An Employer s Introduction to HIPAA Prepared by Ballard, Rosenberg Golper & Savitt, LLP

Transcription

1 An Employer s Introduction to HIPAA Prepared by Ballard, Rosenberg Golper & Savitt, LLP Important Disclaimer: Practice limited to labor and employment law on behalf of management and related litigation. Ballard Rosenberg Golper & Savitt, LLP has prepared these materials to enable you to learn more about our firm and the services it provides. These materials do not, and are not intended to, constitute legal advice. The information we make available does not create an attorney-client relationship, nor does it substitute for obtaining legal advice 2004 Ballard Rosenberg Golper & Savitt, LLP. No part of this site may be reproduced without permission. 1

2 An Employer s Introduction to HIPAA I. What is HIPAA? Health Insurance Portability and Accountability Act of 1996 ( HIPAA ). The HIPAA Privacy Rule creates national standards to protect individuals medical records and other personal health information by giving individuals more control over their health information, setting boundaries on the use and release of health records, establishing safeguards to protect the privacy of health information and holding violators accountable if they violate individuals privacy rights. II. Who's Covered? The HIPAA Privacy Rule specifically applies to the following covered entities : (1) Health plans [including insured or self-insured group health plans- group health plans HMO s - any other welfare benefit plans or other arrangements that provide healthcare benefits for two or more employees - Section 125 Flexible Spending Accounts/Healthcare Reimbursement Plans, Dental and/or Vision Plans, and Employee Assistance Plans (other than referral-only programs)]; (2) Healthcare clearinghouses [such as billing services or healthcare management organizations]; and (3) Healthcare providers who conduct certain financial and administrative translations electronically. Even though employers are not considered covered entities, the Privacy Rule has a significant impact on employers. The only employer-sponsored group health plans that are not covered by this definition of covered entities are those plans that are self-insured and self-administered and that have 49 or fewer participants. III. What is PHI? What is SHI? Protected Health Information (or PHI ): HIPAA requirements apply to the use and disclosure of protected health information. Health information is protected if: It is created or received by a provider, health plan, employer, or health care clearinghouse; It relates to the physical or mental health or condition of an individual, at any time, past, present or future (and includes information related to payment of health benefits); It identifies an individual or can be used to identify the individual; and It is in the possession or control of a covered entity (including a group health plan). Disclosure of PHI: In very general terms, a group health plan may use PHI internally or disclose it externally only under the limited circumstances and for the specific purposes permitted by the Privacy Rule. Otherwise, group health plans may use or disclose PHI only with the permission of the individual who is the subject of the PHI. Even where the HIPAA allows disclosure of PHI without the employee's permission, the group health plan must satisfy the "minimum necessary" requirement of the statute by limiting the amount of PHI used or disclosed to the minimum amount of information necessary to satisfy the request. Examples of permitted uses or disclosures include: 2

3 To the individual that is the subject of the PHI For payment and health care operations activities To a service provider with whom the group health plan has a business associate agreement For judicial and administrative proceedings For law enforcement purposes As required by law For public health activities About victims of abuse, neglect, or domestic violence Summary Health Information : Summary Health Information ( SHI ) is information that plan sponsors can use for certain settlor functions, such as amending the plan benefits or obtaining bids for health insurance coverage. To qualify as SHI, the health information must be in summary form. Thus, it summarizes the claims history, claims expenses, or type of claims experienced by individuals in the plan. Additionally, the SHI must have following elements removed: Names All dates (except year) Telephone and fax numbers Social security numbers Health plan beneficiary numbers Certificate/license numbers All geographic units small than a state (except for 5 digit zip codes) All ages over 89 addresses Medical record numbers Account numbers IV. HIPAA and Employers A. Impact of HIPAA on Employment Practices: Under the HIPAA Privacy Rule, covered entities may not use or disclose an individual s protected health information other than for treatment, payment or healthcare operations, to anyone (including employers) unless the individual authorizes the disclosure. The authorization requirement applies in almost every situation where an employer communicates directly with a covered entity (e.g., the employer s group health plan or an employee s physician) to obtain health information about an employee for employment purposes. Thus, in each and every situation in which an employer would like detailed (protected) medical information about an employee, the company should ask the employee to complete an authorization, and should keep a copy of that authorization in the employee s file. The HIPAA Privacy Rule also suggests that one general authorization for all purposes is not sufficient. A separate authorization is necessary for each event. Authorizations are not required if the employee voluntarily brings medical information (i.e., a doctor s note) to the employer. as well. Note: Compliance with HIPAA may not be enough. There may also be state privacy requirements B. Limited Involvement Employers: Employers falling into the following categories of limited involvement will have minimal HIPAA Privacy Rule compliance obligations: 3

4 (1) Employers who sponsor a fully-insured plan, and receive only SHI (information stripped of all identifying information) from the plan for obtaining premium bids or modifying, amending, or terminating the plan; (2) Employers who sponsor a fully-insured plan, and receive PHI (individually identifiable information) from the plan for the limited purpose of performing enrollment and disenrollment activities, including payroll deductions; or (3) Employers who sponsor a fully-insured plan, and receive protected health information from the plan, based on a valid authorization, to assist employees with claims. If the employer receives only summary health information from its fully-insured health plan and uses that information only for the limited purposes described above, the employer should be able to rely primarily on the plan's insurer to meet the compliance burden as plan sponsor. If the company receives more information or uses summary health information for purposes beyond shopping the plan or amending it, its faces a much more complex compliance burden. Even if a group health plan is fully insured, all businesses must still comply with state confidentiality laws. For example, in California, businesses must comply with the Confidentiality of Medical Information Act ( CMIA ). C. Employers as Sponsors of Self-Insured Plans - Plan Sponsors Who Use PHI for Purposes Beyond Those Limited Purposes Employers who become active in the decision-making process or administration of a health plan, or play integral roles in operating or controlling the provisions of health coverage, will have extensive obligations in their role as plan sponsors. To disclose PHI to the plan sponsor, a group health plan must obtain assurances from the plan sponsor that its applicable plan documents restrict the use and disclosure of that information as required by the Privacy Rule. The Plan documents must be amended to include numerous requirements outlined in HIPAA. In accordance with the detailed compliance procedures for more actively involved employers, a Notice of Privacy Practices must be posted in a prominent area and distributed to employees. D. Plans Exempt from HIPAA HIPAA s Privacy Rule does not cover life, disability, accidental death and dismemberment, or workers compensation insurance. A company s group health plan is covered by the HIPAA Privacy Rules unless it has fewer than 50 participants and it is self-administered. E. Identifying the HIPAA Compliance Burden for Group Health Plans 1. Compliance Burden Factors The extent to which a group health plan must comply with the HIPAA privacy requirements depends on three factors: (1) whether the health plan is self-insured or fully insured, (2) whether the plan sponsor receives PHI or SHI, and (3) how the plan sponsor utilizes SHI. Fully Insured Plan - If all of the health benefits under a group health plan are provided solely through an insurance contract with a health insurer or HMO, the plan is considered a "fully insured" plan. 4

5 Self-Insured Plan - If some or all of the health benefits under a group health plan are self-insured, the group health plan will be considered a "self-insured" plan. NOTE: A flexible spending account ("FSA") is a self-insured health benefit. Thus, most FSA's are subject to the HIPAA Privacy Rule. If a group health plan is fully insured but includes an FSA, the employer's entire health plan will be considered "self-insured" and subject to the "self-insured" HIPAA compliance requirements described below. Most Employee Assistance Programs ( EAP s ) are also subject to HIPAA s Privacy Rule. Referral only EAP s are an exception. 2. Group Health Plan Compliance Burdens If the plan sponsor of a fully insured group health plan receives SHI from the group health plan solely to modify, amend, or terminate the health plan or to obtain bids from other health insurance companies, the group health plan has a reduced compliance burden. For example, it does not have to provide the Privacy Notice or appoint a privacy officer. It does, however, have to negotiate a Business Associate Contract with its third party service providers. If the plan sponsor of a fully insured group health plan receives SHI from the group health plan not only to modify, amend, or terminate the health plan or to obtain bids from other health insurance companies, but also for other plan functions, the group health plan will have to amend its plan documents and negotiate a Business Associate Contract with its third party service providers. If the plan sponsor of a self-insured group health plan receives SHI from the group health plan only to modify, amend, or terminate the health plan or to obtain bids from other health insurance companies, the group health plan will not have to amend its plan documents, but will have to: Distribute a Notice of Privacy Practices Negotiate a Business Associate Contract with its third party service providers Establish policies and procedures to restrict the use and disclosure of PHI Appoint a privacy official Create a complaint mechanism procedure and document compliance procedure. If the plan sponsor of a self-insured group health plan receives SHI from the group health plan not only to modify, amend, or terminate the health plan or to obtain bids from other health insurance, but also for other plan functions OR If the plan sponsor of a fully insured or self-insured group health plan receives PHI from the group health plan, the group health plan will have to: Amend its plan documents Negotiate a Business Associate Contract with its third party service providers Distribute a Notice of Privacy Practices Establish policies and procedures to restrict the use and disclosure of PHI Appoint a privacy official Create a complaint mechanism procedure and document compliance procedure 5

6 F. HIPAA s Impact on Employers Use of Health Information 1. Identifying Who Receives Health Information Under HIPAA, a company's group health plan is considered a separate entity from the company as the employer. To help conceptualize how the Privacy Rule operates, consider the company as having two distinct roles for purposes of HIPAA: (1) its role as the employer and (2) its role as the company's group plan sponsor. COMPANY COMPANY GROUP HEALTH PLAN Employer Plan Sponsor Health Insurance/HMO's, FSA, EAP, etc. Under the Privacy Rule, a group health plan can disclose PHI to the plan sponsor for certain purposes such as plan administration if the requirements of the Privacy Rule are met, but it cannot disclose PHI to the employer without the employee's authorization. Further, the group health plan cannot disclose PHI to the plan sponsor for the purpose of employment related actions or decisions or in connection with any other benefit or employee benefit plan of the plan sponsor. To ensure compliance with the Privacy Rule, every time an employer receives or uses health information about an employee, the employer should determine whether it is using it in its role as the employer or plan sponsor. As explained below, the distinction between the company/employer and the company/plan sponsor is especially important when the employer receives medical information about an employee that is unrelated to the group health plan. For example, if a company receives health information regarding an employee for reasons related to employment actions such as leave requests, drug testing, or fitness-for-duty exams, the company must ensure that it receives the information in its role as the employer. Further, the employer must maintain that health information separate from any PHI it maintains as the plan sponsor. 2. Privacy Rule s Effect on Compliance with Other Federal Employment Laws (e.g., FMLA, ADA, Title VII, Rehab Act) Employers often receive medical information about their employees unrelated to their employer-sponsored health benefits. For example, employers might need medical information to substantiate a requested accommodation under the Americans with Disabilities Act ( ADA ). The Privacy Rule should not affect an employer s ability to receive the necessary medical information. Whenever an employer receives medical information relating to is FMLA, ADA, Title VII, etc., compliance, it should ask whether it is receiving the information from an employee or medical provider in its role as employer, or instead, is receiving the information from the group health plan it is role as employer, or instead, is receiving the information from the group health plan in its role as plan sponsor. If it is receiving the medical information in its role as employer, then the information is not protected by the Privacy Rule. 3. Privacy Rule s Impact On the Use and Disclosure of Health Information Collected for Purposes of Drug Testing, Pre-Employment Physicals, and Fitness for Duty Examinations The medical information collected for these purposes, once received by the employer, is not subject to the Privacy Rule s protections. It is not received by the employer or its plan sponsor from the group health plan. Instead, it is received by the employer from a medical professional who conducted the exam at the employer s request. The medical professional is likely a covered entity under the Privacy Rule. This means that before the medical professional releases the information to the employer, the individual whose medical information is at issue must sign an authorization permitting the disclosure. Because employees may refuse to voluntarily sign an authorization, employers may condition employment on the signing of an appropriate authorization form. 6

7 G. Business Associates HIPAA s protections extend to business associates with whom private health information is shared. Business associates are persons or entities that: (1) perform some of the functions or activities of a covered entity that involve the use or disclosure of protected health information on behalf of a covered entity, or (2) provide services to a covered entity, i.e. an accounting firm with access to protected health information, a health care clearinghouse, or an attorney whose services involve access to protected health information, or (3) create or receive protected health information on behalf of the group health plan. The Privacy Rule requires satisfactory assurances from a business associate that the business associate will appropriately safeguard protected health information. These assurances take the form of required contract language. The Privacy Rule does not require group health plans to monitor their business associates. The group health plan does, however, have responsibilities if it learns of a material breach by one of its business associates. H. Right to An Accounting A participant or beneficiary, or the participant s or beneficiary s personal representative has a right to an accounting of his or her protected health information. Group health plans must include disclosures of PHI for the six years preceding the request unless the participant or beneficiary requests disclosures fro a period of less than six years. Group health plans do not have to include disclosures made prior to the effective date of the Privacy Rule. I. Deadlines The deadline for compliance with HIPAA's Privacy Rule was April 14, HIPAA allows "small health plans," defined as health plans having annual receipts (i.e., claims paid) of $5 million or less, an additional year, or until April 14, 2004, to come into compliance. A small health plan is one that collects less than $5 million annually. A fully insured plan that collects premiums of less than $5 million in the plan=s last full fiscal year is a small health plan and, if not self-administered, or if more than 50 participants are covered, is subject to HIPAA as of April 14, The HIPAA privacy rule contains five necessary responsibilities for a small health plan to meet by the April 14 th deadline. Plans must: (1) Provide information to participants about their privacy rights and how their information can be used (2) Adopt clear privacy procedures (3) Train all employees in the plan=s privacy procedures (4) Designate an individual to be held responsible for enforcing privacy procedures (5) Secure all patient records and individually identifiable health information 7

8 J. Potential HIPAA Liabilities Civil fines Criminal fines Imprisonment HIPAA imposes civil and criminal penalties for failing to comply with the Privacy Rule. Penalties begin at $100 per violation, up to a maximum of $25,000. Criminal penalties apply for a deliberate offense, as in intent to sell protected health information, ranging from $50,000 to $250,000 and from one to ten years in prison. 8