Workplace Privacy and HIPAA – A Decade-Old Dance
Texas Municipal Human Resources Association Annual Conference
Presented By:
Timothy G. Verrall
Overview
HIPAA Refresher
What is it?
Who does it cover?
What do you need to do about it?
What happens if you don’t?
What’s new in HIPAA-Land?
Enforcement update & lessons for employers
On the regulatory horizon
PHI breaches: planning ahead
HIPAA Basics
The Health Information Portability and Accountability Act regulates use, disclosure, security, and transmission of “protected health information”
Privacy, security, and electronic transactions
HIPAA applies to “covered entities”
Healthcare providers conducting “standard transactions”
Healthcare clearinghouses
Health plans (but not employers acting as such)
HITECH Act (2009) expands to “business associates”
Key Terms
HIPAA
HITECH
PHI
Covered Entity
Authorizations
Business Associate
Notice of Privacy Practices
Privacy Policies and Procedures
Key Terms (cont.)
What is a “group health plan”?
HIPAA borrowed existing ERISA concept
GHP = “employee welfare benefit plan” that provides specified welfare benefits to employees or their dependents through insurance, reimbursement, or otherwise
Includes both fully-insured and self-funded plans
Key Terms (cont.)
Not every plan/program providing welfare-type benefits is covered
Plans providing “excepted benefits” are excluded
Small (under 50 participants), self-funded, self-administered GHPs are excluded
GHPs maintained by governmental entities are not excluded from coverage
Note: the health insurer is not a GHP but it is a “health plan” and therefore independently covered by HIPAA
HIPAA in a Nutshell
No use or disclosure of PHI except as otherwise permitted by HIPAA or required by law
BAs must comply with the terms of their agreements with covered entities
Both covered entities and BAs must adopt administrative, technical and physical safeguards to ensure the confidentiality, integrity, and availability of ePHI.
HIPAA Privacy Basics
Use/disclosure limitations for PHI
“TPO”
“Plan administration functions”
Authorized disclosures
Public policy exceptions
“Minimum necessary” only
Administrative safeguards
HIPAA Security Basics
Applies to PHI stored, maintained, transmitted, or received via electronic media
Applies to both covered entities and BAs
Requires adoption of tailored safeguards to protect confidentiality, integrity, and availability of ePHI
Administrative, technical, and physical
HIPAA Penalties
Inadvertent - $100; $25,000 cap per violation per year
Reasonable Cause - $1,000; $100,000 cap per violation per year
Willful Neglect/Corrected - $10,000; $250,000 cap per violation per year
Willful Neglect/Not Corrected - $50,000; $1.5 million cap per violation per year
Criminal penalties also available
Enhanced Enforcement
HITECH formally directs DHHS to investigate complaints and impose penalties for violations
HIPAA penalties to be “recycled”
Restitution
Fund more DHHS enforcement
State AGs are “deputized” to enforce HIPAA violations that threaten or affect state residents
HIPAA and State Laws
HIPAA broadly preempts conflicting state laws pertaining to the use and disclosure of PHI
But: HIPAA does not preclude states from adopting more stringent protections for PHI
Covered entities and BAs must comply with the stricter requirements that apply to them
Texas has adopted its own medical privacy laws, but none enhance HIPAA requirements for GHPs (yet)
HIPAA and Employers
Employers acting as such are not covered entities or BAs
Major caveat: their group health plans are covered entities
The structure of a GHP determines its HIPAA profile
Employers must manage HIPAA compliance for their GHPs
HIPAA Privacy and Your Plan
Plan design and degree of employer involvement drive scope of obligations
More employer involvement = more compliance responsibilities
Possibilities –
Fully-insured, no PHI
Fully-insured, PHI for plan administration
Self-funded
HIPAA Privacy and Your Plan (cont.)
For plans with limited exposure to PHI, obligations are limited too
For plans with access to PHI, there will be more extensive obligations
Plan amendments/certification
Administrative safeguards
Notice of privacy practices
HIPAA Security and Your Plan
For most employer health plans, HIPAA security is about documentation and monitoring
Conduct a risk/threat assessment
Adopt appropriate security standards for PHI maintained at the GHP level (if any)
Ensure BAs properly secure the ePHI they handle
HITECH requirements introduce data breach as a new area of concern
What’s New in HIPAA-Land?
Enforcement Update & Lessons for Employers
Regulatory Update
PHI Breaches – Preparing Ahead of Time
DHHS Enforcement Outlook
DHHS/OCR intends to move towards affirmative and more punitive enforcement
Stated goal to “make examples” of HIPAA violators to encourage voluntary compliance
DHHS wants to encourage a “culture of compliance”
DHHS Outlook (cont.)
Most violations involve a lack of compliance due diligence
DHHS interest lies in –
Robust policies and procedures
Focused and regular training
Thoughtful assessments of risks and vulnerabilities
Application of sanctions to violators
Do the little things right
Reported Breaches: What We can Learn
Most involve loss or theft of laptops and other mobile devices
Theft rarely targets the PHI on devices
Others just as mundane – misdirected emails, papers left on subway seat
Very few involve hacking or systems-level problems
Benefit plans are not immune (several plan breaches affected more than 1,000 individuals)
Breaches tend to involve lack of follow-through on policies, training, and sanctions
One Key Area of Breach Risk
Evaluate the risks to ePHI maintained by Business Associates
Maintain ePHI on centralized systems, not mobile devices
Encrypt to HITECH standards
Ensure ability to remotely wipe devices
Provide adequate training
Enforcement Actions
Formal settlements by DHHS up post-HITECH
State AGs already using new enforcement powers with DHHS training
More states creating or enhancing privacy requirements for PHI
Potential for class-action litigation in some states (e.g., CA)
Enforcement Actions (cont.)
Breach reporting does not inevitably lead to DHHS audit
How many individuals affected?
What vulnerabilities were identified?
How effective and decisive was mitigation?
Best Practices for New Era
In 2012, off-the-shelf policies and procedures may not impress DHHS
In 2012, “canned” one-off training is not likely to impress DHHS either
In 2012, sanctions policy needs to have teeth and be enforced in practice
In 2012, compliance self-audits are important to show awareness of issues and appropriate course corrections
On the Regulatory Horizon
New omnibus HIPAA regulations currently under Office of Management and Budget review
Regs will be effective in 2012
Consolidates prior DHHS proposals –
BA regulation post-HITECH
Marketing/sale of PHI
Electronic access to PHI
Individual-directed restrictions on use/disclosure
GINA
Enforcement
On the Regulatory Horizon (cont.)
Expected impact on employer plans
Update notice of privacy practices, if applicable
Revise affected policies and procedures, if applicable
Update BA agreements and related policies
PHI Breaches: Planning Ahead
BAs have a large role in safeguarding PHI and are often the source of potential breaches
Breach assessment and notification process should be tightened in BA agreements
Don’t settle for general BA promise to comply with HIPAA rules
PHI Breaches – Issues in BA Agreements
Who assesses and with input from whom?
What’s the timing?
Is the BA an “agent” or not?
Does the covered entity have/exercise audit rights to confirm compliance and capabilities?
How is subcontracting handled?
What protection for plan from State law violations?
Does indemnification protection require fault by BA (why?)
Quick Review
HIPAA Privacy, Security Refresher
Basics, Key Terms
Impact on Employers & Their Plans
Penalties
What’s New in HIPAA-Land? Enforcement & lessons to learn
On the regulatory horizon
PHI breaches: planning ahead
Questions?