Transcript of HIPAA - Office of Group Benefits
1
H I P A A
Tommy Benoit
OGB Special Counsel and HIPAA Compliance Director

Everything you never wanted to know about HIPAA
3
H I P A A
Not...
» HIPPA
» HIPA
» HIPPAA
4
HIPAA History
Health Insurance Portability & Accountability Act of 1996
Also referred to as
» Kennedy-Kassebaum
5
HIPAA History
Designed to protect health insurance coverage for workers when they change or lose their jobs
6
Multiple Components
HIPAA
» Health Insurance Portability
» Administrative Simplification
» Fraud & Abuse
» Medical Savings Accounts
» Access to Long Term Care and Coverage
7
Multiple Components
HIPAA
» Health Insurance Portability
» Administrative Simplification
» Fraud & Abuse
» Medical Savings Accounts
» Access to Long Term Care and Coverage
8
Multiple Components
HIPAA
» Health Insurance Portability
» Administrative Simplification
» Fraud & Abuse
» Medical Savings Accounts
» Access to Long Term Care and Coverage

Administrative Simplification Subtitle of HIPAA
10
Administrative Simplification
Purpose
» Improve efficiency and effectiveness
  – Standardize electronic data exchange
11
Administrative Simplification
Purpose
» Protect security and privacy of individually identifiable health information
12
Multiple Components
Administrative Simplification
» Standardized Transactions and Code Sets
» Unique Health Identifiers
» Privacy Standards
» Security Standards
» Electronic Signature Standards
» National Standard Employer Identifier
13
Multiple Components
Administrative Simplification
» Standardized Transactions and Code Sets
» Unique Health Identifiers
» Privacy Standards
» Security Standards
» Electronic Signature Standards
» National Standard Employer Identifier
14
Multiple Components
Administrative Simplification
» Standardized Transactions and Code Sets
» Unique Health Identifiers
» Privacy Standards
» Security Standards
» Electronic Signature Standards
» National Standard Employer Identifier
15
“In a Nutshell”
Privacy Regulations govern use and disclosure of protected health information
16
“In a Nutshell”
Privacy Regulations grant individuals certain rights with respect to their protected health information.

HIPAA-Speak
The language of HIPAA-Folk
18
Individually Identifiable Health Information
Created or received by a covered entity or employer
19
Individually Identifiable
Relates to the past, present or future physical or mental health condition of an individual...
20
Individually Identifiable
Relates to:
» Provision of health care
» Payment for health care
  – Identifies the individual
  – Reasonable basis for ID
21
Individually Identifiable
Name
Geographic subdivision smaller than a state
Any elements of dates relating to an individual
22
Individually Identifiable
Telephone, fax, email, SSN
Health plan, medical record, account or certificate/license numbers
Vehicle or device identifiers
23
Individually Identifiable
URLs or IP address numbers
Biometric identifiers of full-face photograph
Other unique identifying number, characteristic or code
24
PHI
All individually identifiable health information that is transmitted or maintained in any form or medium
25
Covered Entities
Who must comply?
» Health plans
» Health care clearing houses
26
Covered Entities
Who must comply?
» Providers that transmit health information in electronic form in connection with a HIPAA standardized transaction
27
Not Covered Entities
Employers (but see notes)
Insurers
» Property, Casualty, Auto
» Workers compensation
28
Business Associates (BA)
Non-workforce members
» Perform or assist in the performance of a function or service that involves the use or disclosure of PHI
29
Minimum Necessary
Covered entities must limit the PHI used or disclosed to the minimum necessary to achieve the purpose of the use or disclosure
30
Treatment, Payment, Operations
Treatment
» Provision of health care by a single provider, or the coordination of health care among various providers for single coverage
31
Treatment, Payment, Operations
Payment
» Activities of a health plan to obtain premiums, or to determine or fulfill its responsibility
32
Treatment, Payment, Operations
Payment
» The activities of a health care provider to obtain reimbursement for the provision of health care
33
Treatment, Payment, Operations
Health Care Operations
» The services or activities for carrying out the management functions necessary for the support of treatment or payment
34
Use and Disclosure
Use:
» Sharing, applying, examining individually identifiable health information within an entity holding the information
35
Use and Disclosure
Disclosure:
» Release, transfer, providing access to the information outside the entity
36
Consent
Consent:
» Written permission by an individual to allow a covered entity to use or disclose PHI for TPO
37
Consent
Consent must be:
» Written in plain language
» Signed and dated
Consent valid until revoked
38
Authorization
Written permission by an individual to allow use of PHI for activities not related to TPO
39
Authorization
Written in plain language
Description of info to be used or disclosed
Identify person(s) authorized to use or disclose
40
Authorization
Identify recipients of PHI to be disclosed
Valid for the time specified
41
Uses and Disclosure
Uses and Disclosure / Requirement
Treatment, Payment, Health Care Operations
Consent Required - Direct Treatment Relationship
Authorization Required - All Others
42
Uses and Disclosure
Uses and Disclosures / Requirement
Communication with family and caregivers, directory listing, clergy
No consent or authorization required - individual has the ability to object or agree
Law enforcement; judicial proceedings; public health; research; facilitate organ transplants
No consent or authorization required - individual has no ability to object or agree

HIPAA Rights
44
Privacy Practices and Rights
Must provide notice of privacy practices, policies, procedures for use and disclosure of PHI
Rights under Privacy Rule
45
Individual Access
Individuals have the right to inspect, copy, and amend their PHI.
46
Individual Access
Individuals may request an accounting of the disclosures of their PHI
47
Right to Request Privacy
Individuals may request that covered entities restrict further uses / disclosures of their PHI for TPO
48
Right to Request Privacy
Covered entities may refuse such requests
49
Right to Request Privacy
If a covered entity agrees, it would be limited by the agreed-to restrictions, EXCEPT in cases of an emergency
50
Right to Request Privacy
A health plan that does NOT agree to limit disclosures of PHI would not be obligated to enroll an individual making the request
51
Confidential Communications
PHI Communications
» Alternative Means
» Alternative Locations
If individual states disclosure of PHI would endanger him/her

HIPAA Wrongs
53
HIPAA Wrongs
Civil Sanctions
» Office of Civil Rights of HHS
  – $100 for each violation
  – Up to $25,000 per year for each provision violated
54
Really Bad HIPAA Wrongs
Criminal Sanctions
» Up to $250,000 fine
» Plus 10 years imprisonment
55
Multiple Components
Administrative Simplification
» Standardized Transactions and Code Sets
» Unique Health Identifiers
» Privacy Standards
» Security Standards
» Electronic Signature Standards
» National Standard Employer Identifier
56
HIPAA Security
Key Components
» Identify and assess risks or threats to:
  – Availability
  – Integrity
  – Confidentiality of PHI
57
HIPAA Security
Key Components
» Reasonable steps to reduce risk
» Reasonable and appropriate administrative, technical, physical safeguards
58
Notes for Employers
Employers are not HIPAA covered entities
» “HHS does not have the authority to regulate employers.”
59
Notes for Employers
Employers must become sensitized to a world in which PHI is highly regulated and restricted in its disclosure and use
60
Notes for Employers
HIPAA prohibits using health info for employment-related purposes without the employee’s authorization
61
Notes for Employers
Delicate balance between HIPAA privacy standard and employer’s need for health info for ADA, FMLA, COBRA and Worker’s Comp
62
Notes for Employers
No prohibition from taking adverse action against an employee who refused to sign an authorization
63
Notes for Employers
Other Employer Issues:
» “Hybrid Entity”

Everything you never wanted to know about HIPAA
65
H I P A A
Tommy Benoit
OGB Special Counsel and HIPAA Compliance Director

Eligibility
Carolyn A. Wilford
Eligibility Manager
67
Who is a Dependent Child?
Natural Child
Legally adopted child
» In process of adoption
» Private or agency
68
Who is a Dependent Child?
Grandchildren
Legal Custody
Provisional Custody
69
Retiree Reminders
“Retiree” can also mean a covered employee who continued coverage through COBRA immediately prior to the date of retirement, and who qualifies as a retiree as outlined in the Plan Document.
70
Retiree Reminders
A person who applies for coverage as a late applicant, and retires prior to the effective date of coverage is ineligible for coverage.
71
Surviving Dependents
Effective July 1, 1999, eligibility ceased for a Covered Person who is eligible for coverage in a Group Health Plan other than Medicare.
72
Surviving Dependents
Full-time students at the time of death of the employee:
» Not covered if they leave school
» Eligible for coverage upon re-enrollment
73
Pre-Existing Condition
New hires
» Six-month/one-year PEC clause
» Effective July 1, 2001
  – Unless they have portability rights under federal laws
74
PEC Overdue Application
Effective dates of coverage
» Received prior to the 15th
  – Effective 1st of following month
» Received 15th or after
  – Effective 1st of the 2nd month
75
Continued Coverage
Over-age dependents
» Unmarried
» Never married
76
Continued Coverage
Over-age dependents
» Incapable of self-sustaining employment
  – Mental Retardation
  – Physical Incapacity
77
Continued Coverage
Over-age dependents
» Incapable of self-sustaining employment
  – Statement of condition from a medical doctor must be received prior to age 21.
78
Notification of Change
It is the responsibility of the employee to notify the Program of any change in classification of coverage affecting the employee’s contribution amount.
79
Enrollment/Change Form