1 Eighth National HIPAA Summit Baltimore, MD PreConference I: HIPAA Boot Camp: The Basics of HIPAA for Providers, Health Plans, Employers and Patients.

Slides:



Advertisements
Similar presentations
The HIPAA Privacy Rule And Its Impact On Agents And Employers National Association of Health Underwriters Capitol Conference March 23, 2003 Joseph T. Holahan,
Advertisements

HIPAA Privacy Practices. Notice A copy of the current DMH Notice must be posted at each service site where persons seeking DMH services will be able to.
PATIENT RIGHTS UNDER HIPAA HIPAA Collaborative of Wisconsin April 2003.
HIPAA Privacy Rule “Standards for Privacy of Individually Identifiable Health Information” 45 CFR 160 and 164* *
1 The HIPAA Privacy Rule and Research This presentation will probably involve audience discussion, which will create action items. Use PowerPoint to keep.
HIPAA: Privacy, Security, and HITECH, Oh My! Presented by Stephanie L. Ganucheau, Special Assistant Attorney General.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
HIPAA Privacy Rule Training
HIPAA Privacy Training Your Name Here. © 2004 MHM Resources Inc.2 HIPAA Background Health Insurance Portability and Accountability Act of 1996.
HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
P E N N S Y L V A N I A C O A L I T I O N A G A I N S T D O M E S T I C V I O L E N C E P E N N S Y L V A N I A C O A L I T I O N A G A I N S T RAPE HIPAA.
HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) ; Victoria Nemerson.
What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,
North Carolina State University Health Information Privacy 4/16/03.
HIPAA Privacy Rule Compliance Training for YSU April 9, 2014.
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.
HIPAA THE PRIVACY RULE Reviewed December HISTORY In 2000, many patients that were newly diagnosed with depression received free samples of anti-
Jill Moore April 2013 HIPAA Update: New Rules, New Challenges.
Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.
Your HIPAA rules Ben Burton, JD, MBA, RHIA, CHP, CHC Notice of Privacy Practices.
HIPAA Compliance Strategies for Employers, METs, MEWAs and Taft Hartley Union Trust Funds The HIPAA Colloquium at Harvard University Presented by: Melissa.
Version 6.0 Approved by HIPAA Implementation Team April 14, HIPAA Learning Module The following is an educational Powerpoint presentation on the.
1 Sixth National HIPAA Summit The Health Lawyer as Business Associate March 28, 2003 Session VI 3:00 pm Gerald E. DeLoss, Esquire Barnwell Whaley Patterson.
HIPAA Health Insurance Portability & Accountability Act of 1996.
Health Insurance Portability and Accountability Act (HIPAA)
Notice of Privacy Practices Nebraska SNIP Privacy Subgroup July 18, 2002 Michael J. Brown, MHA, CPA Vice-President, Administrative & Regulatory Affairs,
HIPAA PRIVACY AND SECURITY AWARENESS.
1 Research & Accounting for Disclosures March 12, 2008 Leslie J. Pfeffer, BS, CHP Office of the Vice President for Research Administration Office of Compliance.
HIPAA The Privacy Rule Health Insurance Portability and Accountability Act of 1996 (HIPAA) The 104 th Congress passed the Act, Public Law ,
1 Disclosures © HIPAA Pros 2002 All rights reserved.
Confidentiality, Consents and Disclosure Recent Legal Changes and Current Issues Presented by Pam Beach, Attorney at Law.
1 HIPAA OVERVIEW ETSU. 2 What is HIPAA? Health Insurance Portability and Accountability Act.
Office of the Secretary Office for Civil Rights (OCR) Indian Health Service HIPAA Training Hosted by the Aberdeen Area Office July 24, 2012.
Computerized Networking of HIV Providers Workshop Data Security, Privacy and HIPAA: Focus on Privacy Joy L. Pritts, J.D. Assistant Research Professor Health.
HIPAA (health insurance portability and accountability act)
HIPAA – How Will the Regulations Impact Research?.
© 2009 The McGraw-Hill Companies, Inc. All rights reserved. 1 McGraw-Hill Chapter 2 The HIPAA Privacy Standards HIPAA for Allied Health Careers.
Medical Law and Ethics, Third Edition Bonnie F. Fremgen Copyright ©2009 by Pearson Education, Inc. Upper Saddle River, New Jersey All rights reserved.
Speak HIPAA Like a Native A Guide to Common HIPAA Nomenclature University of Miami Ethics Programs.
HIPAA and Employer Group Health Plans: Nothing is Simple Beth L. Rubin March 26, 2003  2003 Dechert LLP.
Health Insurance Portability and Accountability Act (HIPAA) CCAC.
Davis Wright Tremaine LLP Case Study: Small Group Health Plan HIPAA Privacy Compliance for Employers September 15, 2003 Speaker Jason Froggatt Becky Williams.
Health Insurance Portability and Accountability Act of 1996 HIPAA Privacy Training for County Employees.
© 2013 The McGraw-Hill Companies, Inc. All rights reserved. Ch 8 Privacy Law and HIPAA.
FleetBoston Financial HIPAA Privacy Compliance Agnes Bundy Scanlan Managing Director and Chief Privacy Officer FleetBoston Financial.
HIPAA PRACTICAL APPLICATION WORKSHOP Orientation Module 1B Anderson Health Information Systems, Inc.
HIPAA THE PRIVACY RULE. 2 HISTORY In 2000, many patients that were newly diagnosed with depression received free samples of anti- depressant medications.
OHCAs, ACEs and Hybrid Entities Paul Smith Davis Wright Tremaine LLP One Embarcadero Center Suite 600 San Francisco, CA (415)
Rhonda Anderson, RHIA, President  …is a PROCESS, not a PROJECT 2.
06/20/03- revised1 Health Insurance Portability and Accountability Act (HIPAA) HIPAA Privacy Rule: UCSF Education Module for Researchers, Research Administrators,
Configuring Electronic Health Records Privacy and Security in the US Lecture b This material (Comp11_Unit7b) was developed by Oregon Health & Science University.
PwC Issues in HIPAA Research Compliance William R. Braithwaite, MD, PhD “Dr. HIPAA” HIPAA Summit 6 Washington, DC 27 March 2003.
The Medical College of Georgia HIPAA Privacy Rule Orientation.
Disclaimer This presentation is intended only for use by Tulane University faculty, staff, and students. No copy or use of this presentation should occur.
Final HIPAA Privacy Rule: The Research Provisions Julie Kaneshiro DHHS Office for Human Research Protections Phone: Fax:
HIPAA and RESEARCH 5 th Thursday May 31, Page 2.
HIPAA Training Workshop #2 Trainer: Kaye L. Rankin Rankin Healthcare Consultants, Inc.
HIPAA Training Workshop #3 Individual Rights Kaye L. Rankin Rankin Healthcare Consultants, Inc.
HIPAA Privacy Rule Training
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)
HIPAA CONFIDENTIALITY
HIPAA Administrative Simplification
HOGAN & HARTSON, L.L.P. “Publications” “Health”
Permitted Uses & Disclosures of PHI
HIPAA Pros - Disclosures
Disability Services Agencies Briefing On HIPAA
HIPAA Privacy & Security: Medical Research Context
Issues in HIPAA Research Compliance
Presentation transcript:

1 Eighth National HIPAA Summit Baltimore, MD PreConference I: HIPAA Boot Camp: The Basics of HIPAA for Providers, Health Plans, Employers and Patients Employer and Group Health Plan Issues By Gerald E. DeLoss, Esquire Barnwell Whaley Patterson & Helms, LLC Charleston, South Carolina

2 HIPAA and Employers Only Certain Health Care Providers, Health Plans, and Health Care Clearinghouses Are Covered Entities Employers Not Generally Covered Unless Fall Under Above Definitions Caveat: Medical Information Provided to Employers and Employer Sponsored Group Health Plans

3 Employment Records and PHI Definition of Protected Health Information (“PHI”) Specifically Excludes: –Employment Records Held by a Covered Entity in its Role as Employer 45 C.F.R. § Example: Drug Testing or Fitness for Duty –Must be Provided to CE in Capacity as Employer –If Conducting Testing, Must Get Authorization to Transmit to HR Example: Professional Sports Teams’ Player Information

4 Employer Issues Covered Entity May Disclose to an Employer About an Employee or Workforce Member of Employer, If: –Covered Entity is a Covered Health Care Provider Who is a Member of the Employer’s Workforce or Who Provides Health Care to Employee or Member At Request of Employer to Conduct Evaluation Relating to Medical Surveillance of Workplace; or Evaluate Whether the Employee or Member Has a Work- Related Illness or Injury –45 C.F.R. § (b)(v)

5 Employer Issues The PHI Disclosed Concerns a Work-Related Illness or Injury or Work-Related Medical Surveillance; or The Employer Needs Findings for OSHA Requirements; and Notice is Provided to Employee or Member –By Giving a Copy of Notice of Privacy Practices, or –Posting of Notice if in Same Worksite 45 C.F.R. § (b)(v)

6 Group Health Plan Definition of Health Plan Includes: –Employee Welfare Benefit Plan or any Other Arrangement that is Established or Maintained for the Purpose of Offering or Providing Health Benefits to the Employees of Two or More Employers 45 C.F.R. §

7 Group Health Plan Means an Employee Welfare Benefit Plan (as Defined Under ERISA), Including Insured and Self-Insured Plans to Extent the Plan Provides Medical Care to Employees or Their Dependents, Directly or Through Insurance, That: –Has 50 or More Participants; or –Is Administered by a Third Party 45 C.F.R. §

8 Third Party Administrators Third Party Administrator Not Generally a Covered Entity Under HIPAA –Most Likely Considered a Business Associate of Group Health Plan DHHS FAQ No. 365

9 Group Health Plan Plan Sponsor means: –The Employer if a Single Employer; –The Employee Organization; –Where Two or More Employers or Employee Organizations, the Association, Committee, Joint Board, or Other Similar Representatives Who Establish or Maintain the Plan 29 U.S.C. § 1002(16)(B)

10 Group Health Plan as Small Health Plan Many Group Health Plans Fall Under Definition of Small Health Plan –Means a Health Plan with Annual Receipts of $5 Million or Less Small Health Plan Compliance Deadline is April 14, 2004 –45 C.F.R. § (b)

11 Group Health Plan – Flexible Spending Accounts/Cafeteria Plans According to DHHS: –To the Extent That a Flexible Spending Account or a Cafeteria Plan Meets Definition of an Employee Welfare Benefit Plan Under ERISA and Pays for Medical Care, It Is a Group Health Plan –Unless It Has Fewer Than 50 Participants and Is Self-administered DHHS FAQ No. 421

12 Group Health Plan – Flexible Spending Accounts/Cafeteria Plans FSA or Cafeteria Plan Could Be Considered Group Health Plan –Fully Insured or Self Insured? –Summary Health Information or PHI? –To Extent Qualifies, Must Satisfy Group Health Plan Requirements

13 Group Health Plan Business Associate Requirements –Generally Covered Entity may Only Disclose to a Business Associate PHI, or Allow Business Associate to Create or Receive PHI, if Agreement –Requirement Does Not Apply to Disclosures by a Group Health Plan or Insurer, to the Plan Sponsor if Other Requirements Met 45 C.F.R. § (f)

14 Disclosures for Group Health Plan To Disclose PHI to Plan Sponsor or To Permit Health Insurer or HMO to Disclose PHI to Plan Sponsor Must Ensure Plan Documents Restrict Uses and Disclosures 45 C.F.R. § (f)(1)(i)

15 Disclosures for Group Health Plan Group Health Plan, Insurer, or HMO May Disclose Summary Health Information to Plan Sponsor for –Obtaining Premium Bids From Health Plans for Providing Health Insurance under Group Plan –Modifying, Amending, or Terminating the Group Health Plan Group Health Plan or Insurer or HMO May Disclose Enrollment Information to Plan Sponsor 45 C.F.R. § (f)(1)(ii), (iii)

16 Disclosures for Group Health Plan Summary Health Information –Summarizes Claims History, Claims Expenses, or Types of Claims Experienced by Individuals for Whom the Plan Sponsor Provided Benefits Under the Group Health Plan –Must Exclude Most Identifying Features, But Not Truly De-Identified Geographic Information May be Aggregated to 5 digit Zip Code Level –45 C.F.R. § (a)

17 Disclosures for Group Health Plan Amendment of Plan Documents –Permitted and Required Uses and Disclosures –Certification by Plan Sponsor: Not Further Use or Disclose PHI Subcontractors Comply NOT Use or Disclose for Employment Decisions Report Any Breach Make PHI Available for Access, Amendment & Accounting Make Records Available for Investigation Return or Destroy PHI –45 C.F.R. § (f)(2)(i), (ii)

18 Disclosures for Group Health Plan Adequate Separation Between Group Health Plan and Plan Sponsor –Plan Sponsor Employees Who Will Access –Only for Plan Administration Functions –Mechanism for Complaints/Noncompliance –45 C.F.R. § (f)(2)(iii)

19 Group Health Plan Uses and Disclosures Group Health Plan May: –Disclose PHI to Plan Sponsor for Plan Administration Functions Consistent with Above –Not Permit an Insurer or HMO to Disclose PHI to Plan Sponsor Except as Provided Above –Not Disclose or Permit Insurer or HMO to Disclose PHI to Plan Sponsor Unless in Notice of Privacy Practices –Not Disclose PHI to Plan Sponsor for Employment Related Actions –45 C.F.R. § (f)(3)

20 Group Health Plan – Other Uses or Disclosures 45 C.F.R. § (a) Use and Disclosure for Treatment, Payment, and Health Care Operations (“TPO”) –Covered Entity Generally May Use and Disclose PHI for TPO –No Consent – Now Notice of Privacy Practices –Treatment Use or Disclose to Any Provider –Payment Use or Disclose Minimum Necessary to Any Other

21 Group Health Plan -- Other Uses or Disclosures 45 C.F.R. § Health Care Operations –Quality Assurance Activities Quality Assessment and Guidelines, Case Mgmt. –Professional Competency Activities Accreditation, Credentialing, Licensing –Insurance Activities Underwriting, Premium Rating –Compliance Activities Fraud and Abuse Compliance –Business Activities Legal, Auditing, Business Planning, Sale of Practice

22 Group Health Plan – Other Uses or Disclosures 45 C.F.R. § De-Identified Information –Not PHI –May Statistically Determine That PHI has Been De-Identified Qualified Individual Offer Professional Conclusion Mathematically Not Identifiable

23 Group Health Plan – Other Uses or Disclosures De-Identified Information Safe Harbor –Names –Geographic Subdivisions –Dates –Telephone Numbers –Facsimile Numbers – Address –Social Security Numbers –Medical Record Numbers –Health Plans Numbers

24 Group Health Plan – Other Uses or Disclosures De-Identified Information Safe Harbor –Account Numbers –License Numbers –Vehicle Identifiers –Device Identifiers –URLs –Internet Addresses –Biometric – Finger and Voice Prints –Facial Photographs –Etc.

25 Authorization 45 C.F.R. § Elements –Meaningful Description of PHI –Identify Entities or Class Disclosing –Identify Entities or Class Receiving –Purpose –Expiration Date or Event –Individual’s Rights – Revocation –Marketing = Remuneration –Dated and Signed

26 Authorization Typically Cannot Condition Treatment Upon Execution Allowed to Condition if for Third Party – Fitness for Duty, etc. Health Plan May Condition for Underwriting or Risk Rating Provider May Condition for Research

27 Authorization Psychotherapy Notes Require Marketing Requires Research Typically Requires Any Use or Disclosure Not Addressed by the Rule

28 Other Uses or Disclosures Requiring Opportunity to Object 45 C.F.R. § 510 Covered Entity may Use or Disclose PHI in Limited Situations Based Upon Informal Permission Disclose to Family Members, Relatives, Individuals Identified Who Are Involved in Care or Treatment Use or Disclose for Facility Directory to Anyone Asking for by Name, Clergy

29 Opportunity to Object Permission in Advance No Documentation Required If Emergency, May Disclose to Those Involved in Care, if Professional Judgment Exercised Covered Entity May Release X-Rays, Rxs, Supplies to Person Acting on Individual’s Behalf, if Professional Judgment

30 Other Uses or Disclosures Without Opportunity to Object 45 C.F.R. § Covered Entity Must Verify Identity of Requester and Authority Where Required by Law Public Health Activities –Reporting Disease –Reporting Vital Statistics –Reporting to FDA –Reporting to Employer –Reporting Communicable Diseases

31 Disclosures Without Objection Victims of Abuse, Neglect, or Domestic Violence –Reasonably Believes and Required/Allowed by Law –No Consent or Notification From/to Individual if Danger –Notice to Personal Representative Unless Harm

32 Disclosures Without Objection Health Oversight Activities –Audits –Civil or Criminal Investigations –Not Where Individual’s Health is at Issue

33 Disclosures Without Objection Law Enforcement –Where Required by Law –Information Must be Relevant –Minimum Necessary Disclosed

34 Disclosures Without Objection Decedents –Disclose to Coroners, Medical Examiners, and Funeral Directors to Carry out Duties Organ, Eye, or Tissue Donation –Use or Disclose PHI to Procurement Organizations

35 Disclosures Without Objection Research Purposes –Must Satisfy Conditions With Respect to IRB Waiver To Avert Serious Threat to Public Certain Specialized Governmental Functions: National Security, VA, Military, Secret Service Workers Compensation Act

36 Disclosures to Attorneys Subpoenas –Notice and Opportunity to Object or Move for Qualified Protective Order (“QPO”) –QPO Not a Good Choice Would Appear to Require Return or Destruction No “Not Feasible” Language in the Order

37 Subpoenas Proposed Procedure –Notice Letter to Patient/Patient’s Attorney Allow for Reasonable Time (14 Days) to File Objection Dispute Over Notice to Attorney Only? –Upon Conclusion of Time Period Send Subpoena, Copy of Notice Letter, and Cover Letter to Covered Entity One Package, Not Waiting on Objections

38 Group Health Plan Notice of Privacy Practices Individual Enrolled in a Group Health Plan Has Right to Notice: –From Group Health Plan if no Insurer of HMO, i.e., Self Insured –From Insurer or HMO if Fully Insured –45 C.F.R. § (a)(2)

39 Group Health Plan Notice of Privacy Practices Group Health Plan Which is Fully Insured and Creates or Receives PHI Above and Beyond Summary Health Information and/or Enrollment/Disenrollment, Must: –Maintain Notice of Privacy Practices –Provide Notice Upon Request If Group Health Plan is Fully Insured and Only Summary Health Information, Then No Notice Required 45 C.F.R. § (a)(2)

40 Group Health Plan Administrative Requirements Group Health Plan Which is Fully Insured and Creates or Receives Only Summary Health Information and/or Enrollment/Disenrollment Has Only Limited Administrative Obligations 45 C.F.R. § (k)(1)

41 Group Health Plan Administrative Requirements Fully Insured Group Health Plan Not Required to: –Designate Privacy Officer –Train Workforce –Implement Safeguards –Complaint Process –Sanctions for Workforce –Mitigate Violations –Implement Policies and Procedures –Only Maintain Documentation of Amended Plan Documents –45 C.F.R. § (k)(1),(2)

42 Group Health Plan Personal Rights Privacy Rule Does Not Explicitly Exclude Group Health Plans Which Are Fully Insured and Receive Only Summary Health Information From Personal Rights Obligations –Access, Amendment, Accounting, Restrictions, Confidential Communications –Guidance States Are Excluded 65 Fed. Reg (December 28, 2000)

43 Access to PHI 45 C.F.R. § Individual Has Right of Access and Inspection No Right to Psychotherapy Notes, Information Compiled for Legal Proceeding, or Exempt Under CLIA May Deny Without Review if For Above, if For Inmate, if During Research, if Under Privacy Act, or if Obtained From Another Party

44 Right of Access Must Provide Review if Refused Due to Endangerment, Due to Mention Another Person, or if Access by Personal Representative a Danger Response to Request Within 30 Days + 30 Day Extension If Reasonable, Must be in Requested Format or Summary if Acceptable; Cost-based Fee

45 Denial of Access Provide Access to Non-Objectionable PHI Written Denial, in Plain Language, of Basis and Complaint Process Notify Individual of Location if Not With Covered Entity

46 Right to Amendment 45 C.F.R. § Individual May Request Amendment to PHI Covered Entity May Deny if Not Its Record, Not Available for Access, or if Accurate Covered Entity May Require That in Writing and Provide Reason 60 Day Time Limit + 30 Day Extension

47 Acceptance of Amendment Covered Entity Must Amend/Append Record Covered Entity Must Notify Individual Covered Entity Must Notify Third Parties and Business Associates of Amendment

48 Denial of Amendment Must Provide Individual With Written Denial Provide Individual to Submit Statement in Disagreement Copies Sent Out to Third Parties Covered Entity May Submit Rebuttal Statement

49 Accounting of Disclosures 45 C.F.R. § Right to Listing of Disclosures During Prior 6 Years, or Less if Specified Excluded –For TPO –To Individuals –Incidental Disclosures –If Authorization –For Facility Directory or Care or Notification –National Security or Law Enforcement –Prior to April 14, 2003

50 Providing the Accounting Date of Disclosure Name of Party Receiving Description of PHI Brief Statement of Purpose for Disclosure or Copy of the Request 60 Day Time Limit + 30 Day Extension

51 Request for Restriction on Use or Disclosure of PHI 45 C.F.R. § (a) Request for Restrictions on Any Aspect Covered Entity Need Not Comply with Request If Agree, Then may Not Disclose Except in Emergency –Must Obtain Assurance from Recipient That Will Not Further Disclose –Not a Bar to Disclosures for Facility Directory May Terminate Orally if Documented and Post-PHI Only

52 Confidential Communications 45 C.F.R. § (b) Individual May Request Alternate or Confidential Communications –Binding Upon Covered Entity if Reasonable Providers May Not Request Reason Health Plans May Request Reason and Only Comply if Endanger Individual May Require Payment Arrangements

53 Conclusion Non-Health Care Employers Still May Be Caught Up in HIPAA –Obtaining Health Information from Covered Entities –Group Health Plans Necessary for All Interested Parties to Learn of the Promise and Pitfalls of the Privacy Rule

54 Conclusion/Questions Gerald “Jud” E. DeLoss Barnwell Whaley Patterson & Helms, LLC 885 Island Park Drive (29492) Post Office Drawer H Charleston, South Carolina (843) Telephone (843) Facsimile

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.