HITECH, HIPAA & SCHIP:
SO MANY ACRONYMS, SO LITTLE TIME
Alphabet Soup
American Recovery and Reinvestment Act of 2009 (“ARRA”)
Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”)
State Children's Health Insurance Act (“SCHIP”)
Stimulus Spending for Health Care
$87 billion in increased Medicaid funding (Kentucky’s share $990 million)
$17 billion to reimburse physicians and hospitals who embrace electronic medical records
$25 billion in COBRA subsidies
$8.2 billion to NIH for grants to promote large-scale research and support community health, including $500 million to train professionals in rural areas through the National Health Service Corps
$1.5 billion for “comparative effectiveness research”
Total: $130+ billion
Publicized Kentucky Initiatives to Date
13.6 percent increase in food stamp benefits for recipient families
$450,000 for training and part-time employment for low-income persons age 55+
Restoration of funds cut from 50 agencies caring for children in state custody ($4 million)
Temporary increase in hospital reimbursements to settle outstanding appeals
Kentucky’s Share of Medicaid Funding = $990 Million
Prior to ARRA, the federal contribution per $100 of Medicaid funds paid out in Kentucky was $70.13
Under ARRA, Kentucky receives an increased federal contribution of $78.61
Incentives for Hospitals to Implement Electronic Health Records
HITECH Infrastructure
Significant HITECH provisions
Federal Gov’t now officially the coordinator of federal HIT policy
Federal Gov’t has an expanded role in HIT testing and research (NIST to test/certify)
Federal subsidies for states, nonprofits, and educational institutions to promote/implement HIT
Significant revisions to HIPAA privacy/security
Significant new burdens for HIPAA “business associates”
HITECH – Role in Healthcare Reform
Why now?
HITECH reflects the federal government’s intent for HIT to play a transformative role in health care reform
Reduce adverse events, increase quality
Eliminate errors & duplication
Accelerate and expand the pool of useful data
  comparative effectiveness research
  identify provider variations & inefficiencies
Contain costs in government healthcare programs
Incentives
Adopting EHR is still voluntary, but HITECH offers inducements to adopt and penalties for those who don’t
EHR stimulus money is available AFTER adoption and demonstration of “meaningful use” – yet to be defined
HITECH – Loans and Grants
HITECH provides stimulus money to states to “promote HIT”
State can use grant money for EHR Adoption Loan Programs
Loans cannot be made before January 1, 2010
HITECH – Loans and Grants
Providers can use a loan to purchase, upgrade, obtain training, or improve security
Providers who get a HITECH-funded loan must
  Submit “quality reports”
  Demonstrate that the EHR satisfies standards and improves quality of care – “meaningful use” rule
  Include a plan for EHR maintenance over time
  Submit clinical quality info (TBD)
Must the provider maintain the EHR after the loan is repaid? Not addressed
Why EHR?
Physician Office Productivity
Fewer chart pulls
Improved efficiency in communicating with patients and pharmacies
Improved billing accuracy
Reduced transcription costs
Clearer, safer prescribing through e-prescribing technology
Why EHR?
Quality of Care Improvement
Comprehensive point-of-care decision support – clinical guidelines, drug interactions, etc.
Rapid and remote access to patient information
Integration of evidence-based clinical guidelines
Patient-specific alerts – current drug regimen, allergies, etc.
Reduction of redundant, unnecessary services
Decrease in frequency of medical error
HITECH’s Expansion of HIPAA
Who Must Comply? “Covered Entities” (Includes Health Plans)
Doesn’t HIPAA apply only to health plans and health care providers? In other words, aren’t employers exempted?
No. HIPAA applies to any “covered entity,” provided that certain other requirements are met. A covered entity means a health plan, health care clearinghouse or health care provider (to the extent that it engages in the electronic transmission of confidential health information).
Under what circumstances will a group health plan be a covered entity?
If the plan either (i) has 50 or more participants; or (ii) is administered by a third party (e.g., an insurance carrier).
What Health Information is Protected by the HIPAA Privacy Rule (“PHI”)?
All Medical Records AND
Other “Individually Identifiable Health Information” created or received by a Covered Entity or an employer
In ANY form or medium:
  electronic
  paper
  oral
An Important Distinction
Employment records held by a covered entity in its role as employer are not protected by the Privacy Rule
Information an employer receives from a health plan it sponsors or obtains from an employee’s medical record is protected by the Privacy Rule
New Rules on Privacy
HIPAA Changes
Stricter Requirements for “Covered Entities” under HIPAA
  Health Plans (including employer-sponsored)
  Health Care Providers
  Health Data Clearinghouses
Direct Regulation of “Business Associates”
  Person or entity who performs functions on behalf of a covered entity involving use or disclosure of PHI
  Accountants, lawyers, software vendors, TPAs, utilization reviewers, transcriptionists, interpreters, collection agencies and more
Tougher Rules for Covered Entities
Stricter rules re: honoring requests about use/disclosure of PHI
  Self-pay
Contraction of the “minimum necessary” concept governing use/disclosure for payment and operations
  Limited Data Set “safe harbor”
Expanded requirement to account for disclosures
  All disclosures made via EHR must be tracked and reported
Tougher Rules for Covered Entities (cont’d)
Prohibition on any remuneration for PHI without authorization (some exceptions, like research, public health, sale of entity)
Access requirement includes production in electronic form
New restrictions on marketing communications require conspicuous notice about opting out
New Data Breach Notification Rules
“Breach” is unauthorized acquisition, access, use or disclosure of PHI that compromises the security or privacy of the information
Applies to “unsecured PHI”
Duty to notify each individual whose PHI “has been, or is reasonably believed by the covered entity to have been,” accessed, acquired, or disclosed due to the breach
Notification (cont’d)
Notification requirement also applies to BAs
  BAs to provide notice to the covered entity
“Safe Harbor” for secured PHI based on guidance issued by HHS
  HHS Guidance issued April 27, 2009 says, in effect, encrypt or destroy. Encrypted data is secure only if the key has not been breached
Notification (cont’d)
A breach is considered “discovered” on the first day it is known to the BA or covered entity, including any employee, officer or other agent of such entity or associate
All notifications must be made “without unreasonable delay”
  no later than 60 calendar days after discovery
  burden on the notifying entity to demonstrate that all required notifications were made and to explain any delays
If the entity lacks sufficient contact information for 10+ individuals, notification must be made on the entity’s home page, or in major print or broadcast media
Notification (cont’d)
Notice must be
  in writing
  by first class mail
  sent to the last known address of the individual or next of kin
  if the individual specified a preference for e-mail notification, that method shall be used
  one or more mailings (as more information becomes available)
Notification (cont’d)
If more than 500 residents of a state or jurisdiction are affected
  notices as described above AND
  notification to “prominent media outlets” in such state or jurisdiction
Exception: if notice will “impede a criminal investigation or cause damage to national security,” then notice may be delayed
Notification (cont’d)
Notice to Secretary
  if more than 500 individuals affected
  HHS to publicize breaching entities on its website
  If breach impacts more than 500, notice to HHS must occur immediately
Entities are permitted to keep a log of breaches affecting fewer than 500 individuals and submit it to HHS annually
Notification (cont’d)
All notices, to the extent possible, must include
  Description of the breach
  Description of the types of information involved
  Steps individuals should take to protect themselves from potential harm resulting from the breach
  Description of the covered entity’s actions to investigate the breach, mitigate losses, and protect against any further breaches
  Contact information
New Regime for Business Associates
HIPAA is not just a contractual responsibility now
Regulatory requirements to
  Notify covered entities of a data breach
  Directly comply with administrative, physical, and technical safeguards and documentation requirements under the HIPAA security rule, just like covered entities
New Regime for Business Associates (cont’d)
Use or disclose PHI only if such use or disclosure is in compliance with the privacy provisions of their business associate contracts
Take action if the covered entity has a pattern or practice of violating HIPAA
New Regime for Business Associates (cont’d)
Practical Effects
  Security officer or task force
  Multi-department risk assessment of how information is received, accessed and used, stored and disclosed to others
  Adopt and implement written policies and procedures
Increased Enforcement and Penalties
Historically, HIPAA enforcement has been complaint-driven
ARRA appropriated $24.3 billion to the privacy and security goals. Of this amount, $9.5 million is set aside to fund proactive HIPAA compliance audits by the Office for Civil Rights and CMS
The GAO is directed to prepare a report within 18 months of HITECH’s enactment establishing a method for allowing affected individuals to share in civil monetary penalties imposed under HIPAA
Old: $100/violation, max of $25,000/year – no intent was factored in
Increased Enforcement and Penalties (cont’d).
Under HITECH, potential penalties are increased significantly, and are tiered to take into account the intent of the violator. The tiers are as follows:
Tier A – if the violator did not know (and by exercising reasonable diligence would not have known) that its actions violated the HIPAA laws or regulations, a penalty of at least $100 per violation but not more than $25,000 per violation for multiple violations of the same requirement in a calendar year; and up to $50,000 per violation, not to exceed $1.5 million for the same requirement
Tier B – if the violation was due to reasonable cause and not willful neglect, a penalty of at least $1,000 per violation but not more than $50,000 per violation of the same requirement in a calendar year; and up to $50,000 per violation, not to exceed $1.5 million for the same requirement
Increased Enforcement and Penalties (cont’d).
Tier C – if the violation was due to willful neglect and is corrected, a penalty of at least $10,000 per violation but not more than $250,000 for multiple violations of the same requirement in a calendar year; and up to $50,000 per violation but not more than $1.5 million for multiple violations of the same requirement in a calendar year
Tier D – if the violation was due to willful neglect and is not corrected, a fine of $50,000 per violation but not more than $1.5 million for multiple violations of the same requirement in a calendar year
Increased Enforcement and Penalties (cont’d).
State Attorneys General may now file a civil action against HIPAA violators on behalf of residents of their state.
  $100 per violation, not to exceed $25,000 per calendar year.
Criminal penalties:
  Up to $50,000 and up to one year in prison, or both, if a person knowingly obtains individually identifiable health information relating to an individual or discloses the information to another person in a manner that violates HIPAA.
  Up to $100,000 and up to five years in prison, or both, if the information was obtained under false pretenses.
  Up to $250,000 and up to ten years in prison, or both, if the violation involves commercial advantage, personal gain, or malicious harm.
STEP 1: IDENTIFY THE GROUP HEALTH PLANS THAT THE EMPLOYER SPONSORS
major medical plans
dental plans
vision plans
health care flexible spending accounts
health reimbursement arrangements
high-deductible health plans
health savings accounts
cancer insurance and other employee-pay-all plans
employee assistance plans providing counseling
retiree health plans
long-term care plans
wellness programs
STEP 2: IDENTIFY FULLY-INSURED PLANS AND SELF-INSURED PLANS
Fully-insured: If no access to PHI (except for summary and enrollment/disenrollment information), then the group health plan has minimal HIPAA privacy compliance issues
Self-insured (or fully insured with access to PHI): HIPAA Privacy Rule will apply and the sponsor will have to implement it
STEP 3: IDENTIFY WHAT PHI YOU RECEIVE AND WHAT PHI YOU REALLY NEED
Employer can receive summary health information – to obtain premium bids, or to modify, amend or terminate the plan – and information on enrollment and disenrollment
Employer can receive de-identified information
Employer can receive PHI the employee authorizes it to receive
What other information does the employer receive from the health plan that it doesn’t need? LESS IS MORE
The less PHI an employer receives from a plan, the better off it is . . .
An employer cannot use or disclose PHI received from the plan for employment-related decisions unless authorized by the employee
If an employer receives health information about an employee from someone other than the health plan (including the employee or a coworker), it’s not PHI
STEP 4 – IMPLEMENT A HIPAA PRIVACY AND SECURITY COMPLIANCE PLAN(S) FOR YOUR GROUP HEALTH PLANS
Because a fully-insured plan that is “hands off” PHI will have minimal HIPAA privacy requirements, an employer might want to have a separate privacy compliance policy for that plan
SCHIP/KCHIP
SCHIP
Created in 1997, Title XXI of the Social Security Act
State- and federal-funded children’s health insurance
Families earning too much for Medicaid, with uninsured children
Within federal guidelines, each state determines the design of its SCHIP program.
KY = KCHIP
SCHIP
Children’s Health Insurance Program Reauthorization Act (“CHIPRA”)
Signed into law February 4, 2009
Renews and expands SCHIP from 7 million to a projected 11 million children
$33 billion expansion
Funded primarily by boosting the federal cigarette tax from 61 cents to $1.00 per pack
In addition to the 30 million of the nation’s poorest children covered under Medicaid
CHIPRA Impacts Employer Health Plans
Premium Assistance Subsidy
CHIPRA allows a state to provide health plan premium assistance subsidies for certain low-income children
To be eligible a child must be eligible for SCHIP and eligible for coverage under a “qualified employer-sponsored health plan” – an employer-sponsored health plan under which the employer contributes at least 40% toward the employee’s premium
  Does not include health flexible spending arrangements or high-deductible health plans
In general, the premium assistance subsidy under SCHIP is the difference between the employee contribution for employee-only coverage and the employee contribution for coverage of the employee and the child
CHIPRA Impacts Employer Health Plans (cont’d)
Special Enrollment Rights
Became effective April 1, 2009
CHIPRA requires group health plans to permit an employee (or a dependent) who is eligible for plan coverage to enroll in the plan without waiting for an open enrollment period if:
  The employee or dependent loses SCHIP (or Medicaid) coverage because of a loss of eligibility (rather than nonpayment), and the employee requests coverage under the group health plan within 60 days after the termination; or
  The employee or dependent becomes eligible for an SCHIP (or Medicaid) premium assistance subsidy and the employee requests coverage under the group health plan within 60 days after the eligibility determination
KyHealth Choices
CHIPRA Impacts Employer Health Plans (cont’d)
Notices to Employees of State Assistance
CHIPRA requires employers in states that provide Medicaid or SCHIP premium assistance subsidies to notify their employees in writing of the premium assistance and their enrollment rights under CHIPRA
Model notices will be available no later than February 4, 2010
Employers will be required to provide this notice starting with the first plan year after the model notice is issued
The notice may be provided as part of:
  the annual open enrollment materials;
  the initial offering of coverage to new eligible employees; or
  when providing the summary plan description
CHIPRA Impacts Employer Health Plans (cont’d)
Disclosure of Plan Information to States
CHIPRA requires group health plan administrators to disclose certain plan information (e.g., benefits information) to a state that requests the information
Intended to help a state determine the cost-effectiveness of providing premium assistance
State governments may not request this information until a model coverage coordination disclosure form has been developed and regulations have been issued in connection with it
CHIPRA Impacts Employer Health Plans (cont’d)
Penalties
CHIPRA will subject employers to penalties of up to $100 a day for each failure to timely provide the required notices and disclosures
Some CHIPRA Action Items
Begin offering special enrollment
Prepare a summary of material modifications (SMM) or restate your summary plan descriptions (SPD) to include the new special enrollment rights
Update the special enrollment rights notice provided prior to or at the time of enrollment
Wait to comply with notice requirements until the model notice is issued
Disclose plan information when requested by a state
Decide whether to opt out of direct payment from the state and require the employee to pay the entire premium and seek state reimbursement
KCHIP
Children under the age of 19
Family income must not exceed 200% of the federal poverty level (before taxes)
  Family of 2: $29,140
  Family of 3: $36,620
  Family of 4: $44,100
A “family” is considered as a child or children and the natural or adoptive parents residing together in a household
KCHIP Contact Information
KCHIP Toll-Free Hotline: (877) KCHIP-18 (877-524-4718)
HITECH
Questions?
Steven D. Gossman
Wyatt, Tarrant & Combs, LLP
500 West Jefferson St., Suite 2800
Louisville, KY 40202
(502) 562-7330
sgossman@wyattfirm.com
www.wyattfirm.com
Copyright reserved.©