Slide 1: HIPAA Privacy Rule Basics
Pennsylvania Bureau of Workers' Compensation Conference, December 4, 2003
Beth L. Rubin, © 2003 Dechert LLP

Slide 2: HIPAA
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  - Portability of health benefit policies, pre-existing conditions, fraud and abuse
  - Administrative simplification
- Grew out of the 1994 health care reform efforts
- Standardize electronic claims

Slide 3: Components of Legislation
- Standardized electronic transactions
- Standardized code sets
- Standardized unique identifiers
- Security
- Privacy and confidentiality

Slide 4: HIPAA Applicability
- Health Plans, including employer group health plans
- Health Care Providers that transmit any health information in electronic form
- Health Care Clearinghouses

Slide 5: Health Plan Definition
- "Health plan" is broadly defined:
  - An "individual or group plan that provides, or pays the cost of, medical care"
- Includes most ERISA employer welfare benefit plans, insured and self-funded, plus some non-ERISA plans

Slide 6: Health Plan
- Includes medical, dental, vision
- Likely includes FSAs for health care
- Does not include workers' compensation
- Does not include disability

Slide 7: Health Plans
- Health plans must comply with all the Privacy Standards that apply to Providers, plus certain Standards applicable only to health plans

Slide 8: Health Plans
Health Plans must comply with:
- Restrictions on Uses and Disclosures of PHI
- Plan Member Rights Requirements
- Administrative Requirements
- Firewall Requirements: separation between the plan and the plan sponsor

Slide 9: Restrictions on Uses and Disclosures
- Covered entities may not use or disclose PHI, except as permitted or required under the Standards
- Treatment, payment, and health care operations (TPO)

Slide 10: Restrictions on Uses and Disclosures
- Authorizations
  - For uses and disclosures not otherwise permitted by the rule
  - Authorizations are necessary for most, but not all, purposes other than TPO
  - Authorization content: core elements

Slide 11: Restrictions on Uses and Disclosures
- "Minimum Necessary" Standard
- Business Associate Requirements, including re-contracting
- De-identification requirements

Slide 12: Uses and Disclosures without Authorization
- Certain public health authorities
- Health oversight activities
- Judicial or administrative proceedings
- Law enforcement

Slide 13: Business Associate Definition
- A person who, on behalf of a covered entity, performs a function involving the use or disclosure of individually identifiable health information (IHI) (includes claims processing, data analysis, utilization review, quality assurance, billing, benefit management, and repricing) OR

Slide 14: Business Associate Definition
- A person who provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity, where this service involves disclosure of IHI

Slide 15: Business Associate Contracts
- "Satisfactory assurance" requirement
  - Plans must have contracts with business associates that include many specified terms (includes plan administrators)

Slide 16: Member Rights
- Right to Notice of Privacy Practices
  - Strict content requirements
  - Self-funded plans
  - Insured plans

Slide 17: Member Rights
- Right to request restrictions on uses and disclosures
  - Plans are not required to agree to requested restrictions
  - More confidential mode of communication

Slide 18: Member Rights
- Right to access PHI
  - Members have the right to access, inspect, and copy their health information
  - Strict deadlines and procedures

Slide 19: Member Rights
- Right to amend PHI
  - Plans may deny requests for amendment if the PHI:
    - Was not created by the plan
    - Is accurate and complete

Slide 20: Member Rights
- Right to an accounting of certain disclosures of PHI made by the plan during the previous 6 years
  - Exceptions

Slide 21: Administrative Requirements
- Appoint a privacy officer
- Designate a contact person or office responsible for receiving privacy-related complaints

Slide 22: Administrative Requirements
- Plan workforce training
  - Policies and procedures
  - Combine with Security training

Slide 23: Administrative Requirements
- Privacy safeguards
  - Install appropriate administrative, technical, and physical safeguards
  - Scalability
  - Intersection with Security Rule

Slide 24: Administrative Requirements
- Complaints
  - Process
  - Documentation

Slide 25: Administrative Requirements
- Sanctions
  - Establish and apply appropriate sanctions against plan workforce members who violate the plan's privacy policies or the Privacy Standards

Slide 26: Administrative Requirements
- Mitigation
  - Mitigate, if practicable, any harmful effect resulting from a violation of the plan's policies and procedures or the Privacy Standards

Slide 27: Administrative Requirements
- Privacy policies and procedures

Slide 28: Firewall Requirements
- HIPAA applies to health plans, not plan sponsors
- For this reason, the Standards focus on plans, and force plans to impose certain requirements on plan sponsors

Slide 29: Firewall Requirements
- Plan sponsors may access identifiable health information only for plan administration purposes

Slide 30: Firewall Requirements
- Plan sponsors may NOT access PHI for employment-related actions without written permission from the plan member

Slide 31: Firewall Requirements
- Clarification:
  - Employment records are not considered Protected Health Information

Slide 32: Firewall Requirements
- Plan Documents
  - If Plan Sponsors receive PHI other than summary and enrollment/disenrollment information, they must amend their plan documents to include specified terms, including:

Slide 33: Plan Documents
- The group health plan (GHP) may disclose PHI to the plan sponsor (PS) only if plan documents have been amended to include:
  - How the Plan Sponsor may use and disclose PHI

Slide 34: Plan Documents
  - PS agrees not to use or further disclose the information other than as permitted or required by the plan documents or as required by law

Slide 35: Plan Documents
  - PS agrees not to use or disclose PHI for employment-related actions or in connection with any other benefit or employee benefit plan

Slide 36: Plan Documents
- Plan documents also must establish "adequate separation" between the GHP and PS by
  - Describing those employee positions who may access PHI
    - Employees who use PHI for payment or health care operations of the plan

Slide 37: Plan Documents
  - Plan documents also must provide an effective mechanism for resolving issues of noncompliance by those designated persons

Slide 38: Firewall Requirements
Reminder:
- Written authorization from the member is required for disclosure of PHI (related to the health plan) to a plan sponsor for
  - Employment-related actions
  - Actions relating to any other benefit or plan (including workers' compensation) maintained by the plan sponsor

Slide 39: Insured Plans
- Insured plans that do NOT receive PHI (other than summary and enrollment/disenrollment information) are exempt from many requirements, including:

Slide 40: Insured Plans
- Exempt from:
  - Privacy officer
  - Workforce training
  - Privacy safeguards
  - Complaints
  - Workforce sanctions
  - Mitigation

Slide 41: Insured Plans
- Exempt from:
  - Policies and procedures
  - Notice of privacy practices
  - Patient rights of access, amendment and accounting
- Why? Individuals enrolled in these plans have these rights through the insurer/HMO

Slide 42: Insured Plans
- Do you create or receive PHI?
  - From the Administrator/Insurer?
  - From Plan members?
    - E.g., plan sponsor assistance with claims
- Keep plan sponsor employees outside the Plan firewall

Slide 43: Policies and Procedures
- What types of Plan policies and procedures are needed?
  - Overall privacy policy addressing handling of PHI and "adequate separation"

Slide 44: Policies and Procedures
  - Plan member rights (detailed)
  - Plan Member Privacy Complaints
  - Plan Workforce Training
  - Privacy-related Workforce Sanctions

Slide 45: Policies and Procedures
  - Policy on Safeguards for Protecting PHI (detailed)
  - Policy on Plan Documentation and Retention of Certain Records
  - Policy on Authorizations (including Authorization form)

Slide 46: Selected Issues
- Re-negotiation of third party administrator agreements
  - Add required business associate terms
  - Consider adding/modifying other related terms

Slide 47: Selected Issues
- Can a self-funded Plan use a TPA for all required tasks and not have policies and procedures, privacy officer, etc.?
  - No. You can delegate tasks, but you can't delegate all HIPAA responsibilities

Slide 48: Compliance Dates
- Small health plans (with annual receipts of $5 million or less)
  - April 14, 2004
- Other (not small health plans)
  - April 14, 2003

Slide 49: Penalties
- Violating the privacy rule can create both civil and criminal liability
  - "Nice HIPAA"
  - "HIPAA for crooks"

Slide 50: Penalties
- Civil penalties: $100 per violation
  - Capped at $25,000 per person, per year, per standard

Slide 51: Penalties
- Criminal penalties: up to $250,000 and prison sentences of up to 10 years, if:
  - Offense is committed with an intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm

Slide 52: Case Law
- In May 2001, a federal judge noted that although compliance is not required until April 2003, the HIPAA privacy regulations are "persuasive in that they demonstrate a strong federal policy of protection for patient medical records." U.S. v. Sutherland
- The judge applied the HIPAA regulations to that case
- Another judge did the same

Slide 53: Enforcement
- A new "standard of care" for how health plans (employers) should handle identifiable health information?

Slide 54: Contact
Beth L. Rubin
Dechert LLP
4000 Bell Atlantic Tower
1717 Arch Street
Philadelphia, PA 19103
215.994.2535
beth.rubin@dechert.com
Slides: www.dechert.com (look up "Rubin" under "Lawyers")