Page 1: HIPAA Privacy Rule  Training

HIPAA Privacy Rule Training

©SHRM 2008

Introduction

The Employee Benefits Security Administration (EBSA) administers several health care laws under the Employee Retirement Income Security Act (ERISA). One of the health care laws is the Health Insurance Portability and Accountability Act (HIPAA) of 1996. HIPAA includes provisions that regulate portability and continuity of health insurance, health information privacy, administration of health insurance, medical savings accounts and long-term care insurance.

This sample presentation addresses only health information privacy. It is intended for presentation to supervisors. It is designed to be presented by an individual who is knowledgeable about the HIPAA privacy rule and the employer’s own policies and practices.

This is a sample presentation that must be customized to match state laws and the employer’s own culture, policies and practices.


Objectives

At the close of this session, you will be able to:

• Understand the HIPAA privacy rule

• Determine who enforces the HIPAA privacy rule

• Determine who must comply

• Understand employer roles and responsibilities

• Understand employee rights

• Understand the liability for HIPAA privacy violations


What Is HIPAA?

HIPAA is the Health Insurance Portability and Accountability Act of 1996. It is a federal law that regulates portability and continuity of health insurance, health information privacy, administration of health insurance, medical savings accounts and long-term care insurance.

This presentation only addresses health information privacy under the HIPAA privacy rule.


What Is the HIPAA Privacy Rule?

The HIPAA privacy rule gives individuals rights over how their health information may be used or disclosed and protects against the unauthorized disclosure of certain medical information known as protected health information (PHI). The HIPAA privacy rule requires covered entities to handle PHI carefully.

It sets rules on who can view and receive your health information, whether it is in electronic, written or oral form.

The U.S. Department of Health and Human Services enforces the HIPAA privacy rule (http://www.hhs.gov).


What Is Protected Health Information (PHI)?

PHI:

• Relates to the physical or mental health condition of an individual, at any time, past, present or future.

• Identifies or can be used to identify an individual (e.g., name, address, birth date, Social Security number, account number).

• Is in the possession of or has been created by covered entities.


What Is PHI? (cont.)

PHI may be included in:

• Health care claims or encounter information.

• Health care payment and remittance advice.

• Coordination of benefits.

• Health care claim status.

• Enrollment or disenrollment in a health plan.

• Eligibility for a health plan.

• Health plan premium payments.

• Referral certification and authorization.


Who Must Comply?

Entities that must follow the HIPAA privacy rules are called covered entities. Covered entities include the following:

Health Care Providers

• Those who transmit health information electronically, either directly or through a business associate, including those who furnish, bill and are paid for health care services, such as doctors, dentists, hospitals, nursing homes and pharmacies.

Health Care Clearinghouses

• Health care management organizations that process nonstandard health information into a standard format or vice versa, such as billing services.

Health Plans

• Health insurance companies, HMOs, Medicaid, Medicare and employer-sponsored health plans that have 50 or more participants or are administered by a third party (e.g., an insurance carrier).


Who Must Comply? (cont.)

An employer is not a covered entity based on being an employer alone.

• An employer must sponsor an Employee Retirement Income Security Act (ERISA) group health plan.

> An ERISA group health plan is an employee welfare benefit plan that provides medical care to employees and/or their dependents/spouse directly or through insurance, reimbursement or otherwise.

• The group health plan is the covered entity, but the employer may need to comply with the HIPAA privacy rules as the plan sponsor or administrator.

• An employer may be a covered entity if it operates in the capacity of a health care provider, health care clearinghouse or health plan (e.g., an employer may be a covered entity if it has an on-site health clinic for employees).


Roles

Think of the employer as having two different roles:

• Employer

• Plan Sponsor


Employer Role

Employers do not need to comply with the HIPAA privacy rule when acting in the employer role. For example:

• Employer requests a doctor’s note from an employee upon return from an absence, consistent with the company’s policies or practices.

• Employer obtains medical information from employees to administer leave programs such as FMLA, requests for ADA accommodation, workers’ compensation, wellness programs and health insurance (e.g., employers may use health information that excludes PHI for amending plans or obtaining bids for health insurance).

• Employer includes employee names and injury information on OSHA logs.

• Employer obtains information from medical providers related to drug tests and fitness-for-duty exams.


Employer Role (cont.)

More examples of employer role:

• Employer corresponds with workers’ compensation carriers and health care providers in the administration of a workers’ compensation claim.

• Employer shares summarized health information for purposes of amending plan benefits, as long as all identifying information such as names, birth dates and Social Security numbers is removed.

• Employer discloses information related to the birth of a child or the health condition of an employee if the information comes from the employee and not from a group health plan.


Plan Sponsor Role

When the covered entity is the group health plan, an employer may be obligated to comply with the HIPAA privacy rule in its role as the plan sponsor.

Employers may be covered by the HIPAA privacy rule when they:

• Participate in the administration of a group health plan.

• Are active in the decision-making process of a group health plan.

• Participate in the operation or control of the provisions of a group health plan.


Plan Sponsor Responsibilities

Employers acting in a plan sponsor role may need to:

• Have written PHI procedures.

• Limit uses and disclosures of PHI to the minimum necessary to accomplish the intended purpose.

• Designate a privacy officer.

• Require business associates to ensure confidentiality of PHI through written contracts or agreements.

• Establish administrative, technical and physical safeguards to protect the privacy of PHI.


Plan Sponsor Responsibilities (cont.)

Employers acting in a plan sponsor role may need to:

• Train employees on the HIPAA privacy rule.

• Provide a process for filing complaints.

• Ensure that PHI is not used for making employment or benefits decisions, marketing or fundraising.


Employees’ Rights

Employers acting in a plan sponsor role for a group health plan (covered entity) may not share employee PHI without written authorization unless it is shared:

• With the individual who is the subject of the PHI.

• For treatment and care coordination.

• To pay for employee health care services.

• With individuals who are designated by employees and who are involved with the employee’s health care or paying for health care bills.

• In public health situations.


Employees’ Rights (cont.)

Employers acting in a plan sponsor role for a group health plan (covered entity) may not share employee PHI without written authorization unless it is shared:

• For court and agency proceedings (e.g., workers’ compensation).

• Based on agency requirements (e.g., OSHA audit).

• Based on law enforcement requests or compliance.

• In emergencies.

• In identification of deceased individuals.

• In national security-related situations.


Employees’ Rights (cont.)

Employees have a right to:

• A copy of their medical records (a reasonable fee for copying and mailing records may be assessed).

• Restrict who can obtain their PHI.

• Change incorrect information in their medical records.

• A report of when and why PHI was used.

• Choose communication methods.

• File complaints.


HIPAA Privacy Violations

Violations of the HIPAA privacy rule may result in:

• Civil penalties of $100 per violation.

• Maximum civil penalties of $25,000 per year, per person, per standard.

• Criminal penalties for willful offenses of $50,000 to $250,000 and imprisonment.

• Additional penalties under state law.

• Lawsuits.


Summary

Medical information maintained by employers is not always considered PHI.

An employer must determine where the information was obtained and whether it is maintained in the role of employer or in the role of plan sponsor of a group health plan, since the plan sponsor role is what can make an employer a covered entity.

Regardless of the role, employers should carefully handle all employee medical information.


Questions? Comments?


Course Evaluation

Please be sure to complete and leave the evaluation sheet you received with your handouts.

Thank you for your attention and interest!