Reflections on the State of Privacy Risk Management in Health Care
Benefits Administration
(one year and counting …)
Mark Lutes, Esq., Partner, Epstein Becker & Green, P.C., Washington, DC, (202) [email protected]
Are We Aiming At The Right Target?
• Reputational Risk
• Class Action litigation?
• Employment discrimination suits?
• Office of Civil Rights (HHS) risk?
Misdirected Efforts
• Committee meetings galore (“activity mistaken for progress”)
• Gap Analysis mania
– Does anyone really expect that the old forms would meet the new standards?
– Gap work product: unprotected and dangerous if exposures are unremediated
• Dangers in HIPAA compliance focus v. privacy risk management focus
Real Exposures That Are Rarely Appreciated
• Breach of fiduciary duty - Bureau of Indian Affairs case (sound familiar to anyone running an ERISA plan?)
• Overpromises to patients and members
– Glib privacy policy statements
– Inaccurate web site statements
– Lesson of the Eli Lilly consent order
• ERISA, ADA and other claims around employer use of employee health benefit information
The HIPAA Answer Is Not Always The Best Risk Management
• E.g., the HIPAA privacy rule suggests that health plans might pass up gaining consent for mainstream uses and disclosures
• E.g., HIPAA countenances uses that would be commonly understood as marketing without an opt-out
• E.g., preamble countenances more health plan disclosures to subscribers re: spouses than good risk management suggests
Practical Privacy Risk Management
• The rule’s proliferation of technical requirements obscures the fact that covered entities need to carry out due diligence as to their “uses” and “disclosures” of PHI.
• Whether the covered entity or business associate uses a paper or software tool, long-term privacy risk management depends on periodic review of uses and disclosures (“U&Ds”)
• The U&D inventory protects your professional reputation and that of your organization.
Inventory System Solution to Privacy Compliance
[Diagram: a cycle linking the following elements]
• Inventory
• Database
• Compliance Committee meetings (consider minimum necessary and other standards)
• CQI: changes to policy & procedure
• Changes to work procedures
Practical Privacy Risk Management
• Prioritize tasks according to the real exposures
– Create a record of diligence
– Create a record of continuous quality improvement against the minimum necessary and other standards
– Address everyday exposures such as customer service disclosures to telephone or web inquiries
– Address key risk issues like access of subscriber to records of spouse
– Manage the risk of disclosure of employee PHI to employer
• Ask yourself whether your program meets these tests!
Major Policy Decision for Plan Sponsor
• Will the plan sponsor be content to receive deidentified information and summary information for plan settlor functions or obtaining premium bids?
– If so, it can avoid the plan document changes and the firewalls (and the risk management challenges they pose)
Plan Sponsor Decision Tree
• Receive only summary health information and use it only for premium bidding and settlor functions
– Fully insure: No requirement for the plan to maintain a privacy officer, have a complaint policy, training program, notice of privacy practices, etc. Use and disclosure rules still apply.
– Self fund (including through an FSA): Appoint a privacy officer, conduct training, have a complaint policy, publish a notice of privacy practices. Use and disclosure rules still apply.
• Receive summary health information for settlor functions and receive PHI for:
– Plan administrative purposes: Make Section 504(f) disclosures and give the Section 504(f) certification
– Other purposes: Get a Section 508 compliant authorization
• Receive non-summary PHI for:
– Plan administration
– Other purposes
© Mark Lutes, Epstein Becker & Green, P.C., 2002
Practical Privacy Risk Management
Employee Welfare Benefit Plan Data:
• Do an analysis of options as to the receipt of PHI ((a) none; (b) only summary information for plan administration purposes; or (c) all PHI)
• Consider whether Benefits Administration should stay where it is in the company structure
• Provide necessary safeguards in Benefits Administration
• Disclosures in ERISA plan documents
• Evidence of an employee training program and enforcement mechanism
Has this work begun at your company?