For a copy of the following presentation, please visit our website at www.UBAbenefits.com. Go to the Wisdom tab and

then to the HR webinar series page.

This UBA Employer Webinar Series is brought to you by United Benefit Advisorsin conjunction with Jackson Lewis

2

United Benefits Advisors:HIPAA Privacy and Security – New Obligations Are Coming

Presented by:Kathleen Barrow, Esq. barrowk@jacksonlewis.com

Joseph Lazzarotti, Esq., CIPP/USlazzarottij@jacksonlewis.com

April 9, 2013

3

About the Firm

Represents management exclusively in every aspect of employment, benefits, labor, and immigration law and related litigation

Over 700 attorneys in 49 locations nationwide

Current caseload of over 5,000 litigations and approximately 300 class actions

Founding member of L&E Global

Disclaimer

This presentation provides general information regarding its subject and explicitly may not be construed as providing any individualized advice concerning particular circumstances. Persons needing advice concerning particular circumstances must consult counsel concerning those circumstances.  Indeed, health care reform law is highly complicated and it supplements and amends an existing expansive and interconnected body of statutory and case law and regulations (e.g., ERISA, IRC, PHS, COBRA, HIPAA, etc.).  The solutions to any given business’s health care reform compliance and design issues depend on too many varied factors to list, including but not limited to, the size of the employer (which depends on complex business ownership and employee counting rules), whether the employer has a fully-insured or self-funded group health plan, whether its employees work full time or part time, the importance of group health coverage to the employer’s recruitment and retention goals,  whether the employer has a collectively-bargained workforce, whether the employer has leased employees, the cost of the current group health coverage and extent to which employees must pay that cost, where the employer/employees are located, whether the employer is a religious organization, what the current plan covers and whether that coverage meets minimum requirements, and many other factors. 

IRS Circular 230 disclosure: Any tax advice contained in this communication (including any attachments or enclosures) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or (ii) promoting, marketing or recommending to another party any transaction or matter addressed in this communication. (The foregoing disclaimer has been affixed pursuant to U.S. Treasury regulations governing tax practitioners.)

4

5

Legal / Compliance- HIPAA- FCRA- GLBA

- State law- Litigation

- International

H.R. - Information about employees* Hiring

* Testing

* Monitoring

* Record retention

- Ensuring compliance by employees

Workplace Privacy Concerns

- Smart phones- Social media- Email

- E-commerce- Vendors- Customers- COPPA- Data breach

- Confidentiality- Trade secrets- Policies- Agreements- Whisleblowing

I.T.

- Passwords

- Data security

- Firewalls

- Technology

HIPAA – A Brief Refresher

What is the Health Insurance Portability and Accountability Act (HIPAA)?o Nondiscrimination

o Portability

o Fraud and Abuse

o Administrative Simplification

What are key aspects of “Administrative Simplification”?o Privacy and security standards

o Transaction code sets

6

HIPAA – A Brief Refresher

How do the privacy and security standards interact with state law?o They provide a federal floor for health information protection that

supersedes any contrary provision of state law

o State laws are not preempted if they conflict with HIPAA and are more “stringent” – more protective

What is the basic principle under HIPAA?o Covered Entities that possess . . .

o individually identifiable information related to an individual’s health care, or provision or payment for health care. . .

o cannot be used or disclosed except under specified circumstances, and must be safeguarded.

7

HIPAA – A Brief Refresher

Who/what is a covered entity under HIPAA?o Most Healthcare Providers – those that transmit health

information in electronic form in connection with certain covered transactions

o Health Plans

o Health Care Clearinghouses

o No Jurisdiction Over “Employers”

What health plans are covered?o Medical, dental, vision, HRA, HFSA, EAP, many LTC plans

o Remember on-site health clinics, even though not “plans”

8

HIPAA – A Brief Refresher

What plans are NOT covered?o Disability, workers compensation, fixed indemnity LTC,

stop-loss/reinsurance policies

o Self-administered health plans with fewer than 50 participants

What is protected health information?o Information created or received by covered entity or employer

o Relating to individual’s past, present or future

• Physical or mental health or condition or

• Provision of health care or

• Payment for health care

o That does or reasonably could identify the individual

9

HIPAA – A Brief Refresher

What is NOT Protected Health Information?

o Medical information collected or maintained in connection with employer obligations under law (wearing your “employer hat”)

• FMLA, ADA , Sick Leave Requests

• Occupational Injury

• Disability Insurance Eligibility

• Drug Screening Results

• Workplace Medical Surveillance

• Fitness-For-Duty Tests

o Focus on WHY employer acquired the information10

HIPAA – A Brief Refresher

What is a Use?o The sharing, employment, application, utilization, examination,

or analysis of information within the entity maintaining the information.

What is a disclosure?o The release, transfer, provision of, access to, or divulging in any

other manner of information outside the entity holding the information.

11

HIPAA – A Brief Refresher

When can a plan use and disclose PHI?o General rule – not unless permitted under HIPAA

o Key exceptions

• Individual, and pursuant to his/her authorization

• Plan sponsor and business associates

• Inadvertence

• Treatment, payment, health care operations

• Judicial and administrative proceedings

• Workers compensation

• HHS

• Whistleblowers

12

HIPAA – A Brief Refresher

What if a situation does not fall into an exception?o Authorization is needed

What are the required elements for an authorization?o Specific and meaningful description of information

o Identify person or class of persons authorized to make the disclosure, and that will use or receive it

o Purpose of the disclosure, and no compound authorizations

o Expiration date or specified event to terminate the authorization

o Notice of right to revoke and how to do so

o Notice of the potential for subsequent disclosure and loss of protection

o Date and signature of the individual

13

HIPAAFully insured v. Self funded

What do plans (plan sponsors) need to consider when addressing compliance with HIPAA privacy and security?o Fully insured plan exception v. self-funded plans

o Privacy rules

o Security rules

14

HIPAAFully insured v. Self funded

Do fully insured plans have the same requirements as self funded plans?o It depends. Fully insured plans are exempt from many of HIPAA’s

administrative requirements if plan does not create or receive PHI, except for:

• Performing administrative enrollment functions

• Receiving summary health information for limited purposes

– Bid submissions

– Plan amendment or termination

– Administering payroll deductions

o 2004 JCEB informal guidance suggests fully insured plans may avoid triggering full application of rules by obtaining an authorization when dealing with employees

15

HIPAAFully insured v. Self funded

We have a fully insured plan and only receive PHI as plan sponsor for obtaining premium bids, modifying or terminating the plan, and enrollment and disenrollment. Do we need to amend our plan?

o No, virtually all of the compliance burden will fall on the insurer

• Privacy Notice

• Administrative Safeguards

o Required policies, actions:

• Anti-intimidation\retaliation

• Limitation on waiver of HIPAA rights

• Possible Business Associate Agreement – e.g., Insurance brokers who handle claims questions

16

HIPAAFully insured v. Self funded

Same question as the previous slide, but we also have a health flexible spending arrangement (HFSA)?

o While compliance would be the same for the fully insured plan, the HFSA is considered a self-funded health plan to which the administrative exception would not apply.

o Compliance would be similar to what is described for fully insured plans that do not qualify for the administrative exception (the plan has access to PHI beyond what is permitted for exception to apply) and self-funded plans

o The answer is the same for health reimbursement arrangements.

17

HIPAAFully insured v. Self funded

We have a fully insured plan which has a wellness program component that we administer and also provides a participant advocate service for covered employees and dependents?

o The administrative exception described above likely does not apply, which means that the plan is subject to all of the administrative requirements under the privacy rule and the security rule.

o This is the case for self funded plans as well.

18

HIPAAPrivacy Rule Compliance

What are the key requirements under the HIPAA privacy rule?o Appoint Privacy Officer

o Amend the health plan for plan sponsor access, and obtain plan sponsor certification

o Adopt written policies including:

• Safeguards to protect PHI

• Accommodating individuals’ rights including access, amendments, accounting for disclosures, restrictions, etc.

• Record retention and documentation

• Complaints and sanctions

19

HIPAAPrivacy Rule Compliance

What are the key requirements under the HIPAA privacy rule? (ctd.)o Identify and contract with business associates (and their sub-

contractors—discussion ahead!)

o Distribute notice of privacy practices

o Train employees as reasonably necessary to ensure compliance

o Maintain plan for responding to breaches of unsecured PHI

o Periodically review and document compliance efforts

20

HIPAASecurity Rule Compliance

What are the key requirements under the HIPAA security rule?o Security rule applies to electronic PHI only

• PHI that is computer based, e.g., created, received, stored or maintained, processed and/or transmitted in electronic media

• Electronic media includes computers, laptops, disks, memory stick, PDAs, servers, networks, dial-modems, e-mail, web-sites, etc.

o Security - means to ensure the confidentiality, integrity, and availability of PHI that the covered entity creates, receives, maintains, or transmits through applicable administrative, physical and technical standards.

21

HIPAASecurity Rule Compliance

What are the key requirements under the HIPAA security rule? (ctd.)Administrative Safeguards

o Security Management Process

• Risk analysis (R)

• Risk management (R)

• Sanction policy (R)

• Information system activity review (R)

o Assign Security Responsibility

22

HIPAASecurity Rule Compliance

What are the key requirements under the HIPAA security rule? (ctd.)o Workforce Security

• Authorization or supervision of workforce (A)

• Workforce clearance procedure (A)

• Termination procedures (A)

o Information Access Management

• Access authorization (A)

• Access establishment and modification (A)

23

HIPAASecurity Rule Compliance

What are the key requirements under the HIPAA security rule? (ctd.)o Security Awareness and Training

• Security reminders (A)

• Protection from malicious software (A)

• Log-in management (A)

• Password protection (A)

o Security Incident Procedures

• Response and reporting (R)

24

HIPAASecurity Rule Compliance

What are the key requirements under the HIPAA security rule? (ctd.)o Contingency Plan

• Data backup plan (R)

• Disaster recovery plan (R)

• Emergency mode operation plan (R)

• Testing and revision procedures (A)

• Application and data critically analysis (A)

o Evaluation

o Business Associates

• Written agreement (R)

25

HIPAASecurity Rule Compliance

What are the key requirements under the HIPAA security rule? (ctd.)Physical Safeguards

o Facility Access Controls

• Contingency operations (A)

• Facility security plan (A)

• Access control and validation procedures (A)

• Maintenance records (A)

o Workstation Use

o Workstation Security

26

HIPAASecurity Rule Compliance

What are the key requirements under the HIPAA security rule? (ctd.)o Device and Medical Controls

• Disposal (R)

• Media re-use (R)

• Accountability (A)

• Data back-up and storage (A)

27

HIPAASecurity Rule Compliance

What are the key requirements under the HIPAA security rule? (ctd.)Technical Safeguards

o Access Control

• Unique user identification (R)

• Emergency access procedure (R)

• Automatic log-off (A)

• Encryption and decryption (A)

o Audit Controls

o Integrity

• Authenticate ePHI (A)

28

HIPAASecurity Rule Compliance

What are the key requirements under the HIPAA security rule? (ctd.)o Person or Entity Authentication

o Transmission Security

• Integrity controls (A)

• Encryption (A)

29

HIPAA HITECH, GINA

What changes were made by HITECH?o Modifications to breach notification rule

o Application of HIPAA to business associates, subcontractors

o Attorney general enforcement

o Increased penalties and enforcement

o Updates to Notice of Privacy Practices

o Expanded right of electronic access to PHI

What changes were made by GINA?o Confirmed PHI includes “genetic information”

30

HIPAA HITECH, GINA

What are the key features of the breach notification rule under HIPAA?o Applies to covered entities and business associates

• Final regulations confirm covered entities still have obligation to provide notification

• Covered entities may delegate that responsibility to business associates by contract

o Triggered for unsecured PHI

31

HIPAA HITECH, GINA

What are the key features of the breach notification rule under HIPAA?o No risk of harm standard, CEs and BAs must consider following

factors to determine if there is a breach

• nature and extent PHI involved, including the types of identifiers and the likelihood of re-identification;

• the unauthorized person who used the PHI or to whom the disclosure was made;

• whether the PHI was actually acquired or viewed; and

• the extent to which the risk to the PHI has been mitigated.

32

HIPAA HITECH, GINA

What are the key features of the breach notification rule under HIPAA?o Generally follows the format of 46 state laws with some key

distinctions:

• Absent law enforcement delay, must provide notice without unreasonable delay but not later than 60 days following discovery

• Notify Secretary of HHS via website

– Immediately for breaches affecting 500 or more individuals

– Within 60 days of end of calendar year in which breach occurred for breaches affecting fewer than 500 individuals

• Conspicuously post notice on CE’s website or place notice in major print or broadcast media for breaches involving 10 or more individuals for whom there is insufficient contact information

33

HIPAA HITECH, GINA

How do the new changes affect business associate relationships?o BAs are subject to most of the privacy rules, and virtually all of

the security rules, directly

o Subcontractors of BAs are considered BAs

o An entity is a BA if it meets the regulatory definition, regardless of whether a BAA is in place

o Final regulations make clear that entities that maintain PHI for CEs (even if they do not access it) are likely BAs – e.g., cloud service providers, records storage companies.

34

HIPAA HITECH, GINA

Are CEs responsible for BAs?

o CEs are responsible for their BAs when the BAs are their agents under federal common law

• Look to terms of BAA and nature of relationship to determine agency status

• Key factor – does CE have right to control conduct of BA?

35

HIPAA HITECH, GINA

When are BAs directly liable under HIPAA?o Final regulations make clear that BAs are directly liable for:

• uses and disclosures of PHI not permitted under HIPAA;

• a failure to provide breach notification to the CE;

• a failure to provide access to a copy of electronic PHI to the CE, the individual, or the individual’s designee;

• a failure to disclose PHI to the Secretary of Health and Human Services to investigate or determine the BA’s compliance with the HIPAA privacy and security rules;

• a failure to provide an accounting of disclosures; and

• a failure to comply with the HIPAA security rules.

o But not other portions of privacy rule, such as notice requirement36

HIPAA HITECH, GINA

What key issues need to be addressed in our BAAs?o OCR provides sample provisions:

• http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html

o Caution:

• Address agency issue to minimize liability for acts/omissions of BA

• Give attention to state law protections for personal information as BAs often also have access to this kind of information. See, e.g., CA, TX, MD, MA, and others

• Outline process for investigating/handling security incidents/breaches

• Consider indemnification provisions

37

HIPAA HITECH, GINA

What should we know about State AG enforcement?o Actions brought in federal court

o Actions may seek damages on behalf of State residents

o Attorneys’ fees can be recovered

o Damages are determined by

• Multiplying number of violations by $100,

• Subject to a calendar year cap for violations of identical requirements or prohibitions equal to $25,000

o States like CT and MN have already invoked this authority

38

HIPAA HITECH, GINA

What are the new penalties under HITECH?o “Did not know” penalty – amount not less than $100 or more than $50,000 per

violation when it is established the CE or BA did not know and, by exercising reasonable diligence, would not have known of a violation;

o “Reasonable cause” penalty – amount not less than $1,000 or more than $50,000 per violation when it is established the violation was due to reasonable cause and not to willful neglect;

o “Willful neglect-corrected” penalty – amount not less than $10,000 or more than $50,000 per violation when it is established the violation was due to willful neglect and was timely corrected;

o “Willful neglect-not corrected” penalty – amount not less than $50,000 per violation when it is established the violation was due to willful neglect and was not timely corrected.

o A penalty for violations of the same requirement or prohibition under any of these categories may not exceed $1,500,000 in a calendar year.

39

HIPAA HITECH, GINA

Are there new rules for HHS investigations, compliance reviews?o Yes, investigations of complaints (beyond preliminary review) and

compliance reviews are mandatory when willful neglect is possible.

o Willful neglect means the “conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.” Examples:

• CE disposes of several hard drives containing ePHI in an unsecured dumpster, in violation of § 164.530(c) and 310(d)(2)(i). HHS’s investigation reveals CE failed to implement any policies and procedures to reasonably and appropriately safeguard PHI during the disposal process.

• CE’s employee loses unencrypted laptop containing unsecured PHI. HHS’ investigation reveals CE feared its reputation would be harmed if information about the incident became public and, therefore, decided not to provide notification as required by § 164.400 et seq.

40

HIPAA HITECH, GINA

What changes do we have to make to our Notices of Privacy Practices (NPPs)?o Describe certain uses and disclosure that require authorization,

including:

• psychotherapy notes (where appropriate),

• marketing purposes,

• disclosures that constitute a sale of protected health information, and

• mention that other uses and disclosures may require an authorization

o Inform individuals of the right of affected individuals to be notified following a breach of unsecured PHI; simple statement sufficient

o Include a statement that PHI includes genetic information

41

HIPAA HITECH, GINA

Are these changes to the NPP “material”, and how do we provide notice of the changes?o Yes, these changes are material.

o If NPP is posted on website:

• prominently post material changes or revised NPP on its website by the effective date of the material change – Sept. 23, 2013, and

• provide the revised NPP, or information about the changes and how to obtain a revised NPP, in its next annual mailing to individuals then covered by the plan, such as during the open enrollment period.

o If NPP is not posted on website:

• Provide a revised NPP (or information about the changes and how to get a revised NPP) to individuals covered by the plan within 60 days of the material revision to the NPP.

o Be sure to address ADA, other discrimination issues 42

HIPAA HITECH, GINA

What if we already updated our NPP?o If the NPP has already been updated to reflect the HITECH Act

requirements and individuals have been informed of all material revisions made to the NPP, no additional action is needed because of the final rule.

o If you made the changes to the NPP consistent with the HITECH Act, but did not inform individuals of the material changes, you should do so within the time and manner described above.

Can we provide the NPP by email?o Yes, so long as the individual has agreed (“opt-in” rule) to

receive an electronic copy. The agreement to receive electronic notice can be obtained electronically.

43

HIPAA HITECH, GINA

Does HITECH enhance an individual’s right to their electronic PHI?o For PHI maintained in electronic records systems, covered plans must

provide the requested information:

• in the electronic form and format requested by the individual, if it is readily producible, or

• if not, in readable electronic form and format as agreed to by the plan and the requesting individual.

• To the extent possible, the information must be provided as a “machine readable copy,” meaning in a standard digital format that can be processed and analyzed by a computer (for example, in Microsoft Word or Excel, text, HTML or text-based PDF).

o Plans must use reasonable safeguards in providing the individual with the electronic copy of his or her PHI

44

HIPAA HITECH, GINA

Does HITECH enhance an individual’s right to their electronic PHI (ctd.)?o The timeline for providing access to requested PHI in a

designated record set, whether in paper or electronic form, is shortened from 60 days to 30 days for records maintained at an off-site location.

o A one-time 30-day extension (for a total of 60 days) is permitted if the individual is timely notified of the need for an extension.

45

HIPAA HITECH, GINA

When do we have to comply with final rule?o General rule: The final rule becomes effective on March 26,

2013, but covered plans and business associates have 180 days to comply - September 23, 2013.

o Business associate agreements: For BAAs in place prior to January 25, 2013, that comply with the HIPAA and privacy and security rules:

• the parties need not update the BAA during the one-year period following September 23, 2013, unless

• the BAA is renewed or modified on or before September 23, 2014, and provided

• the parties operate as required under the final rules in accordance with the applicable compliance dates.

46

GINA

What is the Genetic Information Nondiscrimination Act (“GINA”) and why is it important?o Applies to employers and group health plans

o Protects “genetic information” of current/former employees and applicants

o Prohibits employers from collecting (request, require or purchase), using and disclosing “genetic information,” subject to certain exceptions

o Makes it illegal to fire, demote, harass, or otherwise “retaliate” against an applicant or employee for filing a charge of discrimination, participating in a discrimination proceeding (such as a discrimination investigation or lawsuit), or otherwise opposing discrimination

o Genetic information may not be used for underwriting purposes even with the individual’s authorization

47

GINA

What does “genetic information” mean?o Genetic tests of the individual or his/ her family members;

o Family medical history – manifestation of disease in a family member, including an employee’s spouse;

o An individual’s request for, or receipt of, genetic services, or participation in clinical research that includes genetic services; or

o GI of a fetus carried by an individual or by pregnant family member.

48

HIPAA, HITECH, GINA Recap

What do we do now? o Review basic HIPAA privacy and security rule compliance

• Plans should revisit plan design issues, risk assessment, policies and procedures, plan document requirements, etc.

• BAs should ensure they are up to speed with the new HITECH mandates (security rules, in particular) and the requirements in BAAs, as well as state law data security requirements

o Modifications to breach notification rule

• Both plans and BAs should revisit their internal protocols so they are prepared for an eventual breach.

• State laws also need to be considered, and coordination with other parties

o 49

HIPAA, HITECH, GINA Recap

What do we do now? (ctd.)o Business associates, subcontractors

• Plans should ensure BAAs are in place where needed and updated timely (remember state law and personal information)

• BAs should ensure they have BAAs with their subcontractors and that their policies and procedure reflect the provisions in those agreements.

• Watch for state law issues and additional protections – breach, indemnity, audit, etc.

o Update to Notice of Privacy Practices

• Plans need to ensure NPPs are timely updated and disseminated

• BAs responsible for this function must update their NPPs accordingly

o Be audit ready 50

Questions?

51

Workplace law. In four time zones and 47 major locations coast to coast.

To obtain a recording of this presentation, or to register for future presentations, contact your local UBA Partner Firm.

www.UBAbenefits.com www.jacksonlewis.com

Thank you for your participation in the UBA Employer Webinar Series

If your question was not answered during the webinar or if you have a follow-up question, you can email the presenters today or

tomorrow at: UBAwebinars@jacksonlewis.com