HIPAA: Understanding the Basics
HIPAA Basics: 2002 Washington and Lee University
May 2, 2002 (updated 1/13/03)

Presenters
Leanne Shank, Esquire
University Counsel
Jennifer Kirkland, Esquire
Office of University Counsel
Washington and Lee University
Lexington, Virginia

HIPAA: The Basics
• What is it?
• Why should you care?
• How might it affect your institution?
• What steps should you take to determine your institution’s exposure and to comply?
• NOTE: This presentation is geared toward institutions without academic medical centers.

Health Insurance Portability and Accountability Act of 1996

• Kennedy-Kassebaum Bill. Its portability provisions limit preexisting-condition exclusions and give credit for prior coverage, so that an employee changing jobs can qualify for comparable coverage; the Administrative Simplification provisions amended the Social Security Act.
• Congress desired to promote Electronic Data Interchange to facilitate this portable health insurance and to reduce the administrative costs of health care.

A Little Congressional Humor:

“ADMINISTRATIVE SIMPLIFICATION”
42 U.S.C. 1320d-1 et seq.

Title II, Subtitle F, Part C of HIPAA
• Gives HHS (Department of Health and Human Services) authority to mandate (1) transaction standards and code sets for electronic exchange of health care data, as well as (2) privacy and (3) security measures for personally identifiable health information.
• Also provides for required use of national identifiers for providers, employers/sponsors, payers/plans, and patients (patient identifier shelved).
• Substantial penalties for non-compliance.

Transaction Regulations
Designed to ensure format and content standardization in certain specific financial and administrative health care transactions conducted electronically.
• NOTE: it is important that you familiarize yourself with what types of transactions are governed by the transaction regulations. Not every health care transaction is covered, only those defined in the regulations.
• 45 CFR Part 162, Subparts K through R.

Privacy Regulations
Designed to establish a federal regulatory framework to promote the privacy of health information among entities covered by HIPAA, and those acting on their behalf.
• Regulations restrict the use and disclosure of protected identifiable health information, provide for patient access to such information, and mandate administrative safeguards to promote privacy of protected health information.

Security Regulations
• Not yet finalized! (Rumored for Dec. ’02)
• Designed to establish a federal standard for the protection of health information maintained or transmitted electronically.
• Require administrative, technical and physical safeguards for storage, transmission, and access.

Is Your Institution, or any part of it, Covered by HIPAA? By any or all of the Transaction, Privacy and/or Security Regs?

DON’T ASSUME HIPAA OR THE SEPARATE SETS OF REGULATIONS APPLY TO THE COLLEGE OR UNIVERSITY AS A WHOLE!

Campus Entities That Are NOT “Covered Entities” Per Se without further analysis:
• Colleges
• Universities
• Employers
• Supervisors and Administrators
• All University Insurance Plans
• Health Care Providers (physicians, nurses, counselors, athletic trainers)

What is a “Covered Entity” under HIPAA?
• Health Plan
• Health Care Provider who transmits any health information in electronic form in connection with a HIPAA transaction [May be broader under proposed security regulations]
• Health Care Clearinghouse (converts nonstandard transactions to or from standard format)
• 42 U.S.C. 1320d-1, 45 CFR 160.103

Use the CMS Covered Entity Decision Tools to Help Determine Your Campus Coverage
• http://www.cms.hhs.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp
• This site will walk you through a series of questions with respect to your health care providers and health plans to assist you in determining if your campus will be covered under HIPAA.

Health Plan

“An individual or group plan that provides, or pays the cost of, medical care. . .”

INCLUDES (singly, or in combination):
• Group health plans (ERISA plans), insured AND self-insured, providing medical care for employees or dependents
  • Plans with fewer than 50 participants that are administered in-house by the employer are excluded from this definition.
• Health insurance issuers and HMOs

Health Plan (cont’d.)
• Medicare, Medicaid, Veterans, CHAMPUS, and other federal and state health plans outlined in regulations
• Issuers of long-term care policies, excluding nursing home fixed-indemnity policies
• *Any other individual or group plan providing or paying for the cost of medical care.
• 42 U.S.C. 1320d, 45 CFR 160.103

Plans Not Covered By HIPAA

Plans, policies, or programs to the extent they pay for excepted benefits:
• Coverage only for accident
• Disability income insurance
• Coverage supplementing liability insurance
• Liability insurance, including general and auto
• Workers’ compensation insurance
• Automobile medical payment insurance
• Coverage for on-site medical clinics
• 42 U.S.C. 300gg-91(c)(1)

Examples of Covered Health Plans in the College or University Setting
• Employee group health plan (fully/self-insured)
• Employee group dental plan (fully/self-insured)
• Employee group vision plan (fully/self-insured)
• Employee flexible spending account
• Employee Assistance Plan (for other than on-site clinic)
• Retiree health plan (fully/self-insured)
• Student health (fully/self-insured) (for other than on-campus clinic)

Examples of Non-Covered Plans in a College or University Setting
• NCAA intercollegiate accident policy
• Employee long-term disability policy
• Employee life insurance policy
• Employee workers’ compensation coverage
• Student health fee for on-site student health and counseling services

Is This Example a Health Plan?
University has a private psychiatrist on retainer, to evaluate students on a one-time referral from University physician/counselors when behavioral concerns arise. University pays psychiatrist directly for these sessions out of student health and counseling budget. Is this practice a “health plan” under HIPAA?
• Presenter takes the position that this is not a covered health plan, but a contractual extension of the excluded on-site clinic exemption under HIPAA. (Note: this is the presenter’s opinion, not an official HHS response.)

“Plan Sponsor”
• Defined only under the privacy regulations, as the employer or other entity that establishes and maintains a group health plan. (ERISA only? 45 CFR 164.501)
• Employers and other Plan Sponsors are NOT covered entities under HIPAA, per se. However, Plan Sponsors do have certain specific obligations under the Privacy Regulations.
• As a practical matter, employer-sponsored health plans have no employees and exist only as plan documents. So the employer/plan sponsor/plan administrator may need to ensure compliance, particularly with self-insured plans.

Endorsed vs. Sponsored Plans
Question: A university endorses one student health insurance policy and allows that insurer to market the policy as the College Sponsored Student Health Plan. There is no contractual relationship between the college and the insurer and the students apply, pay premiums, and file claims on their own. Is the college a Plan Sponsor for HIPAA?
• No. First, the concept of a plan sponsor as defined appears to apply only to ERISA plans. Second, the college has not undertaken any responsibility to pay any premiums or subject itself to any other liability under the policy. It is acting only as endorser and liaison between insurer and student. Under these circumstances, the college is not a HIPAA plan sponsor of this plan. (Presenter’s opinion)

“Health Care Providers”
• Health care providers are only covered under HIPAA IF they electronically transmit any health information in connection with one of the specifically defined HIPAA transactions. [May be broader under proposed security regulations] 42 U.S.C. 1320d-1, 45 CFR 160.103
• According to HHS FAQs, paper-to-paper faxing (NOT sent via/to computer, but by telephone fax) is NOT electronic transmission under HIPAA; neither are phone mail/voice faxback systems.
• Size of health care provider is irrelevant to coverage: there is no small provider exception.

HIPAA Transactions

The following administrative and financial health care transactions are the HIPAA transactions required to be processed as “standard transactions” by covered entities (see definitions at 45 CFR Part 162, Subparts K-R):
• Health care claims and encounters
• Enrollment and disenrollment in a health plan
• Eligibility for a health plan
• Health care payment and remittance advice
• Health plan premium payments
• Health claim status
• Referral certification and authorization
• Coordination of benefits
• First report of injury (to be adopted later)
• Claims attachments (to be adopted later)

HIPAA Transactions (cont’d.)
• If a health care provider transmits any of these transactions electronically, that health care provider is a covered entity. E.g., if your student health center bills student insurance electronically, or bills summer campers’ insurance electronically, or sends referral authorizations to insurers electronically, it has become a covered entity.
• It appears from HHS comments that “in connection with” means as a part of the covered transaction itself, not merely in communications in any way related to a covered transaction (e.g., electronically submitting a claim as opposed to emailing with a question about how to transmit a claim).

Look Closely at the Definitions of HIPAA Transactions
• Do not assume that you know what the listed transactions include. They are specifically defined, and most specifically pertain only to transactions to/from health providers from/to health plans.
• E.g., student health centers that only bill student accounts, not third-party payers. This is direct billing of the patient under an excluded plan covering on-site clinic services, not a “claim” to a covered health plan. Thus, this sort of account billing is not a HIPAA transaction.

More Examples of Non-HIPAA Triggering Transactions
• E.g., an email from one doctor to another doctor regarding a patient’s treatment is not a HIPAA transaction to trigger coverage as a “covered entity” or require standard formatting.
• E.g., a flexible spending account plan does not involve claims from health providers to the plan, but merely direct reimbursement of the employee, so though the plan is a covered plan, it conducts no HIPAA “claims” required to be standardized.

Health Care Providers that May Be Covered in a College or University Setting
• Student Health Centers: physicians, nurses, and other providers
• Counseling Center staff: psychiatrists, clinical psychologists
• Athletic Trainers
ONLY IF THEY TRANSMIT HEALTH INFO. ELECTRONICALLY IN ONE OF THE DEFINED HIPAA TRANSACTIONS [May be broader under proposed security regulations]

Health Care Clearinghouse
• An entity that takes non-standard health care transactions and converts them into standard form.
• Some college and university health care providers or plans may use these entities in administering their health services or plans. Others may act as clearinghouses by billing third-party payers on behalf of other entities, such as clinics or practice groups.

Business Associates
• Persons or entities that perform functions or activities on behalf of a covered entity, but that are not part of the covered entity’s workforce. 45 CFR 160.103
• Business Associates do not thereby become covered entities, but may be in their own right.
• E.g., Third-Party Administrators are business associates that perform claims administration functions for self-insured health plans.
• E.g., External Billing Services are business associates that perform functions on behalf of covered health care providers, but are not themselves covered entities.

Threshold Question: Are You Covered under HIPAA?
• Determine whether your college or university maintains any covered health plans.
• Determine whether your college or university has any covered health care providers.
• Survey appropriate individuals in offices dealing with these areas: financial, personnel, business, student health, counseling, trainers, etc.
• Survey the business associates of any health plans and health providers to determine whether they engage in HIPAA transactions and the extent to which they use/disclose health information.

HIPAA Transaction Regulations: Overview

Designed to bring about the standardization of electronic exchange of health care information between health plans, providers, and their business associates, in certain specific key financial and administrative transactions.

BE SURE YOU DETERMINE WHETHER ANY COVERED ENTITY ENGAGES IN ANY OF THESE TRANSACTIONS.

Transaction Regulations
• HHS has adopted national standards and code sets (medical and administrative) that must be used in the electronic exchange of health information in connection with the HIPAA Transactions. 45 CFR Part 160 and 45 CFR Part 162.
• All health plans, and covered health care providers that conduct HIPAA Transactions electronically, must use the transaction standards.
• All health plans must assure that their business associates (e.g., Third-Party Administrators) comply with the transaction standards.

Transaction Regulations (cont’d.)
• Health plans MUST be able to conduct transactions as standard transactions upon request, though they may use a clearinghouse or other business associate (such as a Third-Party Administrator) to do so.
• Plan Sponsors are NOT required to submit HIPAA transactions (e.g., enrollment and premium submissions) using the standards, because they are NOT covered entities.
• Covered health care providers do NOT have to transmit any of the transactions electronically; but if they do so, they must use the standard transactions.

Transaction Regulations Compliance Deadline
• Deadline for compliance with Transactions Regulations has been extended to October 16, 2003 for covered entities IF, by October 15, 2002, they filed a compliance extension plan. (H.R. 3323, the Administrative Simplification Compliance Act)
• Small health plans (with annual receipts of $5 million or less) need not file any extension; their original compliance deadline remains October 16, 2003.
• Information on correction/clarification of extension filings can be accessed at: http://www.cms.gov/hipaa.

What if You Failed to File an Extension?
• First, be sure you are a covered entity and subject to the earlier deadline, not the extended deadline for small health plans.
• Covered Health Plans should contact their insurers to determine if insurers filed for extensions on behalf of the covered plans.
• For self-insured plans, Third-Party Administrators are not covered entities, and so were not obligated to file for extensions. However, some TPAs may have voluntarily filed for their self-insured plans, so check to see if this was done.

Privacy Regulations: Overview

Designed to protect patient rights by providing patient access to protected health information, restricting use of that information, and creating a nationwide framework for health privacy protection.

Status of Privacy Regulations
• NOTE: Privacy Regulations became effective April 14, 2001, and amendments were finalized August 14, 2002.
• For compliance deadlines, see “Deadlines for Privacy Regulations Compliance” at the end of this presentation.

Application of Privacy Regulations

Various parts of the privacy regulations will apply to the following entities with respect to protected health information:
• Health plans and health clearinghouses
• Health care providers who transmit health information electronically in a HIPAA transaction
• Plan sponsors of group health plans

Covered entities must ensure that their business associates who create or receive protected health information comply with the privacy regulations by written contract or agreement requiring specific assurances. 45 CFR 164.502, -504, -532.

“Protected Health Information”
• Individually identifiable health information (diagnosis, condition, treatment, payment) transmitted or maintained in any medium, including oral or hardcopy, not limited to electronic media. 45 CFR 164.501
• In other words, if you are a covered entity with protected health information, these regulations apply to all forms of such records and information.
• IMPORTANT EXCLUSIONS: student health information and employment records.

Student Health Information Exclusion
• Education records covered by FERPA, and
• Records of students held by colleges and universities used exclusively for health care treatment and which have not been disclosed to anyone other than a health care provider at the student’s request. (These are specifically excluded from the definition of “education records.”) 45 CFR 164.501
• HHS expressly determined that it was not going to preempt FERPA, because FERPA provided a privacy framework for student records. So, if the records fit within the “HIPAA FERPA” exception, FERPA applies.

Employee Records Exclusion
• Contained in the finalized amendments to the privacy regulations.
• Excludes from protected health information employment records held by a covered entity in its role as employer. 45 CFR 164.501
• E.g., covered university physician or benefits office maintaining employee records regarding requested disability accommodation, FMLA, or on-the-job drug testing. However, the records kept on employee health plan participation and claims, as well as medical treatment of employees by any college/university health care providers who are covered entities, are PHI.

May 2, 2002 (updated 1/13/03)
Disclosure of PHI Restricted
Covered entities allowed to disclose without
authorization for treatment, payment, and health
care operations (see regulations for specific
definition of these terms). 45 CFR 164.506
 Amended regulations remove requirement for health
care providers to get general consent, allow for
acknowledgement of notice on privacy practices at
time of first visit.
 Covered entities allowed to disclose otherwise with
written authorization of individual. 45 CFR 164.508

HIPAA Basics: 2002 Washington and Lee University
41
May 2, 2002 (updated 1/13/03)
Disclosure of PHI Restricted (cont’d.)
• Covered entities allowed to disclose certain types of information without individual authorization if opportunity to “agree or opt out” (like FERPA directory information.) 45 CFR 164.510
• Covered entities may disclose without authorization when required by law, and for the specific public-interest purposes listed in the regulations (e.g., public health activities such as a public health emergency or product recall). 45 CFR 164.512
• In most disclosures, covered entities must disclose “minimum necessary” information. 45 CFR 164.514

How do Restrictions on PHI Disclosure Affect Research?
• Research alone does not make a university a covered entity or a department a health care component, unless researchers are also treating and, as health care providers, are electronically transmitting health info in HIPAA transactions.
• However, researchers will need to produce either a specific HIPAA authorization, IRB/privacy board waiver, or meet a specific HIPAA research exception in order to obtain PHI from covered health care providers or other covered entities who are data sources. 45 CFR 164.508 or 164.512(i)
• Contact data sources now to see what they will require.

“Hybrid Entity”
• Unique to privacy regulations: 45 CFR 164.504
• A single legal entity that is a covered entity, that performs covered and non-covered functions, and that designates health care components. Most colleges/universities will be a hybrid.
• E.g., university with a covered student health center and covered health plans. Under the hybrid status, the entire university does not become a covered entity; only the designated health care components are required to comply with HIPAA privacy regulations. 45 CFR 164.504

“Hybrid Entity” (cont’d.)
• Hybrid entity MUST designate any component that would meet the definition of a covered entity if it were a separate legal entity.
• Hybrid entity MAY include other components that perform covered functions and activities that would make the component a business associate if it were a separate legal entity (e.g., division of business office involved in billing, division of benefits office involved in covered plans, division of legal counsel’s office involved in health care issues.) Can be specific as to individuals; need not name an entire office.

Considerations for Selection of Optional Health Care Components
• A hybrid covered entity must ensure privacy regulations compliance by its health care components. 45 CFR 164.504
• Without a HIPAA authorization, a health care component can’t disclose PHI to another, non-health care component of the university where disclosure would be prohibited if the components were separate legal entities.

Designation of Hybrid Entity Components
• Must make this designation in writing (internal designation, not required to be filed, but must have a paper trail in case of OCR/HHS inquiry.)
• Document any additions or removals of individuals/offices as health care components as they occur.
• Remember: only individuals/offices that deal in PHI are required to comply with privacy regs. If an office only deals with exempt student or employment records, it does not handle PHI and there may be no reason to designate it as a health care component if it would not meet the definition of a covered entity itself.

Considerations for Hybrid Entities (cont’d.)
• If non-covered components are closely intertwined with covered components and have need for PHI, it may make sense to designate them as health care components.
• But be careful of over-designating! (E.g., if the student health center is not a covered entity and not closely intertwined with covered health plans, designation could require unnecessary practices and conflicts with FERPA.)
• Other examples of potentially unnecessary designation: athletic trainers who do no electronic third-party billing or referrals with covered plans; researchers uninvolved with health care providers or health plans.

Use/Disclosure by Business Associates
• Covered entities need business associate contracts/agreements with all business associates who create or receive PHI in carrying out functions on behalf of the covered entity.
• E.g., third-party administrators of university self-insured health plans, outside counsel handling matters involving PHI.
• BA must not use or further disclose PHI other than as permitted or required by law.
• BA must use appropriate privacy and security safeguards.

Use/Disclosure by Business Associates (cont’d.)
• BA must report any improper use or disclosure of which it becomes aware to covered entity.
• BA must ensure its agents agree to same restrictions.
• Regulations provide transition timetable for contracts renewed at various points prior to compliance deadline.
• 45 CFR 164.502, -504, -532

Right of Individual Patient or Plan Participant
• Individual has a right to request confidential communication of health information. 45 CFR 164.522
• Individual has a right to access his/her health information. 45 CFR 164.524
• Individual has a right to request amendment of incomplete or inaccurate health information. 45 CFR 164.526
• Individual has a right to receive an accounting of certain disclosures of health information. 45 CFR 164.528

Required Privacy Notices by Covered Entities
• Covered entities must provide notice of their privacy practices for protected health information. 45 CFR 164.520
• For self-insured group health plans, the health plan itself must provide the notice. For an insured or HMO plan, the insurance issuer or HMO must provide the notice.
• If an insured/HMO group health plan creates or receives PHI (beyond information on participation, enrollment, disenrollment, or summary information), it is required to develop and maintain such notice and provide it on request. Otherwise, not required.

Joint Consent and Notice Vehicles
• Single Affiliated Covered Entity: designation of multiple covered entities under common ownership or control as a single Covered Entity (e.g., commonly owned health care facilities, different divisions of a single covered entity.)
• 45 CFR 164.504(d)

Joint Consent and Notice Vehicles (cont’d.)
• Organized Health Care Arrangement: joint venture between covered entities, which allows for joint notice of privacy practices and joint consent for covered health care providers. Also allows these entities to share PHI with each other for the arrangement’s operations without a business associate agreement or authorization.
• Available for clinically integrated settings, insurers and group health plans, group health plans with the same plan sponsor. Requires written designation and indication on notice of privacy practices.
• 45 CFR 164.501, -520(d).
• Ambiguity re: any shared liability.

Use of PHI by Plan Sponsors of Group Health Plans
• Regulations restrict the disclosure of PHI by group health plans/insurance issuers/HMOs to employer plan sponsors. Designed to prevent use of PHI in making employment-related decisions.
• Before a group health plan/insurance issuer/HMO can disclose PHI to a plan sponsor (other than summary/enrollment/disenrollment OR with an authorization), the plan sponsor must have amended its plan documents to agree to:
  • Establish permitted and required uses of PHI
  • Ensure that agents will agree to same restrictions
  • Not use information for employment-related actions

Plan Document Amendments (cont’d.)
  • Report inconsistent use or disclosure of which it becomes aware
  • Make available information required for health information amendment and accounting of disclosures
  • Make internal practices and records available to HHS for determining compliance
  • Return or destroy all PHI when no longer needed
  • Ensure that adequate separation (“firewalls”) is established by identifying employees or classes of employees to be given access to PHI, restricting that use to plan administration functions, and providing a mechanism to resolve noncompliance issues.
  • 45 CFR 164.504(f)

Should all Plan Sponsors Amend their Plan Documents?

Not necessarily, but there are several reasons why plan sponsors should carefully consider how to proceed. Ask: How often/why do we get PHI?
• Insurers/HMOs may require plan document amendments for continued coverage or premium discounts, etc.
• The college/university may want to continue claims advocacy on behalf of its employees without obtaining an individual authorization each time.
• Ultimately, if a PHI disclosure occurs, the group health plan could face HIPAA penalties for not ensuring that the amendments were made before the PHI was disclosed to the plan sponsor.

Ancillary Administrative Requirements of Privacy Regs
Note: Insured/HMO group health plans that neither create nor receive PHI except summary/participation/enrollment information are not subject to most of these requirements. Plan sponsors are not subject to these requirements as such. HOWEVER, self-insured health plans must comply with all of these requirements, as must insured/HMO plans that create or receive other PHI.
• 45 CFR 164.530(k)

Ancillary Administrative Requirements (cont’d.)
 Designate privacy official for policy development and receipt of complaints
 Train workforce of covered entity (covered health care components) on PHI
 Implement reasonable administrative, technical and physical safeguards to protect PHI
 Provide complaint process
 Establish and apply appropriate sanctions for covered entity workforce noncompliance

Ancillary Administrative Requirements (cont’d.)
 Mitigate any harmful effect of wrongful disclosures of PHI
 Take no retaliatory action against those exercising HIPAA rights or complainants
 Implement written policies and procedures re: PHI and maintain documentation required under the regulations for six years
 45 CFR 164.530
Attn: Covered University Health Care Providers and Student Health Plans With No PHI
 In comments to the privacy regulations, HHS has stated that the privacy rules only apply to a covered entity “to the extent” it possesses PHI. (P. 82488 Federal Register, December 28, 2000)
 HHS has also commented that, in light of the FERPA exclusion (removing student health records from PHI), only non-FERPA schools would be subject to the ancillary administrative requirements as regards their covered health care clinics. (P. 82595 Federal Register, December 28, 2000)

The $64,000 Question:
Does the FERPA exception to PHI act to exempt a covered college/university health care provider or self-insured student health plan with only student records from the ancillary administrative requirements?
 No definitive regulatory answer, despite noted comments, FERPA exemption, and administrative requirements exemption for insured group health plans with no PHI.

Deadlines for Privacy Regulations Compliance
 Covered entities must comply by April 14, 2003.
 Small health plans with annual receipts (essentially, total of employer and employee premiums) of $5 million or less have until April 14, 2004. For self-insured plans, calculate using total amount of claims paid.
First Steps to Take Toward Compliance with Privacy Regs
 Inventory your campus for providers and plans that may be covered entities, as well as those departments that must/should be designated as health care components for a hybrid entity.
 Determine current practices re: health information and analyze the “gaps” between current practice and HIPAA requirements. Do the same for business associates of your covered entities and health care components.
 Develop compliant policies, documents, and training, working with insurers, TPAs, other business associates, and research data sources to promote consistency of practice.

Security Regulations (Proposed): Overview

Proposed regulations are designed to provide a standard level of protection for health information housed or transmitted electronically.
Administrative, technical and physical safeguards for storage, transmission, and access of electronic health information.
Security Regulations Coverage (Proposed)
 Potentially broader scope of covered entities than transaction and privacy regulations.
 In addition to health plans, proposed regulations cover clearinghouses or health care providers that (1) process any electronic transmission between covered health care entities OR (2) electronically maintain any health information used in an electronic transmission between any combination of covered health care entities. 45 CFR 142.302

Security Standards (Proposed)
 A covered entity must assess potential risks and vulnerabilities to the individual health data it possesses and develop, implement, and maintain appropriate security measures to protect individual health information in ELECTRONIC FORM, not hard copy or oral. 45 CFR 142.306
 Specifics will vary according to system, environment, etc.
Security Standards (Proposed) (cont’d.)

Minimum features (45 CFR 142.308):
• Administrative procedures to guard data integrity, confidentiality, and availability
• Physical safeguards to guard data integrity, confidentiality, and availability
• Technical security services and mechanisms to guard data integrity, confidentiality, and availability

If a covered entity elects to use electronic signatures in covered transactions, the entity must apply the proposed electronic signature standard. 45 CFR 142.310
Security Regulations Compliance Deadline
 Proposed effective/compliance date is 24 months after publication of the final rule in the Federal Register (not yet published – rumored for publication in December, 2002.) Small health plans have 36 months to comply. [Small health plans in proposed regs = fewer than 50 participants, but expect final to mirror transaction/privacy regs.] 45 CFR 142.312
General Penalty for Non-Compliance with HIPAA
 $100 per violation
 Cap on identical violations for one calendar year is $25,000.
 Penalty may be waived if non-compliance was due to reasonable cause and not willful neglect.
 42 U.S.C. 1320d-5

Penalty for Knowing Wrongful Disclosure of Individually Identifiable Health Information
 Fine of not more than $50,000 and imprisonment for one year, or both
 If committed under false pretenses, fine of not more than $100,000 and imprisonment for not more than five years, or both
 If committed with intent to sell, transfer or use such health information for gain or malicious harm, fine of not more than $250,000 and imprisonment of ten years, or both
 42 U.S.C. 1320d-6

No Private Cause of Action
 HIPAA does not provide a private cause of action by a patient or participant in a covered health plan against a covered entity or business associate.
 However, the HIPAA regulations and standards may become the standard of care for health information and could be used against the entity in a separate cause of action.
Want to Know More about HIPAA?

We hope that this presentation has made you aware of HIPAA, its basic coverage, and areas where it might apply on your campus. To find out more, here are some resources:
A Few Online Resources on HIPAA
 http://www.acha.org/info_resources/hipaa_links.cfm = HIPAA Resource site of American College Health Association
 http://aspe.hhs.gov/admnsimp/ = United States Department of Health and Human Services/Administrative Simplification
 http://www.hhs.gov/ocr/hipaa = Office for Civil Rights/HIPAA
 http://snip.wedi.org = Strategic National Implementation Process of the Workgroup for Electronic Data Interchange
