September 17, 2002 © Michael Best & Friedrich LLC. Iowa State Association of Counties HIPAA Training, September 17-18, 2002. Legal Issues presented by: Ryan.

Presentation transcript:

Iowa State Association of Counties HIPAA Training
September 17-18, 2002
Legal Issues
Presented by: Ryan Meade & Brian Annulis
Michael Best & Friedrich LLC
Chicago, IL (312)

Overview
1. Hybrid Entity Analysis
2. Affiliated Covered Entities
3. Organized Health Care Arrangements
4. Government Agency as Health Plan
5. Iowa State Law Preemption Issues

Overview (continued)
6. Government Entities as Business Associates of other Government Entities
7. Workers Compensation & Employee Health Records
8. A note on the modified Privacy Rules: To consent or not to consent?
9. Employee Health Plans

1. Hybrid Entity Analysis

Hybrid Entity Analysis
The first question in any HIPAA analysis is: What is my organization?
– Health care provider?
– Health plan?
– Health care clearinghouse?
– Business Associate?
– Hybrid?
– A combination of any or all of the above?

Definitions (42 CFR )
– Covered Functions: functions which make an entity a health care provider, health plan or health care clearinghouse.
– Hybrid: a single legal entity that is a covered entity whose business activities include both covered and non-covered functions and that designates health care components.
– Health Care Component: a component or combination of components of a hybrid entity designated by a hybrid entity.

Hybrid Rules
– A covered entity can limit “HIPAA creep” by recognizing itself as a hybrid entity and designating health care components.
– The entity must then wall-off its health care components from non-health care components with respect to use or disclosure of Protected Health Information (PHI).
– The entity must establish safeguards to avoid disclosure of PHI from the health care components to non-health care components.
– The divisions within the entity must be treated as separate entities for HIPAA privacy purposes.

Hybrid Rules (continued)
– The hybrid entity operates for HIPAA purposes as 2 separate entities and must treat each use or disclosure of PHI with this idea of a dual world in mind.
– If a disclosure of PHI from a health care component division would need an authorization were the PHI disclosed outside of the entity, then the health care component division must obtain an authorization before disclosing the PHI to a non-health care component division.
Benefits of a hybrid entity:
– Limits the effects of HIPAA to the health care divisions.
– Eases administrative burdens.
– Minimizes undue confusion for divisions which have no interaction with health information but might otherwise need to be trained in HIPAA or adopt HIPAA privacy rules.

What divisions may be health care components?
MUST be designated a health care component:
– any division that would qualify as a covered entity (health plan, health care clearinghouse or health care provider that engages in standard transactions).
MAY be designated a health care component:
– any division that engages in health care provider activities but does not use standard transactions.
– any division that would qualify as a business associate to the county’s covered entity functions if that division were a separate legal entity.

Your Hybrid Status is a Strategic Decision
A hybrid entity must choose how to draw its “hybrid entity” line.
– Do you want non-covered entity covered functions designated as a health care component?
– Do you want business associate-oriented divisions designated as a health care component?
Strategic questions:
– How much interaction will divisions have with PHI held by a covered entity division?
– What is the burden of making non-covered entity divisions covered by HIPAA?

County Hybrid Issues
Counties are often single legal entities with a variety of covered functions and non-covered functions.
Analysis: Who interacts with PHI within the county? Who performs covered functions?
Consider the status of (not an exhaustive list):
– county hospitals
– health clinics
– social services
– child welfare
– correctional facilities
– police/sheriff
– county controller
– county attorneys

What Must Be Done?
To determine a county’s hybrid status and “draw” the hybrid line:
– Identify divisions within county
– Identify whether a division engages in a covered function
– Identify whether a covered function division qualifies as a covered entity division
– Identify whether a division provides services to a covered entity division and interacts with PHI (serving in a business associate role)
– Identify divisions that use PHI from a covered function division
– Identify which divisions must be designated health care components
– Identify which divisions may be designated health care components
– Analyze burdens/benefits in designating each optional health care component
– Strategically designate a county’s health care components to “wall-off” HIPAA and avoid “HIPAA creep”

2. Affiliated Entities

Affiliated Covered Entities
The Privacy Rule generally requires separate Covered Entities to individually adhere to the Privacy Rule's implementation rules and standards.
Thus, as a general matter, for separate Covered Entities that do not participate in an organized health care arrangement, joint consents and joint privacy notices are not permitted.
EXCEPTION: Affiliated Covered Entities (upon designation)

Affiliated Covered Entities
– Legally separate, but affiliated covered entities that designate themselves as a single covered entity can engage in "joint" compliance. 42 CFR
– "Affiliated" means 5% or more ownership, or power to influence significantly policies or actions.

Affiliated Covered Entities
To act as an affiliated covered entity:
– the designation must be documented
– the affiliated entities must act as a "multiple function covered entity" under the Privacy Rules

Affiliated Covered Entities
Affiliated Covered Entities may undertake a joint compliance initiative.
Separate consents and privacy notices need not be maintained, provided the use or disclosure of PHI is within the same covered function (e.g., a separate consent would need to be obtained if PHI was collected for treatment purposes but the Affiliated Covered Entities wanted to use the PHI for health plan purposes).

Affiliated Covered Entities
Important questions for counties:
– What entities does the county control?
– Does the county have management agreements with other covered entities?
– Are any county health care components managed (or controlled) by other covered entities?

3. Organized Health Care Arrangements

Organized Health Care Arrangements
Integrated health care or health benefits arrangement
– Clinically-integrated care setting (e.g., hospital and medical staff)
– Organized system held out as joint arrangement and conducting utilization management or risk sharing (e.g., IPA, PHO)
– Group health plan and health insurer or HMO that underwrites benefits

Organized Health Care Arrangements
Participants may share protected health information for the arrangement’s health care operations
– Subject to minimum necessary limitation

Organized Health Care Arrangements
Advantages:
– Allows participants to rely upon joint notices and joint consents
– Avoids need for execution of multiple consents by patients and receipt of multiple privacy notices

Organized Health Care Arrangements
Disadvantages:
– Revocation process
– Apparent agency/apparent authority issues
– Complexity of joint consent and joint notice if some independent medical staff refuse to use joint consent and joint notice

Organized Health Care Arrangements
In determining whether an Organized Health Care Arrangement is applicable or suitable for a county, consider:
– Does the county have relationships with independent providers who do not act on behalf of the county (and are not paid by the county) but provide health care at a county site?
– What is the county’s relationship with independent…
  physicians
  dentists
  nurses
  therapists
  social workers

4. Government Entity as a Health Plan

Government Entity as a Health Plan
Can government entities be considered health plans under HIPAA?
– HIPAA does not exempt government entities from being considered a health plan.
– Determining whether a county engages in health plan activities involves examining county activities against the definition of a health plan.

Government Entity as a Health Plan
A government entity can be considered a health plan according to the definition of “health plan” (42 CFR ).
Most relevant:
– if a government program is specifically named within the definition of health plan
– any individual plan that provides or pays for the cost of medical care
Definition of health plan excludes a government funded program:
– whose principal purpose is not paying for health care; or
– that makes grants to fund direct provision of health care

5. Iowa State Law Preemption Issues

Iowa State Law Preemption Issues
HIPAA provides a federal floor for privacy protection and generally preempts state privacy law.
BUT, the HIPAA Privacy Rule does not preempt state law which is contrary to the Privacy Rule and is more stringent than the Privacy Rule.

Iowa State Law Preemption Issues
More stringent means:
– the state law imposes greater privacy protections
– the state law imposes greater privacy administrative obligations
– the state law grants the individual who is the subject of PHI greater rights
Questions to be asked:
– Does the state law allow an individual greater control or access to his or her PHI?
– Does the state law require the county to do more than HIPAA requires to protect the individual’s privacy?
– If YES, then the state law survives

Iowa State Law Preemption Issues
State law means ANY government directive that has the force and effect of law:
– Iowa Constitution
– Iowa Code (statutes)
– Iowa Administrative Code (regulations)
– Certain Executive Orders
– County ordinances and rules
– City ordinances and rules
– Any other government body’s rules
– Case Law

Iowa State Law Preemption Issues
An example of HIPAA preemption in Iowa: Iowa AIDS confidentiality
Iowa AIDS Confidentiality Law (IA ADC 141A.9)
– Basic rule: “Any information, including reports and records, obtained, submitted, and maintained pursuant to this chapter is strictly confidential medical information. The information shall not be released, shared with an agency or institution, or made public upon subpoena, search warrant, discovery proceedings, or by any other means except as provided in this chapter...Information shall be made available for release to the following individuals or under the following circumstances….”

Iowa State Law Preemption Issues
Provision: AIDS information may be released “to any person who secures a written release of test results executed by the subject of the test or the subject's legal guardian.”
Impact:
– Iowa allows only the individual or his/her legal guardian to sign written permission to disclose AIDS information.
– HIPAA allows anyone who qualifies as an individual’s personal representative to sign an authorization to disclose PHI. Personal representatives include legal guardians as well as anyone who has health care treatment decision making authority for the individual.
– Iowa is more stringent in limiting the types of personal representatives who may sign authorizations for disclosure of AIDS PHI.

Iowa State Law Preemption Issues
Provision: AIDS information may be released “to an authorized agent or employee of a health facility or health care provider... and the agent or employee has a medical need to know such information.”
Impact:
– Iowa law only allows AIDS information to be used without written permission within a health care provider by individuals who need to know for medical reasons.
– HIPAA allows PHI to be used without an authorization within a health care provider by individuals who need to use the information for treatment, payment or health care operations.
– Iowa is more stringent and health care providers must continue to obtain written permission from the individual before using AIDS PHI for payment or health care operations.

6. Government Entities as Business Associates of other Government Entities

Government Entities as Business Associates of other Government Entities
– Government entities that serve as business associates of other government entities may enter into a “Memorandum of Understanding” which sets out the basic requirements of a business associate contract.
– HIPAA Memoranda of Understanding are needed when counties serve as business associates of other counties or the state (or the reverse).
– If a county or other government entity is required by law to serve as a business associate, then the Memorandum of Understanding does not need termination provisions. (Note: reports to HHS may be more frequent in government to government business associate relationships.)

7. Workers Compensation & Employee Health Records

Workers Compensation & Employee Health Records
– Workers compensation plans are excluded from the definition of “health plan”.
– Workers compensation plan activities by the county are exempted from HIPAA, provided the division that deals with workers compensation is not designated a health care component.
– “Employment records held by the covered entity in its role as employer” are excluded from the definition of PHI and are not covered by the Privacy Rules. 42 CFR

8. To Consent or Not to Consent?

A note on the modified Privacy Rule: To consent or not to consent?
The modifications to the Privacy Rule from August 14, 2002 eliminated a health care provider’s obligation to obtain consent before using or disclosing PHI for treatment, payment or health care operations purposes.
Obtaining a HIPAA consent is now OPTIONAL.
Should a county’s health care provider division elect to use a HIPAA consent?
– a business decision for the county
– risks should be weighed: how likely will errors occur?
– why take on risks and liabilities that a county does not need to?

9. Employee Health Plans

Employee Health Plans
– Employee group health plans (GHP) are health plans under HIPAA and are covered entities covered by the Privacy Rule.
– A GHP operates as a separate entity.
– HIPAA requires the employer to respect the “privacy walls” around the employee GHP.
– Understanding HIPAA’s impact on employee GHPs is a matter of understanding relationships.

Group Health Plans
Basic Terminology
– Group Health Plan
– Plan Sponsor
– Employer Administration
– Fully Funded GHP (Insured GHP)
– Self-Funded GHP
Important questions:
– What type of GHP does the employer have?
– What is the employer’s interaction with the GHP’s PHI?

[Diagram: Insured Group. Labels: “Plan Sponsor” = Employer; Employees; “Group Health Plan” = Employees and Dependents; HR Dept; Insurer underwriting risk for premiums; PHI.]

[Diagram: Self-Funded Group: ASO. Labels: “Plan Sponsor” = Employer; Employees; “Group Health Plan” = Employees and Dependents; HR Dept; ASO (Business Associate); PHI; Business Associate Contract.]

[Diagram: Employer Administration. Labels: “Plan Sponsor” = Employer; Employees; “Group Health Plan” = Employees and Dependents; HR Dept; Plan Document Amendment; PHI Use Certification; ASO (Business Associate); Insurer (OHCA); PHI.]