Iowa State Association of Counties
HIPAA Training
September 17-18, 2002
Legal Issues
presented by: Ryan Meade & Brian Annulis
Michael Best & Friedrich LLC
Chicago, IL (312)
September 17, 2002 © Michael Best & Friedrich LLC
Overview
1. Hybrid Entity Analysis
2. Affiliated Covered Entities
3. Organized Health Care Arrangements
4. Government Agency as Health Plan
5. Iowa State Law Preemption Issues
Overview
6. Government Entities as Business Associates of other Government Entities
7. Workers Compensation & Employee Health Records
8. A note on the modified Privacy Rules: To consent or not to consent?
9. Employee Health Plans
1. Hybrid Entity Analysis
Hybrid Entity Analysis
The first question in any HIPAA analysis is: What is my organization?
- Health care provider?
- Health plan?
- Health care clearinghouse?
- Business Associate?
- Hybrid?
- A combination of any or all of the above?
Definitions (42 CFR )
- Covered Functions: functions which make an entity a health care provider, health plan or health care clearinghouse.
- Hybrid: a single legal entity that is a covered entity whose business activities include both covered and non-covered functions and that designates health care components.
- Health Care Component: a component or combination of components of a hybrid entity designated by a hybrid entity.
Hybrid Rules
- A covered entity can limit “HIPAA creep” by recognizing itself as a hybrid entity and designating health care components.
- The entity must then wall-off its health care components from non-health care components with respect to use or disclosure of Protected Health Information (PHI).
- The entity must establish safeguards to avoid disclosure of PHI from the health care components to non-health care components.
- The divisions within the entity must be treated as separate entities for HIPAA privacy purposes.
Hybrid Rules
- The hybrid entity operates for HIPAA purposes as 2 separate entities and must treat each use or disclosure of PHI with this idea of a dual world in mind.
- If a disclosure of PHI from the health care component divisions would need an authorization if the PHI were disclosed outside of the entity, then the health care component division must obtain an authorization before disclosing PHI to a non-health care component division.
Benefits of a hybrid entity:
- Limits the effects of HIPAA to the health care divisions.
- Eases administrative burdens.
- Minimizes undue confusion for divisions which have no interaction with health information but might otherwise need to be trained in HIPAA or adopt HIPAA privacy rules.
What divisions may be health care components?
MUST be designated a health care component:
- any division that would qualify as a covered entity (health plan, health care clearinghouse or health care provider that engages in standard transactions).
MAY be designated a health care component:
- any division that engages in health care provider activities but does not use standard transactions.
- any division that would qualify as a business associate to the county’s covered entity functions if that division were a separate legal entity.
Your Hybrid Status is a Strategic Decision
A hybrid entity must choose how to draw its “hybrid entity” line.
- Do you want non-covered entity covered functions designated as a health care component?
- Do you want business associate-oriented divisions designated as a health care component?
Strategic questions:
- How much interaction will divisions have with PHI held by a covered entity division?
- What is the burden of making non-covered entity divisions covered by HIPAA?
County Hybrid Issues
Counties are often single legal entities with a variety of covered functions and non-covered functions.
Analysis:
- Who interacts with PHI within the county?
- Who performs covered functions?
Consider the status of (not an exhaustive list):
- county hospitals
- health clinics
- social services
- child welfare
- correctional facilities
- police/sheriff
- county controller
- county attorneys
What Must Be Done?
To determine a county’s hybrid status and “draw” the hybrid line:
- Identify divisions within county
- Identify whether a division engages in a covered function
- Identify whether a covered function division qualifies as a covered entity division
- Identify whether a division provides services to a covered entity division and interacts with PHI (serving in a business associate role)
- Identify divisions that use PHI from a covered function division
- Identify which divisions must be designated health care components
- Identify which divisions may be designated health care components
- Analyze burdens/benefits in designating each optional health care component
- Strategically designate a county’s health care components to “wall-off” HIPAA and avoid “HIPAA creep”
2. Affiliated Entities
Affiliated Covered Entities
The Privacy Rule generally requires separate Covered Entities to individually adhere to the Privacy Rule's implementation rules and standards.
Thus, as a general matter, for separate Covered Entities that do not participate in an organized health care arrangement, joint consents and joint privacy notices are not permitted.
EXCEPTION: Affiliated Covered Entities (upon designation)
Affiliated Covered Entities
Legally separate, but affiliated covered entities that designate themselves as a single covered entity can engage in "joint" compliance. 42 CFR
"Affiliated" means 5% or more ownership, or power to influence significantly policies or actions.
Affiliated Covered Entities
To act as an affiliated covered entity:
- the designation must be documented
- the affiliated entities must act as a "multiple function covered entity" under the Privacy Rules
Affiliated Covered Entities
Affiliated Covered Entities may undertake a joint compliance initiative.
Separate consents and privacy notices need not be maintained, providing use or disclosure of PHI is within the same covered function (e.g., a separate consent would need to be obtained if PHI was collected for treatment purposes but the Affiliated Covered Entities wanted to use the PHI for health plan purposes).
Affiliated Covered Entities
Important questions for counties:
- What entities does the county control?
- Does the county have management agreements with other covered entities?
- Are any county health care components managed (or controlled) by other covered entities?
3. Organized Health Care Arrangements
Organized Health Care Arrangements
Integrated health care or health benefits arrangement
- Clinically-integrated care setting (e.g., hospital and medical staff)
- Organized system held out as joint arrangement and conducting utilization management or risk sharing (e.g., IPA, PHO)
- Group health plan and health insurer or HMO that underwrites benefits
Organized Health Care Arrangements
- Participants may share protected health information for arrangements’ health care operations
- Subject to minimum necessary limitation
Organized Health Care Arrangements
Advantages:
- Allows participants to rely upon joint notices and joint consents
- Avoids need for execution of multiple consents by patients and receipt of multiple privacy notices
Organized Health Care Arrangements
Disadvantages:
- Revocation process
- Apparent agency/apparent authority issues
- Complexity of joint consent and joint notice if some independent medical staff refuse to use joint consent and joint notice
Organized Health Care Arrangements
In determining whether an Organized Health Care Arrangement is applicable or suitable for a county, consider:
- Does the county have relationships with independent providers who do not act on behalf of the county (and are not paid by the county) but provide health care at a county site?
- What is the county's relationship with independent…
  - physicians
  - dentists
  - nurses
  - therapists
  - social workers
4. Government Entity as a Health Plan
Government Entity as a Health Plan
Can government entities be considered health plans under HIPAA?
- HIPAA does not exempt government entities from being considered a health plan.
- Determining whether a county engages in health plan activities involves examining county activities against the definition of a health plan.
Government Entity as a Health Plan
A government entity can be considered a health plan according to the definition of “health plan” (42 CFR ).
Most relevant:
- if a government program is specifically named within the definition of health plan
- any individual plan that provides or pays for the cost of medical care
Definition of health plan excludes a government funded program:
- whose principal purpose is not for paying for health care; or
- makes grants to fund direct provision of health care
5. Iowa State Law Preemption Issues
Iowa State Law Preemption Issues
HIPAA provides a federal floor for privacy protection and generally preempts state privacy law.
BUT, the HIPAA Privacy Rule does not preempt state law which is contrary to the Privacy Rule and is more stringent than the Privacy Rule.
Iowa State Law Preemption Issues
More stringent means:
- the state law imposes greater privacy protections
- the state law imposes greater privacy administrative obligations
- grants the individual who is the subject of PHI greater rights
Questions to be asked:
- Does the state law allow an individual greater control or access to his or her PHI?
- Does the state law require the county to do more than HIPAA requires to protect the individual’s privacy?
If YES, then the state law survives.
Iowa State Law Preemption Issues
State law means ANY government directive that has the force and effect of law:
- Iowa Constitution
- Iowa Code (statutes)
- Iowa Administrative Code (regulations)
- Certain Executive Orders
- County ordinances and rules
- City ordinances and rules
- Any other government body’s rules
- Case Law
Iowa State Law Preemption Issues
An example of HIPAA preemption in Iowa: Iowa AIDS confidentiality
Iowa AIDS Confidentiality Law (IA ADC 141A.9)
Basic rule: “Any information, including reports and records, obtained, submitted, and maintained pursuant to this chapter is strictly confidential medical information. The information shall not be released, shared with an agency or institution, or made public upon subpoena, search warrant, discovery proceedings, or by any other means except as provided in this chapter...Information shall be made available for release to the following individuals or under the following circumstances….”
Iowa State Law Preemption Issues
Provision: AIDS information may be released “to any person who secures a written release of test results executed by the subject of the test or the subject's legal guardian.”
Impact:
- Iowa allows only the individual or his/her legal guardian to sign written permission to disclose AIDS information.
- HIPAA allows anyone who qualifies as an individual’s personal representative to sign an authorization to disclose PHI. Personal representatives include legal guardians as well as anyone who has health care treatment decision making authority for the individual.
- Iowa is more stringent in limiting the types of personal representatives who may sign authorizations for disclosure of AIDS PHI.
Iowa State Law Preemption Issues
Provision: AIDS information may be released “to an authorized agent or employee of a health facility or health care provider... and the agent or employee has a medical need to know such information.”
Impact:
- Iowa law only allows AIDS information to be used without written permission within a health care provider by individuals who need to know for medical reasons.
- HIPAA allows PHI to be used without an authorization within a health care provider by individuals who need to use the information for treatment, payment or health care operations.
- Iowa is more stringent and health care providers must continue to obtain written permission from the individual before using AIDS PHI for payment or health care operations.
6. Government Entities as Business Associates of other Government Entities
Government Entities as Business Associates of other Government Entities
- Government entities that serve as business associates of other government entities may enter into a “Memorandum of Understanding” which sets out the basic requirements of a business associate contract.
- HIPAA Memoranda of Understanding are needed when counties serve as business associates of other counties or the state (or the reverse).
- If a county or other government entity is required by law to serve as a business associate, then the Memorandum of Understanding does not need termination provisions. (Note: reports to HHS may be more frequent in government to government business associate relationships.)
7. Workers Compensation & Employee Health Records
Workers Compensation & Employee Health Records
- Workers compensation plans are excluded from the definition of “health plan”.
- Workers compensation plan activities by the county are exempted from HIPAA providing the division that deals with workers compensation is not designated a health care component.
- “Employment records held by the covered entity in its role as employer” are excluded from the definition of PHI and are not covered by the Privacy Rules CFR
8. To Consent or Not to Consent?
A note on the modified Privacy Rule: To consent or not to consent?
The modifications to the Privacy Rule from August 14, 2002 eliminated a health care provider’s obligation to obtain consent before using or disclosing PHI for treatment, payment or health care operations purposes.
Obtaining a HIPAA consent is now OPTIONAL.
Should a county’s health care provider division elect to use a HIPAA consent?
- a business decision for the county
- risks should be weighed:
  - how likely will errors occur?
  - why take on risks and liabilities that a county does not need to?
9. Employee Health Plans
Employee Health Plans
- Employee group health plans (GHP) are health plans under HIPAA and are covered entities covered by the Privacy Rule.
- A GHP operates as a separate entity.
- HIPAA requires the employer to respect the “privacy walls” around the employee GHP.
- Understanding HIPAA’s impact on employee GHPs is a matter of understanding relationships.
Group Health Plans
Basic Terminology
- Group Health Plan
- Plan Sponsor
- Employer Administration
- Fully Funded GHP (Insured GHP)
- Self-Funded GHP
Important questions:
- What type of GHP does the employer have?
- What is the employer’s interaction with the GHP’s PHI?
Insured Group
[Diagram labels: “Plan Sponsor” = Employer; Employees; “Group Health Plan” = Employees and Dependents; HR Dept; Insurer (underwriting risk for premiums); PHI]
Self-Funded Group: ASO
[Diagram labels: “Plan Sponsor” = Employer; Employees; “Group Health Plan” = Employees and Dependents; HR Dept; ASO (Business Associate); Business Associate Contract; PHI]
Employer Administration
[Diagram labels: Certification; “Plan Sponsor” = Employer; Employees; “Group Health Plan” = Employees and Dependents; HR Dept; Plan Document Amendment; PHI Use; ASO (Business Associate); Insurer (OHCA); PHI]