Client Advisory Seminar Series - Lockton Companies

Post on 18-Jul-2020


Tuesday, April 15, 2014

Presented by:

Elizabeth E. Vollmar, J.D.

Compliance Services, Lockton Benefit Group

Client Advisory Seminar Series Spring Semester 2014 HIPAA Privacy and Security Refresher Training

Click the Lockton Logo to Access the Presentation

PLEASE NOTE:

The audio portion of this presentation will be broadcast through your PC.

Please DO NOT attempt to dial-in to the webcast on your telephone.

Haven’t Received Your Handouts Yet?

Some spam filters intercept messages sent from our group mail server. If you have not yet received your handouts, please e-mail Shannon Hopfinger and we’ll send a copy of the handouts to you in an individual e-mail.

Shopfinger@lockton.com

Questions?

You may submit questions using the Q&A box on your computer screen.

Please wait until we near the end of the presentation—or leave the topic to which your question pertains—before submitting your question.

CEUs?

This presentation has been pre-approved for 1.5 general recertification credit hours toward PHR, SPHR and GPHR recertification through the HR Certification Institute (HRCI).

Please contact LBGHelp@lockton.com for the program ID number to use when requesting recertification credits through the HRCI website.

To be eligible to receive credit, you must log on individually so that your attendance may be verified.


Agenda

Why are we doing HIPAA training?

Overview of HIPAA requirements

Entities subject to HIPAA

Information HIPAA protects

Requirements for health plans

Enforcement environment

Compliance strategies

PPACA changes to EDI rules


Why HIPAA Training?


Federal regulations require periodic privacy and security training for staff who may have access to confidential medical information under the employer’s health plan

Training on HIPAA requirements

Training on the specific plan’s policies and procedures for HIPAA compliance

Stiff penalties can apply for non-compliance

No training required for staff who do not need to access confidential medical information under the health plan

But training may help them prevent problems arising from use or disclosure of confidential medical information under the health plan

HIPAA Training Overview


“Administrative Simplification”

HIPAA’s five components:

Portability*

Nondiscrimination (including wellness)*

Privacy (including breach notification)

Data security

EDI**

* We will not discuss

** We will briefly discuss

HIPAA Training Overview


HIPAA Privacy and Security Basics

Privacy

Covered entities may not access, use or disclose protected health information (PHI) except as required or permitted under HHS rules

For permissible purposes specified in regulations, subject to several limitations

As the individual to whom it relates specifically authorizes in writing

To the individual to whom it relates (mandatory, in some cases)

As HHS requests (mandatory)

Many administrative and documentation requirements, including policies and procedures, organizational documents, processes for exercise of individual rights

Violations of privacy rules may trigger breach notifications to those whose information was affected


HIPAA Privacy and Security Basics

Security

Covered entities must implement reasonable safeguards to protect the confidentiality, integrity and availability of electronic PHI (ePHI)

Security management process determines safeguards

Many administrative and documentation requirements, including policies and procedures and organizational documents


The Entities and Plans to Which HIPAA Applies


HIPAA privacy and security rules and regulations apply to “covered entities”

Healthcare providers*

Healthcare clearinghouses*

Healthcare plans

Includes insurance carriers issuing health insurance policies**

Includes plans established by employers that provide virtually any health benefits

For HIPAA purposes, employer plans are treated as separate entities from the sponsoring employer

NOT employers (unless the employer is a healthcare provider)

* We will not discuss

** We will discuss only as related to employer-sponsored health plans


Entities Subject to HIPAA

Health plans include employer-sponsored –

Medical, dental, vision, EAPs, health FSAs, HRAs, long-term care, wellness, executive physical programs

Insured and self-insured healthcare plans

Contributory, non-contributory, voluntary, major medical, limited medical, ERISA, and non-ERISA healthcare plans

Plans exempt from HIPAA:

Narrow exception for small, self-insured, self-administered programs (fewer than 50 eligible employees or retirees)

On-site clinics are not health plans, but may be providers

STD/LTD, workers’ compensation, life insurance, and retirement plans

Although the health information they receive/use remains highly confidential (other confidentiality requirements apply)


Information that HIPAA Protects


Protected Health Information (PHI)

What information does HIPAA protect?

Health information

Past, present, or future physical or mental health (including genetic information)

Provision of health care

Past, present or future payment for health care

If the information can be tied back to an individual

And if the information is created or received by an employer or a covered entity

Almost all information a health plan uses is PHI

Includes claims payment information (e.g., EOBs and claim reports)

Includes enrollment and participation information (subject to an exception for employers’ use of enrollment information)


Protected Health Information (PHI)

Not ALL individualized health information gets protected—only the information that moves through the healthcare plans

FMLA leave requests

Sick leave requests

Pre-employment screens

Workers’ compensation claims

Return to work notes

STD or LTD applications or claims

Life insurance applications

Anecdotal information and gossip

BUT, when it comes to securing individualized health information, keep it all “top secret”


Does it really matter if confidential information is not PHI?

Plan participants cannot sue (yet) under HIPAA, and the HIPAA enforcement environment (via CMS) is rather benign vis-à-vis health plans

But ramping up…and

Under the law, state attorneys general may sue…

But participants CAN sue to enforce terms of employer-sponsored plan, which must include privacy and security protections if employer receives PHI or e-PHI

Protected Health Information (PHI)


Does it really matter?

So, when it comes to securing individualized health information, from whatever source, keep it all “top secret”

It is an easier approach to apply

May supply some protection against state law problems

But it is also helpful, or comforting, to know that HIPAA’s reach is limited, so we don’t need to sweat the many “HIPAA hassles” with respect to non-PHI

Protected Health Information (PHI)


HIPAA’s Requirements for Health Plans


Health Plan Requirements

Self-insured plans (e.g., HRAs, FSAs, but not HSAs) are subject to the full array of HIPAA requirements

Insured plans: whether the full array of rules applies to an employer with a fully insured plan depends on whether the sponsor can keep “hands off” the plan’s PHI

If “hands off,” can rely on insurer for most compliance duties

Exceptions –

Enrollment information

De-identified information and summary health information

Information disclosed under an authorization

However, it is not always easy to do so . . .

Wellness programs

Internal payment process

Handling requests for claims assistance


Health Plan Requirements

HIPAA requirements for health plans

Privacy and security official(s)

Privacy and security policies and procedures

Security gap analysis and documentation

Firewalls

Training

Administrative procedures and forms

Document retention and recordkeeping requirements

Individuals’ rights with respect to their PHI

Business associate agreements

Privacy notice

Notification duties if breach results in unpermitted use or disclosure of unsecured PHI


Business Associates

“Business associate” is an entity that performs services for the health plan that involve the use of PHI

Examples include TPA, wellness vendor, broker/consultant, etc.

Regulations require that health plans enter into written contracts with business associates

HHS regulations dictate content of agreement (BAA)

Plan sponsor (employer) and its staff are never a business associate with respect to the employer’s own health plan

But plan document must include provisions imposing similar standards


Business Associates

Rules relating to content of business associate agreements changed September 23, 2013

But, a special rule for BAAs in place on January 25, 2013

If not renewed or modified between March 26, 2013 and September 23, 2013, required amendments delayed until September 23, 2014

Or, if earlier, the date the agreement is renewed or modified on or after 09/23/2013


Privacy Notices


Privacy Notice

Requirements for privacy notice distribution

Distributed at enrollment

Reissued within 60 days of a material change

Electronic delivery OK if person consents

Privacy notice reminder required every three years

Best practice is to distribute annually with open enrollment materials


Breach Notification Requirements


HIPAA Breach Notification Requirements

Notification requirements for breaches of unsecured PHI

Definition of “breach”

Any impermissible acquisition, access, use, or disclosure of PHI is a breach unless the health plan demonstrates that there is a low probability that the PHI has been “compromised” (undefined)

Examples of breaches can include errant e-mails, EOBs, and theft of unencrypted laptops or storage devices, including thumb drives

Documented risk assessment for each potential breach that includes –

Nature and extent of PHI involved, including identifiers and chances of re-identification

Unauthorized person who used the PHI or to whom the disclosure was made

Whether PHI was acquired or viewed

The extent to which the risk to the PHI has been mitigated


HIPAA Breach Notification Requirements

General rule

Plan must provide notice without unreasonable delay and within 60 days of discovery

Notice requirements vary depending on the number affected and ability to find them

Exceptions

Secured = Encrypted or destroyed per HHS requirements

Encryption: Convert data to code requiring a password or key to decipher

Practical advice: encrypt, encrypt, encrypt!

Other exceptions to breach notification requirements may apply, but don’t rely on them


HIPAA Breach Notification Requirements

HIPAA breach notice overview and decision tree

Was there PHI involved?

Was it “unsecured”?

Was there a use or disclosure of the PHI in violation of the HIPAA privacy rules?

Is there a low probability that the protected health information has been compromised?

Is the breach otherwise forgiven (under the “incidental” exceptions)?

Common health plan issues

Wrongful disclosure of PHI

Mailing EOBs to wrong addresses

Theft of laptops, flash drives, PDAs or other hardware containing PHI


HIPAA: Enforcement Environment


Enforcement

Penalties for noncompliance

Civil and criminal actions may be brought by HHS to enforce privacy rules

If HHS fails to act, State AGs may bring civil suits

Health plans and business associates also subject to periodic audits by HHS


Enforcement

Penalties for noncompliance

$100 per violation if person does not know of the violation, up to $25,000 per year for identical violations

$1,000 per violation due to reasonable cause, up to $100,000 per year for identical violations

$10,000 per violation due to willful neglect, up to $250,000 per year for identical violations

$50,000 per violation due to willful neglect where the entity did not correct the problem, up to $1.5 million per year for identical violations


Enforcement

Factors HHS will weigh in determining penalty amounts:

The number of individuals affected

The time period during which the violation occurred

The nature and extent of the harm resulting from the violation, including whether the violation caused –

Physical harm

Financial harm

Reputational harm

Hindrance of an individual's ability to obtain healthcare

History of prior compliance or noncompliance with the HIPAA rules

Whether financial difficulties affected the ability to comply

Whether the imposition of a civil money penalty would jeopardize the ability of the health plan or business associate to continue to provide, or to pay for, healthcare


Compliance Strategies


Keep it simple (that is, practical)

With respect to information received from or in connection with a health plan, assume it’s PHI, think “Top Secret”

Also assume it’s ePHI, unless spoken in person or hand-written

Use or disclose only as permitted by plan’s policies and procedures

Authorization = HIPAA magic

None of the restrictions apply so long as within the authorization terms

Consider using an authorization whenever an employee asks for assistance

Compliance Strategies


“TPO”

Under HIPAA, plans may use and disclose PHI for treatment, payment, and operations, without authorization

Only the “minimum necessary” PHI for the purpose may be used or disclosed

If disclosing, need to ensure that recipient is entitled to receive PHI for the stated purpose

Compliance Strategies


TPO = Plan purposes for use or disclosure of PHI

Employer (plan sponsor) may only use or disclose PHI as plan permits

Plan may only permit employer to use or disclose for plan administration functions

Only designated employees may access PHI for plan administration functions

Designated employees must be identified in plan document (plans typically do this by referring to job titles)

All other employees need to be walled off from accessing PHI

Compliance Strategies


Keep it simple (that is, practical)

What do the restrictions require?

For each use or disclosure of health plan information, can you cite a valid purpose?

Plans rarely have treatment purposes

Consider what information is needed for the purpose

Can any identifiers be omitted?

Does the identity of a participant matter?

Who are you providing PHI to?

Ensure there are reasonable barriers between the information in your custody, and those who do not have a need to see it—think “defensively”

Compliance Strategies


The practicalities

Acquiring information

Paper, electronic, telephonic, etc.

Where and how received?

What do you do with it when you receive it?

Compliance Strategies


The practicalities

Using information

Paper, electronic, telephonic, etc.

Where and how used?

Who do you share it with internally; how, when, where, and why?

How readily may someone view the information on your desk, computer screen, other location?

Compliance Strategies


The practicalities

Storing information

Paper, electronic, voice mail, etc.

Where and how stored?

Passwords and user IDs must be secure

Paper should be locked up

ePHI should be saved to secure file location

Laptops should be encrypted and tethered under lock and key; keep key separate; avoid maintaining ePHI (including in e-mails) on laptop’s hard drive unless absolutely necessary

Be VERY careful using other portable e-storage devices for storing PHI

Loss of a PDA means any information accessible through it is compromised; use phone locks, etc.

Delete unneeded voice mail, e-mails, etc.

Compliance Strategies


The practicalities

Transmitting information

Paper, electronic, voice mail, etc.

Know who you’re sending it to, and know their authority to receive it

How best to transmit paper?

How best to transmit electronically?

Password-protect files

Encrypt e-mails

What is being archived, and where?

From where do you place sensitive telephone calls?

Compliance Strategies


The practicalities

Disposing of information

Paper, electronic, voice mail, etc.

Shredding, trashing, deleting

Be careful of electronic storage devices (is the data really deleted?)

Compliance Strategies


The practicalities

When things go wrong

Notify plan’s privacy official, security official or both immediately

They will want to take immediate and aggressive remedial action

“Get the cows back in the barn” if possible

Compliance Strategies


HIPAA and Health Reform


Health Reform and HIPAA

PPACA expands requirements for electronic data interchange (EDI)

Unique health plan identifiers: Must obtain by November 5, 2014, with one year delay for small plans ($5M or less in annual receipts)

All plans must use the HPID in standard transactions beginning November 7, 2016 (no delay for small plans)

“Controlling health plans” are required to obtain an HPID

Appears to include employer-sponsored health plans

Certification of compliance for various electronic transactions required from controlling health plans by December 31, 2015


Questions?


Our Mission

To be the worldwide value and service leader in insurance brokerage, employee benefits, and risk management

Our Goal

To be the best place to do business and to work

www.lockton.com

© 2013 Lockton, Inc. All rights reserved.

Images © 2013 Thinkstock. All rights reserved.