Reflections on the State of Privacy Risk Management in Health Care Benefits Administration (one year and counting …) Mark Lutes, Esq. Partner Epstein Becker.


1 Reflections on the State of Privacy Risk Management in Health Care Benefits Administration (one year and counting …)
Mark Lutes, Esq., Partner
Epstein Becker & Green, P.C.
Washington, DC
(202) 861-1824
mlutes@ebglaw.com

2 Are We Aiming At The Right Target?
Reputational risk
Class action litigation?
Employment discrimination suits?
Office of Civil Rights (HHS) risk?

3 Misdirected Efforts
Committee meetings galore (“activity mistaken for progress”)
Gap analysis mania
–Does anyone really expect that the old forms would meet the new standards?
–Gap work product: unprotected and dangerous if exposures are unremediated
Dangers in a HIPAA compliance focus v. a privacy risk management focus

4 Real Exposures That Are Rarely Appreciated
Breach of fiduciary duty - Bureau of Indian Affairs case (sound familiar to anyone running an ERISA plan?)
Overpromises to patients and members
–Glib privacy policy statement
–Inaccurate web site statements
–Lesson of the Eli Lilly consent order
ERISA, ADA and other claims around employer use of employee health benefit information

5 The HIPAA Answer Is Not Always The Best Risk Management
E.g., the HIPAA privacy rule suggests that health plans might pass up gaining consent for mainstream uses and disclosures
E.g., HIPAA countenances uses that would be commonly understood as marketing without an opt-out
E.g., the preamble countenances more health plan disclosures to subscribers re: spouses than good risk management suggests

6 Practical Privacy Risk Management
The rule’s proliferation of technical requirements obscures the fact that covered entities need to carry out due diligence as to their “uses” and “disclosures” of PHI.
Whether the covered entity or business associate uses a paper or software tool, long-term privacy risk management depends on periodic review of “U&Ds”.
The U&D inventory protects your professional reputation and that of your organization.

7 Inventory System Solution to Privacy Compliance
Diagram nodes:
Inventory
CQI - changes to policy & procedure
Compliance Committee meetings consider minimum necessary and other standards
Database
Changes to work procedures

8 Practical Privacy Risk Management
Prioritize tasks according to the real exposures
–Create a record of diligence
–Create a record of continuous quality improvement against the minimum necessary and other standards
–Address everyday exposures such as customer service disclosures to telephone or web inquiries
–Address key risk issues like access of a subscriber to records of a spouse
–Manage the risk of disclosure of employee PHI to the employer
Ask yourself whether your program meets these tests!

9 Major Policy Decision for Plan Sponsor
Will the plan sponsor be content to receive deidentified information and summary information for plan settlor functions or obtaining premium bids?
–If so, it can avoid the plan document changes and the firewalls (and the risk management challenges they pose)

10 Plan Sponsor Decision Tree
Diagram nodes:
Receive only summary health information and use it only for premium bidding and settlor functions
Fully insure
Self fund, including through an FSA
No requirement for plan to maintain privacy officer, have complaint policy, training program, notice of privacy practices, etc. Use and disclosure rules still apply.
Appoint privacy officer, conduct training, have complaint policy, publish notice of privacy practices. Use and disclosure rules still apply.
Receive summary health information for settlor functions and receive PHI for: plan administrative purposes; other purposes
Make Section 504(f) disclosures and give Section 504(f) certification
Get Section 508-compliant authorization
Receive non-summary PHI for: plan administration; other purposes
©Mark Lutes, Epstein Becker & Green, P.C. 2002

11 Practical Privacy Risk Management
Employee Welfare Benefit Plan Data:
Do an analysis of options as to the receipt of PHI ((a) none; (b) only summary information for plan administration purposes; or (c) all PHI)
Consider whether Benefits Administration should stay where it is in the company structure
Provide necessary safeguards in Benefits Administration
Disclosures in ERISA plan documents
Evidence of employee training program and enforcement mechanism
Has this work begun at your company?

