Reflections on the State of Privacy Risk Management in Health Care Benefits Administration (one year and counting …) Mark Lutes, Esq. Partner Epstein Becker.

Presentation transcript:

Reflections on the State of Privacy Risk Management in Health Care Benefits Administration (one year and counting …) Mark Lutes, Esq. Partner Epstein Becker & Green, P.C. Washington, DC (202)

Are We Aiming At The Right Target?
– Reputational risk?
– Class action litigation?
– Employment discrimination suits?
– Office of Civil Rights (HHS) risk?

Misdirected Efforts
– Committee meetings galore (“activity mistaken for progress”)
– Gap analysis mania
  – Does anyone really expect that the old forms would meet the new standards?
  – Gap work product: unprotected and dangerous if exposures are unremediated
– Dangers in a HIPAA compliance focus v. a privacy risk management focus

Real Exposures That Are Rarely Appreciated
– Breach of fiduciary duty: the Bureau of Indian Affairs case (sound familiar to anyone running an ERISA plan?)
– Overpromises to patients and members
  – Glib privacy policy statement
  – Inaccurate web site statements
  – Lesson of the Eli Lilly consent order
– ERISA, ADA and other claims around employer use of employee health benefit information

The HIPAA Answer Is Not Always The Best Risk Management
– E.g., the HIPAA privacy rule suggests that health plans might pass up gaining consent for mainstream uses and disclosures
– E.g., HIPAA countenances uses that would be commonly understood as marketing without an opt-out
– E.g., the preamble countenances more health plan disclosures to subscribers re: spouses than good risk management suggests

Practical Privacy Risk Management
The rule’s proliferation of technical requirements obscures the fact that covered entities need to carry out due diligence as to their “uses” and “disclosures” of PHI. Whether the covered entity or business associate uses a paper or software tool, long-term privacy risk management depends on periodic review of the U&Ds. The U&D inventory protects your professional reputation and that of your organization.

Inventory System Solution to Privacy Compliance (diagram; elements as recovered from the slide)
– Inventory (database)
– Compliance Committee meetings: consider minimum necessary and other standards
– CQI: changes to policy & procedure
– Changes to work procedures

Practical Privacy Risk Management
Prioritize tasks according to the real exposures:
– Create a record of diligence
– Create a record of continuous quality improvement against the minimum necessary and other standards
– Address everyday exposures such as customer service disclosures to telephone or web inquiries
– Address key risk issues like access of a subscriber to the records of a spouse
– Manage the risk of disclosure of employee PHI to the employer
Ask yourself whether your program meets these tests!

Major Policy Decision for Plan Sponsor
Will the plan sponsor be content to receive deidentified information and summary information for plan settlor functions or obtaining premium bids?
– If so, it can avoid the plan document changes and the firewalls (and the risk management challenges they pose)

Plan Sponsor Decision Tree
– Receive only summary health information and use it only for premium bidding and settlor functions
  – Fully insure: no requirement for the plan to maintain a privacy officer, have a complaint policy, training program, notice of privacy practices, etc. Use and disclosure rules still apply.
  – Self fund (including through an FSA): appoint a privacy officer, conduct training, have a complaint policy, publish a notice of privacy practices. Use and disclosure rules still apply.
– Receive summary health information for settlor functions and receive PHI for:
  – Plan administrative purposes: make Section 504(f) disclosures and give the Section 504(f) certification
  – Other purposes: get a Section 508 compliant authorization
– Receive non-summary PHI for:
  – Plan administration
  – Other purposes
©Mark Lutes Epstein Becker & Green, P.C. 2002

Practical Privacy Risk Management
Employee Welfare Benefit Plan Data:
– Do an analysis of the options as to the receipt of PHI ((a.) none; (b.) only summary for plan administration purposes; or (c.) all PHI)
– Consider whether Benefits Administration should stay where it is in the company structure
– Provide the necessary safeguards in Benefits Administration
– Disclosures in ERISA plan documents
– Evidence of an employee training program and enforcement mechanism
Has this work begun at your company?