COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.



Why are we holding this Webinar?
- As a service to our clients
- To assist in complying with the HIPAA privacy requirements
- New final regulations released by HHS in January 2013
- Health plans must comply by September 23, 2013
- New increased penalties for noncompliance
Note: GriffinEstep is not a law firm and does not provide legal advice

What is HIPAA? Health Insurance Portability and Accountability Act (HIPAA)
- Federal law enacted in 1996 and amended in 2003 that protects the security and privacy of an individual’s protected health information (PHI)
- Most health care providers and health plans were required to be in compliance with the HIPAA Privacy Rule by April 14, Small health plans were given until April 14, 2004, to be in compliance.
- In 2009 the Health Information Technology for Economic and Clinical Health Act (the HITECH Act) was passed by Congress. It substantially expands the HIPAA Privacy and Security Rules and increases the penalties for violations of HIPAA.
- In January 2013 HHS issued amendments to the HIPAA Privacy Rule, Security Rule and the Breach Notification Rule.
- HIPAA also specifically protects the electronic transmission of PHI

Plan Sponsors
- An employer’s Health Plan is considered a covered entity under HIPAA and must abide by the HIPAA rules
- Vendors who provide services to the health plan must also comply with these Privacy rules (Business Associates)
- These rules apply to anyone who maintains Protected Health Information (PHI) by or for a covered entity

HIPAA Noncompliance Penalties
- No Knowledge. Where a person does not know, and by exercising due diligence would not have known, that the person violated HIPAA's administrative simplification provisions, the minimum penalty is $100 per violation. The maximum penalty is $50,000 per violation, with a cap of $1.5 million for violations of an identical requirement or prohibition within the same calendar year.
- Reasonable Cause. Where a violation is due to “reasonable cause” and not “willful neglect,” the minimum penalty is $1,000 per violation. The maximum penalty is $50,000 per violation, with a cap of $1.5 million for violations of an identical requirement or prohibition within the same calendar year.

HIPAA Noncompliance Penalties
- Willful Neglect (but Corrected). Where a violation is due to “willful neglect,” but was corrected, the minimum penalty is $10,000 to $50,000 per violation. The maximum penalty is capped at $1.5 million for violations of an identical requirement or prohibition within the same calendar year.
- Willful Neglect (but not Corrected). Where a violation is due to “willful neglect,” but was not corrected, the minimum penalty is $50,000 per violation; there is no maximum per violation. The total penalty is capped at $1.5 million for violations of an identical requirement or prohibition within the same calendar year.

HIPAA Docs for Employers
- A HIPAA Privacy Policy
- A HIPAA Use and Disclosure Form
- A Notice of Privacy Practices
- A Business Associates Agreement
- An Authorization for Release of Information
- A HIPAA Security Standards Checklist
- A Plan Sponsor Certification Form
- A HIPAA Privacy Compliance Checklist
- A Plan Amendment for Privacy Practices
- A Summary of Material Modifications to amend the Employer's SPD
- A HIPAA Training Acknowledgment
- A Request for Alternative Communications
- A Request for an Accounting or Disclosure of Protected Health Information
- A Request to Amend or Correct Protected Health Information
- A Request to Inspect or Copy Protected Health Information

HIPAA Privacy Policy
- What is it? Most covered entities must implement policies with respect to PHI that are designed to comply with the privacy rule's requirements
- Which groups need it? Any employer who stores or transmits PHI
- Information in the Privacy policy includes the names of certain employees who have access to PHI

HIPAA Use and Disclosure Form
- What is it? This form details how the covered entity will implement the adopted HIPAA Policy by establishing procedures.
- Which groups need it? Any employer who stores or transmits PHI
- These Use and Disclosure Procedures include two parts:
- A) “Procedures for Use and Disclosure of PHI” includes the use and disclosure procedures that must be followed when PHI will be used or disclosed for the plan's own payment and health care operations purposes and when PHI will be disclosed to third parties (but not the individual).
- B) “Procedures for Complying With Individual Rights” includes procedures for complying with an individual's right to access, amendment, and accounting of PHI held in a designated record set. This section also includes procedures for addressing individual requests for confidential communications and for limits on use and disclosure.

HIPAA Notice of Privacy Practices
- What is it? Discloses to the employees how the plan will use and protect PHI under the privacy rules, what steps it will take to protect PHI and the rights held by employees.
- Which groups need it? Any employer who stores or transmits PHI
- HIPAA requires that the Notice of Privacy Practices describe the uses and disclosures of PHI that may be made by the covered entity; the individual's rights; and the covered entity's legal duties with respect to the PHI.
- All self-insured employer plans must provide this notice to participants when they store or transmit PHI (fully insured carriers will sometimes provide this notice on behalf of an employer’s plan)

Business Associates Agreement
- What is it? It is an agreement with an outside vendor in which the vendor agrees to protect PHI under the HIPAA Privacy Rules
- Which groups need it? Any covered entity that shares or transmits PHI to an outside vendor such as a broker or a TPA.
- A business associate can provide legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services, if the performance of such services involves disclosure of PHI from the covered entity, or from another business associate of the covered entity or OHCA, to the service provider.

Authorization for Release of Information
- What is it? An individual authorization for the use or disclosure of PHI is required whenever the use or disclosure is not otherwise permitted under the privacy rule.
- Which groups need it? Anytime the disclosure or use of PHI is outside the Privacy policy.
- An individual may wish to have PHI disclosed by a covered entity for a variety of reasons, including applications for life or disability insurance or for purposes of a lawsuit. A covered entity itself may request an authorization to use or disclose PHI that it maintains for a purpose other than one for which an authorization is not required. Finally, a covered entity may request an authorization that permits another covered entity to disclose information to the requesting covered entity.

HIPAA Security Standards Checklist
- What is it? It details how the covered entity will comply with the security requirements under HIPAA Privacy
- Which groups need it? Any group that stores or transmits electronic PHI
- Example: An Employer would provide this checklist if they were being audited, to show good faith compliance with the HIPAA security requirements

Plan Sponsor Certification Form
- What is it? Under HIPAA, a group health plan may not disclose PHI to a plan sponsor unless certain firewalls are in place and the plan document is amended to limit a plan sponsor’s use and disclosure of PHI received from a group health plan. A group health plan may rely on a plan sponsor’s certification that such an amendment is in place.
- The Plan Sponsor Certification to Group Health Plan is designed for use by a group health plan that wishes to rely on a plan sponsor’s certification that an appropriate HIPAA privacy plan amendment is in place.
- Which groups need it? Any employer that stores or transmits PHI

HIPAA Privacy Compliance Checklist
- What is it? It details the employer’s efforts to comply with HIPAA Privacy rules
- Which groups need it? Any group that is subject to the HIPAA rules
- Example: An Employer would provide this checklist if they were being audited, to show good faith compliance with the HIPAA privacy requirements

Plan Amendment for Privacy Practices
- What is it? An employer’s plan document must be amended to provide a mention of the Privacy requirements
- Which groups need it? Any employer subject to the HIPAA requirements
- Example: HIPAA rules effective 1/1/2013 require this amendment to your Plan Document

Summary of Material Modification (SMM) to the SPD
- What is it? Any employer Summary Plan Description must be amended to provide an explanation of HIPAA Privacy
- Which groups need it? Any employer subject to the HIPAA requirements
- Example: HIPAA rules effective 1/1/2013 require this amendment to your SPD

HIPAA Training Acknowledgment
- What is it? There is a requirement that employees who handle HIPAA PHI must receive ongoing training.
- Which groups need it? Any employer subject to the HIPAA requirements.
- There is a requirement that those personnel who handle PHI must receive periodic training. This form shows evidence of that training.

Request for Alternative Communication
- What is it? A health plan must permit individuals to request to receive communications of PHI from the plan by alternative means or at alternative locations, and it must accommodate such reasonable requests, if the individual clearly states that disclosure of all or part of that information could endanger the individual
- Which groups need it? Any employer subject to the HIPAA requirements
- An Employer group might be asked not to send claim information to a home address but keep it at the office.

Request for Accounting or Disclosure of PHI
- What is it? It is a request asking to whom the health plan disclosed PHI.
- Which groups need it? Any employer subject to the HIPAA requirements
- Example: An Employer group might be asked for an accounting of who they disclosed PHI to in the administration of the plan

Request to Amend or Correct PHI
- What is it? An individual has the right to amend or correct PHI maintained in a designated record set if the PHI is inaccurate or incomplete.
- Which groups need it? Any employer subject to the HIPAA requirements
- Example: An Employer group might be asked to change their records to correct mistakes

Request to Inspect or Copy PHI
- What is it? With a few exceptions, an individual has the right to inspect and copy his or her own PHI that is maintained in a designated record set. On May 31, 2012, the Director of OCR posted a message on the OCR website reminding consumers of their right to ask to see and get a copy of their health records from most doctors, hospitals, and other health care providers such as pharmacies and nursing homes, as well as from their health plan; and get the records electronically or on paper if their plan or provider is able to do so
- Which groups need it? Any employer subject to the HIPAA requirements
- Example: An Employer group might be asked to review claim records.

HIPAA Resource Links

Request a template copy of these documents
If you are interested, please request a copy of these template documents from: ___________________________
- You will also be receiving an with this order information.
- Once we receive your request, we will send you an order form (with signature line)
- Once signed order is received, we will send you the documents.
- Requests for these documents must be made by ______________
- Questions about these documents must be addressed to your legal counsel.

THANK YOU!