HIPAA Compliance for Employers
Patricia C. Shea, Esq.
717.231.5870

Chapter I – HIPAA Overview
- What is it?
- What is it supposed to do?
- Why should you care?
- Who does it apply to?
- What does it cover?

What is HIPAA?
Health Insurance Portability and Accountability Act of 1996
1. Standards for Privacy of Individually Identifiable Health Information – proposed 1999; final August 14, 2002
2. Security & Electronic Signature Standards – final February 20, 2003 (physical/technological requirements to secure protected health information)
3. Electronic Transactions & Code Set Standards – final (requirements for conducting designated electronic transactions involving protected health information)

The Privacy Regulations – Why?
1. Address inconsistent or nonexistent state laws regarding standards of privacy for patient data
2. Address inconsistent or nonexistent state laws regarding patients' rights regarding their data
3. Address the exponential increase in availability and scope of patient data

Common HIPAA Misperception
HIPAA applies only to doctors, hospitals, and insurance companies.

The Penalties …
- Civil ($100 per violation, capped at $25,000 per year)
- Criminal (from $5,000 to $250,000 and/or 1 to 10 years in jail)
- Potential for private lawsuits

HIPAA Applies to … Covered Entities
- Health care providers (e.g., doctors) who transmit health information electronically
- Health care clearinghouses
- Health plans
160.103

Health Plans include …
- HMOs
- Indemnity insurers
- Group health plans that are:
  - Fully insured or self-insured; and
  - Have 50 or more participants; OR
  - Administered by an entity other than the employer that established and maintains the plan
160.103

Health Plans include …
- An employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers
- Any other individual or group plan, or combination of individual or group plans, that provides or pays for the cost of medical care
160.103

What is Covered?
Protected Health Information (PHI)
(i) Individually identifiable health information (see next slide) that is
(ii) Transmitted by electronic media;
(iii) Maintained in any electronic medium; or
(iv) Transmitted or stored in any other form or medium; and
(v) Is not excluded.
164.501

What is Covered? (cont) …
Individually identifiable health information
(i) Information created or received;
(ii) Relates to past, present, or future physical/mental health condition, treatment or payment for care of the individual;
(iii) Identifies the individual; or
(iv) Reasonable basis to identify the individual.
160.103

Exclusions …
Individually identifiable health information in:
(i) Education records covered by the Family Educational Rights and Privacy Act; and
(ii) Records described at 20 USC 1232(a)(4)(B)(iv);
(iii) Employment records held by a covered entity in its role as an employer.
164.501

General Rule of HIPAA
Covered entities may not use or disclose protected health information unless the Privacy Regulations permit or require them to do so.

“Use” means …
With respect to individually identifiable health information, the sharing, employment, application, utilization, examination or analysis of such information within an entity that maintains such information.
164.501

“Disclosure” means …
The release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.
164.501

Goal for Employers …
1. Know when the HIPAA General Rule applies to the operations of a group health plan;
2. Know the corresponding requirements;
3. Know the boundaries of the requirements.

Chapter II – HIPAA & Group Health Plans
Step 1: Identify the applicable health plans.
Step 2: Determine the employer’s role(s) with respect to each plan.
Step 3: Identify the key characteristics of each plan.
Step 4: Determine the corresponding HIPAA requirements for each plan.
Step 5: Implement the corresponding HIPAA requirements for each plan.

Step 1: Identify the plans.
HIPAA Privacy Rule Applies To:
1. Medical plans
2. Dental plans
3. Vision plans
4. Employee assistance plans
5. Etc.

Step 1: Identify the plans (cont) …
HIPAA Privacy Rule Does Not Apply To:
1. Accident or disability income insurance or any combination thereof
2. Coverage to supplement liability insurance
3. Liability insurance, including general liability insurance and auto liability insurance
4. Workers’ compensation insurance
5. Auto medical payment insurance
6. Coverage for on-site medical clinics
7. Other similar insurance coverage … under which benefits for medical care are secondary or incidental to other insurance benefits

Step 1: Identify the plans (cont) …
Flexible spending accounts???

Step 2: Determine the employer’s role(s).
Plan Sponsor – establishes the plan; amends the plan; terminates the plan; facilitates enrollment and disenrollment; obtains premium insurance bids.
(i) the employer, when the plan is established or maintained by a single employer;
(ii) in the case of a plan established or maintained by two or more employers or jointly by one or more employers and one or more employee organizations, the association, committee, joint board of trustees or other similar group of representatives of the parties who establish or maintain the plan.
164.501; 42 USC 1002(16)(B)

Step 2: Determine the employer’s role(s).
Plan Administrator – performs aspects of plan operations including claims assistance; quality assurance; auditing; monitoring; management; claims processing; claims payment.
(i) the person specifically so designated by the terms of the instrument under which the plan is operated;
(ii) if an administrator is not so designated, the plan sponsor ….
42 USC 1002(16)(A)

Caution:
It is easy to slip from a plan sponsor role into a plan administrator role.

Step 3: Identify plan characteristics.
- Fully insured or self-funded?
- Who administers it?
- How many participants in the plan?
- What is the annual amount of receipts for the plan?
- Who receives protected health information regarding the plan? From where?
- How does the plan use protected health information?

Step 3: Identify plan characteristics (cont).
Beware of Protected Health Information:
1. Plan Administrators use or disclose protected health information to perform the plan administration functions.
2. Plan Sponsors may receive protected health information that they do not use or need.
   (i) Do you really need the information? (See Administrative Requirements Checklist)
   (ii) Can summary health information work?

Step 3: Identify plan characteristics (cont).
Start thinking about “Firewalls.”
Means of safeguarding the protected health information (operationally and physically):
- Identifying the employees or classes of employees who will have access to protected health information;
- Restricting access solely to the employees identified and only for the functions performed on behalf of the Plan.

Step 4: Determine HIPAA requirements.
The Two Key Variables:
1. What role does the employer play with respect to the health plan?
2. What information must the employer use and disclose in carrying out these roles?

Step 4: Determine HIPAA requirements (cont) …
1. Comply with HIPAA administrative requirements.
2. Amend Plan documents.
3. Provide Plan certification that Plan documents have been amended.
4. Prepare and/or provide Notice of Privacy Practices.
5. Enter into agreements with business associates.
See Plan Sponsor Checklist.

Step 4: Determine HIPAA requirements (cont) …
HIPAA Administrative Requirements – 164.530
- Designate privacy officer
- Train workforce
- Establish safeguards
- Establish complaint process policy
- Establish sanctions policy
- Establish mitigation policy
- Establish non-retaliation policy
- Establish non-waiver of rights
- Establish other policies
- Establish documentation policy
See Administrative Requirements Checklist.

Step 4: Determine HIPAA requirements (cont) …
Amend Plan Documents
(i) Not to use or further disclose PHI other than as permitted by the plan or required by law;
(ii) Ensure that agents, etc., to which the plan sponsor provides PHI regarding the plan agree to the same restrictions that apply to the sponsor;
(iii) Not use PHI for employment-related actions or in connection with any other benefit or employee benefit plan of the plan sponsor.

Step 4: Determine HIPAA requirements (cont) …
Amend the Plan Documents
(iv) Report inconsistent uses and disclosures to the plan of which the sponsor may become aware;
(v) Provide individuals with access to their PHI;
(vi) Provide the information necessary to provide an accounting;
(vii) Make internal practices, books, records and policies and procedures available to the Secretary of HHS to determine the plan’s compliance with HIPAA requirements.

Step 4: Determine HIPAA requirements (cont) …
Amend the Plan Documents
(viii) If feasible, return or destroy all PHI received from the group health plan and retain no copies …;
(ix) Ensure that there is adequate separation between the group health plan and the plan sponsor.
164.504(f)(2)(ii)

Step 4: Determine HIPAA requirements (cont) …
Certify the “Fact” of the Amendments to the Plan

Step 4: Determine HIPAA requirements (cont) …
Prepare Notice of Privacy Practices
1. Understand how the Plan will use and disclose protected health information before preparing the notice.
2. Include the specified items identified in the regulations.
See Notice of Privacy Practices Requirements Checklist.

Step 4: Determine HIPAA requirements (cont) …
Think About the Notice of Privacy Practices
1. The Plan will probably have to create policies and procedures in addition to the administrative requirements policies to address the information that must be included in the Notice.
2. Examples:
   - Individual’s right to an accounting
   - Individual’s right to inspect
   - Individual’s right to amend, etc. …

Step 4: Determine HIPAA requirements (cont) …
Business Associates
1. Identify them.
2. Execute agreements with them.
3. “Monitor” them.

Step 4: Determine HIPAA requirements (cont) …
Business Associates:
- perform or assist a covered entity (e.g., the Plan) in performing
- a function or activity
- involving the use or disclosure of individually identifiable health information

Step 4: Determine HIPAA requirements (cont) …
Business Associates must provide “satisfactory assurances” that they will safeguard the information, by:
- Using the information only for the intended purpose (e.g., health care operations)
- Safeguarding the information
- Assisting with providing individuals with access to the protected health information

Step 5: Implementation.
1. Draft the necessary policies and procedures.
2. Train personnel.
3. Amend plan documents and provide certification, as necessary.
4. Prepare and/or provide the Notice of Privacy Practices.
5. Create the physical firewalls.
6. Document everything ….

Time is Running Out …
Compliance Date = April 2003
Small Plans = April 2004