
1 September 17, 2002 © Michael Best & Friedrich LLC
Iowa State Association of Counties HIPAA Training, September 17-18, 2002
Legal Issues
presented by: Ryan Meade & Brian Annulis, Michael Best & Friedrich LLC, Chicago, IL, (312) 222-0800

2 Overview
1. Hybrid Entity Analysis
2. Affiliated Covered Entities
3. Organized Health Care Arrangements
4. Government Agency as Health Plan
5. Iowa State Law Preemption Issues

3 Overview
6. Government Entities as Business Associates of other Government Entities
7. Workers Compensation & Employee Health Records
8. A note on the modified Privacy Rules: To consent or not to consent?
9. Employee Health Plans

4 1. Hybrid Entity Analysis

5 Hybrid Entity Analysis
The first question in any HIPAA analysis is: What is my organization?
–Health care provider?
–Health plan?
–Health care clearinghouse?
–Business Associate?
–Hybrid?
–A combination of any or all of the above?

6 Definitions (42 CFR 164.504)
Covered Functions: functions which make an entity a health care provider, health plan or health care clearinghouse.
Hybrid: a single legal entity that is a covered entity whose business activities include both covered and non-covered functions and that designates health care components.
Health Care Component: a component or combination of components of a hybrid entity designated by a hybrid entity.

7 Hybrid Rules
A covered entity can limit “HIPAA creep” by recognizing itself as a hybrid entity and designating health care components.
The entity must then wall-off its health care components from non-health care components with respect to use or disclosure of Protected Health Information (PHI).
The entity must establish safeguards to avoid disclosure of PHI from the health care components to non-health care components.
The divisions within the entity must be treated as separate entities for HIPAA privacy purposes.

8 Hybrid Rules
The hybrid entity operates for HIPAA purposes as 2 separate entities and must treat each use or disclosure of PHI with this idea of a dual world in mind.
If a disclosure of PHI from a health care component division would need an authorization if the PHI were disclosed outside of the entity, then the health care component division must obtain authorization before disclosing PHI to a non-health care component division.
Benefits of a hybrid entity:
–Limits the effects of HIPAA to the health care divisions.
–Eases administrative burdens.
–Minimizes undue confusion for divisions which have no interaction with health information but might otherwise need to be trained in HIPAA or adopt HIPAA privacy rules.

9 What divisions may be health care components?
MUST be designated a health care component:
–any division that would qualify as a covered entity (health plan, health care clearinghouse or health care provider that engages in standard transactions).
MAY be designated a health care component:
–any division that engages in health care provider activities but does not use standard transactions.
–any division that would qualify as a business associate to the county’s covered entity functions if that division were a separate legal entity.

10 Your Hybrid Status is a Strategic Decision
A hybrid entity must choose how to draw its “hybrid entity” line.
Do you want non-covered entity covered functions designated as a health care component?
Do you want business associate-oriented divisions designated as a health care component?
Strategic questions:
–How much interaction will divisions have with PHI held by a covered entity division?
–What is the burden of making non-covered entity divisions covered by HIPAA?

11 County Hybrid Issues
Counties are often single legal entities with a variety of covered functions and non-covered functions.
Analysis: Who interacts with PHI within the county? Who performs covered functions?
Consider the status of (not an exhaustive list):
–county hospitals
–health clinics
–social services
–child welfare
–correctional facilities
–police/sheriff
–county controller
–county attorneys

12 What Must Be Done?
To determine a county’s hybrid status and “draw” the hybrid line:
–Identify divisions within county
–Identify whether a division engages in a covered function
–Identify whether a covered function division qualifies as a covered entity division
–Identify whether a division provides services to a covered entity division and interacts with PHI (serving in a business associate role)
–Identify divisions that use PHI from a covered function division
–Identify which divisions must be designated health care components
–Identify which divisions may be designated health care components
–Analyze burdens/benefits in designating each optional health care component
–Strategically designate a county’s health care components to “wall-off” HIPAA and avoid “HIPAA creep”

13 2. Affiliated Entities

14 Affiliated Covered Entities
The Privacy Rule generally requires separate Covered Entities to individually adhere to the Privacy Rule's implementation rules and standards.
Thus, as a general matter, for separate Covered Entities that do not participate in an organized health care arrangement, joint consents and joint privacy notices are not permitted.
EXCEPTION: Affiliated Covered Entities (upon designation)

15 Affiliated Covered Entities
–Legally separate, but affiliated covered entities that designate themselves as a single covered entity can engage in "joint" compliance. 42 CFR 164.504
–"Affiliated" means 5% or more ownership, or power to influence significantly policies or actions.

16 Affiliated Covered Entities
To act as an affiliated covered entity:
–the designation must be documented
–the affiliated entities must act as a "multiple function covered entity" under the Privacy Rules

17 Affiliated Covered Entities
Affiliated Covered Entities may undertake a joint compliance initiative.
Separate consents and privacy notices need not be maintained, provided that use or disclosure of PHI is within the same covered function (e.g., a separate consent would need to be obtained if PHI was collected for treatment purposes but the Affiliated Covered Entities wanted to use the PHI for health plan purposes).

18 Affiliated Covered Entities
Important questions for counties:
–What entities does the county control?
–Does the county have management agreements with other covered entities?
–Are any county health care components managed (or controlled) by other covered entities?

19 3. Organized Health Care Arrangements

20 Organized Health Care Arrangements
Integrated health care or health benefits arrangement
–Clinically-integrated care setting (e.g., hospital and medical staff)
–Organized system held out as joint arrangement and conducting utilization management or risk sharing (e.g., IPA, PHO)
–Group health plan and health insurer or HMO that underwrites benefits

21 Organized Health Care Arrangements
Participants may share protected health information for the arrangement’s health care operations
–Subject to minimum necessary limitation

22 Organized Health Care Arrangements
Advantages:
–Allows participants to rely upon joint notices and joint consents
–Avoids need for execution of multiple consents by patients and receipt of multiple privacy notices

23 Organized Health Care Arrangements
Disadvantages:
–Revocation process
–Apparent agency/apparent authority issues
–Complexity of joint consent and joint notice if some independent medical staff refuse to use joint consent and joint notice

24 Organized Health Care Arrangements
In determining whether an Organized Health Care Arrangement is applicable or suitable for a county, consider:
–Does the county have relationships with independent providers who do not act on behalf of the county (and are not paid by the county) but provide health care at a county site?
–What is the county’s relationship with independent…
  physicians
  dentists
  nurses
  therapists
  social workers

25 4. Government Entity as a Health Plan

26 Government Entity as a Health Plan
Can government entities be considered health plans under HIPAA?
HIPAA does not exempt government entities from being considered a health plan.
Determining whether a county engages in health plan activities involves examining county activities against the definition of a health plan.

27 Government Entity as a Health Plan
A government entity can be considered a health plan according to the definition of “health plan” (42 CFR 160.103).
Most relevant:
–if a government program is specifically named within the definition of health plan
–any individual plan that provides or pays for the cost of medical care
Definition of health plan excludes a government funded program:
–whose principal purpose is not for paying for health care; or
–that makes grants to fund direct provision of health care

28 5. Iowa State Law Preemption Issues

29 Iowa State Law Preemption Issues
HIPAA provides a federal floor for privacy protection and generally preempts state privacy law.
BUT, the HIPAA Privacy Rule does not preempt state law which is contrary to the Privacy Rule and is more stringent than the Privacy Rule.

30 Iowa State Law Preemption Issues
More stringent means:
–the state law imposes greater privacy protections
–the state law imposes greater privacy administrative obligations
–grants the individual who is the subject of PHI greater rights
Questions to be asked:
–Does the state law allow an individual greater control or access to his or her PHI?
–Does the state law require the county to do more than HIPAA requires to protect the individual’s privacy?
–If YES, then the state law survives

31 Iowa State Law Preemption Issues
State law means ANY government directive that has the force and effect of law:
–Iowa Constitution
–Iowa Code (statutes)
–Iowa Administrative Code (regulations)
–Certain Executive Orders
–County ordinances and rules
–City ordinances and rules
–Any other government body’s rules
–Case Law

32 Iowa State Law Preemption Issues
An example of HIPAA preemption in Iowa: Iowa AIDS confidentiality
Iowa AIDS Confidentiality Law (IA ADC 141A.9)
–Basic rule: “Any information, including reports and records, obtained, submitted, and maintained pursuant to this chapter is strictly confidential medical information. The information shall not be released, shared with an agency or institution, or made public upon subpoena, search warrant, discovery proceedings, or by any other means except as provided in this chapter... Information shall be made available for release to the following individuals or under the following circumstances….”

33 Iowa State Law Preemption Issues
Provision: AIDS information may be released “to any person who secures a written release of test results executed by the subject of the test or the subject's legal guardian.”
Impact: Iowa allows only the individual or his/her legal guardian to sign written permission to disclose AIDS information. HIPAA allows anyone who qualifies as an individual’s personal representative to sign an authorization to disclose PHI. Personal representatives include legal guardians as well as anyone who has health care treatment decision making authority for the individual. Iowa is more stringent in limiting the types of personal representatives who may sign authorizations for disclosure of AIDS PHI.

34 Iowa State Law Preemption Issues
Provision: AIDS information may be released “to an authorized agent or employee of a health facility or health care provider... and the agent or employee has a medical need to know such information.”
Impact: Iowa law only allows AIDS information to be used without written permission within a health care provider by individuals who need to know for medical reasons. HIPAA allows PHI to be used without an authorization within a health care provider by individuals who need to use the information for treatment, payment or health care operations. Iowa is more stringent and health care providers must continue to obtain written permission from the individual before using AIDS PHI for payment or health care operations.

35 6. Government Entities as Business Associates of other Government Entities

36 Government Entities as Business Associates of other Government Entities
Government entities that serve as business associates of other government entities may enter into a “Memorandum of Understanding” which sets out the basic requirements of a business associate contract.
HIPAA Memoranda of Understanding are needed when counties serve as business associates of other counties or the state (or the reverse).
If a county or other government entity is required by law to serve as a business associate, then the Memorandum of Understanding does not need termination provisions.
(Note: reports to HHS may be more frequent in government-to-government business associate relationships.)

37 7. Workers Compensation & Employee Health Records

38 Workers Compensation & Employee Health Records
Workers compensation plans are excluded from the definition of “health plan”.
Workers compensation plan activities by the county are exempted from HIPAA, provided the division that deals with workers compensation is not designated a health care component.
“Employment records held by the covered entity in its role as employer” are excluded from the definition of PHI and are not covered by the Privacy Rules. 42 CFR 164.501

39 8. To Consent or Not to Consent?

40 A note on the modified Privacy Rule: To consent or not to consent?
The modifications to the Privacy Rule from August 14, 2002 eliminated a health care provider’s obligation to obtain consent before using or disclosing PHI for treatment, payment or health care operations purposes.
Obtaining a HIPAA consent is now OPTIONAL.
Should a county’s health care provider division elect to use a HIPAA consent?
–a business decision for the county
–risks should be weighed: how likely will errors occur?
–why take on risks and liabilities that a county does not need to?

41 9. Employee Health Plans

42 Employee Health Plans
Employee group health plans (GHP) are health plans under HIPAA and are covered entities covered by the Privacy Rule.
A GHP operates as a separate entity.
HIPAA requires the employer to respect the “privacy walls” around the employee GHP.
Understanding HIPAA’s impact on employee GHPs is a matter of understanding relationships.

43 Group Health Plans
Basic Terminology
–Group Health Plan
–Plan Sponsor
–Employer Administration
–Fully Funded GHP (Insured GHP)
–Self-Funded GHP
Important questions:
–What type of GHP does the employer have?
–What is the employer’s interaction with the GHP’s PHI?

44 Insured Group
[Diagram. Labels: “Plan Sponsor” = Employer; Employees; “Group Health Plan” = Employees and Dependents; HR Dept; Insurer underwriting risk for premiums; PHI; PHI]

45 Self-Funded Group: ASO
[Diagram. Labels: “Plan Sponsor” = Employer; Employees; “Group Health Plan” = Employees and Dependents; HR Dept; ASO (Business Associate); PHI; PHI; Business Associate Contract]

46 Employer Administration
[Diagram. Labels: “Plan Sponsor” = Employer; Employees; “Group Health Plan” = Employees and Dependents; HR Dept; Plan Document Amendment; PHI Use Certification; ASO (Business Associate); Insurer (OHCA); PHI; PHI; PHI]

