Embed Size (px)
Citation preview
HIPAA Refresher—What’s New for 2010
Peter Marathas,
BAN Compliance Director
January 20, 2010
2
Key HIPAA Requirements
• Privacy Officer
• Policies & Procedures
• Amended Plan Documents
• Business Associates
• Training
Today’s program designed to be used by Plan Sponsors as key component of “Training” Requirement
• Penalties
3
HIPAA Training
• Health plans must train all participants of its workforce with access to PHI (“HIPAA Personnel”) regarding HIPAA privacy policies and procedures as necessary and appropriate for the participants of the workforce to carry out their job duties
Each new participant who has access to PHI must be trained within a reasonable period of time after their hire date
• All training must be documented
Download slides and/or recording and file Supplement general training program with Company-specific
guidance
4
HIPAA Background
• HIPAA is a federal law that was enacted in 1996
• The first final version of the rules was issued by HHS in late 2000, amended in 2002
• Compliance with the 2000 HIPAA privacy rules was required by April 14, 2003 for most plans
• Changes to HIPAA were made in the federal stimulus law (Feb. 17, 2009) – American Recovery and Reinvestment Act of 2009 (known as “ARRA”) – section dealing with privacy, security and health information technology is referred to as the HITECH Act
5
To Whom Do the Privacy Rules Apply?
• The HIPAA Privacy rules apply (although sometimes in different ways) to all “covered entities:”
i. health plans;
ii. health care clearinghouses; and
iii. health care providers who transmit any health information in electronic form in connection with one of the transactions covered by HIPAA
• And, under 2009 ARRA, Business Associates
6
Covered Entities: Health Plans
• What is a Health Plan under HIPAA?
Employer sponsored health plans with more than 50 participants (includes flexible spending accounts)
HMOs and health insurers are also health plans under HIPAA. Those fully-insured plans are responsible for HIPAA compliance and employers are also responsible
• What is NOT a health plan under HIPAA?
Pension and Disability insurers or benefits are NOT covered by HIPAA
Life, property or casualty insurers or benefits are NOT covered by HIPAA
Workers’ compensation insurers or benefits are NOT covered by HIPAA
7
What Type of Health Benefits Are Covered?
• Medical (physicians, hospitals)
• Vision
• Dental
• Hearing
• Behavioral Health
• Substance Abuse
• Prescription Drug Coverage
8
Covered Entities: Health Plans
• EmployersEmployers Are NotNot Covered Entities
• Which of these is governed by HIPAA:
Employee tells supervisor he is having back surgery
Field rep files report with HR that employee has had an accident that is subject to workers’ compensation
Spouse calls manager and informs manager that employee spouse has been injured in car accident and provides daily updates
EAP representative calls supervisor and reports that employee has cocaine addiction and is in treatment
9
HIPAA Penalties – New Rules under ARRANew Rules under ARRA
• ARRA increased the penalties for violations of HIPAA
• In determining the amount of the penalty, the Secretary of HHS must base it upon nature and extent of violation and extent of harm from violation
• Violator’s mental state, and whether violation has been corrected, will be a factor
10
HIPAA Penalties – New Rules under ARRA
• 4 Tiers:
Tier A: Offender didn’t know and by exercising reasonable diligence would not have known he/she violated the law: $100 per violation, up to a maximum of $25,000 per year for all violations of an identical requirement
Does not sound severe but could really add up; also a single HIPAA non-compliant action is likely to violate multiple provisions of the rules
11
HIPAA Penalties – New Rules under ARRA (cont.)
Tier B: Violation—due to reasonable cause and not willful neglect: $1,000 for each violation, up to a maximum of $100,000 per year for all violations of an identical requirement in a calendar year
Tier C: Violation—due to willful neglect but corrected: $10,000 for each violation, up to a maximum of $250,000 per year for all violations of an identical requirement in a calendar year
Tier D: Violation—due to willful neglect, and not corrected: $50,000 for each violation, up to a maximum of $1,500,000 per year for all violations of an identical requirement in a calendar year
12
Protecting Protected Health Information (“PHI”)
• The HIPAA Privacy Rules apply to Protected Health Information (“PHI”)
• PHI is individually identifiable health information that is in all forms – paper, oral, electronic
• PHI excludes employment records held by a plan sponsor in its role as an employer (e.g., physician’s note submitted by employee documenting reason for absence from office)
13
What is Health Information?
• Health information includes any information created by a health care provider or group health plan
and that relates to past, present, or future physical or mental health or condition of the individual,
the provision of health care to the individual, or
the past, present or future payment for health care to the individual
14
What Makes Health Information Individually Identifiable & Thus PHI?
• Name
• Dates: birth, admission to hospital, discharge from hospital, death
• Telephone and fax numbers
• Social Security Number
• Account number
• Vehicle identifiers including license plates
• Web URLs and IP address numbers
• Geographic unit (certain zip code information excepted)
• Ages over 89
• E-mail and other addresses
• Medical record numbers and health plan numbers
• Certificate or license number
• Device identifiers and serial numbers
• Biometric identifiers, including finger and voice prints and full face and other identifying photographic images
15
What is De-Identified Information?
• If a health plan removes all the identifiers listed on the previous page, the information is no longer protected by HIPAA.
• If a company’s HR Department seeks to disclose health and welfare plan information, or other financial information relating to the health plans, to those not part of “HIPAA workforce”, then the HR Department must de-identify the health plan information before making the disclosures
16
The Basics
• Health plans can use and disclose PHI for most routine uses and disclosures for payment for treatment and the operations
• Most other uses or disclosure of PHI require a signed, written authorization
• Health plans have to give certain rights to individuals. For example, right of access by a participant to his or her records, right to propose a change to the record, and accounting of unusual disclosures. The handling of these rights can be delegated to the third-party administrators
• Administrative Requirements: Training, privacy officer, privacy notice, many policies, procedures and sanctions for violations
17
Typical Allowable Uses and Disclosures Without Any Written Permission
• Enrollment
use internally, or
disclose to health plans' vendors
• Eligibility
use internally,
disclose to health plans’ vendors, or
disclose to health care providers
• Claims adjudication and payment
• Pre-certification and referral
18
Privacy Officer
• Your Group Health Plan must have designate a Privacy Officer
• The privacy officer is responsible for developing and implementing policies and procedures necessary to comply with HIPAA privacy rules, including training
• Companies should also designate a contact person to answer questions and receive complaints about HIPAA’s privacy rules, and to obtain the forms necessary for a participant to exercise any of his or her rights under HIPAA
• If you handle PHI, you should know who is serving as your company’s privacy officer and HIPAA contact person
19
Privacy Notice
• A privacy notice is required
Fully insured—insurers typically send
Self insured—employer must send (or third party)
• Notices can be delivered by email, if a participant agrees to electronic notice
• The privacy notice must be distributed upon enrollment to all new participants
• A company’s intranet should also include a copy of the privacy notice
20
Privacy Notice
• Participants are entitled to paper copies upon request
• Health plans cannot substantially change their information policies and procedures before updating its notice to reflect those revisions
• At least once every 3 years, health plans must remind participants of the availability of the privacy notice
21
Authorizations
• Written authorization is not required if PHI is being used by a health plan for treatment, payment or health care operations purposes (or for other disclosures permitted by the privacy rules)
• You should seek written authorization from the individual before releasing the individual’s PHI to most third parties
• You should seek written authorization from individuals before using PHI for reasons other than payment or health care operations
For example, if you want to use your company’s own health plan records to see if a participant is entitled to disability benefits, participant must sign an authorization
22
Interaction with Participants and Family
• Individuals may approach you for assistance with your company’s health plans benefits
• If (1) disclosure is to a family participant involved in the individual’s care or payment for that care, (2) disclosure is limited to that family participant’s involvement in the care or payment, and (3) the individual has not objected to the disclosure to the family participant, then it’s okay to disclose, but preferable to refer to your outside administrators
• With a complete authorization, or another legal document, such as a general power of attorney, you could disclose anything to the family participant
23
What Can I Discuss?
• HR employees can always pass on information from a spouse to your health plans or, if for purposes of payment or operations, to the health plans' vendors
• You can discuss the medical claims of a child (under 18) with either parent (subject to limited exceptions - e.g., records protected under federal laws on family planning), unless your company is notified that it is not appropriate to so share the information (e.g., domestic abuse)
24
“Minimum Necessary” Rule
• The “Minimum Necessary” Rule Whenever the health plans use or disclose PHI or requests
PHI from another plan or a physician, it “must make reasonable efforts to limit [PHI] to the minimum necessary to accomplish the intended purpose of the use, disclosure or request”
Thus, the minimum necessary rule covers The HR Department’s use of information Disclosure Requests for disclosure
Under ARRA, within 18 months, HHS must issue guidance clarifying minimum necessary rules
25
“Minimum Necessary” Rule (cont’d)
• The minimum necessary rule does not apply to:
Disclosures to or requests by a health care provider for treatment
Disclosures to the individual or pursuant to an authorization
Disclosures to government for enforcement of privacy rules
Other uses or disclosures required by law
26
Minimum Necessary - Limiting Employee Access to PHI
• The HR Department should identify those persons or classes of persons in its “HIPAA workforce” (should be referred to as “HIPAA Personnel” in the HIPAA Privacy Policy) who need access to PHI to carry out their duties:
• Privacy Officer
• Other members of the HR Staff to the extent that they handle benefits, including HR Operations staff and HR business partners
• Members of the IT Department may have access to PHI, upon specific request of other HIPAA workforce, for the sole purpose of assisting in servicing the electronic versions of PHI on the company network servers
27
Limiting Employee Access to PHI
• On a limited basis, any of your company’s personnel involved in audit or legal issues may, on a case-by-case basis, be designated as HIPAA workforce solely for purposes of their handling audit and legal issues relating to administration of the Plan
• Only those HIPAA Personnel may have electronic and physical access to PHI maintained in your HR Department
28
Limiting Employee Access to PHI
• Your HIPAA Personnel may use and disclose the Plan’s protected health information only for plan administrative functions. The amount of PHI disclosed must be limited to the minimum amount necessary to perform the relevant plan administrative functions
• Generally, HIPAA Personnel may not disclose protected health information to company employees other than other members of HIPAA Personnel
29
Safeguards to Protect Privacy
• PHI may be filed in the same files as any other employee benefits information or any other human resources information, including personnel records, and electronic access must be restricted to only HIPAA Personnel
• Some companies have created access control lists on the domain side, to control all access to HR data. This list allows only HIPAA Personnel to access electronic files containing Plan information
• Some companies have mandated that HIPAA Personnel have their own computer passwords and user domain account passwords accessible only to HIPAA Personnel, and they may not share passwords
• Locked cabinets and doors to the offices that contain health plan records
30
Individual Rights
• Right to Inspect and Copy PHI in your company’s health plans' records
• Right to Propose an Amendment to Correct PHI in the health plans' records
• Right to an Accounting of Disclosures
• Right to Request Restrictions on PHI Use & Disclosure
• Has handling of these rights been delegated to vendors?
31
Individual Rights: Copying and Proposing Amendments
• Participants and dependents have the following rights under HIPAA:
To access, inspect and copy their health information records in the health plans' records
To copy any enrollment, payment, claims adjudication, and case or medical management records system that includes PHI and that is maintained by or for the health plans or used in whole or in part by the health plans to make decisions about individuals
Right to propose an amendment to the PHI or a record about the participant (or dependent) in the health plans' record sets
32
Individual Rights: Copying and Proposing Amendments
Under ARRA, individuals may ask covered entity to transmit information to designated entities; request restrictions on disclosure of PHI to the plan for purposes of payment or health care operations if PHI relates to an item or service for which individual paid a doctor out-of-pocket costs in full
33
Individual Rights: Accounting of Disclosures
• Participants have a right to request from the health plans an accounting of the disclosures of their PHI
Health Plans must keep a log of disclosures of PHI made within 6 years prior to the request (as long as the 6 years starts after April 2003), and be able to give that log to a participant upon request
34
Individual Rights: Accounting of Disclosures
Log excludes disclosures: to participants (or dependents) who request their own records; and to persons involved in the participant’s care (e.g., spouse); or disclosed in accordance with the participant’s signed written authorization
DOES include disclosures to IRS or DOL if you disclose the participant’s name and PHI
35
Individual Rights: Accounting of Disclosures
• Your company may require health plans employees to keep track of additional disclosures
• Under ARRA, new notification requirement for breach of “unsecured” PHI
In general, upon breach, complex notice requirements within 60 days unless PHI was encrypted
Determine whether your PHI is encrypted
36
What is a Business Associate?
• Definition:
A person who (i) performs for or on behalf of a covered entity, or assists a covered entity, in performing an activity or function involving use or disclosure of health information (e.g., claims processing, utilization review, billing), or (ii) provides legal, actuarial, accounting, management, administrative, accreditation or financial services where the provision of such services involves the disclosure of health information from the entity or another business associate of the entity
• Includes anyone with health information from your health plans (could include attorneys, consultants, TPAs, auditors, computer software service companies)
37
What are the Business Associate Rules?
• General Rules
Need specific HIPAA-dictated language in a contract with all business associates
Language includes privacy protections as well as the extension to service providers of individuals’ HIPAA rights.
Under ARRA, all of the HIPAA rules apply directly to business associates
So, when entering into a new agreement with a third party administrator or a benefits consultant to audit your vendors, the Privacy Officer must arrange to have this language in your agreement
38
Handling Complaints
• The Privacy Notice advises everyone that they have a right to complain about violations of their HIPAA rights
• If an employee (or covered dependent) complains his or her health plan privacy rights have been violated, the person complaining should be directed to the Privacy Officer, or if any employee wants to complain about a health plan privacy violation by someone else (including by your vendors), all those receiving such a complaint should make a written report to the Privacy Officer
• The HIPAA Policies must include forms for making privacy complaints
• All complaints will be investigated by the Privacy Officer
• Retaliation for making privacy complaints is prohibited
39
Employee Sanctions for Violations
• Your company is required by HIPAA to have and apply appropriate sanctions against the health plans' workforce who fail to comply with the health plans' privacy policies and procedures or the privacy requirements of HIPAA
• As member of HR Department, know what the disciplinary rules and mitigation rules are
40
Checklist
• If you work with PHI:
Determine whether any state privacy laws apply to the group health plan
Identify current uses and disclosures of PHI
Identify how has access to PHI
Assess using Minimum Necessary Standard
Assess which current uses and disclosures are permitted and under what circumstances
Review group health plan documents for amendment
41
Checklist
• If you work with PHI:
Identify Business Associates—update BA agreements for HiTech
Discuss standards with privacy officer and how they apply to you
Read privacy policies and procedures
Read privacy notice
Review safeguards for protecting PHI from accidental or intentional use in violation of the privacy standards
