer Policies & Procedures Amended Plan Documents Business Associates Training ­ Today’s program designed to be used by Plan Sponsors as key component of “Training” Requirement Penalties

3 3 HIPAA Training Health plans must train all participants of its workforce with access to PHI (“HIPAA Personnel”) regarding HIPAA privacy policies and procedures as necessary and appropriate for the participants of the workforce to carry out their job duties ­ Each new participant who has access to PHI must be trained within a reasonable period of time after their hire date All training must be documented ­ Download slides and/or recording and file ­ Supplement general training program with Company-specific guidance

4 4 HIPAA Background HIPAA is a federal law that was enacted in 1996 The first final version of the rules was issued by HHS in late 2000, amended in 2002 Compliance with the 2000 HIPAA privacy rules was required by April 14, 2003 for most plans Changes to HIPAA were made in the federal stimulus law (Feb. 17, 2009) – American Recovery and Reinvestment Act of 2009 (known as “ARRA”) – section dealing with privacy, security and health information technology is referred to as the HITECH Act

5 5 To Whom Do the Privacy Rules Apply? The HIPAA Privacy rules apply (although sometimes in different ways) to all “covered entities:” plans; care clearinghouses; and care providers who transmit any health information in electronic form in connection with one of the transactions covered by HIPAA And, under 2009 ARRA, Business Associates

6 6 Covered Entities: Health Plans What is a Health Plan under HIPAA? ­ Employer sponsored health plans with more than 50 participants (includes flexible spending accounts) ­ HMOs and health insurers are also health plans under HIPAA. Those fully-insured plans are responsible for HIPAA compliance and employers are also responsible What is NOT a health plan under HIPAA? ­ Pension and Disability insurers or benefits are NOT covered by HIPAA ­ Life, property or casualty insurers or benefits are NOT covered by HIPAA ­ Workers’ compensation insurers or benefits are NOT covered by HIPAA

7 7 What Type of Health Benefits Are Covered? Medical (physicians, hospitals) Vision Dental Hearing Behavioral Health Substance Abuse Prescription Drug Coverage

8 8 Covered Entities: Health Plans EmployersNotEmployers Are Not Covered Entities Which of these is governed by HIPAA: ­ Employee tells supervisor he is having back surgery ­ Field rep files report with HR that employee has had an accident that is subject to workers’ compensation ­ Spouse calls manager and informs manager that employee spouse has been injured in car accident and provides daily updates ­ EAP representative calls supervisor and reports that employee has cocaine addiction and is in treatment

9 9 New Rules under ARRA HIPAA Penalties – New Rules under ARRA ARRA increased the penalties for violations of HIPAA In determining the amount of the penalty, the Secretary of HHS must base it upon nature and extent of violation and extent of harm from violation Violator’s mental state, and whether violation has been corrected, will be a factor

10 10 HIPAA Penalties – New Rules under ARRA 4 Tiers: ­ Tier A: Offender didn’t know and by exercising reasonable diligence would not have known he/she violated the law: $100 per violation, up to a maximum of $25,000 per year for all violations of an identical requirement ­ Does not sound severe but could really add up; also a single HIPAA non-compliant action is likely to violate multiple provisions of the rules

11 11 HIPAA Penalties – New Rules under ARRA (cont.) ­ Tier B: Violation—due to reasonable cause and not willful neglect: $1,000 for each violation, up to a maximum of $100,000 per year for all violations of an identical requirement in a calendar year ­ Tier C: Violation—due to willful neglect but corrected: $10,000 for each violation, up to a maximum of $250,000 per year for all violations of an identical requirement in a calendar year ­ Tier D: Violation—due to willful neglect, and not corrected: $50,000 for each violation, up to a maximum of $1,500,000 per year for all violations of an identical requirement in a calendar year

12 12 Protecting Protected Health Information (“PHI”) The HIPAA Privacy Rules apply to Protected Health Information (“PHI”) PHI is individually identifiable health information that is in all forms – paper, oral, electronic PHI excludes employment records held by a plan sponsor in its role as an employer (e.g., physician’s note submitted by employee documenting reason for absence from office)

13 13 What is Health Information? Health information includes any information created by a health care provider or group health plan ­ and that relates to past, present, or future physical or mental health or condition of the individual, ­ the provision of health care to the individual, or ­ the past, present or future payment for health care to the individual

14 14 What Makes Health Information Individually Identifiable & Thus PHI? Name Dates: birth, admission to hospital, discharge from hospital, death Telephone and fax numbers Social Security Number Account number Vehicle identifiers including license plates Web URLs and IP address numbers Geographic unit (certain zip code information excepted) Ages over 89 E-mail and other addresses Medical record numbers and health plan numbers Certificate or license number Device identifiers and serial numbers Biometric identifiers, including finger and voice prints and full face and other identifying photographic images

15 15 What is De-Identified Information? If a health plan removes all the identifiers listed on the previous page, the information is no longer protected by HIPAA. If a company’s HR Department seeks to disclose health and welfare plan information, or other financial information relating to the health plans, to those not part of “HIPAA workforce”, then the HR Department must de-identify the health plan information before making the disclosures

16 16 The Basics Health plans can use and disclose PHI for most routine uses and disclosures for payment for treatment and the operations Most other uses or disclosure of PHI require a signed, written authorization Health plans have to give certain rights to individuals. For example, right of access by a participant to his or her records, right to propose a change to the record, and accounting of unusual disclosures. The handling of these rights can be delegated to the third-party administrators Administrative Requirements: Training, privacy officer, privacy notice, many policies, procedures and sanctions for violations

17 17 Typical Allowable Uses and Disclosures Without Any Written Permission Enrollment ­ use internally, or ­ disclose to health plans' vendors Eligibility ­ use internally, ­ disclose to health plans’ vendors, or ­ disclose to health care providers Claims adjudication and payment Pre-certification and referral

18 18 Privacy Officer Your Group Health Plan must have designate a Privacy Officer The privacy officer is responsible for developing and implementing policies and procedures necessary to comply with HIPAA privacy rules, including training Companies should also designate a contact person to answer questions and receive complaints about HIPAA’s privacy rules, and to obtain the forms necessary for a participant to exercise any of his or her rights under HIPAA If you handle PHI, you should know who is serving as your company’s privacy officer and HIPAA contact person

19 19 Privacy Notice A privacy notice is required ­ Fully insured—insurers typically send ­ Self insured—employer must send (or third party) Notices can be delivered by email, if a participant agrees to electronic notice The privacy notice must be distributed upon enrollment to all new participants A company’s intranet should also include a copy of the privacy notice

20 20 Privacy Notice Participants are entitled to paper copies upon request Health plans cannot substantially change their information policies and procedures before updating its notice to reflect those revisions At least once every 3 years, health plans must remind participants of the availability of the privacy notice

21 21 Authorizations Written authorization is not required if PHI is being used by a health plan for treatment, payment or health care operations purposes (or for other disclosures permitted by the privacy rules) You should seek written authorization from the individual before releasing the individual’s PHI to most third parties You should seek written authorization from individuals before using PHI for reasons other than payment or health care operations ­ For example, if you want to use your company’s own health plan records to see if a participant is entitled to disability benefits, participant must sign an authorization

22 22 Interaction with Participants and Family Individuals may approach you for assistance with your company’s health plans benefits If (1) disclosure is to a family participant involved in the individual’s care or payment for that care, (2) disclosure is limited to that family participant’s involvement in the care or payment, and (3) the individual has not objected to the disclosure to the family participant, then it’s okay to disclose, but preferable to refer to your outside administrators With a complete authorization, or another legal document, such as a general power of attorney, you could disclose anything to the family participant

23 23 What Can I Discuss? HR employees can always pass on information from a spouse to your health plans or, if for purposes of payment or operations, to the health plans' vendors You can discuss the medical claims of a child (under 18) with either parent (subject to limited exceptions - e.g., records protected under federal laws on family planning), unless your company is notified that it is not appropriate to so share the information (e.g., domestic abuse)

24 24 “Minimum Necessary” Rule The “Minimum Necessary” Rule ­ Whenever the health plans use or disclose PHI or requests PHI from another plan or a physician, it “must make reasonable efforts to limit [PHI] to the minimum necessary to accomplish the intended purpose of the use, disclosure or request” ­ Thus, the minimum necessary rule covers ­ The HR Department’s use of information ­ Disclosure ­ Requests for disclosure ­ Under ARRA, within 18 months, HHS must issue guidance clarifying minimum necessary rules

25 25 “Minimum Necessary” Rule (cont’d) The minimum necessary rule does not apply to: ­ Disclosures to or requests by a health care provider for treatment ­ Disclosures to the individual or pursuant to an authorization ­ Disclosures to government for enforcement of privacy rules ­ Other uses or disclosures required by law

26 26 Minimum Necessary - Limiting Employee Access to PHI The HR Department should identify those persons or classes of persons in its “HIPAA workforce” (should be referred to as “HIPAA Personnel” in the HIPAA Privacy Policy) who need access to PHI to carry out their duties: Privacy Officer Other members of the HR Staff to the extent that they handle benefits, including HR Operations staff and HR business partners Members of the IT Department may have access to PHI, upon specific request of other HIPAA workforce, for the sole purpose of assisting in servicing the electronic versions of PHI on the company network servers

27 27 Limiting Employee Access to PHI On a limited basis, any of your company’s personnel involved in audit or legal issues may, on a case-by-case basis, be designated as HIPAA workforce solely for purposes of their handling audit and legal issues relating to administration of the Plan Only those HIPAA Personnel may have electronic and physical access to PHI maintained in your HR Department

28 28 Limiting Employee Access to PHI Your HIPAA Personnel may use and disclose the Plan’s protected health information only for plan administrative functions. The amount of PHI disclosed must be limited to the minimum amount necessary to perform the relevant plan administrative functions Generally, HIPAA Personnel may not disclose protected health information to company employees other than other members of HIPAA Personnel

29 29 Safeguards to Protect Privacy PHI may be filed in the same files as any other employee benefits information or any other human resources information, including personnel records, and electronic access must be restricted to only HIPAA Personnel Some companies have created access control lists on the domain side, to control all access to HR data. This list allows only HIPAA Personnel to access electronic files containing Plan information Some companies have mandated that HIPAA Personnel have their own computer passwords and user domain account passwords accessible only to HIPAA Personnel, and they may not share passwords Locked cabinets and doors to the offices that contain health plan records

30 30 Individual Rights Right to Inspect and Copy PHI in your company’s health plans' records Right to Propose an Amendment to Correct PHI in the health plans' records Right to an Accounting of Disclosures Right to Request Restrictions on PHI Use & Disclosure Has handling of these rights been delegated to vendors?

31 31 Individual Rights: Copying and Proposing Amendments Participants and dependents have the following rights under HIPAA: ­ To access, inspect and copy their health information records in the health plans' records ­ To copy any enrollment, payment, claims adjudication, and case or medical management records system that includes PHI and that is maintained by or for the health plans or used in whole or in part by the health plans to make decisions about individuals ­ Right to propose an amendment to the PHI or a record about the participant (or dependent) in the health plans' record sets

32 32 Individual Rights: Copying and Proposing Amendments ­ Under ARRA, individuals may ask covered entity to transmit information to designated entities; request restrictions on disclosure of PHI to the plan for purposes of payment or health care operations if PHI relates to an item or service for which individual paid a doctor out-of-pocket costs in full

33 33 Individual Rights: Accounting of Disclosures Participants have a right to request from the health plans an accounting of the disclosures of their PHI ­ Health Plans must keep a log of disclosures of PHI made within 6 years prior to the request (as long as the 6 years starts after April 2003), and be able to give that log to a participant upon request

34 34 Individual Rights: Accounting of Disclosures ­ Log excludes disclosures: to participants (or dependents) who request their own records; and to persons involved in the participant’s care (e.g., spouse); or disclosed in accordance with the participant’s signed written authorization ­ DOES include disclosures to IRS or DOL if you disclose the participant’s name and PHI

35 35 Individual Rights: Accounting of Disclosures Your company may require health plans employees to keep track of additional disclosures Under ARRA, new notification requirement for breach of “unsecured” PHI ­ In general, upon breach, complex notice requirements within 60 days unless PHI was encrypted ­ Determine whether your PHI is encrypted

36 36 What is a Business Associate? Definition: ­ A person who (i) performs for or on behalf of a covered entity, or assists a covered entity, in performing an activity or function involving use or disclosure of health information (e.g., claims processing, utilization review, billing), or (ii) provides legal, actuarial, accounting, management, administrative, accreditation or financial services where the provision of such services involves the disclosure of health information from the entity or another business associate of the entity Includes anyone with health information from your health plans (could include attorneys, consultants, TPAs, auditors, computer software service companies)

37 37 What are the Business Associate Rules? General Rules ­ Need specific HIPAA-dictated language in a contract with all business associates ­ Language includes privacy protections as well as the extension to service providers of individuals’ HIPAA rights. ­ Under ARRA, all of the HIPAA rules apply directly to business associates ­ So, when entering into a new agreement with a third party administrator or a benefits consultant to audit your vendors, the Privacy Officer must arrange to have this language in your agreement

38 38 Handling Complaints The Privacy Notice advises everyone that they have a right to complain about violations of their HIPAA rights If an employee (or covered dependent) complains his or her health plan privacy rights have been violated, the person complaining should be directed to the Privacy Officer, or if any employee wants to complain about a health plan privacy violation by someone else (including by your vendors), all those receiving such a complaint should make a written report to the Privacy Officer The HIPAA Policies must include forms for making privacy complaints All complaints will be investigated by the Privacy Officer Retaliation for making privacy complaints is prohibited

39 39 Employee Sanctions for Violations Your company is required by HIPAA to have and apply appropriate sanctions against the health plans' workforce who fail to comply with the health plans' privacy policies and procedures or the privacy requirements of HIPAA As member of HR Department, know what the disciplinary rules and mitigation rules are

40 40 Checklist If you work with PHI:  Determine whether any state privacy laws apply to the group health plan  Identify current uses and disclosures of PHI  Identify how has access to PHI  Assess using Minimum Necessary Standard  Assess which current uses and disclosures are permitted and under what circumstances  Review group health plan documents for amendment

41 41 Checklist If you work with PHI:  Identify Business Associates—update BA agreements for HiTech  Discuss standards with privacy officer and how they apply to you  Read privacy policies and procedures  Read privacy notice  Review safeguards for protecting PHI from accidental or intentional use in violation of the privacy standards

42 42 Proskauer Rose Presented by: Peter J. Marathas, Jr. 617 526 9704

Download ppt "HIPAA Refresher—What’s New for 2010 Peter Marathas, BAN Compliance Director January 20, 2010."

Similar presentations

Ads by Google