HIPAA PRIVACY AND EDI RULES
- Buddy Hicks
The Health and Human Services (HHS) issued final HIPAA privacy regulations on August 14, These rules govern how individually identifiable medical information must be protected. HIPAA also requires national standards for electronic health care transactions, code standards, and national identifiers for healthcare plans, providers and clearinghouses. The intent of these standards is to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange (EDI) in health care. Finally, HIPAA requires that security standards be established for the protection of electronic health information. Final rules implementing these standards are expected to be issued later this year.

Following is a brief overview of the HIPAA privacy rules and EDI rules that may impact plan sponsors, plan administrators, and health plans.

WHAT SHOULD AN EMPLOYER DO?

1. Determine plans subject to the HIPAA privacy rules (see Section I-A and B, Covered Entities, on page 1).
2. Determine plans subject to the EDI rules (see Section I-A and B, Covered Entities, on page 1 and Section III, Overview of EDI Rules, on page 8). Determine whether the insurer or third party administrator (TPA) is handling the EDI transactions, including the extension request, for the health plan. Is an EDI extension necessary, and if so, has one been requested by the insurer or TPA? (see Section III-B, Compliance Date, on page 8).
3. Determine what PHI you will receive (see Section II-A, Protected Health Information, on page 2).
4. Determine your obligation with each health plan, i.e., plan sponsor or plan administrator (see Section II-D, Employer Functions, on page 2).
5. Determine your role with each type of health plan that you sponsor (see Section II-G, Employer Obligations by Employer Role/Plan Type, on page 7).
6. Determine employees involved in health plan functions and provide privacy training to these employees, if required (see Section II-E(4), Privacy Training, on page 4).
7. Determine vendors who will receive PHI (see Section II-E(3), Business Associate Agreements, on page 4).

I. COVERED ENTITIES

Entities covered by the HIPAA privacy and EDI rules include health care providers, health care clearinghouses, and health plans.

A. TYPES OF PLANS SUBJECT TO HIPAA PRIVACY AND EDI RULES

Health plans subject to the HIPAA privacy and EDI rules are individual and group health plans, including:

1. Insured and self-funded health plans, such as comprehensive medical plans, dental plans, vision plans, employee assistance plans, and flexible spending accounts (FSAs)
2. Multiple employer welfare arrangements (MEWAs)
3. Long-term care policies
4. Government plans, such as the Federal Employees Health Benefit Program, CHAMPUS, Medicare, Medicaid, and the Indian Health Service Program
5. State high-risk pools
B. PLANS EXEMPT FROM HIPAA PRIVACY AND EDI RULES

Self-administered health plans with fewer than 50 participants are exempt from the HIPAA privacy rules. For this purpose, participant means an employee, excluding dependents. The under-50 participant plan exception would primarily apply to flexible spending accounts that are administered by the employer. It is important to note that if a plan wraps multiple components into one plan, such as disability, life, etc., those components otherwise exempt from HIPAA would become subject to HIPAA.

II. OVERVIEW OF HIPAA PRIVACY RULES

A. PROTECTED HEALTH INFORMATION

Protected health information (PHI) includes any individually identifiable medical information maintained in any form, including oral communications, that:

1. Is created or received by a covered entity or employer;
2. Relates to an individual's physical or mental condition, the provision of health care services to such individual, or the payment for such health care services; or
3. Identifies the individual or creates a reasonable basis to believe that such information could be used to identify the individual.

B. DISCLOSURE OF PHI

The final regulations do provide some limited disclosure of PHI to plan sponsors for plan operation purposes. Specifically, enrollment and disenrollment information can be disclosed to the plan sponsor, even though it is PHI. Enrollment and disenrollment information includes such components as: names of participants and covered dependents, covered plan choices, and premium amounts. In addition, PHI can be disclosed to business associates or other health plans, such as insurers or HMOs, for purposes of obtaining proposals, or for otherwise placing the business.

C. EMPLOYMENT RECORDS

Medical information received for employment purposes, and not for health plan purposes, is not PHI. This means that medical information that an employer receives relating to pre-employment physicals, drug tests, fitness-for-duty information, medical information for FMLA purposes, etc., is not subject to the HIPAA privacy rules, though other confidentiality requirements may govern how this information must be handled.

D. EMPLOYER FUNCTIONS

1. Plan Sponsorship includes:
   a. Plan establishment
   b. Plan amendment, modification, and termination
   c. Enrollment and disenrollment in the plan
   d. Marketing the plan
2. Plan Administration includes:
   a. Plan operation activities, such as claims assistance, claims processing, plan audits, quality assurance
   b. Other operational functions

E. HIPAA ADMINISTRATIVE REQUIREMENTS

A covered entity must establish policies and procedures that are regularly followed to ensure protection of PHI. Steps to be taken include:

1. Appoint a Privacy Officer
   a. Designate a privacy officer responsible for developing and implementing privacy policies and procedures to ensure compliance with HIPAA.
   b. Designate a contact person for privacy inquiries and complaints. This person can be the privacy officer.

2. Privacy Policy

Prepare a written notice of your privacy policies and procedures, i.e., a privacy policy. The privacy policy should describe the types of uses and disclosure of PHI by the covered entity. This privacy policy can be designed in a manner such that a short summary policy is followed by a more detailed explanation of the entity's privacy practices.

   a. Contents of Privacy Policy. Elements of a privacy policy include:
      1. A required header: "This Notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully."
      2. A description of the types of uses and disclosures by the covered entity for purposes of treatment, payment and health care operations.
      3. A description of other purposes for which the covered entity is permitted or required to use or disclose PHI without the individual's authorization, including any use or disclosure that is prohibited or materially limited by other applicable law.
      4. A statement that other uses or disclosures will be made only with the individual's written authorization.
      5. A statement that the group health plan or HMO may disclose PHI to the plan sponsor, if applicable.
      6. A statement of the individual's rights regarding PHI (see Rights of Individuals in Section II-F on page 6).
      7. A statement that the covered entity is required to maintain the privacy of PHI and provide individuals with notice of its legal duties and privacy practices.
      8. A statement that the covered entity has the right to change the terms of its privacy policy and how it will notify individuals of any change.
      9. A statement that individuals may complain to the Secretary of HHS if they believe their privacy rights have been violated and include a description of how to file a complaint.
      10. The name and telephone number of the person or office to contact for further information.
   b. Distributing Privacy Policy
      1. The privacy policy must be provided to participants upon:
         A. The applicability date of the HIPAA privacy rules (see Section II-I, Applicability Date, on page 7), or, if later,
         B. The date the individual becomes covered under the plan.
      2. Every three years thereafter, the covered entity must give participants notice of the right to obtain the entity's privacy policy.
      3. In addition, the privacy policy must be distributed within 60 days of any material change in the privacy policy.
      4. ELECTRONIC DISTRIBUTION
         A. A covered entity that maintains a website that contains customer service or benefit information must post its privacy notice on its website, and make a copy of the policy available through the website.
         B. A privacy policy can be delivered electronically to individuals, as long as certain conditions are satisfied.

3. Business Associate Agreements

Enter into business associate agreements with service providers, including third party administrators (TPAs), premium administrators, accountants, attorneys, consultants, utilization review entities and any other entity that engages in a function governed by HIPAA, or having access or using PHI. The intent of this provision is to ensure that business associates would likewise provide safeguards to PHI. The final privacy rules include sample contract language that can be used in business associate agreements. It is important for entities to carefully review this sample language to ensure its appropriateness in respect to the business associate relationship.

According to the final regulations, if a written agreement exists between the health plan and the business associate prior to October 15, 2002, and if that agreement is not modified prior to April 14, 2003, the business associate agreement need not be formally entered into until the earlier of the date the agreement between the parties is modified, or, April 14, Nevertheless, both the covered entity and the business associate must comply with the spirit of the HIPAA privacy rules. This means that individually identifiable medical information must be protected. Only those with specific business reasons relating to the medical information may have access to the PHI.

4. Privacy Training

Provide privacy training to all members of your workforce who would have access to PHI, including employees and non-employees. The initial training must be completed by the date on which the privacy rules become applicable to the covered entity (see applicability date, below). After that date, a covered entity would have to provide training to new members of the workforce within a reasonable time after joining the entity. In addition, when a covered entity makes a material change in its privacy policy or procedure, it is required to retrain those members of the workforce whose duties are affected by the change, within a reasonable time of making the change.

Training Certification. Upon completion of the training, the trainee is required to sign a statement certifying that he/she received the privacy training and would honor all of the entity's privacy policies and procedures. Each workforce member is required to sign a new statement every three years certifying that he/she would continue to honor the entity's privacy policies. Such certification is kept by the entity to document compliance with the privacy training provisions.

5. Implement Administrative, Technical and Physical Safeguards of PHI

These might include firewalls to protect electronic data, locked file cabinets or other storage for paper records, shredding records that are no longer necessary, and limiting access to those who have a need to know.

6. Amend Plan Document to ensure confidentiality, and provide certification to the insurer that it agrees to certain terms and conditions in the use and disclosure of PHI including:
   a. Not using or disclosing PHI other than as permitted or required by the plan document, or by law. It must also ensure that any of its agents or subcontractors to whom the sponsor provides PHI will likewise agree to the same restrictions.
   b. Not using or disclosing PHI for employment-related actions.
   c. Providing an accounting of its disclosures, and report any inconsistent uses or disclosures of PHI.
   d. Providing individuals access to their PHI.
   e. Returning or destroying all PHI when no longer needed.
   f. Ensuring appropriate firewalls have been established for protecting PHI.

7. Individual's Right to Inspect, Review and Copy PHI. Establish a procedure that allows individuals to review and make changes to his/her PHI (see Section II-F, Rights of Individuals, on page 6).

8. Develop Policies and Authorization Forms for Obtaining Participant Authorization to Release PHI.

If PHI is used for purposes of payment, treatment or health plan operations, then a written authorization to release PHI is not required. However, if PHI is used for other purposes, such as releasing information to an employer, managing other benefit plans not subject to HIPAA, such as disability plans, or for marketing or disease management activities, then a written authorization must be obtained from the individual to release such information.

Contents of a Valid Authorization. Elements of a valid authorization include:
   a. Description of the information to be used or disclosed, and the purpose for its use or disclosure.
   b. Name or other identification of the party releasing the information, as well as identifying the party requesting the information.
   c. Expiration date of the authorization.
   d. Signature of the individual and date.
   e. A statement regarding the individual's right to revoke the authorization.

Covered entities are prohibited from conditioning payment, treatment, or enrollment and eligibility for benefits upon the individual's signing the authorization.

9. Review Current Record Retention Policies. The HIPAA record retention requirement provides that records must be kept for six years from the later of: 1) the date it was created, or 2) the date it is last affected. ERISA generally requires that records be kept six years beyond the year of creation (seven years). A good rule of thumb is that records be kept for seven years.

10. Establish a Complaint Process for individuals to make complaints concerning the covered entity's privacy policies and procedures.

11. Establish Sanctions for Violation of Privacy Policies and Procedures. A covered entity must have appropriate sanctions against members of its workforce who fail to comply with its privacy policies and procedures.

12. Establish a Mitigation Policy. A covered entity must mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of PHI in violation of its policies and procedures by the covered entity, or by its business associate.

13. Establish a Non-Retaliation Policy. A covered entity may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against an individual who:
   a. Exercises his/her privacy rights.
   b. Files a complaint.
   c. Participates in an investigation or compliance review.
   d. Opposes an entity's privacy policy if he/she has a good faith belief that it is unlawful.

14. Establish a Non-Waiver of Rights Policy. A covered entity cannot require individuals to waive their right to file a complaint as a condition for treatment, payment, enrollment in a health plan, or eligibility for benefits.

F. RIGHTS OF INDIVIDUALS

Under the HIPAA privacy rules, individuals have the following rights relating to PHI:

1. Right to receive a copy of the entity's privacy policy.
2. Right to access, inspect, and copy an individual's PHI contained in a designated record set. A designated record set means a group of records maintained by, or for a covered entity, that is:
   a. The medical records and billing records about individuals maintained by a covered health care provider;
   b. The enrollment, payment, claims adjudication, and case or medical management record systems maintained by a health plan; or
   c. Used, in whole or in part, by or for the covered entity to make decisions about individuals.
3. Right to request amendment of incomplete information in a designated record set.
4. Right to an accounting of disclosure of PHI.
5. Right to request restrictions on disclosure of PHI.
6. Right to file a complaint with HHS or health plan.

G. EMPLOYER OBLIGATIONS BY EMPLOYER ROLE/PLAN TYPE

TYPE OF PLAN FUNCTION INFORMATION OBLIGATIONS Fully Insured Fully Insured Self-funded All administrative requirements in Sections II-E(1)-(14) except: 1. Amending the plan document [Section II-E(6)] 2. Providing compliance certification to group health plan [Section II-E(6)]. Self-funded Plan Sponsor Only Plan Sponsor/Plan Administrator Plan Sponsor Only Plan Sponsor/Plan Administrator Receives summary health information only Receives PHI Receives summary health information only Receives PHI 1. Non-waiver of rights [Section II-E(14)] 2. Non-retaliation in administrative functions. [Section II-E(13)] Insurer accomplishes all other administrative functions described above in Sections II-E(1)-(12). 1. All administrative requirements in Sections II-E(1)-(14) 2. Rights of individuals [Section II-F] 1. All administrative requirements in Sections II-E(1)-(14). 2. Rights of individuals [Section II-F]

H. INTERPLAY WITH STATE PRIVACY LAWS

The HIPAA privacy rules are designed to enhance the protections afforded by many existing state privacy laws. Therefore, the federal privacy rules will preempt state law to the degree of greater protection of privacy. Conversely, federal law is superseded if a state privacy law provides more stringent privacy provisions.

I. APPLICABILITY DATE OF PRIVACY RULES

The rules become applicable on April 14, Small plans have until April 14, 2004 to comply with the rules. A small health plan is a plan with $5 million or less in annual receipts. This is determined as follows:

- For an insured plan, annual receipt is determined by premiums paid in the preceding fiscal year.
- For a self-funded plan, this means claims paid in the preceding fiscal year.
- If the employer has a combined insured and self-funded plan, the employer adds premium and claims paid to determine receipts.
- If stop loss insurance is held by the employer and not by the plan to reimburse the employer for its expenses, it would appear that the premium for the stop loss insurance would not be included in the calculation of annual receipt.

III. OVERVIEW OF EDI RULES

A. ESTABLISHMENT OF NATIONAL STANDARDS

The EDI rules govern electronic transactions between health plans (as defined in Section I-A on page 1), providers, and health care clearinghouses. Examples of administrative and financial health care transaction standards include:

1. Health claims and equivalent encounter information
2. Enrollment and disenrollment in a health plan
3. Eligibility for a health plan
4. Health care payment and remittance advice
5. Health plan premium payments
6. Health claim status
7. Referral certification and authorization
8. Coordination of benefits

A health plan that neither currently engages, nor in the future intends to engage, in electronic transactions would not be subject to these rules.

B. COMPLIANCE DATE

All health plans (as defined in Section I-A on page 1) must comply with the EDI rules by October 16, 2002, unless:

1. The plan is a small health plan (as defined in Section II-I on page 7), or,
2. A compliance extension is filed with the Centers for Medicare & Medicaid Services (CMS) no later than October 15, The extension is a simple, non-binding questionnaire that can be filed electronically through the CMS Web site (

IV. PENALTIES FOR HIPAA PRIVACY AND EDI VIOLATIONS

Health plans, providers and clearinghouses that violate the privacy or EDI standards could be subject to civil penalties of $100 per incident, up to $25,000 per person, per year, per standard. Criminal penalties, including fines and imprisonment, may also be imposed.

The information contained in this document is not intended to be legal, accounting, or other professional advice, nor are these comments directed to specific situations.
More informationHIPAA RISKS & STRATEGIES. Health Insurance Portability and Accountability Act of 1996
HIPAA RISKS & STRATEGIES Health Insurance Portability and Accountability Act of 1996 REGULATORY BACKGROUND Health Information Portability and Accountability Act (HIPAA) was enacted on August 21, 1996 Title
More informationCity of Pittsburgh Operating Policies. Policy: HIPAA Privacy Policies Original Date: 1/2005 and Procedures Revised Date: 3/22/2010
City of Pittsburgh Operating Policies Policy: HIPAA Privacy Policies Original Date: 1/2005 and Procedures Revised Date: 3/22/2010 PURPOSE: To establish internal policies and procedures to ensure compliance
More informationHIPAA PRIVACY AND SECURITY FOR EMPLOYERS
HIPAA PRIVACY AND SECURITY FOR EMPLOYERS Agenda Background and Enforcement HIPAA Privacy and Security Rules Breach Notification Rules HPID Number Why Does it Matter HIPAA History HIPAA Title II Administrative
More informationNotice of Privacy Practices
Notice of Privacy Practices This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully. This Notice of
More informationThere are three sections to HIPAA the Privacy Rule, the Security Rule, and the Transaction Rule.
Introduction This course is on the federal HIPPA rule. HIPAA is the Health Insurance Portability and Accountability Act. It is the federal rule that sets standards for the protection of health information.
More informationJanuary 2003. Employers must be prepared for their obligations under the HIPAA Privacy Rules
Employer Sponsored Group Health Plans and the HIPAA Privacy Rules Employers must be prepared for their obligations under the HIPAA Privacy Rules January 2003 Bob Radecki KnowHIPAA.com HIPAA-COBRA-FMLA
More informationHealth Information Privacy Refresher Training. March 2013
Health Information Privacy Refresher Training March 2013 1 Disclosure There are no significant or relevant financial relationships to disclose. 2 Topics for Today State health information privacy law Federal
More informationHIPAA PRIVACY POLICY FOR OPTICAL LABS TABLE OF CONTENTS. Exhibit B Notice of Privacy Practices pages B-1 to B-4
HIPAA PRIVACY POLICY FOR OPTICAL LABS TABLE OF CONTENTS HIPAA Privacy Policy pages 2 to 12 Exhibit A HIPAA Privacy Regulations pages A-1 to A-89 Exhibit B Notice of Privacy Practices pages B-1 to B-4 Exhibit
More informationELECTRONIC HEALTH RECORDS
ELECTRONIC HEALTH RECORDS Understanding and Using Computerized Medical Records CHAPTER TEN LESSON ONE Privacy and Security of Health Records Understanding HIPAA HIPAA: acronym for Health Insurance Portability
More informationThe privacy rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) have been
As Appeared in Benefits Law Journal Vol. 17, No. 1, Spring 2004 HIPAA Privacy Compliance: It s Time to Take It Seriously By Russell E. Greenblatt and Jeffrey J. Bakker, Katten Muchin Zavis Rosenman 2004
More informationGraphic Communications National Health and Welfare Fund. Notice of Privacy Practices
Notice of Privacy Practices Section 1: Purpose of This Notice and Effective Date THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.
More informationHIPAA Compliance Review
HIPAA Compliance Review For HR and IT Presented by: Linda Railton, PHR HR Consultant Leavitt Group linda.railton@leavitt.com Discussion Points HIPAA Final Rule (effective March 26, 2013) Overview of HIPAA
More informationHIPAA PRIVACY AND SECURITY STANDARDS CITY COMPLIANCE
Important: Conducting an assessment of your health plan(s) is the first step to determining HIPAA compliance. You will need to conduct a separate assessment for each of your health plans. (Please be aware
More informationPolicies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification
Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Type of Policy and Procedure Comments Completed Privacy Policy to Maintain and Update Notice of Privacy Practices
More informationHIPAA FOR HUMAN RESOURCE EXECUTIVES. Stuart Miller, Esq. Gerry Hinkley, Esq. Davis Wright Tremaine LLP
HIPAA FOR HUMAN RESOURCE EXECUTIVES Stuart Miller, Esq. Gerry Hinkley, Esq. Davis Wright Tremaine LLP 1 COVERED ENTITY ANALYSIS Determine if employer is a Covered Entity (health care provider, health plan
More informationHeather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com
Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually
More informationHIPAA NOTICE OF PRIVACY PRACTICES
HIPAA NOTICE OF PRIVACY PRACTICES Human Resources Department 16000 N. Civic Center Plaza Surprise, AZ 85374 Ph: 623-222-3532 // Fax: 623-222-3501 TTY: 623-222-1002 Purpose of This Notice This Notice describes
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the "Agreement") is made and entered into this day of,, by and between Quicktate and idictate ("Business Associate") and ("Covered Entity").
More informationThe California State University
The California State University HR 2004-22 PRIVACY NOTICE This notice describes how medical information about you may be used and disclosed and how you can access this information. Please review it carefully.
More informationThe Basics of HIPAA Privacy and Security and HITECH
The Basics of HIPAA Privacy and Security and HITECH Protecting Patient Privacy Disclaimer The content of this webinar is to introduce the principles associated with HIPAA and HITECH regulations and is
More informationHIPAA Policy, Protection, and Pitfalls ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS
HIPAA Policy, Protection, and Pitfalls Overview HIPAA Privacy Basics What s covered by HIPAA privacy rules, and what isn t? Interlude on the Hands-Off Group Health Plan When does this exception apply,
More informationEntities Covered by the HIPAA Privacy Rule
Entities Covered by the HIPAA Privacy Rule Who Is A Covered Entity? HIPAA standards apply only to: Health care providers who transmit any health information electronically in connection with certain transactions
More informationHIPAA - - Basic Concepts and Implementation Roadmap
HIPAA - - Basic Concepts and Implementation Roadmap Prepared by: David Weiner dweiner@seyfarth.com Fredric Singerman fsingerman@dc.seyfarth.com Today s Agenda n Introduction of HIPAA Privacy and Electronic
More informationADMINISTRATIVE REQUIREMENTS OF HIPAA
ADMINISTRATIVE REQUIREMENTS OF HIPAA Policy: The University of Connecticut will comply with all administrative requirements of the Health Insurance Portability and Accountability Act. Rationale: To maintain
More informationIMPACT to EMPLOYER / PLAN SPONSOR of HIPAA PRIVACY
IMPACT to EMPLOYER / PLAN SPONSOR of HIPAA PRIVACY As the Plan Sponsor/Employer you must contend with yet another federal requirement on your group health plans: the "Health Insurance Portability and Accountability
More informationBROWN RUDNICK BERLACK ISRAELS LLP. Group Health Plan Compliance with HIPAA and ERISA: NAVIGATING THE LEGAL AND
B R B I BROWN RUDNICK BERLACK ISRAELS LLP Group Health Plan Compliance with HIPAA and ERISA: NAVIGATING THE LEGAL AND ADMINISTRATIVE MAZE Q&A 2003 QUESTION AND ANSWER RESOURCE GUIDE Group Health Plan Compliance
More informationCHAPTER 7 BUSINESS ASSOCIATES
CHAPTER 7 BUSINESS ASSOCIATES I. GENERAL RULE DMH may disclose Protected Health Information (PHI) to a Business Associate or allow it to create or receive PHI on DMH's behalf only if DMH obtains satisfactory
More informationHIPAA Compliance And Participation in the National Oncologic Pet Registry Project
HIPAA Compliance And Participation in the National Oncologic Pet Registry Project Your facility has indicated its willingness to participate in the National Oncologic PET Registry Project (NOPR) sponsored
More informationUniversity Healthcare Physicians Compliance and Privacy Policy
Page 1 of 11 POLICY University Healthcare Physicians (UHP) will enter into business associate agreements in compliance with the provisions of the Health Insurance Portability and Accountability Act of
More informationHIPAA BUSINESS ASSOCIATE AGREEMENT
HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ("BA AGREEMENT") supplements and is made a part of any and all agreements entered into by and between The Regents of the University
More informationEffective April 14, 2003
Effective April 14, 2003 THE BOEING COMPANY GROUP HEALTH PLANS NOTICE OF PRIVACY PRACTICES This notice describes how health plan medical information about you may be used and disclosed and how you can
More informationSDC-League Health Fund
SDC-League Health Fund 1501 Broadway, 17 th Floor New York, NY 10036 Tel: 212-869-8129 Fax: 212-302-6195 E-mail: health@sdcweb.org NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION
More informationChief Privacy Officer Christian Brothers Services 1205 Windham Parkway Romeoville, IL 60446-1679 cpo@cbservices.org 800-807-0100
Summary of Notice of Privacy Practices for Christian Brothers Prescription Drug Program Christian Brothers Services is the program sponsor of the Christian Brothers Prescription Drug Program (the Program
More informationWhat is HIPAA? The Health Insurance Portability and Accountability Act of 1996
What is HIPAA? The Health Insurance Portability and Accountability Act of 1996 BASIC QUESTIONS AND ANSWERS What Does HIPAA do? Creates national standards to protect individuals' medical records and other
More informationHIPAA Privacy Compliance Manual
HIPAA Privacy Compliance Manual AgriPlan BizPlan COBRAToday DirectPay FlexSystem MAPP PHiEd 1 Purpose of this Manual This publication provides authoritative and accurate information regarding requirements
More informationHIPAA Privacy Notice
HIPAA Privacy Notice This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully. This notice describes
More informationNOTICE OF PRIVACY PRACTICES for the HARVARD UNIVERSITY MEDICAL, DENTAL, VISION AND MEDICAL REIMBURSEMENT PLANS
NOTICE OF PRIVACY PRACTICES for the HARVARD UNIVERSITY MEDICAL, DENTAL, VISION AND MEDICAL REIMBURSEMENT PLANS THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW
More informationC.T. Hellmuth & Associates, Inc.
Technical Monograph C.T. Hellmuth & Associates, Inc. Technical Monographs usually are limited to only one subject which is treated in considerably more depth than is possible in our Executive Newsletter.
More informationConnecticut Pipe Trades Health Fund Privacy Notice. 2013 Restatement
Connecticut Pipe Trades Health Fund Privacy Notice 2013 Restatement Section 1: Purpose of This Notice and Effective Date THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED
More informationHIPAA: Coverage and Implementation Issues (Focus on EDI and Privacy)
HIPAA: Coverage and Implementation Issues (Focus on EDI and Privacy) Robyn A. Meinhardt, RN, JD October 16, 2000 First National HIPAA Summit Washington, D.C. What This Presentation Will Address New Definitions
More informationHIPAA 101. March 18, 2015 Webinar
HIPAA 101 March 18, 2015 Webinar Agenda Acronyms to Know HIPAA Basics What is HIPAA and to whom does it apply? What is protected by HIPAA? Privacy Rule Security Rule HITECH Basics Breaches and Responses
More informationHIPAA and the HITECH Act Privacy and Security of Health Information in 2009
HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 What is HIPAA? Health Insurance Portability & Accountability Act of 1996 Effective April 13, 2003 Federal Law HIPAA Purpose:
More informationCovered Entity Charts
Covered Entity Charts Guidance on how to determine whether an organization or individual is a covered entity under the Administrative Simplification provisions of HIPAA 2 Background: The Administrative
More informationBENCHMARK MEDICAL LLC, BUSINESS ASSOCIATE AGREEMENT
BENCHMARK MEDICAL LLC, BUSINESS ASSOCIATE AGREEMENT This BUSINESS ASSOCIATE AGREEMENT ( Agreement ) dated as of the signature below, (the Effective Date ), is entered into by and between the signing organization
More informationBusiness Associate Agreement Involving the Access to Protected Health Information
School/Unit: Rowan University School of Osteopathic Medicine Vendor: Business Associate Agreement Involving the Access to Protected Health Information This Business Associate Agreement ( BAA ) is entered
More informationThe benefits you need... from the name you know and trust
The benefits you need... Privacy and Security Best at Practices the price you can afford... Guide from the name you know and trust The Independence Blue Cross (IBC) Privacy and Security Best Practices
More informationCompliance Alert. New requirement for health plans: HIPAA Health Plan Identifier (HPID) August 29, 2014
Compliance Alert New requirement for health plans: HIPAA Health Plan Identifier (HPID) August 29, 2014 Quick Facts: Health plans need to obtain a unique health plan identifier number (HPID). For insured
More informationState of Nevada Public Employees Benefits Program. Master Plan Document for the HIPAA Privacy and Security Requirements for PEBP Health Benefits
State of Nevada for the Requirements for PEBP Health Benefits Plan Year 2016 July 1, 2015 June 30, 2016 www.pebp.state.nv.us (775) 684-7000 Or (800) 326-5496 Amendments Amendment Log Any amendments, changes
More informationGenworth Life Insurance Company Genworth Life Insurance Company of New York NOTICE OF PRIVACY PRACTICES
Genworth Life Insurance Company Genworth Life Insurance Company of New York NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN
More informationHealth Insurance Portability and Accountability Act (HIPAA)
Health Insurance Portability and Accountability Act (HIPAA) General Education Presented by: Bureau of Personnel Department of Health Department of Human Services Department of Social Services Bureau of
More informationHIPAA NOTICE OF PRIVACY PRACTICES
HIPAA NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW YOUR MEDICAL INFORMATION MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. This HIPAA Notice
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ) by and between OUR LADY OF LOURDES HEALTH CARE SERVICES, INC., hereinafter referred to as Covered Entity, and hereinafter referred
More information