Student Health Director Briefing
Frequently Asked Questions
HIPAA
May 23, 2012
• This training session is for educational purposes only and does not constitute legal advice. If as a result of this training session you have questions about your HIPAA status or your organization’s privacy or security compliance, please contact your SUNY Counsel.
• This training session is not intended to cover all of the privacy and security laws/regulations training requirements. Slides are provided for informational purposes only.
• Frequently Asked Questions:
– Do electronic health record transactions make me HIPAA covered?
– What type of billing activities make me HIPAA covered?
– Do transactions between my campus and my student health insurance company make me HIPAA covered?
– My campus would like to engage in new revenue-producing enterprises related to our Student Health Centers. Are there any issues that I need to address prior to implementing?
To answer these questions
• Understand the Basics of HIPAA
– What does HIPAA stand for?
• Health Insurance Portability & Accountability Act of 1996 (45 CFR Parts 160 & 164)
– Enacted August 21, 1996, which required the Secretary of Health and Human Services “to publicize standards for the electronic exchange of health care data as well as privacy and security” measures for personally identifiable health information (known as Administrative Simplification provisions).
• http://www.hhs.gov/ocr/hipaa
Administrative Simplification
• “ADMINISTRATIVE SIMPLIFICATION” (HIPAA Rules)
– Title 42 The Public Health and Welfare U.S. Code 1320d-1 et seq.
• Subtitle F of Title II of HIPAA, Part C (HIPAA Provisions)
• National standards to protect the confidentiality of patient health information via regulations in three areas:
– Privacy (Privacy Rule)
» Applies to information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral, known as Protected Health Information (PHI)
– Electronic Exchange (Transaction and Code Set Regulations)
– Security measures (Security Rule)
Privacy Rule
• Excludes from protected health information
– Employment records
– Education records and other records as defined in the Family Educational Rights and Privacy Act, 20 U.S.C. section 1232g
• Goal: To assure individuals that their health information with covered entities will be properly protected while allowing the flow of health information needed to provide and promote high quality health care.
Student Health Information - Exclusion
• Employment Records: Are excluded from the definition of PHI, and therefore not subject to the protections of HIPAA. Other laws and regulations that cover uses and disclosures of information in such records may apply -- such as OSHA, Family and Medical Leave Act (FMLA), workers' compensation, and alcohol and drug free workplace laws.
• Education records covered by FERPA
• Records of students held by colleges and universities used exclusively for health care treatment and which have not been disclosed to anyone other than a health care provider at the student’s request. (These are specifically excluded from the definition of “education records.”) 45 CFR 164.501
• HHS expressly determined that it was not going to preempt FERPA, because FERPA provided a privacy framework for student records. So, if the records fit within the “HIPAA FERPA” exception, must apply FERPA.
*HIPAA Basics: 2002 Washington and Lee University
Determination
• Remember: only individuals/offices that deal in PHI are required to comply with HIPAA privacy regulations. If your office only deals with student or employment records, and does not handle PHI, it may not be necessary to designate it as a covered care component of SUNY as a hybrid HIPAA covered entity.
*HIPAA Basics: 2002 Washington and Lee University
1. Health Plans
2. Health Care Providers
3. Health Care Clearinghouses
Covered Entities – 1. Health Plan
• Health Plans – provide or pay the cost of medical care (42 U.S.C. 1320d, 45 CFR 160.103)
– Include: health, dental, vision, prescription drug insurers, HMOs, Medicare, Medicaid…
– Excludes: (reference 42 U.S.C. 300gg-91(c)(1))
• Group health plan with less than 50 participants that is administered solely by the employer that established and maintains the plan
• Two types of governmental funded programs
– Those whose principal purpose is not providing or paying the cost of health care, such as food stamps program
– Those whose principal activity is directly providing health care, such as community health center
• Certain other entities providing: workers’ compensation, automobile insurance, and property and casualty insurance, coverage for on-site medical clinics
Examples of Covered Health Plans in the College or University Setting*
• Employee group health plan (fully/self-insured)
• Employee group dental plan (fully/self-insured)
• Employee group vision plan (fully/self-insured)
• Employee flexible spending account
• Employee Assistance Plan (for other than on-site clinic)
• Retiree health plan (fully/self-insured)
• Student health (fully/self-insured) (for other than on-campus clinic)
*HIPAA Basics: 2002 Washington and Lee University
Examples of Non-Covered Plans in a College or University Setting*
• NCAA intercollegiate accident policy
• Employee long-term disability policy
• Employee life insurance policy
• Employee workers’ compensation coverage
• Student health fee for on-site student health and counseling services
*HIPAA Basics: 2002 Washington and Lee University
Evaluate Activity – An Example
• University has a private psychiatrist on retainer, to evaluate students on a one-time referral from University physician/counselors when behavioral concerns arise. University pays psychiatrist directly for these sessions.
Is this practice a “health plan” under HIPAA?
• This is not a covered health plan, but a contractual extension of the excluded on-site clinic exemption as an excepted benefit excluded from the HIPAA privacy and security rules.
*HIPAA Basics: 2002 Washington and Lee University
Endorsed vs. Sponsored Plans
• Question: A university endorses one student health insurance policy and allows that insurer to market the policy as the College Sponsored Student Health Plan. There is no contractual relationship between the college and the insurer and the students apply, pay premiums, and file claims on their own. Is the college a Plan Sponsor for HIPAA?
• No. First, the concept of a plan sponsor as defined appears to apply only to ERISA plans. Second, the college has not undertaken any responsibility to pay any premiums or subject itself to any other liability under the policy. It is acting only as endorser and liaison between insurer and student. Under these circumstances, the college is not a HIPAA plan sponsor of this plan. (Presenter’s opinion)
*HIPAA Basics: 2002 Washington and Lee University
Who is the Covered Entity – Student Health Insurance
• Best practice – in case of an issue with HIPAA and Student Health Insurance – know which entity is covered (many colleges and universities utilize group health insurance companies such as Aetna for their student health insurance; these entities are the HIPAA covered entity and comply with regulations).
• Why does it matter? Most campuses exchange information as it relates to students and their health insurance. This information should be verified as not PHI and that only summary/participation/enrollment is being transacted. You can verify this with your student health insurance carrier.
Covered Entities – 2. Health Care Providers
• Every health care provider who electronically submits health information in connection with standard transactions (42 U.S.C. 1320d-1, 45 CFR 160.103) is covered
• Standard Transactions (45 CFR Part 162, K-R)
– Health care claims or equivalent encounter information
– Enrollment and disenrollment in a health plan
– Eligibility for a health plan
– Health care payment and remittance advice
– Health plan premium payments
– Health claim status
– Referral certification and authorization
– Coordination of benefits
Evaluate Activity – An Example
• If a health care provider transmits any of these transactions electronically, that health care provider is a covered entity. E.g., if your student health center bills student insurance electronically, or bills summer campers’ insurance electronically, or sends referral authorizations to insurers electronically, it has become a covered entity.
• It appears from HHS comments that “in connection with” means as a part of the covered transaction itself, not merely in communications in any way related to a covered transaction (e.g., electronically submitting a claim as opposed to emailing with a question about how to transmit a claim).
*HIPAA Basics: 2002 Washington and Lee University
Evaluate Activity - Examples
• Student health centers that only bill student accounts, not third-party payers. This is direct billing of the patient under an excluded plan covering on-site clinic services, not a “claim” to a covered health plan. Thus, this sort of account billing is not a HIPAA transaction.
• An email from one doctor to another doctor regarding a patient’s treatment is not a HIPAA transaction to trigger coverage as a “covered entity” or require standard formatting.
• A flexible spending account plan does not involve claims from health providers to the plan, but merely direct reimbursement of the employee, so though the plan is a covered plan, it conducts no HIPAA “claims” required to be standardized.
*HIPAA Basics: 2002 Washington and Lee University
Health Care Providers – Double Check
• Student Health Centers – physicians, nurses, and other providers
• Counseling Center staff – psychiatrists, clinical psychologists
• Athletic Trainers
ONLY IF THEY TRANSMIT HEALTH INFO. ELECTRONICALLY IN ONE OF THE DEFINED HIPAA TRANSACTIONS
*HIPAA Basics: 2002 Washington and Lee University
Covered Entity – 3. Health Care Clearinghouses
• Entities that process nonstandard information they receive from another entity into a standard format
• They include: billing services, re-pricing companies, community health management information systems, and value-added networks and switches if the entity performs clearinghouse functions.
Evaluate Activity – An Example
• Universities or Colleges may act as clearinghouses by billing third-party payers on behalf of other entities, such as clinics or practice groups, which makes the university/college a HIPAA covered entity.
*HIPAA Basics: 2002 Washington and Lee University
Evaluate Activity – Electronic Health Record
• In and of itself an electronic health record does not make an institution HIPAA covered; an evaluation of the activities processed through the electronic health record determines whether the entity is HIPAA covered (refer to covered electronic transactions).
• Note: Even where not HIPAA covered, institutions should apply the highest privacy and security safeguards with respect to access, use and transmission of electronic health records.
• A person or organization that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information.
• The HITECH Act of 2009, part of the American Reinvestment and Recovery Act, now imposes direct compliance with the Security Rule, information breach notification, enhanced penalties, etc. on business associates to the same extent as applicable to covered entities.
SUNY and Business Associate Agreements
• SUNY has a standard template for Business Associate Agreements. Please contact SUNY Counsel should you be asked about entering into a Business Associate Agreement.
• Business Associates must use appropriate privacy and security safeguards.
• Contact your SUNY counsel and they will work with designated campus and System Administration personnel to help you determine which privacy and security regulations apply.
• Contact your human resources representative to see about GOER training and your access.
• If you have an ability to access the GOER training, please make sure to check out the learning module titled “Privacy and Security of Health Information in New York State”.
• Policy 4200 HIPAA
• Policy 6608 Information Security Guidelines
• Privacy and Safety on Campus – A legal framework
• Presentation Source Material
– U.S. Department of Health and Human Services Office of Civil Rights
• www.hhs.gov/ocr/privacy
– HIPAACOW.org
– HIPAA Basics: Washington and Lee University