HIPAA Compliance for Employers. What is HIPAA? Common HIPAA Misperception. The Penalties. Chapter I HIPAA Overview. The Privacy Regulations Why?

Transcription

1 Chapter I HIPAA Overview HIPAA Compliance for Employers What is it? What is it supposed to do? Why should you care? Who does it apply to? What does it cover? Patricia C. Shea, Esq What is HIPAA? The Privacy Regulations Why? Health Insurance Portability and Accountability Act of Standards for Privacy of Individually Identifiable Health Information proposed 1999; final August 14, Security & Electronic Signature Standards final February 20, 2003 (physical/technological requirements to secure protected health information) 3. Electronic Transactions & Code Set Standards final (requirement for conducting designated electronic transactions involving protected health information) 1. Address inconsistent or nonexistent state laws regarding standards of privacy for patient data 2. Address inconsistent or nonexistent state laws regarding patient s rights regarding their data 3. Address the exponential increase in availability and scope of patient data 3 4 Common HIPAA Misperception The Penalties HIPAA applies only to doctors, hospitals, and insurance companies. Civil ($100 per violation, capped at $25,000 per year). Criminal (from $5,000 to $250,000 and/or 1 to 10 years in jail) Potential for Private lawsuits 5 6

2 HIPAA Applies to Health Plans include Covered Entities HMOs Indemnity insurers Health care providers (e.g., doctors) who transmit health information electronically Health care clearinghouses Health plans Group health plans, that are: - Fully insured or self insured; and - Have 50 or more participants; OR - Administered by an entity other than the employer that established and maintains the plan 7 8 Health Plans include What is Covered? An employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers Any other individual or group plan, or combination of individual or group plans, that provides or pays for the cost of medical care Protected Health Information (PHI) (i) (ii) (iii) Individually identifiable health information that is (see next slide) Transmitted by electronic media; Maintained in any electronic medium; or (iv) Transmitted or stored in any other form or medium; and (v) Is not excluded What is covered? (cont) Exclusions Individually identifiable health information (i) Information created or received; (ii) Relates to past, present, or future physical/mental health condition, treatment or payment for care of the individual (iii) Identifies the individual (iv) Reasonable basis to identify the individual Individually identifiable health information in: (i) Education records covered by the Family Educational Right and Privacy Act; and (ii) Records described at 20 USC 1232(a)(4)(B)(iv) (iii) Employment records held by a covered entity in its role as an employer

3 General Rule of HIPAA Use means Covered entities may not use or disclose protected health information unless the Privacy Regulations permit or require them to do so. With respect to individually identifiable health information, the sharing, employment, application, utilization, examination or analysis of such information within an entity that maintains such information Disclosure means Goal for Employers The release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information. 1. Know when the HIPAA General Rule applies to the operations of a group health plan; 2. Know the corresponding requirements; 3. Know the boundaries of the requirements Chapter II HIPAA & Group Health Plans Step 1: Identify the plans. Step 1: Identify the applicable health plans. Step 2: Determine the employer s role(s) with respect to each plan. Step 3: Identify the key characteristic of each plan. Step 4: Determine the corresponding HIPAA requirements for each plan. Step 5: Implement the corresponding HIPAA requirements for each plan. HIPAA Privacy Rule Applies To: 1. Medical plans 2. Dental plans 3. Vision plans 4. Employee assistance plans 5. Etc

4 Step 1: Identify the plans (cont) Step 1: Identify the plans (cont) HIPAA Privacy Rule Does Not Apply To: 1. Accident or disability income insurance or any combination thereof 2. Coverage to supplement liability insurance 3. Liability insurance, including general liability insurance and auto liability insurance 4. Workers compensation insurance 5. Auto medical payment insurance 6. Coverage for on site medical clinics 7. Other similar insurance coverage, under which benefits for medical care are secondary or incidental to other insurance benefits. Flexible spending accounts??? Step 2: Determine the employer s role(s). Step 2: Determine the employer s role(s). Plan Sponsor establish plan; amend plan; terminate plan; facilitate enrollment and disenrollment; obtain premium insurance bids (i) employer when the plan is established or maintained by a single employer (ii) in the case of a plan established or maintained by two or more employers or jointly by one or more employers and one or more employee organizations, the association, committee, joint board of trustees or other similar group of representatives of the parties who establish or maintain the plan ; 42 USC 1002(16)(B) Plan Administrator performs aspects of plan operations including claims assistance; quality assurance; auditing; monitoring; management; claims processing; claims payment (i) the person specifically so designated by the terms of the instrument under which the plan is operated; (ii) if an administrator is not so designated, the plan sponsor. 42 USC 1002(16)(A) Caution: Step 3: Identify plan characteristics. It is easy to slip from a plan sponsor role into a plan administrator role. Fully insured or self funded? Who administers it? How many participants in the plan? What is the annual amount of receipts for the plan? Who receives protected health information regarding the plan? From where? How does the plan use protected health information? 23 24

5 Step 3: Identify plan characteristics (cont). Step 3: Identify plan characteristics (cont). Beware of Protected Health Information: 1. Plan Administrators use or disclose protected health information to perform the plan administration functions. 2. Plan Sponsors may receive protected health information that they do not use or need. (i) Do you really need the information? (ii) Can summary health information work? Start thinking about Firewalls. Means of safeguarding the protected health information (operationally and physically) Identifying the employees or classes of employees who will have access to protected health information; Restricting access solely to the employees identified and only for the functions performed on behalf of the Plan. (See Administrative Requirements Checklist) The Two Key Variables: 1. What role does the employer play with respect to the health plan? 2. What information must the employer use and disclose in carrying out these roles? See Plan Sponsor Checklist. 1. Comply with HIPAA administrative requirements. 2. Amend Plan documents. 3. Provide Plan certification that Plan documents have been amended. 4. Prepare and/or provide Notice of Privacy Practices. 5. Enter into agreements with business associates HIPAA Administrative Requirements Designate privacy officer Establish other policies Train workforce Establish documentation policy Establish safeguards Establish non-waiver of rights Establish complaint process policy Establish sanctions policy Establish mitigation policy Establish non-retaliation policy See Administrative Requirements Checklist (i) (ii) (iii) Amend Plan Documents Not to use or further disclose other than as permitted by plan or required by law; Ensure that agents, etc., that plan provides PHI regarding the plan agree to the same restrictions that apply to the sponsor Not use PHI for employment-related actions or in connection with any other benefit or employee benefit plan of the plan sponsor

6 Amend the Plan Documents (iv) Report inconsistent uses and disclosures to the plan of which the sponsor may become aware (v) Provide individuals with access to their PHI (vi) Provide the information necessary to provide an accounting (vii) Make internal practices, books, records and policies and procedures available to the Secretary of the HHS to determine plan s compliance with HIPAA requirements Amend the Plan Documents (viii) If feasible, return or destroy all PHI received from the group health plan and retain no copies (ix) Ensure that there is adequate separate between the group health plan and the plan sponsor (f)(2)(ii) Certify the Fact of the Amendments To the Plan Prepare Notice of Privacy Practices 1. Understand how the Plan will use and disclose protected health information before preparing the notice. 2. Include the specified items identified in the regulations. See Notice of Privacy Practices Requirements Checklist Think About the Notice of Privacy Practices 1. The Plan will probably have to create policies and procedures in addition to the administrative requirements policies to address the information that must be included in the Notice. 2. Examples: Individual s right for an accounting Individual s right to inspect Individual s right to amend, etc. Business Associates 1. Identify them. 2. Execute agreements with them. 3. Monitor them

7 perform or assist a covered entity (e.g., the Plan) in performing a function or activity involving the use or disclosure of individually identifiable health information Business Associates must provide satisfactory assurances that they will safeguard the information, by: Using the information only for the intended purpose (e.g., health care operations) Safeguard the information Assist with providing individuals with access to the protected health information Step 5: Implementation. Time is Running Out 1. Draft the necessary policies and procedures. 2. Train personnel. 3. Amend plan documents and provide certification, as necessary. 4. Prepare and/or provide the Notice of Privacy Practices. 5. Create the physical firewalls. 6. Document everything. Compliance Date = April 2003 Small Plans = April