HIPAA Basic Training for Health & Welfare Plan Administrators · 2010. 3. 19. · Fully-Insured...
2010 Human Resources Seminar
HIPAA Basic Training for Health & Welfare Plan Administrators
Norbert F. Kugele
What We're Going to Cover
- Important basic concepts
- Who needs to worry about HIPAA?
- Complying with the Privacy Rule, Transaction Rule, Security Rule, and Breach Notification Rules
- Violating HIPAA
- Minimizing the impact of HIPAA
Important Basic Concepts
What Is HIPAA?
- Health Insurance Portability and Accountability Act of 1996.
- Intended to make it easier to share information electronically
- Information can be shared for certain purposes
- All other purposes are prohibited without authorization
Protected Health Information
- Individually identifiable health information used by a health plan
- Any form: written, electronic or oral
- Includes information relating to:
  - Physical health
  - Mental health
  - Payment for health care
Health Plans Subject to HIPAA
- Medical plans
- Dental plans
- Vision plans
- Health flexible spending accounts
- Employee assistance programs
- Wellness programs
What Is Not a "Health Plan"?
- Employment records
- Leaves of absence, FMLA records
- ADA claims
- On the job injuries
- Workers' compensation
- Fitness for duty exams
- Drug screening
- Life insurance
- Disability (STD & LTD)
- Some wellness programs
Who Needs to Worry About HIPAA?
Fully-Insured Benefits
- Can take a hands-off approach.
- Handle only enrollment information and summary health information
- Minimum compliance obligations:
  - Do not require enrollees to waive HIPAA rights
  - Do not retaliate against enrollees who exercise HIPAA rights
- Compliance burden is on insurers/HMOs
Self-Insured Benefits
- Must fully comply with HIPAA
  - Privacy rules
  - Security rules
  - Transaction rules
  - Breach notification rules
- Hiring a TPA does NOT relieve you of your compliance obligation
  - But it can help relieve the burden
Complying with the Privacy Rule
Protected Health Information (PHI)
- Individually identifiable health information used by a health plan.
- Any form: written, electronic or oral
- Includes information relating to:
  - Physical health
  - Mental health
  - Provision of and payment for health care
What is not PHI?
- Information that does not come from, and is not given to, a health plan
  - Health information an employee shares with the Benefits Dept. for health plan purposes (e.g., information for pre-certification of a hospital stay) IS PHI
  - The same information that the employee shares with a supervisor for FMLA purposes IS NOT PHI
What is not PHI?
- Enrollment records
  - Enrollment records maintained in employment records are not PHI
  - Enrollment records reported to the health plan are PHI
Restrictions on PHI
- Health plans may not use or disclose PHI unless:
  - The Privacy Rule specifically allows the use/disclosure, or
  - The individual who is the subject of the PHI specifically allows it
Restrictions on PHI
- Cannot use PHI for:
  - Making personnel decisions
  - Administering other employee benefit programs
- Cannot use or disclose PHI for marketing purposes without authorization
- Cannot sell PHI
Permitted Uses of PHI
- "TPO"
  - Treatment
  - Payment
  - Health care operations
- Complying with law
- Any other use or disclosure generally requires authorization
Minimum Necessary Rule
- Must limit uses and disclosures of PHI to the minimum amount necessary to accomplish the intended purpose.
  - Do not use a fire hydrant when a garden hose will suffice
- HITECH clarification
  - Default rule: use aggregate data only
  - Must justify use of more detailed information
Privacy Rule Requirements
- Designate a privacy officer
- Implement written privacy policies
- Train those who work with PHI
- Discipline those who violate privacy policies
- Investigate and respond to complaints
Privacy Rule Requirements
- Include provisions in the health plan document that:
  - Describe permitted uses and disclosures
  - Identify who is permitted to have access to PHI
  - Require compliance with privacy rules
- Plan sponsor must certify compliance with HIPAA privacy rules
- Distribute a Notice of Privacy Practices
- Retain HIPAA compliance records for at least six years
Privacy Rule Requirements
- Respect individual rights
  - Right to access PHI in health plan records
  - Right to request amendments of PHI
  - Right to an accounting of disclosures
  - Right to request additional restrictions
  - Right to request confidential communications
- Verify identity and authority of those seeking access to PHI
Business Associates
- A person or organization who:
  - Performs a function or activity for the health plan; or
  - Assists the plan sponsor in performing a health plan function or activity
- Where the function or activity involves use or disclosure of PHI.
- Employees are not business associates
- HMOs/insurers are not business associates
Examples of Business Associates
- Third-party administrators (TPAs)
- COBRA administrators
- Outside attorneys and accountants
- Benefits consultants
- Insurance agents
- Utilization review organizations
- Computer service technicians
- Software vendors
Business Associate Agreements
- Must have a written contract that:
  - Establishes permitted uses and disclosures
  - Requires compliance with HIPAA requirements
  - Requires reporting of:
    - Unauthorized uses/disclosures
    - Security incidents
    - Security breaches
Business Associates
- If you learn that a business associate has materially violated the terms of the BAA:
  - Must investigate
  - Demand that the BA end the violation and mitigate the harm
- If the BA does not end the breach or cannot cure it:
  - Terminate the contract, or
  - Report the BA to HHS
Family Members/Representatives
- May disclose PHI to family, relatives, and friends involved in the individual's care or payment for care
  - Can use professional judgment
  - Give individuals the ability to designate someone and to revoke the designation
- Personal representatives can exercise all rights of individuals
Complying with the Transaction Rule
Transaction Rule
- Goal: standardize electronic transactions relating to payment for health care
  - Streamline payment for health care
- Technical rule for how to structure the transaction
Transaction Rule
- Applies to electronic transactions by the health plan with:
  - Health care providers
  - Other health plans
- Generally an issue for TPAs
- BAAs must require compliance with transaction standards
Complying with the Security Rule
Scope of Security Rules
- Apply to electronic forms of PHI (ePHI)
  - Databases
  - Spreadsheets
  - E-mail communications
  - Copy machines with hard drives
- Do not apply to:
  - Paper records
  - Telephone and fax transmissions (but do apply to voice mail and stored fax documents)
Risk Assessments
- Must conduct a risk assessment
  - Identify where ePHI is stored and used
  - Identify the threats to confidentiality, integrity and availability of ePHI
  - Identify the likelihood that a vulnerability will lead to unauthorized use/disclosure
  - Identify the risks that need to be addressed
- Must update on a regular basis
Administrative Safeguards
- Designate a Security Officer
- Train and discipline workforce
- Manage the workforce's access to ePHI
- Monitor for and report on security incidents
- Establish contingency plans (backup, disaster recovery, emergency modes, etc.)
- Periodic evaluation of safeguards
Physical Security
- Control access to physical equipment using/storing ePHI
- Workstation use/security
- Device and media controls
Technical Safeguards
- Unique user IDs/authentication
- Automatic logoff
- Emergency access procedures
- Encryption & transmission security
- Audit controls
- Mechanisms to prevent improper alteration/destruction
Business Associates
- Handle most ePHI for health plans
- Must now contractually agree to implement policies and procedures that comply with these requirements
- Examine transmissions with business associates
Complying with the Breach Notification Rule
Breach Notification
- Before HITECH: no clear duty to notify of a breach under HIPAA
- HITECH Act: must notify each individual whose PHI is breached within 60 days of discovery
- Applies to all forms of unsecured PHI
Breach Notification Analysis
- Was there a "breach"?
  - Unauthorized:
    - Acquisition
    - Access
    - Use
    - Disclosure
Breach Notification Analysis
- Was the data secured with respect to the individual who had unauthorized access?
  - Electronic data: was it encrypted?
    - Data at rest
    - Data in motion
  - Media: was it properly destroyed?
    - Paper, film, other hard copy media
    - Electronic data
Breach Notification Analysis
- Does the incident fall within an exception?
  - Person would not reasonably have been able to retain the information
  - Employee's unintentional access of a record in good faith
  - Inadvertent disclosure within the same organization by and to individuals authorized to access PHI
Breach Notification Analysis
- Could there be a significant risk of harm?
  - Who received/accessed the information?
  - How detailed was the information?
  - Were steps taken to recall/destroy the information and mitigate harm?
  - Was the information returned/destroyed before being improperly accessed?
Breach Notification
- Methods of providing notice:
  - Written notice to last known address (or e-mail if specified by the individual)
  - If contact information is insufficient or out of date, substitute notice
    - If 10 or more individuals:
      - Prominent posting on website; or
      - Notice in major print or broadcast media
  - In urgent situations, may supplement with telephone or other means, if appropriate
Breach Notification
- Notice to prominent media outlets if more than 500 individuals within a state are affected.
- Notification to the Secretary of Health & Human Services:
  - At the time individuals are notified, if 500 or more individuals are affected
  - If fewer than 500 individuals are affected, must submit to HHS annually
- http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html
Breach Notification
- Content of notification:
  - Brief description of what happened, including:
    - Date of breach (if known)
    - Date breach discovered
  - Description of the types of unsecured PHI involved in the breach
  - Steps individuals should take to protect themselves from potential harm
  - What the covered entity is doing to investigate, mitigate losses and protect against further breaches
  - Contact procedures to ask questions or learn more
- Deadline: without unreasonable delay, but in any case within 60 days
Breach Notification
- Does not preempt state security breach notification laws, which typically cover:
  - SSNs
  - Driver's license numbers
  - Financial account information
- May have to comply with both
Breach Notification
- Business associates are also subject to the breach notification provisions
  - Default rule: provide notice to the covered entity
  - Must include identification of each individual whose PHI has been or is reasonably believed to have been breached
  - Covered entities can contract for a different arrangement
  - Duty may be different under state law
Consequences of HIPAA Violations
Pre-HITECH enforcement
- No more than $100 per violation per day
- Capped at $25,000 per year for all violations of an identical requirement or prohibition during a calendar year
- HHS pursued "informal" enforcement
HITECH enhanced enforcement
- New tiered structure for each violation:
  - "Unknown" violations: $100 - $50,000
  - "Reasonable cause" violations: $1,000 - $50,000
  - "Willful neglect" violations (if corrected within 30 days): $10,000 - $50,000
  - "Willful neglect" violations (if uncorrected within 30 days): $50,000
- New cap: $1.5 million for all violations of the same type during a calendar year
New enforcement strategies
- Individuals who wrongfully disclose PHI are now clearly subject to criminal penalties
- Requires HHS to conduct audits
- State Attorneys General and FTC given enforcement authority
Minimizing the Impact of HIPAA
Try not to have PHI
- Try to keep it from becoming PHI.
  - Keep enrollment data in employment records
  - Work with enrollment data as much as possible
- Limit the information TPAs report to you
  - Get de-identified or summary health information only
- Have health plan participants and beneficiaries deal directly with the TPA
  - Have TPAs handle benefits appeals
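The two points above, "use aggregate data only" under the Minimum Necessary Rule and "get de-identified or summary health information only" here, come down to one operational habit: the plan sponsor should receive counts and totals, never the claim-level detail. The following Python is an added example (not from the seminar slides) of what that looks like in practice. It strips direct identifiers, keeps geography only to the 5-digit ZIP, checks an incoming feed for identifier fields before it is loaded, and aggregates claims by type. The field names, the sample claims and the `min_cell` suppression threshold are assumptions for this example; small-cell suppression is an added precaution, not a rule stated on the slides.

```python
from collections import defaultdict

# Direct identifiers that must not reach the plan sponsor's summary.
# Field names are assumptions for this example.
DIRECT_IDENTIFIERS = frozenset(
    {"employee_id", "name", "ssn", "dob", "email", "address", "phone"}
)

# Constructed sample of the claim-level detail a TPA would hold.
SAMPLE_CLAIMS = [
    {"employee_id": "E100", "name": "A. Example", "zip": "49503-1234",
     "claim_type": "pharmacy", "paid": 120.00},
    {"employee_id": "E101", "name": "B. Example", "zip": "49503-9876",
     "claim_type": "pharmacy", "paid": 85.50},
    {"employee_id": "E102", "name": "C. Example", "zip": "49512",
     "claim_type": "pharmacy", "paid": 44.25},
    {"employee_id": "E103", "name": "D. Example", "zip": "49512-0001",
     "claim_type": "outpatient", "paid": 640.00},
    {"employee_id": "E104", "name": "E. Example", "zip": "49512",
     "claim_type": "outpatient", "paid": 310.00},
    {"employee_id": "E105", "name": "F. Example", "zip": "49503",
     "claim_type": "outpatient", "paid": 275.00},
    {"employee_id": "E106", "name": "G. Example", "zip": "49503",
     "claim_type": "inpatient", "paid": 18250.00},
]


def strip_identifiers(record):
    """Return a copy with direct identifiers removed and ZIP cut to 5 digits.

    Summary health information may keep geography aggregated to the
    5-digit ZIP, so only the ZIP+4 suffix is dropped.
    """
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "zip" in out:
        out["zip"] = str(out["zip"])[:5]
    return out


def identifier_fields_present(records):
    """Sorted names of direct-identifier fields found anywhere in a feed.

    Run this on anything a TPA sends before it is loaded: a non-empty
    result means the feed is claim-level PHI, not summary information.
    """
    found = set()
    for rec in records:
        found.update(DIRECT_IDENTIFIERS.intersection(rec))
    return sorted(found)


def summarize_claims(records, min_cell=3):
    """Aggregate claims by type into a count and total paid.

    Cells with fewer than `min_cell` claims are reported only as
    suppressed (count and amount withheld): a single large inpatient
    claim in a small group is easy to tie back to one person.
    """
    cells = defaultdict(lambda: {"count": 0, "paid": 0.0})
    for rec in records:
        rec = strip_identifiers(rec)  # never aggregate from identified rows
        cells[rec["claim_type"]]["count"] += 1
        cells[rec["claim_type"]]["paid"] += float(rec["paid"])

    summary = {}
    for claim_type, cell in sorted(cells.items()):
        if cell["count"] < min_cell:
            summary[claim_type] = {"suppressed": True}
        else:
            summary[claim_type] = {
                "suppressed": False,
                "count": cell["count"],
                "paid": round(cell["paid"], 2),
            }
    return summary


if __name__ == "__main__":
    print("identifiers in feed:", identifier_fields_present(SAMPLE_CLAIMS))
    for claim_type, cell in summarize_claims(SAMPLE_CLAIMS).items():
        print(claim_type, cell)
```

The useful check is `identifier_fields_present`: if the TPA's report comes back with `employee_id` or `name` columns, it is PHI the moment it reaches you, and the hands-off posture described on these slides is gone. Push the aggregation back to the TPA and ask for the output of something like `summarize_claims` instead.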
If you must handle PHI
- Limit the number of people with access
- Minimize the amount of information you receive
- Be sure those who handle the information are trained
- Be sure policies and procedures are in sync with practices
- Try not to have ePHI