NLRG HIPAA PRIVACY SHORTCUT ROUTE: AN EMPLOYER GUIDE PARTNERING WITH YOU ON TRENDS AND BEST PRACTICES TO SUPPORT YOUR HUMAN RESOURCES INITIATIVES

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "NLRG HIPAA PRIVACY SHORTCUT ROUTE: AN EMPLOYER GUIDE PARTNERING WITH YOU ON TRENDS AND BEST PRACTICES TO SUPPORT YOUR HUMAN RESOURCES INITIATIVES"

Transcription

1 NLRG PARTNERING WITH YOU ON TRENDS AND BEST PRACTICES TO SUPPORT YOUR HUMAN RESOURCES INITIATIVES HIPAA PRIVACY SHORTCUT ROUTE: AN EMPLOYER GUIDE PERFORMANCE MANAGEMENT EMPLOYER GUIDE PAGE 1

2 HIPAA PRIVACY SHORTCUT ROUTE: AN EMPLOYER GUIDE TABLE OF CONTENTS How Does HIPAA Privacy Fit Within the Scope of Administrative Simplification? What Benefits are Subject to the HIPAA Privacy Rules? 2 Which Entities are Subject to the HIPAA Privacy Rules? 3 Health Plans Must Comply -- What is a Plan? 4 Who Is Responsible for HIPAA Compliance? 5 Brief Overview of HIPAA Privacy Rules 5 What Are Permissible Uses of Protected Health Information? 11 Red Flags: What Plan Designs Negate the Use of the Shortcut Route? 15 Steps to Compliance 16 1 What are the Penalties for Not Complying with the HIPAA Privacy Rules? APPENDIX 17 Glossary of Abbreviations used within this Employer Guide 19 HIPAA Lite Shortcut Implementation Guide 20 SUPPORTING EMPLOYER TOOLS Sample Draft Letter Requesting Confirmation of Fully-Insured Status Designation of Hybrid Entity Status and Health Care Component Letter Requesting Compliance Shortcut Assistance Authorization to Discuss Insurance Claims Authorization to Use or Disclose Health Information Summary of Material Modifications Policies & Procedures for Plan Administration RELATED EMPLOYER GUIDES AND TOOLS ERISA Reporting and Disclosure Health and Welfare Plans HIPAA Privacy Long Route HIPAA PRIVACY SHORTCUT ROUTE: AN EMPLOYER GUIDE

3 SPECIAL NOTE: The Privacy Rules were written to apply to a broad array of entities, not just health plans. Many of these entities have operations that are vastly different from typical employersponsored health plans operations. Accordingly, the Privacy Rules are, in many cases, difficult to apply to employer-sponsored health plans, and many questions under these rules cannot be answered with certainty. In addition, HIPAA imposes certain Security requirements on covered entities. This HIPAA Privacy Shortcut Route Employer Guide is not meant to provide full compliance with the HIPAA Security requirements. Covered entities must analyze many issues in order to fully comply with HIPAA Security, and only a basic mention of HIPAA Security concepts and terms is included within the HIPAA Lite Shortcut Implementation Guide (which is included within the Appendix at the end of this Employer Guide). For full HIPAA Security compliance, plan sponsors should seek out a service provider to work directly with the plan sponsor s particular plan design. This service provider should assure HIPAA Security compliance and perform the necessary Security risk analysis. This Employer Guide sets out our best understanding of how to apply these rules to health plans sponsored by a single employer. Some conclusions will change as health plans gain experience under these rules, industry practices become adapted to the rules, and additional guidance becomes available. Readers should be aware that, on many points, other reasonable interpretations of the Privacy Rules may be available that are not discussed in this Employer Guide. August 2015 HIPAA PRIVACY SHORTCUT ROUTE: AN EMPLOYER GUIDE

4 HOW DOES HIPAA PRIVACY FIT WITHIN THE SCOPE OF ADMINISTRATIVE SIMPLIFICATION? The Health Insurance Portability and Accountability Act of 1996 (HIPAA) applies to the health plans employers maintain for their employees. Most employers are familiar with the portability provisions of HIPAA, which include limitations on pre-existing condition exclusions, requirements for special enrollment opportunities and prohibitions against discrimination based on health status. However, aside from the name HIPAA, there is almost no relationship between the HIPAA portability rules and the HIPAA privacy rules, and they should be considered to be two entirely separate topics. The HIPAA Privacy rules guard the collection, dissemination, review, and use of health information so that protected health information is not used in a discriminatory manner and so that health information is more uniformly and carefully handled. ADMINISTRATIVE SIMPLIFICATION LEGISLATION The HIPAA privacy rules are part of HIPAA administrative simplification, which encompasses four sets of rules: Electronic health transaction standards ( EDI Rules ) (not discussed within this Employer Guide). Unique identifier rules for providers, health plans, employers and other participants in the health care system ( Identifier Rules ) (not discussed within this Employer Guide). Security and electronic signature standards ( Security Rules ) (only briefly discussed within this Employer Guide). Standards for privacy of individually identifiable health information ( Privacy Rules ). The EDI Rules and the Identifier Rules are intended to standardize health care transactions and create uniform identifiers for employers, health plans, providers and individuals, and, by doing so, make health care transactions more efficient and less expensive. Because standardized electronic data is vulnerable to unauthorized access, the Privacy Rules and Security Rules require implementation of various protections. Congress generally did not craft the actual HIPAA administration simplification standards. It required HHS to create them within some broad guidelines. The HIPAA legislation also stipulates that HHS administrative simplification rules must allow a two-year compliance period after publication in final form. Therefore, the administrative simplification standards generally could not become effective until at least two years after HHS issued final regulations implementing them. HHS finalized some of the administrative simplification rules in 2000, and the initial compliance deadlines for those rules were in 2002 and Because compliance with the EDI Rules, Identifier Rules and Security Rules is primarily a systems issue and most employers will rely on outside vendors to implement those standards, this Employer Guide does not address compliance with those rules. In addition to employer-sponsored health plans, the Privacy Rules apply to health care providers and clearinghouses for health care transactions, as well as to health plans that are not employer-sponsored. In this Employer Guide, however, we focus only on the responsibilities of employer-sponsored health plans under the Privacy Rules, and in particular the obligations of single-employer plans (as the rules operate somewhat differently for multiple-employer plans). HIPAA PRIVACY SHORTCUT ROUTE: AN EMPLOYER GUIDE 1

5 WHAT BENEFITS ARE SUBJECT TO THE HIPAA PRIVACY RULES? Virtually all employer health plans are subject to the HIPAA Privacy rules. The only health plans that are exempt from HIPAA administration simplification rules are plans with fewer than fifty participants that have no outside administrator. ERISA plans that provide exclusively non-health benefits, like accident coverage, disability income coverage, life insurance coverage, and liability coverage, are not subject to the Privacy Rules. Moreover, these benefits are not subject to the Privacy Rules even if they are included in an ERISA plan along with health benefits. The plan does not have to comply with the Privacy Rules with respect to the excluded benefits (although it will have to comply with respect to the health benefits). Applicability of HIPAA Privacy rules to the following: Subject to HIPAA Privacy Government-sponsored health plans Church-sponsored health plans Small health plans of small employers Self-insured health plans Health Reimbursement Arrangement (Code Section 105 medical reimbursement) Health FSA Fully-insured health plans HMO PPO EPO Traditional Indemnity Open Access HMO POS Minimum Premium Dental benefits Indemnity Dental DMO Vision benefits Prescription drug benefits Executive Physical Program Employee Assistance Plan Retiree Medical Voluntary medical benefits see below to determine which entity is responsible for HIPAA Privacy compliance Wellness program Long-term Care Not Subject to HIPAA Privacy Life Insurance Accidental Death & Dismemberment Insurance Adoption Assistance Disability income coverage On-site medical clinics (not deemed to be a health plan, but clinics may be covered under the Privacy Rules as health care providers this discussion is beyond the scope of this Employer Guide). Medical leave programs Automobile Liability coverage Workers compensation Credit-only insurance General Liability coverage Legal services Dependent FSA Adoption Assistance Education Assistance Section 125 (cafeteria plan) HIPAA PRIVACY SHORTCUT ROUTE: AN EMPLOYER GUIDE 2

6 VOLUNTARY HEALTH BENEFITS While voluntary health benefits are subject to the Privacy Rules, an employer might not be ultimately responsible for such benefits. If an employer offers an employee-pay-all voluntary insurance program, but the employer s involvement with the voluntary benefit meets the following conditions (and thus, the benefit is deemed to be maintained by an insurance company), then HIPAA Privacy compliance will not be the employer s responsibility. The analysis to determine which entity is charged with HIPAA Privacy compliance is the same as the analysis to determine whether or not a benefit option is employer-sponsored or voluntary (and hence not subject to ERISA). The following requirements must be satisfied in order for the Privacy Rule compliance to become the duty of the insurer: The program must be offered by the insurance company on a completely voluntary basis; The employer s involvement with the benefits must be limited to letting insurance representatives publicize the program and collecting premiums through payroll deductions; and The employer must not do any of the following: Make any contributions towards the benefits Receive any consideration in the form of cash or otherwise in connection with the program Endorse the program in any way Note on Endorsement : Many programs fail to qualify because the employer directly or indirectly endorses the program. Several situations have been found to involve employer endorsement that results in the employer having responsibility for the program. The group insurance contract providing coverage under the program is issued in the employer s name The employer allows employees to pay for their coverage under the program through a Section 125 pretax premium plan The employer chooses the insurance company and the coverage (e.g., selecting eligibility criteria, requesting non-standard provisions, or requiring options the insurer usually would not offer) The employer negotiates with the insurer for rates or coverage The employer assists employees in completing their claim forms The employer sends premium notices, and collects premiums from, employees as directed by the insurer, and transmits premiums to the insurer that were paid other than through payroll deduction The employer sends descriptive literature under its own name The employer becomes involved in the discretionary administration of the arrangement If a plan does not clearly meet the requirements to qualify as a voluntary plan, the employer should treat it as a sponsored plan for which the employer has compliance responsibility under the Privacy Rules. WHICH ENTITIES ARE SUBJECT TO THE HIPAA PRIVACY RULES? The Privacy Rules apply to virtually all employer-sponsored health plans (even church plans, government-sponsored plans, and small plans). Even though health plans are nominally the parties subject to these rules, as a practical matter, employers will be responsible to ensure their health plans compliance with the Privacy Rules. While the health plans that employers maintain are subject to the Privacy Rules, employers themselves are not subject to these rules (unless they qualify as health care providers or clearinghouses, or are deemed to be health plans independent of their employer-sponsored benefit plans). Because employer-sponsored health plans generally do not have employees or assets, they cannot do anything unless the employer or a third party acts on their behalf. Accordingly, applicable law assigns responsibility for the plan s actions to various parties involved with the plan. For example, ERISA assigns responsibility for assuring proper HIPAA PRIVACY SHORTCUT ROUTE: AN EMPLOYER GUIDE 3

7 plan operations and compliance with applicable laws to the plan s fiduciaries. In most cases, the employer is a plan fiduciary, making the employer responsible, at least in part, for the plan s compliance with the Privacy Rules. Third parties providing services to employer-sponsored plans, like third-party administrators (TPAs), are not directly subject to the Privacy Rules because of those activities, but may incur penalties for certain violations of the Privacy Rules. Insurers, HMOs, and certain other health care plans are directly subject to the Privacy Rules, but only to the extent that they insure benefits provided under a plan. That is, if an insurer only provides administrative services to a plan but does not provide insurance, it will not be directly subject to the Privacy Rules with respect to that plan, but may incur penalties for certain violations of the Privacy Rules. It is important to note that the employer s responsibilities with respect to its health plan, and many of the health plan s responsibilities under the Privacy Rules, continue to apply even if all plan benefits under the health plan are provided through insurance. This is true even if the health insurer providing the insurance under the plan is subject to those rules itself (although there are some significant compliance shortcuts under the Privacy Rules for fully-insured plans see the HIPAA Privacy Long Route Employer Guide). Nonetheless, a fully-insured employer-sponsored health plan, and its sponsoring employer generally retain overall responsibility for compliance with the Privacy Rules. Plans that are not fully insured do not have any compliance shortcuts under the Privacy Rules. In practice, many of the compliance functions may be delegated to third parties. However, even when an employer or plan delegates a compliance function to a third party, like a TPA, the plan and the employer generally retain responsibility for compliance with the Privacy Rules. HEALTH PLANS MUST COMPLY WHAT IS A PLAN? The benefit options above are subject to the HIPAA Privacy Rules, but employers need to identify Plans that must comply with the Privacy Rules. The Privacy Rules apply separately to each plan an employer maintains, so it is important to identify whether benefits are included within a single plan or whether benefits are offered under multiple plans. EMPLOYERS SUBJECT TO ERISA For employers that are subject to ERISA, a health plan for purposes of the Privacy Rules is an ERISA plan that provides health benefits. For plans that file a Form 5500, the plan is defined by the most recent Form 5500 filed for that plan, or any more recent amendments to that plan. If an employer has combined several welfare benefits into a single plan so that it files only one Form 5500 for those welfare benefits, then that combined plan is the health plan for purposes of the Privacy Rules. These combined plans may provide non-health benefits in addition to health benefits, but will still be health plans for purposes of the Privacy Rules. EMPLOYERS NOT SUBJECT TO ERISA For employers that are not subject to ERISA, or that sponsor health benefits programs with respect to which no Form 5500 is filed, the boundaries of a particular plan may not be well defined. In that case, the available documents regarding the health benefits (for example insurance policies, benefits booklets, and enrollment forms) will determine which health benefits are associated with which plan. Absent other documentation, each health benefits program generally should be treated as a separate plan for purposes of the Privacy Rules. For example, an employer that offers an HMO and a health flexible spending account should treat them as two separate plans, absent documentation showing that they have been combined into a single plan. HIPAA PRIVACY SHORTCUT ROUTE: AN EMPLOYER GUIDE 4

8 WHO IS RESPONSIBLE FOR HIPAA COMPLIANCE? The Privacy Rules apply to virtually all employer-sponsored health plans. Even though health plans are nominally the parties subject to these rules, as a practical matter, employers will be responsible to ensure their health plans compliance with the Privacy Rules. Third parties providing services to employer-sponsored plans, like third-party administrators (TPAs), are not directly subject to the Privacy Rules because of those activities. Insurers, HMOs and certain other health care plans are directly subject to the Privacy Rules, but only to the extent that they insure benefits provided under a plan. That is, if an insurer only provides administrative services to a plan but does not provide insurance, it will not be directly subject to the Privacy Rules with respect to that plan. The employer s responsibilities with respect to its health plan, and many of the health plan s responsibilities under the Privacy Rules, continue to apply even if all plan benefits under the health plan are provided through insurance. This is true even if the health insurer providing the insurance under the plan is subject to those rules itself. This Employer Guide describes the significant compliance shortcuts under the Privacy Rules for fully-insured plans. Nonetheless, a fully-insured employer-sponsored health plan and its sponsoring employer generally retain overall responsibility for compliance with the Privacy Rules. BRIEF OVERVIEW OF HIPAA PRIVACY RULES The compliance burden under the Privacy Rules generally falls on the employer maintaining an employer-sponsored health plan that is subject to the rules. However, under certain circumstances, some of the compliance burden may shift to insurance carriers. The shift in compliance burden requires that the plan not create, maintain, or receive protected health information. Therefore, it will be necessary for the plan to obtain assurances for insurance carriers that the carriers will not release protected health information to the plan, even if the protected health information is requested. The following material describes the general HIPAA Privacy requirements; however, much of the following material will not apply to a HIPAA-subject benefit qualifying for the HIPAA compliance shortcut. Please see the Steps to Compliance section of this Employer Guide for more specific information about the compliance process for plans able to use the HIPAA compliance shortcut.. The Privacy Rules impose conditions, limitations, and documentation requirements on virtually every use and disclosure a health plan might make of an individual s health information. For example, a health plan cannot disclose protected health information to the employer who sponsors the plan, except in limited circumstances. Protected health information is defined very broadly and includes even enrollment and claims payment information, and health plans may use or disclose protected health information without an individual s authorization or consent in very limited circumstances which are referred to as Treatment, Payment, and Health Care Operations. These circumstances which permit use and disclosure of PHI are commonly referred to as TPO events. For example, uses and disclosures for purposes of deciding whether benefits are payable, determining eligibility, or medical necessity, obtaining payments from stop-loss insurance carriers, and auditing claims payments for accuracy are permissible uses and disclosures for which a plan does not need to obtain any consent or authorization from an individual. Any use or disclosure of protected health information for any purpose that the Privacy Rules do not identify as a permitted purpose requires an individual s specific authorization. Authorizations must meet specific criteria in order to satisfy the Privacy Rules, including identifying the specific information to be used or disclosed pursuant to the authorization. The Privacy Rules do not permit the acquisition of a blanket authorization or waiver from individuals enrolling in the plan. Such a blanket authorization will not comply with the HIPAA Privacy Rules. Even when a use or disclosure is for a permissible purpose, the Privacy Rules impose a minimum necessary limit on the amount of information that a health plan can use, disclose or request. In addition, in order to be able to disclose an individual s protected health information to the individual himself or to a third party, the plan is required to verify the identity of the person to whom it is disclosing the information, and, in the case of a third party, to verify the authority of that individual to receive the individual s information. HIPAA PRIVACY SHORTCUT ROUTE: AN EMPLOYER GUIDE 5

9 Health plans that engage third parties to provide administrative and other services are allowed to disclose protected health information to those third parties only if the health plan first obtains a legally enforceable contract (a Business Associate Agreement) in which the third party agrees to protect the privacy of enrollees information. Similarly, an employer-sponsored health plan cannot disclose to the sponsoring employer, and cannot allow the employer to use or disclose, protected health information unless the plan first is amended to include plan provisions imposing a variety of privacy obligations on the employer and the employer certifies its agreement to those provisions. Health plans are required to provide participants with a Notice of Privacy Practices, and to restrict their uses and disclosures of protected health information in accordance with the terms of the Notice of Privacy Practices. However, generally, insurers must distribute the Notice of Privacy Practices on behalf of the covered entity. The Notice of Privacy Practices must reflect the health plan s policies and procedures regarding the handling of protected health information and implementation of the Privacy Rules. The plan s policies and procedures are required to provide a detailed description of the plan s compliance measures. Health plans are required to afford individuals a variety of rights with respect to their protected health information, and the Privacy Rules impose various administrative requirements for providing those individual rights. Individual rights include the right to have access to protected health information, the right to request amendments to that protected health information, and the right to receive an accounting of disclosures of protected health information, among others. In addition to actually limiting the uses and disclosures of protected health information, the Privacy Rules require health plans to set up reasonable physical, technical, and administrative safeguards to prevent inappropriate uses and disclosures of protected health information. Plans also are required to maintain a complaint process with respect to their privacy practices, to adopt extensive policies and procedures, and to appoint a privacy official to oversee the plan s implementation of the Privacy Rules. The privacy official s duties include training employees on the plan s privacy policies and procedures and ensuring that those policies and procedures are enforced by applying sanctions to employees who fail to follow them. Finally, the Privacy Rules require that health plans document all of the various steps that they take in complying with the Privacy Rules TWO ROUTES TO HIPAA PRIVACY COMPLIANCE Long Route to Compliance While employers can delegate performance of various requirements to third parties, they still will have the responsibility to make sure that any delegated requirements are performed. Any employer plan that cannot use the compliance shortcut, or with respect to which the employer needs information that is not available to an employer from a plan using the compliance shortcut, must comply more fully with the Privacy Rules. Compliance efforts will require significant documentation, changes in plan processes, polices and procedures. Sample materials for Long Route HIPAA compliance can be found within the HIPAA Privacy Long Route Employer Guide. Shortcut Route to Compliance Fully-insured health plans can use a compliance shortcut that will greatly reduce their compliance burdens -- but only if the employer severely limits its involvement in plan administration. If it is unclear whether a particular benefit is fully insured, the plan sponsor may send a template letter to carriers in order to clarify A Sample Draft Letter to Insurance Carrier or HMO Requesting Confirmation of Fully- Insured Status is available within the the insured nature of the benefits. The Sample Draft Letter to HIPAA Lite Shortcut Implementation Insurance Carrier or HMO Requesting Confirmation of Fully Guide portion of the Appendix Insured Status can be used to request insured plan clarification from the vendor. Plans that qualify for the compliance shortcut eliminate many of the compliance obligations under the Privacy Rules. Plans that follow the shortcut route to HIPAA compliance must meet the following two requirements: HIPAA PRIVACY SHORTCUT ROUTE: AN EMPLOYER GUIDE 6

10 All health benefits under the plan are provided only through an insurance contract or a similar contract with a health maintenance organization (HMO) (that is, the benefits are fully insured ); and Neither the plan nor the sponsoring employer creates, maintains, or receives protected health information (PHI). TYPES OF INFORMATION POSSIBLY SUBJECT TO HIPAA PRIVACY RULES The Privacy Rules recognize several different classes of information and assign differing responsibilities with respect to those classes. Personal Health Information -- Any information related to an individual s health, health care, or payment for health care that is not de-identified information (defined below), is protected health information. Protected Health Information is information that Relates to: The past, present, or future physical or mental health or condition of an individual The provision of health care to an individual The past, present, or future payment for the provision of health care to an individual Is created or received by a health care provider, health plan, employer, or health care clearinghouse Identifies the individual (information is deemed to do this if there is a reasonable basis to believe that the information can be used to identify the individual) De-identified Information -- The Privacy Rules provide two means of de-identifying health information. The first method requires the entity disclosing the health information to strip specific identifiers out of the information. The second method does not require any specific identifiers to be removed, but does require that an expert determine and certify that the information is de-identified. Any information that is de-identified is not protected health information and is not subject to the Privacy Rules. Under the first method of de-identification, the identifiers that must be removed are the following items, each with respect to the individual that is the subject of the information, and the relatives, employers, and household members of that individual. Names. All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalent geo codes, except for the initial three digits of a zip code if: According to the current publicly available data from the Bureau of the Census, the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people. All other three-digit zip code designations are shown as 000. All elements of dates (except year) that are directly related to an individual, including birth date, admission date, discharge date, and date of death, and, in the case of individuals over age 89, all date information that would reveal the individual s age more specifically than 90 or older. Telephone numbers. Fax numbers. Electronic mail addresses. Social Security numbers. Medical record numbers. Health plan beneficiary numbers. Account numbers. Certificate/license numbers. Vehicle identifier and serial numbers, including license plate numbers. Device identifiers and serial numbers. Web universal resource locaters (URLs). Internet Protocol (IP) address numbers. HIPAA PRIVACY SHORTCUT ROUTE: AN EMPLOYER GUIDE 7

11 Biometric identifiers, including finger and voice prints. Full-face photographic images and any comparable images. Any other unique identifying number, characteristic, or code (except that a unique code, unrelated to identifying information about an individual, can be assigned to identify information as relating to a single individual, in which case, the entity creating the de-identified information cannot disclose the code for re-identifying the information at all, and cannot use that code or any related mechanism except to re-identify the information). Even with all of these designated identifiers removed, information still may not be de-identified for purposes of the Privacy Rules. The entity preparing the de-identified information cannot release the information if it knows that the information could be used, alone or in combination with other information, to identify an individual who is a subject of the information. As a practical matter, this may preclude smaller employers from receiving de-identified information because the disclosing entity will know that the employer can identify the information to individuals in its workforce. Other Types of Information -- The following three classes of health information are less restricted under the Privacy Rules than other information. By restricting its use of health information to these classes of information to the greatest extent possible, the employer may be able to qualify for the compliance shortcut with respect to its fullyinsured plans. In any event, the employer can minimize compliance burdens under the Privacy Rules by using these types of information to the extent possible, even if it cannot use the compliance shortcut with respect to one or more of its plans. In addition, because health plans are required to use only the minimum information reasonably necessary for most purposes, the employer s health plan may be restricted to using only these types of information whenever it will suffice for the employer s purposes. Summary Health Information -- Employers can receive summary health information with respect to their plan without triggering the full requirements of the Privacy Rules. Summary health information is identical to de-identified information except that it can disclose each individual s five-digit zip code. With even that very limited identifying information, summary health information is considered to be protected health information. Because it has very limited identifying information, however, it is subject to different restrictions than other protected health information. Employers can receive summary health information only for purposes of obtaining premium bids under their health plans, and for purposes of modifying, amending or terminating their health plans. Enrollment Information -- Another set of information that an employer can receive from its health plan or an insurer under its health plan without triggering full compliance with the Privacy Rules is enrollment information. Specifically, the plan sponsor can communicate with the plan, both sending and receiving information regarding individuals participation in the plan and whether they are enrolled with a particular insurer providing coverage under the plan. This information is technically considered to be protected health information, but employers that limit themselves to this information and summary health information will not be required to engage in the steps necessary for full compliance with the Privacy Rules. Employment Records -- Information in an employer s employment records is not considered protected health information for purposes of the employer s health plans compliance with the Privacy Rules. Information that the employer receives in its capacity as an employer, such as a return-to-work evaluation, is protected health information in other contexts but not when it is received by the employer for employment purposes and retained in the employer s files related to employment matters (as opposed to health plan matters). In that case, such information is not considered to be protected health information for which the employer s health plan or the employer has compliance responsibilities under the Privacy Rules. PARTIES WITH INTERESTS UNDER THE PRIVACY RULES When planning a compliance strategy under the Privacy Rules, health plans need to identify who is protected by the Privacy Rules, as well as who has obligations under the Privacy Rules. HIPAA PRIVACY SHORTCUT ROUTE: AN EMPLOYER GUIDE 8

12 Individuals -- The Privacy Rules protect individuals protected health information insofar as it is being used, disclosed, or requested by an entity covered under the Privacy Rules. The definition of individual makes clear that each employee and each dependent covered under a health plan is considered to be an individual with independent privacy protections. This means that no individual can act for another in connection with the Privacy Rules except as expressly provided in the Privacy Rules. In addition, a health plan cannot disclose information about an individual to anyone other than that individual except as provided in the Privacy Rules. Plans are required, however, to treat an individual s personal representative as if the personal representative were the individual himself. Prior to doing so, however, the plan must verify the personal representative s identity and verify that the personal representative has authority recognized under the Privacy Rules to act on behalf of the individual. The Privacy Rules recognize the following types of personal representatives: A parent acting for his or her minor child. A guardian acting for an incapacitated adult or emancipated minor. A personal representative acting on behalf of a decedent. It is important to note that an individual s protections under the Privacy Rules continue even after death, until the health plan no longer retains any of the individual s protected health information. The personal representatives recognized under the Privacy Rules do not include an employee acting on behalf of a spouse or an adult child, even if enrolled in a health plan as the employee s dependent. While there are a number of arguments in favor of health plans being able to share protected health information with family members, none of these is recognized in the Privacy Rules themselves. Accordingly, health plans should arrange their systems so that they communicate with individuals enrolled in the plan directly rather than addressing communications containing a spouse s or adult child s protected health information to the employee. According to HHS representatives, an exception to this rule applies with respect to explanation of benefit statements. Those representatives have stated that plans can continue to send these statements to the employee, even if they contain a spouse s or adult child s information. It appears that most health plans are relying on these statements, continuing to send these statements to the employee. Except for these statements, employers and their plans should protect themselves and only communicate protected health information with the individual that is the subject of the information or his personal representative. This will be a change for most plans and will likely be a source of contention. Organizational Issues -- The way in which a health plan is organized and funded affects the various parties roles and responsibilities with respect to the health plan s compliance with the Privacy Rules. Hybrid Entities -- A health plan is a hybrid entity if it is a single plan that includes both health and non-health benefits. If a hybrid entity designates itself as such and designates which portions of the plan are its healthcare components (that is, those parts providing health benefits) then the non-health components of the plan are not required to comply A sample Designation of Hybrid Entity with the Privacy Rules. It is arguable that a health plan would get Status and Health Care Component is this hybrid entity treatment even without the being designated as available within the HIPAA Lite Shortcut a hybrid entity because of the way health plans are defined under Implementation Guide portion of the the Privacy Rules. As a matter of compliance planning, however, Appendix employers should designate their plans that include non-health benefits as hybrid entities to ensure that the non-health portions of those plans are not affected by the Privacy Rules. If an employer has a hybrid plan and is not using the compliance shortcut, it must implement firewalls between the health and non-health portions of that plan. Firewalls are physical, technical, and administrative safeguards that prevent or prohibit disclosure of protected health information. In the case of a hybrid plan providing both health benefits and life insurance benefits, for instance, firewalls might consist of policies and procedures prohibiting any employee that deals with the health plan from using protected health information from the health plan in connection with the life insurance benefits. A physical safeguard might consist of maintaining health benefits records in a locked HIPAA PRIVACY SHORTCUT ROUTE: AN EMPLOYER GUIDE 9

13 file cabinet to which only those employees who work with health benefits have a key (and those who work only with life insurance benefits do not). A technological safeguard would be a protection in a computerized system that would prevent access to protected health information from a health plan by anyone other than employees assigned to work with the health benefits. Plan Sponsors -- As noted previously, the employer that sponsors a health plan is not itself subject to the Privacy Rules on the basis of its activities in connection with the health plan. In addition, the employer is considered to be a separate legal entity from its health plan, so that the health plan generally is not entitled to disclose protected health information to the employer in connection with plan administration. The Privacy Rules prohibit plans from disclosing any protected health information to the sponsoring employer (other than summary health information or enrollment information, as described above) unless the plan document includes certain provisions regarding the plan sponsor s handling of protected health information, and the plan sponsor has certified that: The plan has been amended. The plan sponsor will abide by the plan amendments and certain other commitments. In the event that the plan document is amended and the certification is provided as required, the plan (and an insurer or HMO providing benefits under the plan) can disclose to the employer, solely for the employer s plan administration purposes or as required by law, protected health information in addition to summary health information and enrollment information. Without these documents in place, these disclosures could not occur unless individuals authorized them according to the Privacy Rules requirements for authorizations. These disclosures are subject to the Privacy Rules minimum necessary, verification and other limiting requirements. This means that the plan cannot disclose any protected health information to the employer that is not reasonably necessary to accomplish the plan administration functions that the employer performs on behalf of the plan. The commitments that the employer must make with respect to receipt of protected health information from the plan include, among others, that the employer will identify all of its employees, by name, title or classification, who will have access to the protected health information received from the plan (the designated employees ). The plan sponsor must commit that it will not allow any other employees to have access to that information. In addition, the plan sponsor must commit to setting up firewalls to protect against access by employees other than the designated employees, and access by the designated employees for purposes other than performing the plan sponsor s plan administration functions. To receive protected health information from the plan, an employer must commit that it will not use that protected health information for any employment-related decisions or actions or for any other benefit or benefit plan that the employer maintains. Because of this prohibition, it is particularly important for employers to ensure that protected health information obtained in connection with employment-related matters, such as medical leaves, remains separate from plan protected health information. So long as it remains part of the employer s employment files and is not used in connection with administering the plan, it is not considered protected health information. If, however, an employer combines its plan files and employment files, or uses information in either for the benefit of the other, this employment information could lose its exemption from the Privacy Rules and become part of the protected health information for which the employer s health plan has compliance responsibilities. Insurers -- An insurer or HMO providing coverage under a plan is subject to the Privacy Rules with respect to its own operations on behalf of that plan. That is, unlike the plan sponsor, the insurer is directly required to comply with the Privacy Rules, even if the plan does not impose those requirements on the insurer via contract. The insurer s responsibility is, however, limited to its own operations. It is not responsible for the group health plan s compliance solely because it provides coverage under the plan. Just as the employer is considered to be a separate entity from the group health plan, the insurer is also considered to be a separate legal entity from the health plan. HIPAA PRIVACY SHORTCUT ROUTE: AN EMPLOYER GUIDE 10

14 Even though an insurer is considered to be a separate legal entity from the group health plan, it is treated as part of an organized health care arrangement with respect to the health plan. This means that the insurer and the health plan itself (but not the employer) can exchange certain protected health information as if they were a single entity and can use a single notice of privacy practices. These exchanges, like all other exchanges of protected health information within an entity, are limited to those made for purposes recognized under the Privacy Rules and are subject to the minimum necessary requirements and other restrictions on disclosure. A health plan is not required to enter into a business associate contract, as described in the next section, with an insurer that provides no services other than insurance coverage under the plan. WHAT ARE PERMISSIBLE USES OF PROTECTED HEALTH INFORMATION? The HIPAA Shortcut to compliance is based upon the premise that the Plan does not see, use, or receive protected health information. However, in operation of the benefits, the Plan will have enrollment information, certain claim payment information, and an employee may ask the Plan to participate in a claim appeal. Consequently, the Plan may maintain certain protected health information for Treatment, Payment, or Health Care Operations purposes. TREATMENT Treatment is defined, in part, as provision, coordination, or management of health care and related services by a health care provider, including coordination or management of health care by the health care provider with a third party. Health plans are not health care providers for purposes of the Privacy Rules, so health plans cannot directly perform treatment functions. Health plans may, however, disclose protected health information to any health care provider for that provider s treatment activities. For example, a health plan would be allowed to respond to a physician s request for information regarding previous treatments an individual had received, if needed to assess a current course of treatment. As a practical matter, these disclosures of protected health information will be infrequent. PAYMENT The payment functions for which health plans can use or disclose an individual s protected health information without first obtaining his authorization include all activities to obtain premium payments or to determine or fulfill the plan s responsibility for coverage of, and provision of health benefits with respect to, an individual. Payment functions include: Determining individuals eligibility for coverage, including determination of rights pursuant to COBRA. Obtaining reimbursement for benefits paid during a period of ineligibility. Determining whether individuals have coverage in effect under the plan, and in what capacity. Determining whether particular expenses are covered under the plan with respect to individuals (including coordination of benefits determinations, cost sharing determinations, subrogation determinations, medical necessity determinations, and all other determinations to reach a decision on whether benefits are payable under the terms of the plan for particular health benefit claims). Making claims payments based on those determinations. Coordination of benefits, including, without limitation, collecting amounts from another plan covering an individual, and determining the order of benefits payment and the extent to which benefits have been paid from another plan. Activities related to rights of reimbursement the plan may have with respect to previously-paid benefits and subrogation activities, including asserting liens against actual or potential recoveries, exercising rights of reimbursement with respect to third parties, and making demand for repayment of benefits. Determining cost-sharing amounts applicable to particular claims under the terms of the plan, including determining whether an individual has reached applicable plan limits, satisfied deductibles or out-of-pocket limits, or is required to make a copayment or satisfy coinsurance with respect to a particular claim. Adjudicating benefit claims under the plan (including appeals and other payment disputes). Claims management and related health care data processing, including auditing payments, investigating and resolving payment disputes, and responding to enrollees inquiries about payments. Billing and collection activities and related data processing. HIPAA PRIVACY SHORTCUT ROUTE: AN EMPLOYER GUIDE 11

15 Obtaining payment under a contract for reinsurance (including stop-loss and excess loss insurance), including notification to issuers of diagnoses or claims that trigger reporting requirements under such policies. Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges. Determining required employee contributions. Risk adjusting amounts due for coverage based on enrollees health status, claims history, and demographic characteristics, to the extent permissible under applicable law. Utilization review activities, including precertification and preauthorization of services, and concurrent and retrospective review of services. Disclosure to consumer reporting agencies relating to collection of premiums or reimbursement, limited to any or all of the following: Name and address. Date of birth. Social Security number. Payment history. Account number. Name and address of the plan. HEALTH CARE OPERATIONS The health care operations functions for which health plans can use or disclose an individual s protected health information without first obtaining the individual s authorization are specified in the Privacy Rules. Those activities are permissible to the extent that they relate to a health plan s providing or paying for health benefits. The listed operations functions are: Quality assessment and improvement activities. Population-based activities relating to improving health or reducing health care costs, protocol development, case management, disease management, care coordination, and contacting health care providers and enrollees with information about treatment alternatives and related functions. Rating provider and plan performance, including accreditation, certification, licensing, or credentialing activities. Fraud and abuse detection and compliance activities. Underwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to health care claims (including stop-loss insurance and excess of loss insurance). Conducting or arranging for medical review, legal services, and auditing functions. Business planning and development, such as conducting cost-management and planning-related analyses for the management and operation of the Plan, including formulary development and administration, and development or improvement of payment methods or coverage policies. Business management and general administrative activities, including: Management activities relating to the implementation of and compliance with HIPAA s administrative simplification requirements. Customer service, including the preparation and provision of data analyses for use of the Plan Sponsor and others. Resolution of internal grievances. Due diligence in connection with the sale or transfer of assets to a potential successor in interest if the potential successor in interest either: Is a covered entity for purposes of HIPAA Will become a covered entity following completion of the sale or transfer A health plan may disclose protected health information to other entities that are covered under the Privacy Rules to assist those entities with some of their health care operations activities in two situations. The plan may disclose protected health information to other health plans that are sponsored by the same employer, and to any insurers with respect to those plans, to assist with those plans health care operations activities that are similar to the operations activities listed above. HIPAA PRIVACY SHORTCUT ROUTE: AN EMPLOYER GUIDE 12

16 To the extent that both the plan and another entity covered by the Privacy Rules have a relationship with an individual and the individual s protected health information pertains to that relationship, the plan may disclose that individual s protected health information to that entity to assist the entity with its health care operations activities involving: Quality assessment and improvement activities. Population-based activities relating to improving health or reducing health care costs, protocol development, case management, disease management, care coordination, and contacting health care providers and enrollees with information about treatment alternatives and related functions. Rating provider and plan performance, including accreditation, certification, licensing, or credentialing activities. Fraud and abuse detection and compliance activities. Required By Law -- Health plans may use and disclose protected health information to the extent required by applicable law. A use or disclosure is deemed to be required by law for purposes of the Privacy Rules if a mandate contained in law compels a health plan to make a use or disclosure of protected health information, and that mandate is enforceable in a court of law. Uses and disclosures that are required by law include: Complying with court orders and court-ordered warrants. Responding to subpoenas or summons issued by a court, grand jury, governmental or tribal inspector general, or an administrative body authorized to require the production of information. Providing information pursuant to a civil or an authorized investigative demand. Complying with statutes or regulations that require the production of information. The Privacy Rules require health plans to take certain actions whenever the health plan makes certain uses and disclosures of protected health information that are required by law. If a use or disclosure is required because of an order of a court or administrative tribunal, the health plan may use or disclose protected health information only to the extent expressly required by that order. If a use or disclosure is required by a subpoena, discovery request, or other demand in connection with a legal proceeding, but that subpoena, discovery request or demand is not accompanied by an order of a court or administrative tribunal, a health plan may use or disclose protected health information in response only to the extent that the plan receives certain assurances from the party seeking the information or makes reasonable efforts to notify the individual that is the subject of the protected health information of the pending use or disclosure. If a use or disclosure is required by an administrative subpoena or summons, or a civil or authorized investigative demand, a health plan is allowed to disclose protected health information in response only if the information sought is relevant and material to a legitimate law enforcement inquiry, the request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought, and de-identified information could not reasonably be used. If the health plan is required by law to disclose protected health information about an individual whom the plan reasonably believes to be a victim of abuse, neglect, or domestic violence, the plan must promptly inform the individual that is the subject of the protected health information that such a report has been or will be made except in very specific situations. Law Enforcement -- It is permissible for health plans to make a variety of disclosures to law enforcement officials to voluntarily assist in law enforcement efforts. Most plans, however, only make disclosures to law enforcement officials as required by law and to report criminal activities affecting the plan. A health plan may disclose protected health information to a law enforcement official if the plan believes in good faith that the protected health information constitutes evidence of criminal conduct that occurred on the premises of the health plan. As Authorized By the Individual -- A health plan may use or disclose any protected health information of an individual in any manner that the individual authorizes in an authorization that complies with the Privacy Rules. For an authorization to be valid it must contain the following elements in plain language: HIPAA PRIVACY SHORTCUT ROUTE: AN EMPLOYER GUIDE 13

17 A description of the information to be used or disclosed pursuant to the authorization that identifies the information in a specific and meaningful fashion. The name or other specific identification of the persons or class of persons authorized to make the authorized use or disclosure. The name or other specific identification of the persons or class of persons by or to whom the requested use or disclosure may be made. Each purpose of the requested use or disclosure (a statement that the use or disclosure is at the request of the individual is sufficient when an individual initiates the authorization). An expiration date or expiration event that relates to the individual or the purpose of the use or disclosure. A statement of the individual s right to revoke the authorization, together with a description of how the individual would go about revoking the authorization and any limitations on the right to revoke the authorization. A statement of the extent to which enrollment or eligibility for benefits or payment of benefits are conditioned on the individual s providing the authorization (in most cases this will require a statement that none of these things is conditioned on the individual s providing the authorization). A notation that information disclosed pursuant to the authorization may be re-disclosed by the recipient and no longer protected under the Privacy Rules. A statement that the covered entity must provide the individual with a copy of the signed authorization. The signature of the individual and the date. If the authorization is signed by a personal representative of the individual, a description of the personal representative s authority to act for the individual. Authorizations generally cannot be combined with one another or with other documents. In particular, a voluntary authorization cannot be combined with one that is required in order for an individual to obtain enrollment, eligibility or benefits under a health plan. Authorizations can be required as a condition of enrollment or eligibility in a health plan only if requested prior to an individual s enrollment in the health plan and sought for purposes of determining eligibility, enrollment, or underwriting or risk rating determinations. Employer-sponsored group health plans generally cannot use protected health information for purposes of making individualized eligibility determinations, so these non-voluntary authorizations should be used only in the case of a group applying for coverage with respect to which the insurer has required health statements so that it can decide whether to accept the group and, if so, how to rate the group as a whole. In general, authorizations must be revocable at any time, except to the extent that the entity releasing the authorized information has taken action in reliance on the authorization. If an authorization is obtained as a condition of obtaining insurance coverage, as in the group underwriting situation noted above, and other law provides and insurer with the right to contest a claim under the policy or the policy itself, the authorization also may be made irrevocable. Having received an authorization, a covered entity may use and disclose the authorizing individual s protected health information in accordance with that authorization, but must be careful that its uses and disclosures do not go beyond those authorized unless otherwise permitted under the Privacy Rules. EXTREMELY LIMITED PLAN ADMINISTRATION An employer may only engage in limited plan administration. The following administration functions are permissible under the HIPAA Shortcut Route: Enrollment -- The employer and the insurer or HMO can exchange information about which employees and dependents have coverage in effect under the plan and the employer can collect enrollment and disenrollment forms and send them to the insurer or HMO. If, however, enrollment involves employees providing more than basic information (if, for example, a health statement is required), the employer will need to obtain employees and dependents specific authorizations to collect that information. HIPAA PRIVACY SHORTCUT ROUTE: AN EMPLOYER GUIDE 14

18 Explaining Plan Terms -- The employer can discuss plan terms and how they apply in particular situations with employees and dependents to assist in their understanding of the plan. The employer cannot, however, become involved in specific claims decisions under the plan. Assisting with Claim Denials -- The employer can: Allow employees and dependents to report claims difficulties to the employer. Discuss those difficulties with the individual(s) involved. Report the difficulties to the insurer or HMO. Plan Sponsor Functions -- The employer can use summary health information from the insurer or the HMO, but only for purposes of obtaining premium bids for, or modifying or terminating, the plan. The employer may not receive information from the insurer other than summary health information, de-identified health information, enrollment and disenrollment information, and information released in accordance with an individual s authorization. RED FLAGS: WHAT PLAN DESIGNS NEGATE THE USE OF THE SHORTCUT ROUTE? Fully-insured employer plans can avoid most of the compliance burdens imposed by the Privacy Rules by using the compliance shortcut. In order to use the shortcut, however, the employer under the plan must severely limit its involvement with plan administration. RED FLAG #1: EMPLOYERS THAT NEED/REQUIRE MORE PHI THAN PERMITTED In order to follow the shortcut route, neither the plan nor the sponsoring employer may create, maintain, or receive protected health information. If the employer chooses to be involved in day-to-day administration and oversight of all aspects of the benefits, then the shortcut route is not available to the employer. RED FLAG #2: PLANS THAT CONTAIN A COMBINATION OF FULLY-INSURED AND SELF- INSURED HIPAA-SUBJECT BENEFITS The employer should consider each of its Plans separately and consider the following steps: 1. The employer should determine how many Plans it has. (Please refer to the section in this Employer Guide entitled Health Plans Must Comply What Is A Plan?) 2. Separate HIPAA Privacy compliance applies to each Plan that includes HIPAA-subject benefits. So, within each Plan, the employer should determine if there are HIPAA-subject benefits (see the section entitled What Benefits Are Subject to the HIPAA Privacy Rules, earlier in this Employer Guide). 3. Within each Plan subject to HIPAA Privacy, the employer will need to determine if there is a combination of fully-insured and self-insured HIPAA-subject benefits. Plans that include both fully-insured and self-insured HIPAA-subject benefits must follow the Long Route to HIPAA compliance (please see HIPAA Privacy Long Route: An Employer Guide). Tip: Employers wishing to take advantage of the HIPAA Shortcut should move either the fully-insured HIPAA-subject benefits or the self-insured HIPAA-subject benefits out of the Plan and into a different Plan. HIPAA PRIVACY SHORTCUT ROUTE: AN EMPLOYER GUIDE 15

19 STEPS TO COMPLIANCE ASSESS APPLICABILITY OF HIPAA PRIVACY 1. Identify all plans sponsored by the employer (for entities subject to ERISA, this will mean identifying how many separate, active plan numbers exist; for entities not subject to ERISA, this will mean searching through paperwork and benefit materials in order to determine the plan sponsor s intention regarding how many plans it would offer). 2. Determine whether or not the plan sponsor is subject to the Privacy Rules. (If yes, proceed. If no, stop.) 3. Identify any benefit options which are exempt from the Privacy Rules. (With regard to those specific benefit options, do not proceed. Note: This does not necessarily mean that other benefit options contained within the same Plan are also exempt from the HIPAA Privacy Rules.) 4. Within the Plans, identify which benefit options are required to comply with the HIPAA Privacy Rules. EVALUATE PLAN DESIGN 5. If there are multiple benefit options within a given plan, then make the following determinations with regard to the benefit(s) offered under each plan: a. Are all HIPAA Privacy-subject benefits under the plan fully-insured? i. If yes, then the plan sponsor can follow the HIPAA Shortcut Route with regard to the HIPAA Privacysubject benefit options under the plan. ii. If no, then the plan sponsor must either: See the HIPAA Privacy Long Route: An Employer Guide (a) Change the plan design (on a prospective basis) in order to allow the plan sponsor to take advantage of the HIPAA Privacy Shortcut. The plan sponsor can accomplish this by: 1) moving all fully-insured HIPAA Privacy-subject benefits to a new or existing plan (with regard to the HIPAA Privacy-subject self-insured benefits remaining in the plan, the plan sponsor would need to follow the Long Route to HIPAA Compliance); or 2) moving all of the self-insured HIPAA Privacy-subject benefits to a new or existing plan; or (b) Follow the Long Route to HIPAA Compliance and do NOT continue with the remaining Steps to Compliance in this Employer Guide. b. Does any Plan contain a mix of HIPAA Privacy-subject benefits and benefits which are not subject to HIPAA Privacy? i. If yes, then for that Plan, the plan sponsor should consider one of the following options: (a) (b) Designate the Plan as a Hybrid Entity; Change the plan design (on a prospective basis), moving either all of the HIPAA Privacy-subject benefits to a new or existing A Sample Hybrid Designation Form is available within the HIPAA Lite Shortcut Implementation Guide portion of the Appendix Plan or moving all of the benefits which are not subject to HIPAA Privacy to a new or existing Plan. HIPAA PRIVACY SHORTCUT ROUTE: AN EMPLOYER GUIDE 16

20 ADMINISTRATIVE DETAILS 6. Adopt an Authorization Form that allows the employer to discuss specific claims with an insurer or HMO (The employer may explain plan terms and may assist employees with enrollment questions and with claim appeals as long as an Authorization Form has been signed by the employee and permits the employer to assist with a specific claim). 7. Request carrier s assistance in continuing to satisfy the requirements for the compliance shortcut. 8. Create and adopt the abbreviated Policies and Procedures necessary in order to comply with the HIPAA Shortcut requirements. A Sample Authorization to Discuss Insurance Claims is available within the HIPAA Lite Shortcut Implementation Guide portion of the Appendix A Sample Letter Requesting Compliance Shortcut Assistance is available within the HIPAA Lite Shortcut Implementation Guide portion of the Appendix Sample Policies and Procedures are available within the HIPAA Lite Shortcut Implementation Guide portion of the Appendix DISTRIBUTION TO EMPLOYEES 9. Distribute a Summary of Material Modifications ( SMM ) to employees who are covered by the fully-insured benefits which are permitted to follow the HIPAA Shortcut. A Sample Summary of Material Modifications is available within the HIPAA Lite Shortcut Implementation Guide portion of the Appendix WHAT ARE THE PENALTIES FOR NOT COMPLYING WITH THE HIPAA PRIVACY RULES? The administrative simplification rules generally are enforceable only by HHS and the Department of Justice, through civil and criminal penalties. Individuals generally cannot sue to recover damages for violation of the Privacy Rules. In some instances, however, individuals will be able to sue under ERISA or comparable state authorities to enforce plan terms required by the Privacy Rules. Accordingly, employers should be aware that they may have liability to individual plan participants as a result of noncompliance. CIVIL PENALTIES Under the HITECH Act provisions, an affirmative defense exists if the violation was not due to willful neglect and the violation is corrected during the 30-day period beginning on the first date of such knowledge or during the period determined by the Secretary of HHS to be appropriate (based upon the nature and extent of the covered entity s failure to comply). After investigation of a breach, HHS will inform the covered entity of its security failure. The covered entity will then have 30 days in which to submit evidence of its affirmative defenses or any mitigating factors. The penalties can be waived by the HHS Secretary if the violations were not due to willful neglect. The penalties associated with violations of HIPAA s administrative simplification provisions vary according to when they occurred. Violations which occurred before February 18, 2009 amount to $100 per violation (there is a maximum limit of $25,000 per calendar year for identical violations). However, violations which occurred on/after February 18, 2009 are subject to minimum civil penalties, and the maximum limit of the penalty was significantly increased in the 2013 final regulations. Additionally, the 2013 final regulations subject a covered entity to liability for civil penalties because of the actions of its business associate, even if the covered entity did not know of the violations. Civil penalty analysis relies on a tier structure for the severity of the penalty: HIPAA PRIVACY SHORTCUT ROUTE: AN EMPLOYER GUIDE 17

The HIPAA Privacy Rule: Overview and Impact

The HIPAA Privacy Rule: Overview and Impact The HIPAA Privacy Rule: Overview and Impact DISCLAIMER: This information is provided as is without any express or implied warranty. It is provided for educational purposes only and does not constitute

More information

HIPAA PRIVACY AND SECURITY STANDARDS CITY COMPLIANCE

HIPAA PRIVACY AND SECURITY STANDARDS CITY COMPLIANCE Important: Conducting an assessment of your health plan(s) is the first step to determining HIPAA compliance. You will need to conduct a separate assessment for each of your health plans. (Please be aware

More information

Frequently Asked Questions About the Privacy Rule Under HIPAA

Frequently Asked Questions About the Privacy Rule Under HIPAA Q-1: What is HIPAA? Frequently Asked Questions About the Privacy Rule Under HIPAA A: HIPAA is the Health Insurance Portability and Accountability Act (passed by Congress in 1996). The Privacy Rule was

More information

Guidelines Relating to Implementation of the Privacy Regulations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Guidelines Relating to Implementation of the Privacy Regulations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) HUMAN RESOURCES Index No. VI-35 PROCEDURES MEMORANDUMS TO: FROM: SUBJECT: MCC Personnel Office of the President Guidelines Relating to Implementation of the Privacy Regulations of the Health Insurance

More information

HIPAA. Privacy and Security Frequently Asked Questions for Employers. Gallagher Benefit Services, Inc.

HIPAA. Privacy and Security Frequently Asked Questions for Employers. Gallagher Benefit Services, Inc. 2013 HIPAA Privacy and Security Frequently Asked Questions for Employers Gallagher Benefit Services, Inc. Disclaimer We share this information with our clients and friends for general informational purposes

More information

An Employer s Introduction to HIPAA Prepared by Ballard, Rosenberg Golper & Savitt, LLP

An Employer s Introduction to HIPAA Prepared by Ballard, Rosenberg Golper & Savitt, LLP An Employer s Introduction to HIPAA Prepared by Ballard, Rosenberg Golper & Savitt, LLP Important Disclaimer: Practice limited to labor and employment law on behalf of management and related litigation.

More information

HIPAA OVERVIEW ETSU 1

HIPAA OVERVIEW ETSU 1 HIPAA OVERVIEW ETSU 1 What is HIPAA? Health Insurance Portability and Accountability Act. 2 PURPOSE - TITLE II ADMINISTRATIVE SIMPLIFICATION To increase the efficiency and effectiveness of the entire health

More information

The Health and Benefit Trust Fund of the International Union of Operating Engineers Local Union No. 94-94A-94B, AFL-CIO. Notice of Privacy Practices

The Health and Benefit Trust Fund of the International Union of Operating Engineers Local Union No. 94-94A-94B, AFL-CIO. Notice of Privacy Practices The Health and Benefit Trust Fund of the International Union of Operating Section 1: Purpose of This Notice Notice of Privacy Practices Effective as of September 23, 2013 THIS NOTICE DESCRIBES HOW MEDICAL

More information

BROWN RUDNICK BERLACK ISRAELS LLP. Group Health Plan Compliance with HIPAA and ERISA: NAVIGATING THE LEGAL AND

BROWN RUDNICK BERLACK ISRAELS LLP. Group Health Plan Compliance with HIPAA and ERISA: NAVIGATING THE LEGAL AND B R B I BROWN RUDNICK BERLACK ISRAELS LLP Group Health Plan Compliance with HIPAA and ERISA: NAVIGATING THE LEGAL AND ADMINISTRATIVE MAZE Q&A 2003 QUESTION AND ANSWER RESOURCE GUIDE Group Health Plan Compliance

More information

HIPAA COMPLIANCE. What is HIPAA?

HIPAA COMPLIANCE. What is HIPAA? HIPAA COMPLIANCE What is HIPAA? The Health Insurance Portability and Accountability Act (HIPAA) also known as the Privacy Rule specifies the conditions under which protected health information may be used

More information

Plan Sponsor Guide HIPAA Privacy Rule

Plan Sponsor Guide HIPAA Privacy Rule Plan Sponsor Guide HIPAA Privacy Rule Plan Sponsor s Guide to the HIPAA Privacy Rule Compliments of Aetna 00.02.108.1A (5/05) Compliments of Aetna You have likely heard a great deal about the HIPAA Privacy

More information

State of Nevada Public Employees Benefits Program. Master Plan Document for the HIPAA Privacy and Security Requirements for PEBP Health Benefits

State of Nevada Public Employees Benefits Program. Master Plan Document for the HIPAA Privacy and Security Requirements for PEBP Health Benefits State of Nevada for the Requirements for PEBP Health Benefits Plan Year 2016 July 1, 2015 June 30, 2016 www.pebp.state.nv.us (775) 684-7000 Or (800) 326-5496 Amendments Amendment Log Any amendments, changes

More information

Graphic Communications National Health and Welfare Fund. Notice of Privacy Practices

Graphic Communications National Health and Welfare Fund. Notice of Privacy Practices Notice of Privacy Practices Section 1: Purpose of This Notice and Effective Date THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

More information

January 2003. Employers must be prepared for their obligations under the HIPAA Privacy Rules

January 2003. Employers must be prepared for their obligations under the HIPAA Privacy Rules Employer Sponsored Group Health Plans and the HIPAA Privacy Rules Employers must be prepared for their obligations under the HIPAA Privacy Rules January 2003 Bob Radecki KnowHIPAA.com HIPAA-COBRA-FMLA

More information

HIPAA Policy, Protection, and Pitfalls ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS

HIPAA Policy, Protection, and Pitfalls ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS HIPAA Policy, Protection, and Pitfalls Overview HIPAA Privacy Basics What s covered by HIPAA privacy rules, and what isn t? Interlude on the Hands-Off Group Health Plan When does this exception apply,

More information

HIPAA. HIPAA and Group Health Plans

HIPAA. HIPAA and Group Health Plans HIPAA HIPAA and Group Health Plans CareFirst BlueCross BlueShield is the business name of CareFirst of Maryland, Inc. and is an independent licensee of the Blue Cross and Blue Shield Association. Registered

More information

Alert. Client PROSKAUER ROSE LLP. HIPAA Compliance Update: Employers, As Group Health Plan Sponsors, Will Be Affected By HIPAA Privacy Requirements

Alert. Client PROSKAUER ROSE LLP. HIPAA Compliance Update: Employers, As Group Health Plan Sponsors, Will Be Affected By HIPAA Privacy Requirements PROSKAUER ROSE LLP Client Alert HIPAA Compliance Update: Employers, As Group Health Plan Sponsors, Will Be Affected By HIPAA Privacy Requirements The U.S. Department of Health and Human Services published

More information

HIPAA Privacy Rule Primer for the College or University Administrator

HIPAA Privacy Rule Primer for the College or University Administrator HIPAA Privacy Rule Primer for the College or University Administrator On August 14, 2002, the Department of Health and Human Services ( HHS ) issued final medical privacy regulations (the Privacy Rule

More information

HIPAA Privacy Manual

HIPAA Privacy Manual California State University HIPAA Privacy Manual Revised February 17, 2010 As prepared by Mercer Human Resource Consulting 2010 California State University The HIPAA Privacy Manual was drafted for the

More information

HIPAA-Compliant Research Access to PHI

HIPAA-Compliant Research Access to PHI HIPAA-Compliant Research Access to PHI HIPAA permits the access, disclosure and use of PHI from a HIPAA Covered Entity s or HIPAA Covered Unit s treatment, payment or health care operations records for

More information

HIPAA PRIVACY RULE & AUTHORIZATION

HIPAA PRIVACY RULE & AUTHORIZATION HIPAA PRIVACY RULE & AUTHORIZATION Definitions Breach. The term breach means the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy

More information

SUMMARY PLAN DESCRIPTION FOR THE WILLAMETTE UNIVERSITY CONSOLIDATED WELFARE BENEFITS PLAN

SUMMARY PLAN DESCRIPTION FOR THE WILLAMETTE UNIVERSITY CONSOLIDATED WELFARE BENEFITS PLAN SUMMARY PLAN DESCRIPTION FOR THE WILLAMETTE UNIVERSITY CONSOLIDATED WELFARE BENEFITS PLAN TABLE OF CONTENTS INTRODUCTION... 1 Type of Plan... 1 Plan Sponsor... 1 Purpose of the Plan... 1 Purpose of this

More information

HIPAA PRIVACY AND EDI RULES

HIPAA PRIVACY AND EDI RULES The Health and Human Services (HHS) issued final HIPAA privacy regulations on August 14, 2002. These rules govern how individually identifiable medical information must be protected. HIIPAA also requires

More information

VALPARAISO UNIVERSITY NOTICE OF PRIVACY PRACTICES. Health, Dental and Vision Benefits Health Care Reimbursement Account

VALPARAISO UNIVERSITY NOTICE OF PRIVACY PRACTICES. Health, Dental and Vision Benefits Health Care Reimbursement Account VALPARAISO UNIVERSITY NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

More information

HIPAA Privacy Overview

HIPAA Privacy Overview May 21, 2003 HIPAA Privacy Overview Presented to the California State University Agenda Introduction HIPAA privacy regulations HIPAA privacy impact on CSU Next steps/action items Mercer Human Resource

More information

HIPAA - - Basic Concepts and Implementation Roadmap

HIPAA - - Basic Concepts and Implementation Roadmap HIPAA - - Basic Concepts and Implementation Roadmap Prepared by: David Weiner dweiner@seyfarth.com Fredric Singerman fsingerman@dc.seyfarth.com Today s Agenda n Introduction of HIPAA Privacy and Electronic

More information

HIPAA PRIVACY POLICIES AND PROCEDURES

HIPAA PRIVACY POLICIES AND PROCEDURES HIPAA PRIVACY POLICIES AND PROCEDURES FOR MOTT COMMUNITY COLLEGE NOVEMBER 18, 2004 PREPARED BY: KUSHNER & COMPANY 2427 WEST CENTRE AVENUE PORTAGE, MICHIGAN 49024 (269) 342-1700 WWW.KUSHNERCO.COM EMPLOYEE

More information

USES AND DISCLOSURES FOR TREATMENT, PAYMENT, AND HEALTH CARE OPERATIONS [45 CFR 164.506]

USES AND DISCLOSURES FOR TREATMENT, PAYMENT, AND HEALTH CARE OPERATIONS [45 CFR 164.506] USES AND DISCLOSURES FOR TREATMENT, PAYMENT, AND HEALTH CARE OPERATIONS [45 CFR 164.506] Background The HIPAA Privacy Rule establishes a foundation of Federal protection for personal health information,

More information

HIPAA 100 Training Manual Table of Contents. V. A Word About Business Associate Agreements 10

HIPAA 100 Training Manual Table of Contents. V. A Word About Business Associate Agreements 10 HIPAA 100 Training Manual Table of Contents I. Introduction 1 II. Definitions 2 III. Privacy Rule 5 IV. Security Rule 8 V. A Word About Business Associate Agreements 10 CHICAGO DEPARTMENT OF PUBIC HEALTH

More information

NORTHWESTERN NEUROSURGICAL ASSOCIATES, S.C. Patient s Name: Age: Address: Name: Address: Referred for: Auto related? Yes - No

NORTHWESTERN NEUROSURGICAL ASSOCIATES, S.C. Patient s Name: Age: Address: Name: Address: Referred for: Auto related? Yes - No NORTHWESTERN NEUROSURGICAL ASSOCIATES, S.C. Patient s Name: Age: Sex: Male Female Date of Birth: S.S.N.: Address: City State Zip Code Home Phone: ( ) Cell Phone: ( ) Work Phone: ( ) Other Phone: ( ) PRIM

More information

Agent Instruction Sheet for PriorityHRA Plan Document

Agent Instruction Sheet for PriorityHRA Plan Document Agent Instruction Sheet for PriorityHRA Plan Document Thank you for choosing PriorityHRA! Here are some instructions as to what to do with each PriorityHRA document. Required Documents: HRA Application

More information

VENDOR / CONTRACTOR. Privacy Basics

VENDOR / CONTRACTOR. Privacy Basics VENDOR / CONTRACTOR Privacy Basics Introduction Premera s mission is to provide our customers with peace of mind about their healthcare. This requires that everyone who works with or for Premera (the Company

More information

Affordable Care Act (ACA) Frequently Asked Questions

Affordable Care Act (ACA) Frequently Asked Questions Grandfathered policies Q1: What is grandfathered health plan coverage? A: The interim final rule on grandfathering under ACA generally defines grandfathered health plan coverage as coverage provided by

More information

ELKIN & ASSOCIATES, LLC. HIPAA Privacy Policy and Procedures INTRODUCTION

ELKIN & ASSOCIATES, LLC. HIPAA Privacy Policy and Procedures INTRODUCTION ELKIN & ASSOCIATES, LLC HIPAA Privacy Policy and Procedures INTRODUCTION The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations restrict a Covered Entity

More information

Statement of Policy. Reason for Policy

Statement of Policy. Reason for Policy Table of Contents Statement of Policy 2 Reason for Policy 2 HIPAA Liaison 2 Individuals and Entities Affected by Policy 2 Who Should Know Policy 3 Exclusions 3 Website Address for Policy 3 Definitions

More information

HIPAA COMPLIANCE INFORMATION. HIPAA Policy

HIPAA COMPLIANCE INFORMATION. HIPAA Policy HIPAA COMPLIANCE INFORMATION HIPAA Policy Use of Protected Health Information for Research Policy University of North Texas Health Science Center at Fort Worth Applicability: All University of North Texas

More information

Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule

Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule AA Privacy RuleP DEPARTMENT OF HE ALTH & HUMAN SERVICES USA Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule NIH Publication Number 03-5388 The HI Protecting Personal

More information

HIPAA-P06 Use and Disclosure of De-identified Data and Limited Data Sets

HIPAA-P06 Use and Disclosure of De-identified Data and Limited Data Sets HIPAA-P06 Use and Disclosure of De-identified Data and Limited Data Sets FULL POLICY CONTENTS Scope Policy Statement Reason for Policy Definitions ADDITIONAL DETAILS Web Address Forms Related Information

More information

What is Covered under the Privacy Rule? Protected Health Information (PHI)

What is Covered under the Privacy Rule? Protected Health Information (PHI) HIPAA & RESEARCH What is Covered under the Privacy Rule? Protected Health Information (PHI) Health information + Identifier = PHI Transmitted or maintained in any form (paper, electronic, forms, web-based,

More information

-1- PERSONNEL CERTIFIED / NON-CERTIFIED 4112.61/4212.61

-1- PERSONNEL CERTIFIED / NON-CERTIFIED 4112.61/4212.61 -1- HIPAA Privacy Policies The Wallingford Board of Education ("the Board" or the "Plan Sponsor") sponsors a group health plan that provides medical and dental benefits (the "Plan"). These Privacy Policies

More information

State of Florida Employees' Group Health Insurance Privacy Notice

State of Florida Employees' Group Health Insurance Privacy Notice This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully. The Health Insurance Portability and Accountability

More information

ELECTRONIC HEALTH RECORDS

ELECTRONIC HEALTH RECORDS ELECTRONIC HEALTH RECORDS Understanding and Using Computerized Medical Records CHAPTER TEN LESSON ONE Privacy and Security of Health Records Understanding HIPAA HIPAA: acronym for Health Insurance Portability

More information

THE STATE FARM INSURANCE COMPANIES GROUP HEALTH AND WELFARE PLAN FOR UNITED STATES EMPLOYEES SUMMARY PLAN DESCRIPTION. Effective January 1, 2012

THE STATE FARM INSURANCE COMPANIES GROUP HEALTH AND WELFARE PLAN FOR UNITED STATES EMPLOYEES SUMMARY PLAN DESCRIPTION. Effective January 1, 2012 THE STATE FARM INSURANCE COMPANIES GROUP HEALTH AND WELFARE PLAN FOR UNITED STATES EMPLOYEES SUMMARY PLAN DESCRIPTION Effective January 1, 2012 This document, together with the attached documents listed

More information

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY School Board Policy 523.5 The School District of Black River Falls ( District ) is committed to compliance with the health information

More information

UPMC POLICY AND PROCEDURE MANUAL

UPMC POLICY AND PROCEDURE MANUAL UPMC POLICY AND PROCEDURE MANUAL POLICY: INDEX TITLE: HS-EC1807 Ethics & Compliance SUBJECT: Honest Broker Certification Process Related to the De-identification of Health Information for Research and

More information

Connecticut Pipe Trades Health Fund Privacy Notice. 2013 Restatement

Connecticut Pipe Trades Health Fund Privacy Notice. 2013 Restatement Connecticut Pipe Trades Health Fund Privacy Notice 2013 Restatement Section 1: Purpose of This Notice and Effective Date THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED

More information

HIPAA PRIVACY FOR EMPLOYERS A Comprehensive Introduction. HIPAA Privacy Regulations-General

HIPAA PRIVACY FOR EMPLOYERS A Comprehensive Introduction. HIPAA Privacy Regulations-General HIPAA PRIVACY FOR EMPLOYERS A Comprehensive Introduction HIPAA Privacy Regulations-General The final HIPAA Privacy regulation was released on December 20, 2000 and was effective for compliance on April

More information

INDIANA UNIVERSITY SCHOOL OF OPTOMETRY HIPAA COMPLIANCE PLAN TABLE OF CONTENTS. I. Introduction 2. II. Definitions 3

INDIANA UNIVERSITY SCHOOL OF OPTOMETRY HIPAA COMPLIANCE PLAN TABLE OF CONTENTS. I. Introduction 2. II. Definitions 3 INDIANA UNIVERSITY SCHOOL OF OPTOMETRY HIPAA COMPLIANCE PLAN TABLE OF CONTENTS I. Introduction 2 II. Definitions 3 III. Program Oversight and Responsibilities 4 A. Structure B. Compliance Committee C.

More information

NOTICE OF PRIVACY PRACTICES for the HARVARD UNIVERSITY MEDICAL, DENTAL, VISION AND MEDICAL REIMBURSEMENT PLANS

NOTICE OF PRIVACY PRACTICES for the HARVARD UNIVERSITY MEDICAL, DENTAL, VISION AND MEDICAL REIMBURSEMENT PLANS NOTICE OF PRIVACY PRACTICES for the HARVARD UNIVERSITY MEDICAL, DENTAL, VISION AND MEDICAL REIMBURSEMENT PLANS THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW

More information

THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) EMPLOYEE TRAINING MANUAL

THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) EMPLOYEE TRAINING MANUAL THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) EMPLOYEE TRAINING MANUAL What is HIPAA? Comprehensive federal legislation regarding health insurance which is comprised of four key areas:

More information

NOTICE OF HIPAA PRIVACY AND SECURITY PRACTICES

NOTICE OF HIPAA PRIVACY AND SECURITY PRACTICES SCHOOL DISTRICT OF BLACK RIVER FALLS 523.5 Exhibit NOTICE OF HIPAA PRIVACY AND SECURITY PRACTICES PRIVACY NOTICE This notice describes how medical information about you may be used and disclosed and how

More information

BUSINESS ASSOCIATES [45 CFR 164.502(e), 164.504(e), 164.532(d) and (e)]

BUSINESS ASSOCIATES [45 CFR 164.502(e), 164.504(e), 164.532(d) and (e)] BUSINESS ASSOCIATES [45 CFR 164.502(e), 164.504(e), 164.532(d) and (e)] Background By law, the HIPAA Privacy Rule applies only to covered entities health plans, health care clearinghouses, and certain

More information

The privacy rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) have been

The privacy rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) have been As Appeared in Benefits Law Journal Vol. 17, No. 1, Spring 2004 HIPAA Privacy Compliance: It s Time to Take It Seriously By Russell E. Greenblatt and Jeffrey J. Bakker, Katten Muchin Zavis Rosenman 2004

More information

American Bar Association. Technical Session Between the Department of Health and Human Services and the Joint Committee on Employee Benefits

American Bar Association. Technical Session Between the Department of Health and Human Services and the Joint Committee on Employee Benefits American Bar Association Technical Session Between the Department of Health and Human Services and the Joint Committee on Employee Benefits May 6, 2008 The following notes are based upon the personal comments

More information

Schindler Elevator Corporation

Schindler Elevator Corporation -4539 Telephone: (973) 397-6500 Mail Address: P.O. Box 1935 Morristown, NJ 07962-1935 NOTICE OF PRIVACY PRACTICES FOR PROTECTED HEALTH INFORMATION THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU

More information

HIPAA POLICIES & PROCEDURES AND ADMINISTRATIVE FORMS TABLE OF CONTENTS

HIPAA POLICIES & PROCEDURES AND ADMINISTRATIVE FORMS TABLE OF CONTENTS HIPAA POLICIES & PROCEDURES AND ADMINISTRATIVE FORMS TABLE OF CONTENTS 1. HIPAA Privacy Policies & Procedures Overview (Policy & Procedure) 2. HIPAA Privacy Officer (Policy & Procedure) 3. Notice of Privacy

More information

HIPAA NOTICE OF PRIVACY FOR PERSONAL HEALTH INFORMATION

HIPAA NOTICE OF PRIVACY FOR PERSONAL HEALTH INFORMATION HIPAA NOTICE OF PRIVACY FOR PERSONAL HEALTH INFORMATION MetLife/NELICO HIPAA Privacy Notice HIPAA Notice of Privacy Practices for Personal Health Information METLIFE/NELICO This notice describes how medical

More information

The MC Academy The Employee Benefits and Executive Compensation Series. HIPAA PRIVACY AND SECURITY The New Final Regulations

The MC Academy The Employee Benefits and Executive Compensation Series. HIPAA PRIVACY AND SECURITY The New Final Regulations The MC Academy The Employee Benefits and Executive Compensation Series HIPAA PRIVACY AND SECURITY The New Final Regulations June 18, 2013 Overview Background Recent Changes to HIPAA Identifying Business

More information

MILWAUKEE ROOFERS HEALTH FUND

MILWAUKEE ROOFERS HEALTH FUND MILWAUKEE ROOFERS HEALTH FUND PRIVACY PRACTICES NOTICE October 2013 THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE

More information

SUMMARY OF GUIDE CONTENTS... 1 HIGHLIGHTS OF TAX-ADVANTAGED PLANS... 2 EMPLOYEE SALARY REDUCTION PLANS... 5

SUMMARY OF GUIDE CONTENTS... 1 HIGHLIGHTS OF TAX-ADVANTAGED PLANS... 2 EMPLOYEE SALARY REDUCTION PLANS... 5 This Guide is for informational and educational purposes only. It does not constitute legal advice or a comprehensive guide to issues to be considered by employers in establishing tax-advantaged benefits

More information

HIPAA Privacy Notice

HIPAA Privacy Notice HIPAA Privacy Notice This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully. This notice describes

More information

Professional Employer Organizations Obligations Under HIPAA A Summary

Professional Employer Organizations Obligations Under HIPAA A Summary NAPEO Legal InsightsTM Volume 2, Number 6 November 2009 Professional Employer Organizations Obligations Under HIPAA A Summary Dale R. Vlasek, Esq. Attorney McDonald Hopkins LLC Cleveland, Ohio A PEO is

More information

HIPAA RISKS & STRATEGIES. Health Insurance Portability and Accountability Act of 1996

HIPAA RISKS & STRATEGIES. Health Insurance Portability and Accountability Act of 1996 HIPAA RISKS & STRATEGIES Health Insurance Portability and Accountability Act of 1996 REGULATORY BACKGROUND Health Information Portability and Accountability Act (HIPAA) was enacted on August 21, 1996 Title

More information

Health Insurance Portability & Accountability Act (HIPAA) Compliance Application

Health Insurance Portability & Accountability Act (HIPAA) Compliance Application Health Insurance Portability & Accountability Act (HIPAA) Compliance Application IRB Office 101 - Altru Psychiatry Center 860 S. Columbia Rd, Grand Forks, North Dakota 58201 Phone: (701) 780-6161 PROJECT

More information

HIPAA NOTICE OF PRIVACY PRACTICES

HIPAA NOTICE OF PRIVACY PRACTICES HIPAA NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. Protected

More information

Privacy Notice. The Plan s duties with respect to health information about you

Privacy Notice. The Plan s duties with respect to health information about you Privacy Notice Please carefully review this notice. It describes how medical information about you may be used and disclosed and how you can get access to this information. The Health Insurance Portability

More information

Health Insurance Portability and Accountability Policy 1.8.4

Health Insurance Portability and Accountability Policy 1.8.4 Health Insurance Portability and Accountability Policy 1.8.4 Appendix C Uses and Disclosures of PHI Procedures This Appendix covers procedures related to Uses and Disclosures of PHI. Disclosures to Law

More information

HIPAA Privacy Summary for Fully-insured Employer Groups

HIPAA Privacy Summary for Fully-insured Employer Groups HIPAA Privacy Summary for Fully-insured Employer Groups I. Overview The Privacy Regulations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulate the uses and disclosures

More information

NOTICE OF PRIVACY PRACTICES. for Sony Pictures Entertainment Inc.

NOTICE OF PRIVACY PRACTICES. for Sony Pictures Entertainment Inc. NOTICE OF PRIVACY PRACTICES for Sony Pictures Entertainment Inc. [Para recibir esta notificación en español por favor llamar al número proviso en este documento.] This notice describes how medical information

More information

Notice of Privacy Practices

Notice of Privacy Practices Notice of Privacy Practices This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully. This Notice of

More information

The Health Insurance Portability and Accountability Act (HIPAA) Excerpted from the UTC IRB Policy

The Health Insurance Portability and Accountability Act (HIPAA) Excerpted from the UTC IRB Policy The Health Insurance Portability and Accountability Act (HIPAA) Excerpted from the UTC IRB Policy June 2008 Table of Contents PART V: The Health Insurance Portability and Accountability Act (HIPAA)...

More information

HIPAA Privacy Summary for Self-insured Employer Groups

HIPAA Privacy Summary for Self-insured Employer Groups I. Overview HIPAA Privacy Summary for Self-insured Employer Groups The Privacy Regulations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulate the uses and disclosures of

More information

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - De-identification of PHI 10030

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - De-identification of PHI 10030 IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - De-identification of PHI 10030 POLICY INFORMATION Major Functional Area (MFA): MFA X - Office of General Counsel & Compliance Policy

More information

HIPAA Compliance for Employers. What is HIPAA? Common HIPAA Misperception. The Penalties. Chapter I HIPAA Overview. The Privacy Regulations Why?

HIPAA Compliance for Employers. What is HIPAA? Common HIPAA Misperception. The Penalties. Chapter I HIPAA Overview. The Privacy Regulations Why? Chapter I HIPAA Overview HIPAA Compliance for Employers What is it? What is it supposed to do? Why should you care? Who does it apply to? What does it cover? Patricia C. Shea, Esq. 717.231.5870 2 What

More information

Effective April 14, 2003

Effective April 14, 2003 Effective April 14, 2003 THE BOEING COMPANY GROUP HEALTH PLANS NOTICE OF PRIVACY PRACTICES This notice describes how health plan medical information about you may be used and disclosed and how you can

More information

California State University. HIPAA Privacy Summary Manual

California State University. HIPAA Privacy Summary Manual California State University HIPAA Privacy Summary Manual As prepared by Mercer Human Resource Consulting 2003 California State University The HIPAA Privacy Summary Manual was drafted for the exclusive

More information

HIPAA NOTICE OF PRIVACY PRACTICES

HIPAA NOTICE OF PRIVACY PRACTICES HIPAA NOTICE OF PRIVACY PRACTICES Human Resources Department 16000 N. Civic Center Plaza Surprise, AZ 85374 Ph: 623-222-3532 // Fax: 623-222-3501 TTY: 623-222-1002 Purpose of This Notice This Notice describes

More information

407-767-8554 Fax 407-767-9121

407-767-8554 Fax 407-767-9121 Florida Consumers Notice of Rights Health Insurance, F.S.C.A.I, F.S.C.A.I., FL 32832, FL 32703 Introduction The Office of the Insurance Consumer Advocate has created this guide to inform consumers of some

More information

Virginia Commonwealth University Information Security Standard

Virginia Commonwealth University Information Security Standard Virginia Commonwealth University Information Security Standard Title: Scope: Data Classification Standard This document provides the classification requirements for all data generated, processed, stored,

More information

HIPAA PRIVACY POLICY FOR OPTICAL LABS TABLE OF CONTENTS. Exhibit B Notice of Privacy Practices pages B-1 to B-4

HIPAA PRIVACY POLICY FOR OPTICAL LABS TABLE OF CONTENTS. Exhibit B Notice of Privacy Practices pages B-1 to B-4 HIPAA PRIVACY POLICY FOR OPTICAL LABS TABLE OF CONTENTS HIPAA Privacy Policy pages 2 to 12 Exhibit A HIPAA Privacy Regulations pages A-1 to A-89 Exhibit B Notice of Privacy Practices pages B-1 to B-4 Exhibit

More information

CROSS, GUNTER, WITHERSPOON & GALCHUS, P.C. ATTORNEYS AT LAW LITTLE ROCK/FORT SMITH/FAYETTEVILLE

CROSS, GUNTER, WITHERSPOON & GALCHUS, P.C. ATTORNEYS AT LAW LITTLE ROCK/FORT SMITH/FAYETTEVILLE CROSS, GUNTER, WITHERSPOON & GALCHUS, P.C. ATTORNEYS AT LAW LITTLE ROCK/FORT SMITH/FAYETTEVILLE Scotty Shively sshively@cgwg.com www.cgwg.com 500 President Clinton Avenue, Suite 200 Little Rock, AR 72201

More information

ü Ensuring the privacy and security of personally identifiable health information (the Privacy and Security Rules); and

ü Ensuring the privacy and security of personally identifiable health information (the Privacy and Security Rules); and Provided by Benefits By Choice HIPAA Rules: Privacy, Security and Electronic Data Interchange The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a broad federal law regarding health

More information

NC General Statutes - Chapter 58 Article 68 1

NC General Statutes - Chapter 58 Article 68 1 Article 68. Health Insurance Portability and Accountability. 58-68-1 through 58-68-20: Repealed by Session Laws 1997-259, s. 1(a). Part A. Group Market Reforms. Subpart 1. Portability, Access, and Renewability

More information

HIPAA. HIPAA s provisions affect group health plan coverage in the following ways:

HIPAA. HIPAA s provisions affect group health plan coverage in the following ways: HIPAA The Health Insurance Portability and Accountability Act of 1996 (HIPAA) includes provisions of Federal law governing health coverage portability, health information privacy, administrative simplification,

More information

Salt Lake Community College Employee Health Care Benefits Plan Notice of Privacy Practices

Salt Lake Community College Employee Health Care Benefits Plan Notice of Privacy Practices THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. Date: June 1, 2014 Salt Lake Community College

More information

Health Insurance Portability and Accountability Act HIPAA. Glossary of Common Terms

Health Insurance Portability and Accountability Act HIPAA. Glossary of Common Terms Health Insurance Portability and Accountability Act HIPAA Glossary of Common Terms Terms: HIPAA Definition*: PHCS Definition/Interpretation: Administrative Simplification HIPAA Subtitle F It is the purpose

More information

Section C: Data Use Agreement. Illinois Department of Healthcare and Family Services. And DATA USE AGREEMENT

Section C: Data Use Agreement. Illinois Department of Healthcare and Family Services. And DATA USE AGREEMENT Section C: Data Use Agreement Illinois Department of Healthcare and Family Services And DATA USE AGREEMENT This Data Use Agreement (the Agreement ) is effective as of (the Agreement Effective Date ) by

More information

HEALTH CARE REFORM: Grandfathered Health Plans

HEALTH CARE REFORM: Grandfathered Health Plans HEALTH CARE REFORM: Grandfathered Health Plans Guidance concerning grandfathered health plan status was issued on June 17, 2010, by the Departments of Labor, Treasury and Health and Human Services with

More information

Notice of Privacy Practices. Human Resources Division Employees Benefits Section

Notice of Privacy Practices. Human Resources Division Employees Benefits Section Notice of Privacy Practices Human Resources Division Employees Benefits Section THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

More information

SURA/JEFFERSON SCIENCE ASSOCIATES, LLC COMPREHENSIVE HEALTH AND WELFARE BENEFIT PLAN. Amended and Restated

SURA/JEFFERSON SCIENCE ASSOCIATES, LLC COMPREHENSIVE HEALTH AND WELFARE BENEFIT PLAN. Amended and Restated SURA/JEFFERSON SCIENCE ASSOCIATES, LLC COMPREHENSIVE HEALTH AND WELFARE BENEFIT PLAN Amended and Restated Effective June 1, 2006 SURA/JEFFERSON SCIENCE ASSOCIATES, LLC COMPREHENSIVE HEALTH AND WELFARE

More information

Health Insurance Portability and Accountability Act. Policies and Procedures Compliance Manual. Human Resources. Ferris State University

Health Insurance Portability and Accountability Act. Policies and Procedures Compliance Manual. Human Resources. Ferris State University Health Insurance Portability and Accountability Act Policies and Procedures Compliance Manual Human Resources Ferris State University Introduction to Ferris State University s HIPAA Privacy Policies and

More information

DETAILED NOTICE OF PRIVACY AND SECURITY PRACTICES OF THE Trustees of the Stevens Institute of Technology Health & Welfare Plan

DETAILED NOTICE OF PRIVACY AND SECURITY PRACTICES OF THE Trustees of the Stevens Institute of Technology Health & Welfare Plan DETAILED NOTICE OF PRIVACY AND SECURITY PRACTICES OF THE Trustees of the Stevens Institute of Technology Health & Welfare Plan THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED

More information

Chapter 91. Regulation 68 Patient Rights under Health Insurance Coverage in Louisiana

Chapter 91. Regulation 68 Patient Rights under Health Insurance Coverage in Louisiana D. A copy of the certification form shall be maintained by the insurer and by the producing agent or broker in the policyholder's record for a period of five years from the date of issuance of the insurance

More information

NOTICE OF PRIVACY PRACTICES

NOTICE OF PRIVACY PRACTICES NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW THIS NOTICE OF PRIVACY PRACTICES

More information

Winthrop-University Hospital

Winthrop-University Hospital Winthrop-University Hospital Use of Patient Information in the Conduct of Research Activities In accordance with 45 CFR 164.512(i), 164.512(a-c) and in connection with the implementation of the HIPAA Compliance

More information

Memorandum. Factual Background

Memorandum. Factual Background Memorandum TO: FROM: SUBJECT: Chris Ianelli and Jill Mullan, ispecimen, Inc. Kristen Rosati and Ana Christian, Polsinelli, PC ispecimen Regulatory Compliance DATE: January 26, 2014 You have asked us to

More information

Member s Name First M.I. Last Dependent s Name (if enrolling in Medicare) First M.I. Last

Member s Name First M.I. Last Dependent s Name (if enrolling in Medicare) First M.I. Last Oklahoma State and Education Employees Group Insurance Board A Division of the Office of State Finance APPLICATION FOR MEDICARE SUPPLEMENT WITH PART D Member ID # *MCENRL* Phone ( ) Member s Name First

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the "Agreement") is made and entered into this day of,, by and between Quicktate and idictate ("Business Associate") and ("Covered Entity").

More information

NLRG PARTNERING WITH YOU ON TRENDS AND BEST PRACTICES TO SUPPORT YOUR HUMAN RESOURCES INITIATIVES COBRA ADMINISTRATION: AN EMPLOYER GUIDE

NLRG PARTNERING WITH YOU ON TRENDS AND BEST PRACTICES TO SUPPORT YOUR HUMAN RESOURCES INITIATIVES COBRA ADMINISTRATION: AN EMPLOYER GUIDE NLRG PARTNERING WITH YOU ON TRENDS AND BEST PRACTICES TO SUPPORT YOUR HUMAN RESOURCES INITIATIVES COBRA ADMINISTRATION: AN EMPLOYER GUIDE COBRA ADMINISTRATION: AN EMPLOYER GUIDE TABLE OF CONTENTS SECTION

More information