
Page 1: HIPAA Basic Training for Health & Welfare Plan Administrators · 2010. 3. 19. · Fully-Insured Benefits Can take a hands-off approach. Handle only enrollment information and summary

2010 Human Resources Seminar

HIPAA Basic Training for Health & Welfare Plan Administrators

Norbert F. Kugele

Page 2

What We're Going to Cover

• Important basic concepts
• Who needs to worry about HIPAA?
• Complying with the Privacy Rule, Transaction Rule, Security Rule, and Breach Notification Rules
• Violating HIPAA
• Minimizing the impact of HIPAA

Page 3

Important Basic Concepts

Page 4

What Is HIPAA?

• Health Insurance Portability and Accountability Act of 1996
• Intended to make it easier to share information electronically
• Information can be shared for certain purposes
• All other purposes are prohibited without authorization

Page 5

Protected Health Information

• Individually identifiable health information used by a health plan
• Any form: written, electronic or oral
• Includes information relating to:
  - Physical health
  - Mental health
  - Payment for health care

Page 6

Health Plans Subject to HIPAA

• Medical plans
• Dental plans
• Vision plans
• Health flexible spending accounts
• Employee assistance programs
• Wellness programs

Page 7

What Is Not a "Health Plan"?

• Employment records
• Leaves of absence, FMLA records
• ADA claims
• On-the-job injuries
• Workers' compensation
• Fitness-for-duty exams
• Drug screening

Page 8

What Is Not a "Health Plan"?

• Life insurance
• Disability (STD & LTD)
• Some wellness programs

Page 9

What Is Not a "Health Plan"?

• Life insurance
• Disability plans
• Workers' compensation plans
• Leaves of absence
• FMLA records

Page 10

What Is Not a "Health Plan"?

• ADA claims
• On-the-job injuries
• Drug screening

Page 11

Who Needs to Worry About HIPAA?

Page 12

Fully-Insured Benefits

• Can take a hands-off approach
• Handle only enrollment information and summary health information
• Minimum compliance obligations:
  - Do not require enrollees to waive HIPAA rights
  - Do not retaliate against enrollees who exercise HIPAA rights
• Compliance burden is on insurers/HMOs

Page 13

Self-Insured Benefits

• Must fully comply with HIPAA:
  - Privacy rules
  - Security rules
  - Transaction rules
  - Breach notification rules
• Hiring a TPA does NOT relieve you of your compliance obligation
  - But it can help relieve the burden

Page 14

Complying with the Privacy Rule

Page 15

Protected Health Information (PHI)

• Individually identifiable health information used by a health plan
• Any form: written, electronic or oral
• Includes information relating to:
  - Physical health
  - Mental health
  - Provision of and payment for health care

Page 16

What Is Not PHI?

• Information that does not come from, and is not given to, a health plan
  - Health information an employee shares with the Benefits Dept. for health plan purposes (e.g., information for pre-certification of a hospital stay) IS PHI
  - The same information shared by the employee with a supervisor for FMLA purposes IS NOT PHI

Page 17

What Is Not PHI?

• Enrollment records
  - Enrollment records maintained in employment records are not PHI
  - Enrollment records reported to the health plan are PHI

Page 18

Restrictions on PHI

• Health plans may not use or disclose PHI unless:
  - The Privacy Rule specifically allows the use/disclosure; or
  - The individual who is the subject of the PHI specifically allows it

Page 19

Restrictions on PHI

• Cannot use PHI for:
  - Making personnel decisions
  - Administering other employee benefit programs
• Cannot use or disclose PHI for marketing purposes without authorization
• Cannot sell PHI

Page 20

Permitted Uses of PHI

• "TPO":
  - Treatment
  - Payment
  - Health care operations
• Complying with law
• Any other use or disclosure generally requires authorization

Page 21

Minimum Necessary Rule

• Must limit uses and disclosures of PHI to the minimum amount necessary to accomplish the intended purpose
  - Do not use a fire hydrant when a garden hose will suffice
• HITECH clarification:
  - Default rule: use aggregate data only
  - Must justify use of more detailed information

Page 22

Privacy Rule Requirements

• Designate a privacy officer
• Implement written privacy policies
• Train those who work with PHI
• Discipline those who violate privacy policies
• Investigate and respond to complaints

Page 23

Privacy Rule Requirements

• Include provisions in the health plan document that:
  - Describe permitted uses and disclosures
  - Identify who is permitted to have access to PHI
  - Require compliance with privacy rules
• Plan sponsor must certify compliance with HIPAA privacy rules
• Distribute a Notice of Privacy Practices
• Retain HIPAA compliance records for at least six years

Page 24

Privacy Rule Requirements

• Respect individual rights:
  - Right to access PHI in health plan records
  - Right to request amendments of PHI
  - Right to an accounting of disclosures
  - Right to request additional restrictions
  - Right to request confidential communications
• Verify the identity and authority of those seeking access to PHI

Page 25

Business Associates

• A person or organization who:
  - Performs a function or activity for the health plan; or
  - Assists the plan sponsor in performing a health plan function or activity
• The function or activity involves use or disclosure of PHI
• Employees are not business associates
• HMOs/insurers are not business associates

Page 26

Examples of Business Associates

• Third-party administrators (TPAs)
• COBRA administrators
• Outside attorneys and accountants
• Benefits consultants
• Insurance agents
• Utilization review organizations
• Computer service technicians
• Software vendors

Page 27

Business Associate Agreements

• Must have a written contract
• Establishes permitted uses and disclosures
• Requires compliance with HIPAA requirements
• Requires reporting of:
  - Unauthorized uses/disclosures
  - Security incidents
  - Security breaches

Page 28

Business Associates

• If you learn that a business associate has materially violated the terms of the BAA:
  - Must investigate
  - Demand that the BA end the violation and mitigate the harm
• If the BA does not end the breach or cannot cure it:
  - Terminate the contract; or
  - Report the BA to HHS

Page 29

Family Members/Representatives

• May disclose PHI to family, relatives, and friends involved in the individual's care or payment for care
• Can use professional judgment
• Give individuals the ability to designate someone, and to revoke the designation
• Personal representatives can exercise all rights of individuals

Page 30

Complying with the Transaction Rule

Page 31

Transaction Rule

• Goal: standardize electronic transactions relating to payment for health care
• Streamline payment for health care
• Technical rule for how to structure the transaction

Page 32

Transaction Rule

• Applies to electronic transactions by the health plan with:
  - Health care providers
  - Other health plans
• Generally an issue for TPAs
• BAAs must require compliance with transaction standards

Page 33

Complying with the Security Rule

Page 34

Scope of Security Rules

• Apply to electronic forms of PHI:
  - Databases
  - Spreadsheets
  - E-mail communications
  - Copy machines with hard drives
• Do not apply to:
  - Paper records
  - Telephone and fax transmissions (but do apply to voice mail and stored fax documents)

Page 35

Risk Assessments

• Must conduct a risk assessment:
  - Identify where ePHI is stored and used
  - Identify the threats to confidentiality, integrity and accessibility of ePHI
  - Identify the likelihood that a vulnerability will lead to unauthorized use/disclosure
  - Identify the risks that need to be addressed
• Must update on a regular basis

Page 36

Administrative Safeguards

• Designate a Security Officer
• Train and discipline the workforce
• Manage the workforce's access to ePHI
• Monitor for and report on security incidents
• Establish contingency plans (backup, disaster recovery, emergency modes, etc.)
• Periodically evaluate safeguards

Page 37

Physical Security

• Control access to physical equipment using/storing ePHI
• Workstation use/security
• Device and media controls

Page 38

Technical Safeguards

• Unique user IDs/authentication
• Automatic logoff
• Emergency access procedures
• Encryption & transmission security
• Audit controls
• Mechanisms to prevent improper alteration/destruction

Page 39

Business Associates

• Handle most ePHI for health plans
• Must now contractually agree to implement policies and procedures that comply with these requirements
• Examine transmissions with business associates

Page 40

Complying with the Breach Notification Rule

Page 41

Breach Notification

• Before HITECH: no clear duty to notify of a breach under HIPAA
• HITECH Act: must notify each individual whose PHI is breached within 60 days of discovery
• Applies to all forms of unsecured PHI

Page 42

Breach Notification Analysis

• Was there a "breach"?
  - Unauthorized:
    - Acquisition
    - Access
    - Use
    - Disclosure

Page 43

Breach Notification Analysis

• Was the data secured with respect to the individual with unauthorized access?
  - Electronic data: was it encrypted?
    - Data at rest
    - Data in motion
  - Media: was it properly destroyed?
    - Paper, film, other hard-copy media
    - Electronic data

Page 44

Breach Notification Analysis

• Does the incident fall within an exception?
  - Person would not reasonably have been able to retain the information
  - Employee's unintentional access of a record in good faith
  - Inadvertent disclosure within the same organization by and to an individual authorized to access PHI

Page 45

Breach Notification Analysis

• Could there be a significant risk of harm?
  - Who received/accessed the information?
  - How detailed was the information?
  - Were steps taken to recall/destroy the information and mitigate harm?
  - Was the information returned/destroyed before being improperly accessed?

Page 46

Breach Notification

• Methods of providing notice:
  - Written notice to last known address (or e-mail if specified by the individual)
  - If contact information is insufficient or out of date, alternative notice
    - If more than 10 individuals:
      - Prominent posting on website; or
      - Notice in major print or broadcast media
  - In urgent situations, may supplement with telephone or other means, if appropriate

Page 47

Breach Notification

• Notice to prominent media outlets if more than 500 individuals within a state are affected
• Notification to the Secretary of Health & Human Services:
  - At the time of the incident, if more than 500 individuals are affected
  - If fewer than 500 individuals, must submit to HHS annually
  - http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html

Page 48

Breach Notification

• Content of notification:
  - Brief description of what happened, including:
    - Date of breach (if known)
    - Date breach discovered
  - Description of the types of unsecured PHI involved in the breach
  - Steps individuals should take to protect themselves from potential harm
  - What the covered entity is doing to investigate, mitigate losses and protect against further breaches
  - Contact procedures to ask questions or learn more
• Deadline: without unreasonable delay, but in any case within 60 days

Page 49

Breach Notification

• Does not preempt state security breach notification laws:
  - SSNs
  - Driver's license numbers
  - Financial account information
• May have to comply with both

Page 50

Breach Notification

• Business associates are also subject to the breach notification provisions
• Default rule: provide notice to the covered entity
  - Must include identification of each individual whose PHI has been, or is reasonably believed to have been, breached
• Covered entities can contract for a different arrangement
• Duty may be different under state law

Page 51

Consequences of HIPAA Violations

Page 52

Pre-HITECH Enforcement

• No more than $100 per violation per day
• Capped at $25,000 per year for all violations of an identical requirement or prohibition during a calendar year
• HHS pursued "informal" enforcement

Page 53

HITECH Enhanced Enforcement

• New tiered structure for each violation:
  - "Unknown" violations: $100 - $50,000
  - "Reasonable cause" violations: $1,000 - $50,000
  - "Willful neglect" violations (if corrected within 30 days): $10,000 - $50,000
  - "Willful neglect" violations (if uncorrected within 30 days): $50,000
• New cap: $1.5 million for all violations of the same type during a calendar year

Page 54

New Enforcement Strategies

• Individuals who wrongfully disclose PHI are now clearly subject to criminal penalties
• Requires HHS to conduct audits
• State Attorneys General and the FTC given enforcement authority

Page 55

Minimizing the Impact of HIPAA

Page 56

Try Not to Have PHI

• Try to keep it from becoming PHI:
  - Keep enrollment data in employment records
  - Work with enrollment data as much as possible
• Limit the information TPAs report to you
  - Get de-identified or summary health information only
• Have health plan participants and beneficiaries deal directly with the TPA
  - Have TPAs handle benefits appeals

Page 57

If You Must Handle PHI

• Limit the number of people with access
• Minimize the amount of information you receive
• Be sure those who handle the information are trained
• Be sure policies and procedures are in sync with practices
• Try not to have ePHI

Page 58

Questions?

Norbert F. [email protected]

616.752-2186