Davis Wright Tremaine LLP Case Study: Small Group Health Plan HIPAA Privacy Compliance for Employers September 15, 2003 Speaker Jason Froggatt Becky Williams.

Presentation transcript:

Davis Wright Tremaine LLP Case Study: Small Group Health Plan HIPAA Privacy Compliance for Employers
September 15, 2003
Speaker Jason Froggatt Becky Williams
Davis Wright Tremaine 2600 Century Square 1501 Fourth Avenue Seattle WA (206) Fax: (206)

Davis Wright Tremaine LLP 2 Case Study: Happy PT
Happy Physical Therapy Associates
Approximately 100 employees
Operations in two states
Self-insured medical/vision
Insured dental; two insurers
Health Flexible Spending Account
EAP

Davis Wright Tremaine LLP 3 Case Study: Happy PT
Happy PT Goals:
  HIPAA Compliance
  Limited Budget
  Employee-Friendly

Davis Wright Tremaine LLP 4 Approach to HIPAA
1. Covered entity analysis - Employer and Plan
2. Information flow analysis - determination of contact with PHI
3. Identification of internal compliance tasks
4. Address Use and Disclosure: business associate and other contractors

Davis Wright Tremaine LLP 5 Covered Entity Analysis: Employers
What about Employers?
Employers are not Covered Entities simply because of their status as employers
Employers have unique responsibilities
  As the fiduciary of a Group Health Plan
  As a Plan Sponsor under Privacy Rules

Davis Wright Tremaine LLP 6 Covered Entity Analysis: Health Plan
Includes any individual or group plan, private or governmental, that provides or pays for medical care (including employer-sponsored group health plan)
Essentially, in employer context, employee welfare benefit plan under ERISA
Includes self-insured and insured plans
Except self-administered employee health plans with fewer than 50 participants
Except for some but not all “excepted benefits”

Davis Wright Tremaine LLP 7 Covered Entity Analysis: Health Plan
Covered Plans
  Medical Benefit Plans
  Long-Term Care
  Dental Plans
  Vision Plans
  Prescription Drug Plans
  Most EAPs
  Health FSAs
Excluded
  Life Insurance
  AD&D
  STD and LTD
  Worker’s Compensation
  Auto Insurance
  Stop Loss/Reinsurance
  Other Property/Casualty

Davis Wright Tremaine LLP 8 Covered Entity Analysis
Covered Entities: HMO/Insurer; Group Health Plan
Non-Covered Entities: Employer/Plan Sponsor; Employer HR/Management

Davis Wright Tremaine LLP 9 Covered Entity Analysis: Small Health Plan
Small Health Plan
Less Than $5,000,000 in receipts
  Insured Plan = Premiums
  Self-Insured Plan = Benefit Claims Paid Out
  Insured/Self Insured = Blend
Prior Fiscal Year
Compliance Date: April 14, 2004

Davis Wright Tremaine LLP 10 Case Study: Covered Entity Determination
100 Employees
$900,000 in Receipts
Small Group Health Plan

Davis Wright Tremaine LLP 11 Information Flow
Identify where protected health information goes, and why
Determine whether plan sponsor is hands-on or hands-off PHI
Fully Insured Plans that receive no PHI
  No Individual Rights
  No Administrative Procedure

Davis Wright Tremaine LLP 12 Compliance Tasks: HIPAA Privacy Rule
Creates individual rights with respect to health information
Mandates administrative actions for covered entities
Imposes use, disclosure and receipt requirements for health information

Davis Wright Tremaine LLP 13 Basic Compliance Tasks
Appoint Privacy Official
Amend Plan Documents (if necessary)
Prepare Notice of Privacy Practices
Business Associate Contracts
Reasonable Policies and Procedures
Varies depending on Information Flow

Davis Wright Tremaine LLP 14 Individual Rights
Right to Adequate Notice of Privacy Practices
  How much detail?
  Readability
Right to Access Health Information
Right to Request Amendment of Health Information
Right to an Accounting of Disclosures
Right to Request Restriction of Uses and Disclosures
Right to Request Restrictions Communicating Health Information

Davis Wright Tremaine LLP 15 Administrative Procedures
Covered Entities must have policies, procedures and systems in place to protect health information and individual rights.
Designation of a privacy official
Complaint mechanism/contact person
Privacy training for employees
Safeguards to prevent misuses of protected health information
Sanctions for employee violations

Davis Wright Tremaine LLP 16 Use and Disclosure: Plan Sponsor
Generally, plan sponsor may only receive PHI from group health plan to carry out plan administrative functions if
  Amends plan documents
  Controls flow of PHI
  Issues a certification to the group health plan about protections for PHI
Amendments and certification must:
  Establish uses and disclosures of PHI by plan sponsor
  Ensure adequate separation between group health plan and plan sponsor
Permitted disclosures to plan sponsor must be described in plan’s privacy notice

Davis Wright Tremaine LLP 17 Use and Disclosure: Plan Sponsor
If plan sponsor does not make required changes to plan document and practices or does not certify that it has done so
Plan may only disclose “summary information” to plan sponsor to obtain premium bids for insurance coverage or to modify, amend or terminate the plan

Davis Wright Tremaine LLP 18 Case Study: Amend Plan
One Plan Amendment
Self-Insured Medical Plan
Health FSA
EAP
Insured Dental Plans

Davis Wright Tremaine LLP 19 Use and Disclosure: Business Associates
May disclose PHI to its business associates if it obtains satisfactory assurances, through written contract, that the business associate will appropriately safeguard the information.
Specific requirements for business associate contract

Davis Wright Tremaine LLP 20 Use and Disclosure: Business Associates
Group Health Plan
COBRA Administrators
Vendors
Consultants
Auditors
Lawyers
Actuaries
Accountants
FSA Administrators
TPAs
Others

Davis Wright Tremaine LLP 21 Case Study: Business Associate Contracts
Medical Plan TPA
Health FSA TPA
EAP – Health Care Provider
Template for Attorneys, Accountants and Others
Broker?

Davis Wright Tremaine LLP 22 Penalties
Civil penalties
  $100 per violation
  $25,000 annual cap for violations of “identical” requirement
Criminal penalties
  For profit/with malice: up to $250,000 and/or 10 yrs in jail
Other “penalties” or liability
  Standard of care
  Reputation
  ERISA
  Breach of fiduciary duties

Davis Wright Tremaine LLP 23 Don’t Forget
Analyze implications of Standard Transactions and Code Set Rules
  Plans must be able to accommodate standard transactions if requested
  Get commitments from insurance carriers/TPAs
Security Regulations
  Beware mini-security rule in Privacy Regulations
State Law

Davis Wright Tremaine LLP 24 Questions