HIPAA Basic Training for Health & Welfare Plan Administrators · 2010. 3. 19.
TRANSCRIPT
2010 Human Resources Seminar
HIPAA Basic Training for Health & Welfare Plan Administrators
Norbert F. Kugele

What We’re Going to Cover
- Important basic concepts
- Who needs to worry about HIPAA?
- Complying with the Privacy Rule, Transaction Rule, Security Rule, and Breach Notification Rules
- Violating HIPAA
- Minimizing the impact of HIPAA

Important Basic Concepts
What Is HIPAA?
- Health Insurance Portability and Accountability Act of 1996
- Intended to make it easier to share information electronically
- Can share information for certain purposes
- All other purposes prohibited without authorization

Protected Health Information
- Individually identifiable health information used by a health plan
- Any form: written, electronic or oral
- Includes information relating to:
  - Physical health
  - Mental health
  - Payment for health care
Health Plans Subject to HIPAA
- Medical plans
- Dental plans
- Vision plans
- Health flexible spending accounts
- Employee assistance programs
- Wellness programs

What Is Not a “Health Plan”?
- Employment records
- Leaves of absence, FMLA records
- ADA claims
- On-the-job injuries
- Workers’ compensation
- Fitness-for-duty exams
- Drug screening

What Is Not a “Health Plan”?
- Life insurance
- Disability (STD & LTD)
- Some wellness programs

What is not a “health plan”?
- Life insurance
- Disability plans
- Workers’ Compensation plans
- Leaves of absence
- FMLA records

What is not a “health plan”?
- ADA claims
- On-the-job injuries
- Drug screening
Who Needs to Worry About HIPAA?

Fully-Insured Benefits
- Can take a hands-off approach
- Handle only enrollment information and summary health information
- Minimum compliance obligations:
  - Do not require enrollees to waive HIPAA rights
  - Do not retaliate against enrollees who exercise HIPAA rights
- Compliance burden is on insurers/HMOs

Self-Insured Benefits
- Must fully comply with HIPAA:
  - Privacy rules
  - Security rules
  - Transaction rules
  - Breach notification rules
- Hiring a TPA does NOT relieve you of your compliance obligation
  - But it can help relieve the burden

Complying with the Privacy Rule
Protected Health Information (PHI)
- Individually identifiable health information used by a health plan
- Any form: written, electronic or oral
- Includes information relating to:
  - Physical health
  - Mental health
  - Provision of and payment for health care

What is not PHI?
- Information that does not come from or is not given to health plans
  - Health information an employee shares with the Benefits Dept. for health plan purposes (e.g., information for pre-certification of a hospital stay) IS PHI
  - The same information that the employee shares with a supervisor for FMLA purposes IS NOT PHI

What is not PHI?
- Enrollment records
  - Enrollment records maintained in employment records are not PHI
  - Enrollment records reported to the health plan are PHI

Restrictions on PHI
- Health plans may not use or disclose PHI unless:
  - The Privacy Rule specifically allows the use/disclosure, or
  - The individual who is the subject of the PHI specifically allows it
Restrictions on PHI
- Cannot use PHI for:
  - Making personnel decisions
  - Administering other employee benefit programs
- Cannot use or disclose PHI for marketing purposes without authorization
- Cannot sell PHI

Permitted Uses of PHI
- “TPO”:
  - Treatment
  - Payment
  - Health care operations
- Complying with law
- Any other use or disclosure generally requires authorization

Minimum Necessary Rule
- Must limit uses and disclosures of PHI to the minimum amount necessary to accomplish the intended purpose
  - Do not use a fire hydrant when a garden hose will suffice
- HITECH clarification:
  - Default rule: use aggregate data only
  - Must justify use of more detailed information
Privacy Rule Requirements
- Designate a privacy officer
- Implement written privacy policies
- Train those who work with PHI
- Discipline those who violate privacy policies
- Investigate and respond to complaints

Privacy Rule Requirements
- Include provisions in the health plan document that:
  - Describe permitted uses and disclosures
  - Identify who is permitted to have access to PHI
  - Require compliance with privacy rules
- Plan sponsor must certify compliance with HIPAA privacy rules
- Distribute a Notice of Privacy Practices
- Retain HIPAA compliance records for at least six years

Privacy Rule Requirements
- Respect individual rights:
  - Right to access PHI in health plan records
  - Right to request amendments of PHI
  - Right to an accounting of disclosures
  - Right to request additional restrictions
  - Right to request confidential communications
- Verify identity and authority of those seeking access to PHI
Business Associates
- A person or organization who:
  - Performs a function or activity for the health plan; or
  - Assists the plan sponsor in performing a health plan function or activity
- The function or activity involves use or disclosure of PHI
- Employees are not business associates
- HMOs/insurers are not business associates

Examples of Business Associates
- Third-party administrators (TPAs)
- COBRA administrators
- Outside attorneys and accountants
- Benefits consultants
- Insurance agents
- Utilization review organizations
- Computer service technicians
- Software vendors

Business Associate Agreements
- Must have a written contract that:
  - Establishes permitted uses and disclosures
  - Requires compliance with HIPAA requirements
  - Requires reporting of:
    - Unauthorized uses/disclosures
    - Security incidents
    - Security breaches

Business Associates
- If you learn that a business associate has materially violated the terms of the BAA:
  - Must investigate
  - Demand that the BA end the violation and mitigate the harm
- If the BA does not end the breach or cannot cure it:
  - Terminate the contract, or
  - Report the BA to HHS

Family Members/Representatives
- May disclose PHI to family, relatives and friends involved in the individual’s care or payment for care
- Can use professional judgment
- Give individuals the ability to designate someone and to revoke the designation
- Personal representatives can exercise all rights of individuals

Complying with the Transaction Rule
Transaction Rule
- Goal: standardize electronic transactions relating to payment for health care
- Streamline payment for health care
- Technical rule for how to structure the transaction

Transaction Rule
- Applies to electronic transactions by the health plan with:
  - Health care providers
  - Other health plans
- Generally an issue for TPAs
- BAAs must require compliance with transaction standards

Complying with the Security Rule
Scope of Security Rules
- Apply to electronic forms of PHI:
  - Databases
  - Spreadsheets
  - E-mail communications
  - Copy machines with hard drives
- Do not apply to:
  - Paper records
  - Telephone and fax transmissions (but do apply to voice mail and stored fax documents)

Risk Assessments
- Must conduct a risk assessment:
  - Identify where ePHI is stored and used
  - Identify the threats to confidentiality, integrity and accessibility of ePHI
  - Identify the likelihood that a vulnerability will lead to unauthorized use/disclosure
  - Identify risks that need to be addressed
- Must update on a regular basis

Administrative Safeguards
- Designate a Security Officer
- Train and discipline the workforce
- Manage the workforce’s access to ePHI
- Monitor for and report on security incidents
- Establish contingency plans (backup, disaster recovery, emergency modes, etc.)
- Periodically evaluate safeguards

Physical Security
- Control access to physical equipment using/storing ePHI
- Workstation use/security
- Device and media controls

Technical Safeguards
- Unique user IDs/authentication
- Automatic logoff
- Emergency access procedures
- Encryption & transmission security
- Audit controls
- Mechanisms to prevent improper alteration/destruction

Business Associates
- Handle most ePHI for health plans
- Must now contractually agree to implement policies and procedures that comply with these requirements
- Examine transmissions with business associates

Complying with the Breach Notification Rule
Breach Notification
- Before HITECH: no clear duty to notify of a breach under HIPAA
- HITECH Act: must notify each individual whose PHI is breached within 60 days of discovery
- Applies to all forms of unsecured PHI

Breach Notification Analysis
- Was there a “breach”?
  - Unauthorized:
    - Acquisition
    - Access
    - Use
    - Disclosure

Breach Notification Analysis
- Was the data secured with respect to the individual with unauthorized access?
  - Electronic data: was it encrypted?
    - Data at rest
    - Data in motion
  - Media: was it properly destroyed?
    - Paper, film, other hard copy media
    - Electronic data

Breach Notification Analysis
- Does the incident fall within an exception?
  - Person would not reasonably have been able to retain the information
  - Employee’s unintentional access of a record in good faith
  - Inadvertent disclosure within the same organization, by and to individuals authorized to access PHI

Breach Notification Analysis
- Could there be a significant risk of harm?
  - Who received/accessed the information?
  - How detailed was the information?
  - Were steps taken to recall/destroy the information and mitigate harm?
  - Was the information returned/destroyed before being improperly accessed?
Breach Notification
- Methods of providing notice:
  - Written notice to last known address (or e-mail if specified by the individual)
  - If contact information is insufficient or out-dated, alternative notice
    - If more than 10 individuals:
      - Prominent posting on website; or
      - Notice in major print or broadcast media
  - In urgent situations, may supplement with telephone or other means, if appropriate

Breach Notification
- Notice to prominent media outlets if more than 500 individuals within a state are affected
- Notification to the Secretary of Health & Human Services:
  - At the time of the incident, if more than 500 individuals are affected
  - If fewer than 500 individuals, must submit to HHS annually
  - http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html

Breach Notification
- Content of notification:
  - Brief description of what happened, including:
    - Date of breach (if known)
    - Date breach discovered
  - Description of the types of unsecured PHI involved in the breach
  - Steps individuals should take to protect themselves from potential harm
  - What the covered entity is doing to investigate, mitigate losses and protect against further breaches
  - Contact procedures to ask questions or learn more
- Deadline: without unreasonable delay, but in any case within 60 days

Breach Notification
- Does not preempt state security breach notification laws
  - SSNs
  - Drivers license numbers
  - Financial account information
- May have to comply with both

Breach Notification
- Business associates are also subject to breach notification provisions
  - Default rule: provide notice to the covered entity
  - Must include identification of each individual whose PHI has been or is reasonably believed to have been breached
  - Covered entities can contract for a different arrangement
  - Duty may be different under state law
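The four-step breach analysis and the notification thresholds from the slides above, encoded as a triage helper. This is an added example and not part of the presentation; the `Incident` field set and the sample incidents are constructed for illustration, while the thresholds (10 and 500 individuals, 60 days) and the exceptions are those stated on the slides.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Thresholds as stated on the slides
UNAUTHORIZED_ACTIONS = {"acquisition", "access", "use", "disclosure"}
NOTIFICATION_DEADLINE_DAYS = 60   # notify "in any case within 60 days" of discovery
SUBSTITUTE_NOTICE_THRESHOLD = 10  # >10 individuals with bad contact info -> website/media notice
MAJOR_BREACH_THRESHOLD = 500      # >500 individuals -> media notice and immediate HHS report


@dataclass
class Incident:
    """Facts an administrator gathers about an incident (constructed field set)."""
    action: str                          # what happened to the PHI
    discovered: date                     # date the incident was discovered
    phi_secured: bool = False            # encrypted (electronic) or properly destroyed (media)
    recipient_could_retain: bool = True  # could the recipient reasonably retain the information?
    good_faith_workforce_access: bool = False
    inadvertent_internal_disclosure: bool = False
    significant_risk_of_harm: bool = True
    individuals: int = 0                 # individuals whose PHI was involved
    individuals_same_state: int = 0      # largest number affected within one state
    insufficient_contact_info: int = 0   # individuals with no usable address or e-mail


@dataclass
class Assessment:
    reportable: bool
    reason: str
    obligations: List[str] = field(default_factory=list)
    deadline: Optional[date] = None


def is_reportable_breach(inc: Incident) -> Tuple[bool, str]:
    """Steps 1-4 of the slides' analysis: breach? secured? exception? risk of harm?"""
    if inc.action not in UNAUTHORIZED_ACTIONS:
        return False, "no unauthorized acquisition, access, use or disclosure"
    if inc.phi_secured:
        return False, "PHI was secured (encrypted or properly destroyed)"
    if not inc.recipient_could_retain:
        return False, "exception: recipient could not reasonably have retained the information"
    if inc.good_faith_workforce_access:
        return False, "exception: unintentional good-faith access by a workforce member"
    if inc.inadvertent_internal_disclosure:
        return False, "exception: inadvertent disclosure between persons authorized to access PHI"
    if not inc.significant_risk_of_harm:
        return False, "no significant risk of harm"
    return True, "unsecured PHI breached; notification required"


def assess(inc: Incident) -> Assessment:
    """Work out who must be notified, by what means and by when."""
    reportable, reason = is_reportable_breach(inc)
    result = Assessment(reportable, reason)
    if not reportable:
        return result
    result.deadline = inc.discovered + timedelta(days=NOTIFICATION_DEADLINE_DAYS)
    result.obligations.append(
        "written notice to each individual at last known address (or e-mail if the individual chose it)")
    if inc.insufficient_contact_info > SUBSTITUTE_NOTICE_THRESHOLD:
        result.obligations.append(
            "substitute notice: prominent website posting or major print/broadcast media")
    elif inc.insufficient_contact_info > 0:
        result.obligations.append("alternative notice for individuals with out-dated contact information")
    if inc.individuals_same_state > MAJOR_BREACH_THRESHOLD:
        result.obligations.append("notice to prominent media outlets in the affected state")
    if inc.individuals > MAJOR_BREACH_THRESHOLD:
        result.obligations.append("report to the HHS Secretary at the time of the incident")
    else:
        # The slides say "less than 500" goes on the annual log; a count of exactly
        # 500 is not addressed there and is treated as annual here.
        result.obligations.append("log for the annual submission to HHS")
    return result


if __name__ == "__main__":
    # Constructed sample incidents, not real events
    lost_laptop = Incident("acquisition", date(2010, 3, 19), phi_secured=True, individuals=300)
    mismailed = Incident("disclosure", date(2010, 3, 19), individuals=1200,
                         individuals_same_state=1200, insufficient_contact_info=30)
    for inc in (lost_laptop, mismailed):
        a = assess(inc)
        print(a.reportable, a.reason, a.deadline, *a.obligations, sep="\n  ")
```

The encrypted-laptop case stops at step 2 (secured PHI), while the misdirected mailing triggers individual, substitute, media and immediate HHS notice with a 60-day deadline computed from the discovery date.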
Consequences of HIPAA Violations

Pre-HITECH enforcement
- No more than $100 per violation per day
- Capped at $25,000 per year for all violations of an identical requirement or prohibition during a calendar year
- HHS pursued “informal” enforcement

HITECH enhanced enforcement
- New tiered structure for each violation:
  - “Unknown” violations: $100 - $50,000
  - “Reasonable cause” violations: $1,000 - $50,000
  - “Willful neglect” violations (if corrected within 30 days): $10,000 - $50,000
  - “Willful neglect” violations (if uncorrected within 30 days): $50,000
- New cap: $1.5 million for all violations of the same type during a calendar year

New enforcement strategies
- Individuals who wrongfully disclose PHI are now clearly subject to criminal penalties
- Requires HHS to conduct audits
- State Attorneys General and the FTC given enforcement authority

Minimizing the Impact of HIPAA
Try not to have PHI
- Try to keep it from becoming PHI:
  - Keep enrollment data in employment records
  - Work with enrollment data as much as possible
- Limit the info TPAs report to you:
  - Get de-identified or summary health info only
- Have health plan participants and beneficiaries deal directly with the TPA
  - Have TPAs handle benefits appeals

If you must handle PHI
- Limit the number of people with access
- Minimize the amount of information you receive
- Be sure those who handle the information are trained
- Be sure policies and procedures are in sync with practices
- Try not to have ePHI