Iowa State Association of Counties

Presentation transcript:

Iowa State Association of Counties HIPAA Training
September 17-18, 2002
Legal Issues
Presented by: Ryan Meade & Brian Annulis
Michael Best & Friedrich LLC, Chicago, IL, (312) 222-0800
September 17, 2002 © Michael Best & Friedrich LLC

Overview
1. Hybrid Entity Analysis
2. Affiliated Covered Entities
3. Organized Health Care Arrangements
4. Government Agency as Health Plan
5. Iowa State Law Preemption Issues
6. Government Entities as Business Associates of other Government Entities
7. Workers Compensation & Employee Health Records
8. A note on the modified Privacy Rules: To consent or not to consent?
9. Employee Health Plans

1. Hybrid Entity Analysis

Hybrid Entity Analysis
The first question in any HIPAA analysis is: What is my organization?
- Health care provider?
- Health plan?
- Health care clearinghouse?
- Business Associate?
- Hybrid?
- A combination of any or all of the above?

Definitions (42 CFR 164.504)
- Covered Functions: functions which make an entity a health care provider, health plan or health care clearinghouse.
- Hybrid: a single legal entity that is a covered entity whose business activities include both covered and non-covered functions and that designates health care components.
- Health Care Component: a component or combination of components of a hybrid entity designated by a hybrid entity.

Hybrid Rules
- A covered entity can limit “HIPAA creep” by recognizing itself as a hybrid entity and designating health care components.
- The entity must then wall off its health care components from non-health care components with respect to use or disclosure of Protected Health Information (PHI).
- The entity must establish safeguards to avoid disclosure of PHI from the health care components to non-health care components.
- The divisions within the entity must be treated as separate entities for HIPAA privacy purposes.

Hybrid Rules
- The hybrid entity operates for HIPAA purposes as 2 separate entities and must treat each use or disclosure of PHI with this idea of a dual world in mind.
- If a disclosure of PHI by a health care component division would need an authorization were the PHI disclosed outside of the entity, then the health care component division must obtain an authorization before disclosing the PHI to a non-health care component division.
Benefits of a hybrid entity:
- Limits the effects of HIPAA to the health care divisions.
- Eases administrative burdens.
- Minimizes undue confusion for divisions which have no interaction with health information but might otherwise need to be trained in HIPAA or adopt HIPAA privacy rules.

What divisions may be health care components?
MUST be designated a health care component:
- any division that would qualify as a covered entity (health plan, health care clearinghouse or health care provider that engages in standard transactions).
MAY be designated a health care component:
- any division that engages in health care provider activities but does not use standard transactions.
- any division that would qualify as a business associate to the county’s covered entity functions if that division were a separate legal entity.

Your Hybrid Status is a Strategic Decision
A hybrid entity must choose how to draw its “hybrid entity” line.
- Do you want non-covered entity covered functions designated as a health care component?
- Do you want business associate-oriented divisions designated as a health care component?
Strategic questions:
- How much interaction will divisions have with PHI held by a covered entity division?
- What is the burden of making non-covered entity divisions covered by HIPAA?

County Hybrid Issues
Counties are often single legal entities with a variety of covered functions and non-covered functions.
Analysis:
- Who interacts with PHI within the county?
- Who performs covered functions?
Consider the status of (not an exhaustive list):
- county hospitals
- health clinics
- social services
- child welfare
- correctional facilities
- police/sheriff
- county controller
- county attorneys

What Must Be Done?
To determine a county’s hybrid status and “draw” the hybrid line:
- Identify divisions within county
- Identify whether a division engages in a covered function
- Identify whether a covered function division qualifies as a covered entity division
- Identify whether a division provides services to a covered entity division and interacts with PHI (serving in a business associate role)
- Identify divisions that use PHI from a covered function division
- Identify which divisions must be designated health care components
- Identify which divisions may be designated health care components
- Analyze burdens/benefits in designating each optional health care component
- Strategically designate a county’s health care components to “wall-off” HIPAA and avoid “HIPAA creep”

2. Affiliated Entities

Affiliated Covered Entities
- The Privacy Rule generally requires separate Covered Entities to individually adhere to the Privacy Rule's implementation rules and standards.
- Thus, as a general matter, for separate Covered Entities that do not participate in an organized health care arrangement, joint consents and joint privacy notices are not permitted.
- EXCEPTION: Affiliated Covered Entities (upon designation)

Affiliated Covered Entities
- Legally separate, but affiliated covered entities that designate themselves as a single covered entity can engage in "joint" compliance. 42 CFR 164.504
- "Affiliated" means 5% or more ownership, or power to influence significantly policies or actions.

Affiliated Covered Entities
To act as an affiliated covered entity:
- the designation must be documented
- the affiliated entities must act as a "multiple function covered entity" under the Privacy Rules

Affiliated Covered Entities
- Affiliated Covered Entities may undertake a joint compliance initiative.
- Separate consents and privacy notices need not be maintained, provided the use or disclosure of PHI is within the same covered function (e.g., a separate consent would need to be obtained if PHI was collected for treatment purposes but the Affiliated Covered Entities wanted to use the PHI for health plan purposes).

Affiliated Covered Entities
Important questions for counties:
- What entities does the county control?
- Does the county have management agreements with other covered entities?
- Are any county health care components managed (or controlled) by other covered entities?

3. Organized Health Care Arrangements

Organized Health Care Arrangements
Integrated health care or health benefits arrangement:
- Clinically-integrated care setting (e.g., hospital and medical staff)
- Organized system held out as joint arrangement and conducting utilization management or risk sharing (e.g., IPA, PHO)
- Group health plan and health insurer or HMO that underwrites benefits

Organized Health Care Arrangements
- Participants may share protected health information for the arrangement’s health care operations
- Subject to minimum necessary limitation

Organized Health Care Arrangements
Advantages:
- Allows participants to rely upon joint notices and joint consents
- Avoids need for execution of multiple consents by patients and receipt of multiple privacy notices

Organized Health Care Arrangements
Disadvantages:
- Revocation process
- Apparent agency/apparent authority issues
- Complexity of joint consent and joint notice if some independent medical staff refuse to use joint consent and joint notice

Organized Health Care Arrangements
In determining whether an Organized Health Care Arrangement is applicable or suitable for a county, consider:
- Does the county have relationships with independent providers who do not act on behalf of the county (and are not paid by the county) but provide health care at a county site?
- What is the county’s relationship with independent…
  - physicians
  - dentists
  - nurses
  - therapists
  - social workers

4. Government Entity as a Health Plan

Government Entity as a Health Plan
Can government entities be considered health plans under HIPAA?
- HIPAA does not exempt government entities from being considered a health plan.
- Determining whether a county engages in health plan activities involves examining county activities against the definition of a health plan.

Government Entity as a Health Plan
A government entity can be considered a health plan according to the definition of “health plan” (42 CFR 160.103).
Most relevant:
- if a government program is specifically named within the definition of health plan
- any individual plan that provides or pays for the cost of medical care
The definition of health plan excludes a government-funded program:
- whose principal purpose is not paying for health care; or
- that makes grants to fund direct provision of health care

5. Iowa State Law Preemption Issues

Iowa State Law Preemption Issues
- HIPAA provides a federal floor for privacy protection and generally preempts state privacy law.
- BUT, the HIPAA Privacy Rule does not preempt state law which is contrary to the Privacy Rule and is more stringent than the Privacy Rule.

Iowa State Law Preemption Issues
More stringent means:
- the state law imposes greater privacy protections
- the state law imposes greater privacy administrative obligations
- the state law grants the individual who is the subject of PHI greater rights
Questions to be asked:
- Does the state law allow an individual greater control or access to his or her PHI?
- Does the state law require the county to do more than HIPAA requires to protect the individual’s privacy?
If YES, then the state law survives.

Iowa State Law Preemption Issues
State law means ANY government directive that has the force and effect of law:
- Iowa Constitution
- Iowa Code (statutes)
- Iowa Administrative Code (regulations)
- Certain Executive Orders
- County ordinances and rules
- City ordinances and rules
- Any other government body’s rules
- Case Law

Iowa State Law Preemption Issues
An example of HIPAA preemption in Iowa: Iowa AIDS confidentiality
Iowa AIDS Confidentiality Law (IA ADC 141A.9)
Basic rule: “Any information, including reports and records, obtained, submitted, and maintained pursuant to this chapter is strictly confidential medical information. The information shall not be released, shared with an agency or institution, or made public upon subpoena, search warrant, discovery proceedings, or by any other means except as provided in this chapter...Information shall be made available for release to the following individuals or under the following circumstances….”

Iowa State Law Preemption Issues
Provision: AIDS information may be released “to any person who secures a written release of test results executed by the subject of the test or the subject's legal guardian.”
Impact:
- Iowa allows only the individual or his/her legal guardian to sign written permission to disclose AIDS information.
- HIPAA allows anyone who qualifies as an individual’s personal representative to sign an authorization to disclose PHI. Personal representatives include legal guardians as well as anyone who has health care treatment decision making authority for the individual.
- Iowa is more stringent in limiting the types of personal representatives who may sign authorizations for disclosure of AIDS PHI.

Iowa State Law Preemption Issues
Provision: AIDS information may be released “to an authorized agent or employee of a health facility or health care provider... and the agent or employee has a medical need to know such information.”
Impact:
- Iowa law only allows AIDS information to be used without written permission within a health care provider by individuals who need to know for medical reasons.
- HIPAA allows PHI to be used without an authorization within a health care provider by individuals who need to use the information for treatment, payment or health care operations.
- Iowa is more stringent and health care providers must continue to obtain written permission from the individual before using AIDS PHI for payment or health care operations.

6. Government Entities as Business Associates of other Government Entities

Government Entities as Business Associates of other Government Entities
- Government entities that serve as business associates of other government entities may enter into a “Memorandum of Understanding” which sets out the basic requirements of a business associate contract.
- HIPAA Memoranda of Understanding are needed when counties serve as business associates of other counties or the state (or the reverse).
- If a county or other government entity is required by law to serve as a business associate, then the Memorandum of Understanding does not need termination provisions.
- (Note: reports to HHS may be more frequent in government to government business associate relationships).

7. Workers Compensation & Employee Health Records

Workers Compensation & Employee Health Records
- Workers compensation plans are excluded from the definition of “health plan”.
- Workers compensation plan activities by the county are exempted from HIPAA provided the division that deals with workers compensation is not designated a health care component.
- “Employment records held by the covered entity in its role as employer” are excluded from the definition of PHI and are not covered by the Privacy Rules. 42 CFR 164.501

8. To Consent or Not to Consent?

A note on the modified Privacy Rule: To consent or not to consent?
- The modifications to the Privacy Rule from August 14, 2002 eliminated a health care provider’s obligation to obtain consent before using or disclosing PHI for treatment, payment or health care operations purposes.
- Obtaining a HIPAA consent is now OPTIONAL.
Should a county’s health care provider division elect to use a HIPAA consent?
- a business decision for the county
- risks should be weighed:
  - how likely will errors occur?
  - why take on risks and liabilities that a county does not need to?

9. Employee Health Plans

Employee Health Plans
- Employee group health plans (GHP) are health plans under HIPAA and are covered entities covered by the Privacy Rule.
- A GHP operates as a separate entity.
- HIPAA requires the employer to respect the “privacy walls” around the employee GHP.
- Understanding HIPAA’s impact on employee GHPs is a matter of understanding relationships.

Group Health Plans
Basic Terminology:
- Group Health Plan
- Plan Sponsor
- Employer Administration
- Fully Funded GHP (Insured GHP)
- Self-Funded GHP
Important questions:
- What type of GHP does the employer have?
- What is the employer’s interaction with the GHP’s PHI?

[Diagram: Insured Group. Labels: “Plan Sponsor” = Employer; HR Dept; Employees; “Group Health Plan” = Employees and Dependents; Insurer; Insurer underwriting risk for premiums; PHI.]

[Diagram: Self-Funded Group: ASO. Labels: “Plan Sponsor” = Employer; HR Dept; Employees; “Group Health Plan” = Employees and Dependents; ASO (Business Associate); Business Associate Contract; PHI.]

[Diagram: Employer Administration. Labels: Certification; “Plan Sponsor” = Employer; HR Dept; Employees; “Group Health Plan” = Employees and Dependents; Plan Document Amendment; PHI Use; ASO (Business Associate); Insurer (OHCA); PHI.]