Presentation is loading. Please wait.

Presentation is loading. Please wait.

HIPAA and Employer Group Health Plans: Nothing is Simple Beth L. Rubin March 26, 2003  2003 Dechert LLP.

Published byMervin Gregory Modified over 8 years ago

Similar presentations

Presentation on theme: "HIPAA and Employer Group Health Plans: Nothing is Simple Beth L. Rubin March 26, 2003  2003 Dechert LLP."— Presentation transcript:

1 HIPAA and Employer Group Health Plans: Nothing is Simple Beth L. Rubin March 26, 2003  2003 Dechert LLP

2 2 HIPAA Applicability n Health Plans -- including employer group health plans n Health Care Providers -- that transmit any health information in electronic form n Health Care Clearinghouses

3 3 Health Plan Definition n “Health plan” is broadly defined: o An “individual or group plan that provides, or pays the cost of, medical care” n Includes most ERISA employer welfare benefit plans, insured and self-funded, plus some non- ERISA plans

4 4 Privacy Rule Chronology n Proposed Rule: November 1999 n Final Rule: December 2000 n Comment period: March 2001 n Proposed Changes: March 2002 n Final Final Rule: August 2002 n Guidance released: December 2002 n Compliance Date: April 14, 2003 (large plans) n Compliance Date: April 14, 2004 (small plans)

5 5 Health Plans n Health plans must comply with all the Privacy Standards that apply to Providers, plus certain Standards applicable only to health plans

6 6 Health Plans Health Plans must comply with: n Restrictions on Uses and Disclosures of PHI n Plan Member Rights Requirements n Administrative Requirements Firewall Requirements – Separation between the plan and plan sponsor

7 7 Restrictions on Uses and Disclosures n Covered entities may not use or disclose PHI, except as permitted or required under the Standards n Treatment, payment, and health care operations (TPO)

8 8 Restrictions on Uses and Disclosures n Authorizations o For uses and disclosures not otherwise permitted by the rule o Authorizations are necessary for some, but not all, purposes other than TPO o Authorization content -- core elements

9 9 Restrictions on Uses and Disclosures n “Minimum Necessary” Standard n Business Associate Requirements, including re- contracting n De-identification requirements o limited data set

10 10 Uses and Disclosures without Authorization or Opportunity to Agree n Certain public health authorities n Government authorities authorized to receive reports on child abuse or neglect n FDA reporting, tracking and surveillance

11 11 Uses and Disclosures without Authorization or Opportunity to Agree n Health oversight activities n Judicial or administrative proceedings n Law enforcement continued

12 12 Business Associate Definition n A person who, on behalf of a covered entity, performs a function involving the use or disclosure of IHI (includes claims processing, data analysis, utilization review, quality assurance, billing, benefit management, and repricing) OR

13 13 Business Associate Definition n A person who provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity, where this service involves disclosure of IHI

14 14 Liability n A health plan may be found liable if: o the plan “knew” of a pattern of activity of a business associate that violates the business associate’s obligation under its contract with the plan, unless the plan took reasonable steps to end the violation

15 15 Liability o If such steps were unsuccessful, the plan n Terminated the contract, if feasible, or n If termination was not feasible, reported the problem to the Secretary of DHHS

16 16 Business Associate Contracts n “Satisfactory assurance” requirement o Plans must have contracts with business associates that include many specified terms (includes plan administrators) o Transition period

17 17 Member Rights n Right to Notice of Privacy Practices o Strict content requirements o Self-funded plans must provide notice to members by the compliance date n After compliance date, to new members at the time of enrollment

18 18 Member Rights n Notice o Insured plans that do not create or receive PHI -- notice is provided by insurer/HMO o Insured Plans that create or receive PHI must maintain a notice and provide it upon request

19 19 Member Rights n Right to request restrictions on uses and disclosures o Plans are not required to agree to requested restrictions o More confidential mode of communication

20 20 Member Rights n Right to access PHI o Members have the right to access, inspect, and copy their health information o Strict deadlines and procedures

21 21 Member Rights n Right to amend PHI o Plans may deny requests for amendment if the PHI: n Was not created by the plan; Is accurate and complete

22 22 Member Rights n Right to an accounting of certain disclosures of PHI made by plan during the previous 6 years o Exceptions

23 23 Administrative Requirements n Appoint a privacy officer n Designate a contact person or office responsible for receiving privacy-related complaints

24 24 Administrative Requirements n Plan workforce training o Policies and procedures o Retraining -- if the policies and procedures change materially o Documentation o Combine with Security training

25 25 Administrative Requirements n Privacy safeguards o Install appropriate administrative, technical, and physical safeguards o Scalability o Intersection with Security Rule

26 26 Administrative Requirements n Complaints o Process o Documentation

27 27 Administrative Requirements n Sanctions o Establish and apply appropriate sanctions against plan workforce members who violate the plan’s privacy policies and procedures or the Privacy Standards

28 28 Administrative Requirements n Mitigation o Mitigate, if practicable, any harmful effect resulting from a violation of the plan’s policies and procedures or the Standards

29 29 Administrative Requirements n Privacy policies and procedures

30 30 Firewall Requirements n HIPAA applies to health plans, not plan sponsors n For this reason, the Standards focus on plans, and force plans to impose certain requirements on plan sponsors

31 31 FIREWALL REQUIREMENTS n Right brain vs. Left Brain o Brain firewall n Right hand vs. Left Hand n Wearing different hats while performing different functions n Is training important?

32 32 Firewall Requirements Plan sponsors may access identifiable health information only for plan administration purposes

33 33 Firewall Requirements n Plan sponsors may NOT access PHI for employment-related actions without written permission from the plan member

34 34 Firewall Requirements n Recent Clarification: o Employment records are not considered Protected Health Information

35 35 Firewall Requirements n Plan Documents o If Plan Sponsors receive PHI other than summary and enrollment/disenrollment information, they must amend their plan documents to include specified terms

36 36 Firewall Requirements n Exceptions : Group health plans may give plan sponsors: o Summary health information o Enrollment/Disenrollment information

37 37 Firewall Requirements n Summary Information (mostly de-identified) may be disclosed to a plan sponsor for the purpose of o Obtaining bids o Modifying, amending, or terminating the plan

38 38 Plan Documents n GHP may disclose PHI to the PS only upon receipt of a certification that the plan documents have been amended to include the following: o Permitted and required uses and disclosures of such information by PS

39 39 Plan Documents o PS agrees not to use or further disclose the information other than as permitted or required by the plan documents or as required by law

40 40 Plan Documents o PS agrees to ensure that any agents, including subcontractors, to whom it gives PHI agree to the same restrictions

41 41 Plan Documents o PS agrees not to use or disclose PHI for employment- related actions or in connection with any other benefit or employee benefit plan o PS agrees to report to GHP any use or disclosure inconsistent with these requirements

42 42 Plan Documents o PS agrees to make available PHI for employee access, amendment, and accounting rights o PS agrees to make its internal practices and records relating to the PHI available to DHHS for determining Plan’s compliance with the Standards

43 43 Plan Documents o When no longer needed, PS agrees to return or destroy all information received from GHP n If not feasible to return or destroy the information, PS agrees to limit any further uses and disclosures of the information

44 44 Plan Documents n Plan documents also must establish “adequate separation” between the GHP and PS by o Describing those employee positions (or other persons under control of PS) who may access the information n Individuals who use identifiable information relating to payment or health care operations of GHP

45 45 Plan Documents o Restrict access to and use by such employees and other persons to the plan administration functions that the PS performs for the GHP

46 46 Plan Document o Plan documents also must provide an effective mechanism for resolving issues of noncompliance by those designated persons

47 47 Firewall Requirements Reminder: n Written authorization from the member is required for disclosure of PHI to a plan sponsor for o Employment-related actions o Actions relating to any other benefit or plan maintained by the plan sponsor

48 48 Insured Plans n Insured plans that do NOT receive PHI (other than summary and enrollment/disenrollment) are exempt from many requirements, including:

49 49 Insured Plans n Exempt from: o Privacy officer o Workforce training o Privacy safeguards o Complaints o Workforce sanctions o Mitigation

50 50 Insured Plans n Exempt from: o Policies and procedures o Notice of privacy practices o Patient rights of access, amendment and accounting Why? Individuals enrolled in these plans have these rights through the insurer/HMO

51 51 Insured Plans n Do you create or receive PHI? o From the Administrator/Insurer? o From Plan members? n E.g., Assistance with claims n Keep plan sponsor employees outside the Plan firewall

52 52 GHP Action Plan n Develop a HIPAA Group Health Plan privacy [and security] action plan o Phases may include assessment, strategic analysis, and implementation

53 53 GHP Action Plan o Outline discrete tasks for each phase, including re-negotiating business associate contracts o Set timelines

54 54 Initial Documents n Inventory/Assessment Questionnaires? n Plan document amendments n Policies and Procedures n Notice of Privacy Practices n Forms/Logs

55 55 Policies and Procedures n What types of Plan policies and procedures are needed? o Overall privacy policy addressing handling of PHI and “adequate separation” n Must be consistent with plan documents n May address “minimum necessary” standard

56 56 Policies and Procedures o Plan member rights (detailed) o Plan Member Privacy Complaints o Plan Workforce Training  Privacy-related Workforce Sanctions

57 57 Policies and Procedures o Policy on Safeguards for Protecting PHI -- detailed o Policy on Plan Documentation and Retention of Certain Records o Policy on Authorizations (including Authorization form)

58 58 Do’s and Don’ts of Policy Drafting n Avoid overly broad, absolute pronouncements about security and privacy o Avoid extraneous detail o Avoid overstating protections and safeguards n Never “ensure”

59 59 Do’s and Don’ts of Policy Drafting o Allow flexibility for practice variation and innovation if permitted under the Privacy Standards o Do not adopt a policy or procedure that will not be, or is not capable of being, implemented

60 60 Selected Issues n Telephone inquiries from spouses/others regarding a member’s benefits/claims o Systems issue o Customer service problem o Employee/union issues o Creative solutions

61 61 Selected Issues n What is the Plan workforce? Which employees are Plan workforce members? o Consequences/potential liability related to wearing two hats o Training and workable sanctions o Clear policies and procedures

62 62 Selected Issues n Notice of Privacy Practices o Self-funded plans must send this notice soon o Will the TPA also be sending a notice? n Will plan members get two different notices with different privacy complaint contacts?

63 63 Selected Issues n Re-negotiation of third party administrator agreements o Add required business associate terms o Consider adding/modifying other related terms o Transition period

64 64 Selected Issues n Can a self-funded Plan use a TPA for all required tasks and not have policies and procedures, privacy officer, etc? o No -- You can delegate tasks, but can’t delegate all HIPAA responsibilities

65 65 Compliance Dates n Small health plans (with annual receipts of $5 million or less) o April 14, 2004 n Other (not small health plans) o April 14, 2003

66 66 Penalties n Violating the privacy rule can create both civil and criminal liability o “Nice HIPAA” o “HIPAA for crooks”

67 67 Penalties n Civil penalties: $100 per violation o Capped at $25,000 per person, per year, per standard

68 68 Penalties n Criminal penalties: up to $250,000 and prison sentences of up to 10 years, if: o Offense is committed with an intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm

69 69 Case Law n In May 2001, a federal judge noted that although compliance is not required until April 2003, the HIPAA privacy regulations are “persuasive in that they demonstrate a strong federal policy of protection for patient medical records.” U.S. v. Sutherland n The judge applied the HIPAA regulations to that case n Another judge recently did the same

70 70 Enforcement n A new “standard of care” for how health plans (employers) should handle identifiable health information?

71 71 Beth L. Rubin Dechert LLP 4000 Bell Atlantic Tower 1717 Arch Street Philadelphia, PA 19103 beth.rubin@dechert.com 215.994.2535

Download ppt "HIPAA and Employer Group Health Plans: Nothing is Simple Beth L. Rubin March 26, 2003  2003 Dechert LLP."

Similar presentations

H OGAN & H ARTSON, L.L.P.

H OGAN & H ARTSON, L.L.P.
The HIPAA Privacy Rule And Its Impact On Agents And Employers National Association of Health Underwriters Capitol Conference March 23, 2003 Joseph T. Holahan,

The HIPAA Privacy Rule And Its Impact On Agents And Employers National Association of Health Underwriters Capitol Conference March 23, 2003 Joseph T. Holahan,
HIPAA Privacy Practices. Notice A copy of the current DMH Notice must be posted at each service site where persons seeking DMH services will be able to.

HIPAA Privacy Practices. Notice A copy of the current DMH Notice must be posted at each service site where persons seeking DMH services will be able to.
Pennsylvania Bureau of Workers’ Compensation Conference December 4, 2003 Beth L. Rubin  2003 Dechert LLP HIPAA Privacy Rule Basics.

Pennsylvania Bureau of Workers’ Compensation Conference December 4, 2003 Beth L. Rubin  2003 Dechert LLP HIPAA Privacy Rule Basics.
Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.

Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.
1 The HIPAA Privacy Rule and Research This presentation will probably involve audience discussion, which will create action items. Use PowerPoint to keep.

1 The HIPAA Privacy Rule and Research This presentation will probably involve audience discussion, which will create action items. Use PowerPoint to keep.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
HIPAA: Privacy, Security, and HITECH, Oh My! Presented by Stephanie L. Ganucheau, Special Assistant Attorney General.

HIPAA: Privacy, Security, and HITECH, Oh My! Presented by Stephanie L. Ganucheau, Special Assistant Attorney General.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
Confidentiality and HIPAA

Confidentiality and HIPAA
HIPAA Privacy Rule Training

HIPAA Privacy Rule Training
HIPAA Privacy Training Your Name Here. © 2004 MHM Resources Inc.2 HIPAA Background Health Insurance Portability and Accountability Act of 1996.

HIPAA Privacy Training Your Name Here. © 2004 MHM Resources Inc.2 HIPAA Background Health Insurance Portability and Accountability Act of 1996.
National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.

National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.
The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.

The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.
P E N N S Y L V A N I A C O A L I T I O N A G A I N S T D O M E S T I C V I O L E N C E P E N N S Y L V A N I A C O A L I T I O N A G A I N S T RAPE HIPAA.

P E N N S Y L V A N I A C O A L I T I O N A G A I N S T D O M E S T I C V I O L E N C E P E N N S Y L V A N I A C O A L I T I O N A G A I N S T RAPE HIPAA.
HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) 252-9321; Victoria Nemerson.

HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) ; Victoria Nemerson.
HIPAA Health Insurance Portability and Accountability Act.

HIPAA Health Insurance Portability and Accountability Act.
What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,

What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,
HIPAA The Hidden Beast June Kissinger Director, Risk Management Support Services March 12, 2003.

HIPAA The Hidden Beast June Kissinger Director, Risk Management Support Services March 12, 2003.
1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.

1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.

Similar presentations

Ads by Google