
Page 1

Reflections on the State of Privacy Risk Management in Health Care Benefits Administration (one year and counting …)

Mark Lutes, Esq.
Partner
Epstein Becker & Green, P.C.
Washington, DC
(202) 861-1824
[email protected]

Page 2

Are We Aiming At The Right Target?

• Reputational Risk

• Class Action litigation?

• Employment discrimination suits?

• Office of Civil Rights (HHS) risk?

Page 3

Misdirected Efforts

• Committee meetings galore (“activity mistaken for progress”)

• Gap Analysis mania

– Does anyone really expect that the old forms would meet the new standards?

– Gap work product: unprotected and dangerous if exposures are unremediated

• Dangers in HIPAA compliance focus v. privacy risk management focus

Page 4

Real Exposures That Are Rarely Appreciated

• Breach of fiduciary duty - Bureau of Indian Affairs case (sound familiar to anyone running an ERISA plan?)

• Overpromises to patients and members

– Glib privacy policy statement

– Inaccurate web site statements

– Lesson of Eli Lilly consent order

• ERISA, ADA and other claims around employer use of employee health benefit information

Page 5

The HIPAA Answer Is Not Always The Best Risk Management

• E.g., the HIPAA privacy rule suggests that health plans might pass up gaining consent for mainstream uses and disclosures

• E.g., HIPAA countenances uses that would be commonly understood as marketing without an opt-out

• E.g., preamble countenances more health plan disclosures to subscribers re: spouses than good risk management suggests

Page 6

Practical Privacy Risk Management

• The rule’s proliferation of technical requirements obscures the fact that covered entities need to carry out due diligence as to their “uses” and “disclosures” of PHI.

• Whether the covered entity or business associate uses a paper or software tool, long-term privacy risk management depends on periodic review of U&Ds (uses and disclosures)

• The U&D inventory protects your professional reputation and that of your organization.

Page 7

Inventory System Solution to Privacy Compliance

(Diagram; node labels:)

• Inventory

• Database

• Compliance Committee meetings consider minimum necessary and other standards

• CQI: changes to policy & procedure

• Changes to work procedures

Page 8

Practical Privacy Risk Management

• Prioritize tasks according to the real exposures

– Create a record of diligence

– Create a record of continuous quality improvement against the minimum necessary and other standards

– Address everyday exposures such as customer service disclosures to telephone or web inquiries

– Address key risk issues like access of subscriber to records of spouse

– Manage the risk of disclosure of employee PHI to employer

• Ask yourself whether your program meets these tests!

Page 9

Major Policy Decision for Plan Sponsor

• Will the plan sponsor be content to receive deidentified information and summary information for plan settlor functions or obtaining premium bids?

– If so, it can avoid the plan document changes and the firewalls (and the risk management challenges they pose)

Page 10

Plan Sponsor Decision Tree

• Receive only summary health information and use it only for premium bidding and settlor functions

– Fully insure: No requirement for plan to maintain privacy officer, have complaint policy, training program, notice of privacy practices, etc. Use and disclosure rules still apply.

– Self fund (including through FSA): Appoint privacy officer, conduct training, have complaint policy, publish notice of privacy practices. Use and disclosure rules still apply.

• Receive summary health information for settlor functions and receive PHI for:

– Plan administrative purposes: Make Section 504(f) disclosures and give Section 504(f) certification

– Other purposes: Get Section 508 compliant authorization

• Receive non-summary PHI information for:

– Plan administration

– Other purposes

© Mark Lutes, Epstein Becker & Green, P.C., 2002

Page 11

Practical Privacy Risk Management

Employee Welfare Benefit Plan Data:

• Do analysis of options as to the receipt of PHI ((a) none; (b) only summary for plan administration purposes; or (c) all PHI)

• Consider whether Benefits Administration should stay where it is in company structure

• Provide necessary safeguards in Benefits Administration

• Disclosures in ERISA plan documents

• Evidence of employee training program and enforcement mechanism

Has this work begun at your company?