HIPAA UPDATE: Employers with Group Health Plans (En-Hantz Your Workplace®)

Slide 2: What We're Going to Cover
- Important basic concepts
- Who needs to worry about HIPAA?
- Complying with the Privacy Rule, Transaction Rule, Security Rule, and Breach Notification Rules
- Violating HIPAA
- Minimizing the impact of HIPAA

Slide 3: Important Basic Concepts

Slide 4: What is HIPAA?
- Health Insurance Portability and Accountability Act of 1996
- Intended to make it easier to share information electronically
- Information can be shared for certain purposes
- All other purposes are prohibited without authorization

Slide 5: Protected Health Information
- Individually identifiable health information used by a health plan
- Any form: written, electronic or oral
- Includes information relating to:
  - Physical health
  - Mental health
  - Payment for health care

Slide 6: How Does HIPAA (not Hippo) Apply to Employers' Group Health Plans?

Slide 7: Effect on Employers
- HIPAA regulates all covered entities.
- "Covered entity" includes all health plans.
- A "health plan" is an individual or group plan that provides or pays for the cost of health services, including self-funded and insured group health plans of private and government employers.
- The definition of health plan specifically includes employee welfare benefit plans as defined by ERISA.
- If your organization offers a group health plan for your employees, the group health plan must comply with HIPAA.

Slide 8: Health Plans Subject to HIPAA
- Medical plans
- Dental plans
- Vision plans
- Health flexible spending accounts
- Employee assistance programs
- Wellness programs

Slide 9: What is Not a "Health Plan"?
- Employment records
- Leaves of absence, FMLA records
- ADA claims
- On-the-job injuries
- Workers' compensation
- Fitness-for-duty exams
- Drug screening

Slide 10: What is Not a "Health Plan"?
- Life insurance
- Disability (STD & LTD)
- Some wellness programs

Slide 11: What is Not a "Health Plan"?
- ADA claims
- On-the-job injuries
- Drug screening

Slide 12: Who Needs to Worry About HIPAA?

Slide 13: The Plan v. The Employer
- Technically it is the group health plan that must comply with HIPAA, but practically speaking the employer/plan sponsor will have to make sure the health plan is in compliance.
- An employer's employee records are excluded from the definition of PHI.
- Employers or plan sponsors may not use PHI for employment-related functions without authorization from the individual.
- The group health plan must determine which PHI uses and disclosures will be needed to administer the group health plan, and then amend the plan document accordingly to indicate that the group health plan will comply with the permitted and required uses and disclosures.

Slide 14: A Narrow Exception
- A very limited exemption exists for small self-administered plans:
  - Your group health plan must have fewer than 50 participants; and
  - Your organization must have established, maintain and administer the plan (i.e., you do not use a third-party administrator (TPA) or other entity to help administer the plan).
- Few health plans will actually qualify for this exception.

Slide 15: Fully-Insured Benefits
- Can take a hands-off approach.
- Handle only enrollment information and summary health information.
- Minimum compliance obligations:
  - Do not require enrollees to waive HIPAA rights
  - Do not retaliate against enrollees who exercise HIPAA rights
- Compliance burden is on insurers/HMOs.

Slide 16: "Hands-Off" Approach
- Summary health information for plan sponsor functions.
- Summary health information is information that may be individually identifiable health information and:
  - summarizes the claims history, claims expenses or type of claims experienced by individuals for whom the plan sponsor has provided health benefits under the group health plan, and
  - from which identifying information (18 specific identifiers) has been deleted (basically de-identified PHI), except that geographic information may only be aggregated to the level of a 5-digit zip code.
- Enrollment/disenrollment information.

Slide 17: Self-Insured Benefits
- Must fully comply with HIPAA:
  - Privacy rules
  - Security rules
  - Transaction rules
  - Breach notification rules
- Hiring a TPA does NOT relieve you of your compliance obligation.
  - But it can help relieve the burden.

Slide 18: Complying with the Privacy Rule

Slide 19: Protected Health Information (PHI)
- Individually identifiable health information used by a health plan.
- Any form: written, electronic or oral.
- Includes information relating to:
  - Physical health
  - Mental health
  - Provision of and payment for health care

Slide 20: What is Not PHI?
- Information that does not come from, or is not given to, health plans.
  - Health information an employee shares with the Benefits Dept. for health plan purposes (e.g., information for pre-certification of a hospital stay) IS PHI.
  - The same information that the employee shares with a supervisor for FMLA purposes IS NOT PHI.

Slide 21: What is Not PHI?
- Enrollment records:
  - Enrollment records maintained in employment records are not PHI.
  - Enrollment records reported to the health plan are PHI.

Slide 22: Restrictions on PHI
- Health plans may not use or disclose PHI unless:
  - The Privacy Rule specifically allows the use/disclosure; or
  - The individual who is the subject of the PHI specifically allows it.

Slide 23: Restrictions on PHI
- Cannot use PHI for:
  - Making personnel decisions
  - Administering other employee benefit programs
- Cannot use or disclose PHI for marketing purposes without authorization.
- Cannot sell PHI.

Slide 24: Permitted Uses of PHI
- "TPO":
  - Treatment
  - Payment
  - Health care operations
- Complying with law.
- Any other use or disclosure generally requires authorization.

Slide 25: Minimum Necessary Rule
- Must limit uses and disclosures of PHI to the minimum amount necessary to accomplish the intended purpose.
- Do not use a fire hydrant when a garden hose will suffice.
- HITECH clarification:
  - Default rule: use aggregate data only.
  - Must justify use of more detailed information.

Slide 26: Privacy Rule Requirements
- Designate a privacy officer
- Implement written privacy policies
- Train those who work with PHI
- Discipline those who violate privacy policies
- Investigate and respond to complaints

Slide 27: Privacy Rule Requirements
- Include provisions in the health plan document that:
  - Describe permitted uses and disclosures
  - Identify who is permitted to have access to PHI
  - Require compliance with privacy rules
- Plan sponsor must certify compliance with HIPAA privacy rules.
- Distribute a Notice of Privacy Practices.
- Retain HIPAA compliance records for at least six years.

Slide 28: Privacy Rule Requirements
- Respect individual rights:
  - Right to access PHI in health plan records
  - Right to request amendments of PHI
  - Right to an accounting of disclosures
  - Right to request additional restrictions
  - Right to request confidential communications
- Verify the identity and authority of those seeking access to PHI.

Slide 29: Business Associates
- A person or organization who:
  - Performs a function or activity for the health plan; or
  - Assists the plan sponsor in performing a health plan function or activity,
  where the function or activity involves use or disclosure of PHI.
- Employees are not business associates.
- HMOs/insurers are not business associates.

Slide 30: Examples of Business Associates
- Third-party administrators (TPAs)
- COBRA administrators
- Outside attorneys and accountants
- Benefits consultants
- Insurance agents
- Utilization review organizations
- Computer service technicians
- Software vendors

Slide 31: Business Associate Agreements
- Must have a written contract that:
  - Establishes permitted uses and disclosures
  - Requires compliance with HIPAA requirements
  - Requires reporting of:
    - Unauthorized uses/disclosures
    - Security incidents
    - Security breaches

Slide 32: Business Associates
- If you learn that a business associate has materially violated the terms of the BAA:
  - Must investigate
  - Demand that the BA end the violation and mitigate harm
  - If the BA does not end the breach or cannot cure it:
    - Terminate the contract, or
    - Report the BA to HHS

Slide 33: Family Members/Representatives
- May disclose PHI to family, relatives and friends involved in the individual's care or payment for care.
- Can use professional judgment.
- Give individuals the ability to designate someone, and to revoke the designation.
- Personal representatives can exercise all rights of individuals.

Slide 34: Complying with the Transaction Rule

Slide 35: Transaction Rule
- Goal: standardize electronic transactions relating to payment for health care.
- Streamline payment for health care.
- Technical rule for how to structure the transaction.

Slide 36: Transaction Rule
- Applies to electronic transactions by a health plan with:
  - Health care providers
  - Other health plans
- Generally an issue for TPAs.
- BAAs must require compliance with transaction standards.

Slide 37: Complying with the Security Rule

Slide 38: Scope of Security Rules
- Apply to electronic forms of PHI:
  - Databases
  - Spreadsheets
  - E-mail communications
  - Copy machines with hard drives
- Does not apply to:
  - Paper records
  - Telephone and fax transmissions (but does apply to voice mail and stored fax documents)

Slide 39: Risk Assessments
- Must conduct a risk assessment:
  - Identify where ePHI is stored and used
  - Identify the threats to confidentiality, integrity and accessibility of ePHI
  - Identify the likelihood that a vulnerability will lead to unauthorized use/disclosure
  - Identify risks that need to be addressed
- Must update on a regular basis.

Slide 40: Administrative Safeguards
- Designate a Security Officer
- Train and discipline the workforce
- Manage the workforce's access to ePHI
- Monitor for and report on security incidents
- Establish contingency plans (backup, disaster recovery, emergency modes, etc.)
- Periodic evaluation of safeguards

Slide 41: Physical Security
- Control access to physical equipment using/storing ePHI
- Workstation use/security
- Device and media controls

Slide 42: Technical Safeguards
- Unique user IDs/authentication
- Automatic logoff
- Emergency access procedures
- Encryption & transmission security
- Audit controls
- Mechanisms to prevent improper alteration/destruction

Slide 43: Business Associates
- Handle most ePHI for health plans.
- Must now contractually agree to implement policies and procedures that comply with these requirements.
- Examine transmissions with business associates.

Slide 44: Complying with the Breach Notification Rule

Slide 45: Breach Notification
- Before HITECH: no clear duty to notify of a breach under HIPAA.
- HITECH Act: must notify each individual whose PHI is breached within 60 days of discovery.
- Applies to all forms of unsecured PHI.

Slide 46: Breach Notification Analysis
- Was there a "breach"?
  - Unauthorized:
    - Acquisition
    - Access
    - Use
    - Disclosure

Slide 47: Breach Notification Analysis
- Was the data secured with respect to the individual with unauthorized access?
  - Electronic data: was it encrypted?
    - Data at rest
    - Data in motion
  - Media: was it properly destroyed?
    - Paper, film, other hard-copy media
    - Electronic data

Slide 48: Breach Notification Analysis
- Does the incident fall within an exception?
  - The person would not reasonably have been able to retain the information
  - An employee's unintentional access of a record in good faith
  - Inadvertent disclosure within the same organization by and to an individual authorized to access PHI

Slide 49: Breach Notification Analysis
- Could there be a significant risk of harm?
  - Who received/accessed the information?
  - How detailed was the information?
  - Were steps taken to recall/destroy the information and mitigate harm?
  - Was the information returned/destroyed before being improperly accessed?

Slide 50: Breach Notification
- Methods of providing notice:
  - Written notice to the last known address (or e-mail if specified by the individual)
  - If contact information is insufficient or out of date, alternative notice:
    - If more than 10 individuals: prominent posting on the website; or notice in major print or broadcast media
  - In urgent situations, may supplement with telephone or other means, if appropriate

Slide 51: Breach Notification
- Notice to prominent media outlets if more than 500 individuals within a state are affected.
- Notification to the Secretary of Health & Human Services:
  - At the time of the incident, if more than 500 individuals are affected
  - If fewer than 500 individuals, must submit to HHS annually
- eachnotificationrule/brinstruction.html

Slide 52: Breach Notification
- Content of the notification:
  - Brief description of what happened, including:
    - Date of the breach (if known)
    - Date the breach was discovered
  - Description of the types of unsecured PHI involved in the breach
  - Steps individuals should take to protect themselves from potential harm
  - What the covered entity is doing to investigate, mitigate losses and protect against further breaches
  - Contact procedures to ask questions or learn more
- Deadline: without unreasonable delay, but in any case within 60 days.

Slide 53: Breach Notification
- Does not preempt state security breach notification laws, which typically cover:
  - SSNs
  - Driver's license numbers
  - Financial account information
- May have to comply with both.

Slide 54: Breach Notification
- Business associates are also subject to the breach notification provisions.
- Default rule: provide notice to the covered entity.
  - Must include identification of each individual whose PHI has been or is reasonably believed to have been breached.
- Covered entities can contract for a different arrangement.
- Duty may be different under state law.
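The breach notification analysis on slides 46 through 54 is a decision procedure; below it is encoded as a function that walks the four questions and returns the notices the slides call for. This is an added example, not material from the presentation: the Incident class, its field names and the per-state counts are assumptions made here for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List

@dataclass
class Incident:
    """Facts gathered about a suspected breach (constructed for this example)."""
    unauthorized_action: bool            # unauthorized acquisition, access, use or disclosure
    electronic: bool                     # ePHI (True) or hard-copy media (False)
    encrypted: bool = False              # electronic data encrypted at rest / in motion
    media_destroyed: bool = False        # hard-copy media properly destroyed
    exception: bool = False              # one of the three slide-48 exceptions applies
    significant_risk_of_harm: bool = True
    affected: int = 0                    # total individuals whose PHI was involved
    state_counts: Dict[str, int] = field(default_factory=dict)  # affected per state
    unreachable: int = 0                 # individuals with insufficient/outdated contact info

def notice_deadline(discovered: date) -> date:
    """Slides 45 and 52: notice within 60 days of discovery."""
    return discovered + timedelta(days=60)

def required_notifications(inc: Incident) -> List[str]:
    """Slides 46-49 decide whether notice is owed; slides 50-51 decide to whom."""
    # Q1 (slide 46): no unauthorized action means no breach.
    if not inc.unauthorized_action:
        return []
    # Q2 (slide 47): secured data (encrypted, or media destroyed) is not "unsecured PHI".
    secured = inc.encrypted if inc.electronic else inc.media_destroyed
    if secured:
        return []
    # Q3 (slide 48) and Q4 (slide 49): exceptions and the risk-of-harm test.
    if inc.exception or not inc.significant_risk_of_harm:
        return []
    notices = ["individual written notice within 60 days of discovery"]
    # Slide 50: substitute notice when more than 10 individuals cannot be reached.
    if inc.unreachable > 10:
        notices.append("substitute notice: website posting or major media")
    # Slide 51: media notice per state with more than 500 affected individuals.
    for state, n in inc.state_counts.items():
        if n > 500:
            notices.append(f"prominent media notice in {state}")
    # Slide 51: HHS is told at the time of the incident above 500, otherwise in the annual log.
    # The slides leave exactly 500 unstated; this example groups it with the annual log.
    if inc.affected > 500:
        notices.append("HHS notification at time of incident")
    else:
        notices.append("HHS annual log submission")
    return notices
```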

Slide 55: Consequences of HIPAA Violations

Slide 56: Pre-HITECH Enforcement
- No more than $100 per violation per day.
- Capped at $25,000 per year for all violations of an identical requirement or prohibition during a calendar year.
- HHS pursued "informal" enforcement.

Slide 57: HITECH Enhanced Enforcement
- New tiered structure for each violation:
  - "Unknown" violations: $100 to $50,000
  - "Reasonable cause" violations: $1,000 to $50,000
  - "Willful neglect" violations (if corrected within 30 days): $10,000 to $50,000
  - "Willful neglect" violations (if uncorrected within 30 days): $50,000
- New cap: $1.5 million for all violations of the same type during a calendar year.

Slide 58: New Enforcement Strategies
- Individuals who wrongfully disclose PHI are now clearly subject to criminal penalties.
- Requires HHS to conduct audits.
- State Attorneys General and the FTC are given enforcement authority.

Slide 59: Minimizing the Impact of HIPAA

Slide 60: Try Not to Have PHI
- Try to keep it from becoming PHI:
  - Keep enrollment data in employment records
  - Work with enrollment data as much as possible
- Limit the information TPAs report to you:
  - Get de-identified or summary health information only
- Have health plan participants and beneficiaries deal directly with the TPA.
- Have TPAs handle benefits appeals.

Slide 61: If You Must Handle PHI
- Limit the number of people with access.
- Minimize the amount of information you receive.
- Be sure those who handle the information are trained.
- Be sure policies and procedures are in sync with practices.
- Try not to have ePHI.

Slide 62: Questions? Contact info
