1 HIPAA Health Insurance Portability and Accountability Act Budgeting Effectively for Good Faith Compliance

Page 1

HIPAA

Health Insurance Portability and Accountability Act

Budgeting Effectively for Good Faith Compliance

Page 2

Through HIPAA, Congress intended to:

Overcome “job lock” – the reluctance of moving from one company to another for fear of losing health insurance

Increase portability and access to health insurance

Simplify health care administration

Page 3

The Result of HIPAA was:

Administrative Simplification = Uniformity of Electronic Transactions

Standardized Electronic Transactions Highlighted the Need for:

Patient Privacy and Records Security

Page 4

IMPACT

Patient Privacy and Records Security

Significant Increases in Operating Costs

U.S. Dept. of Health & Human Services estimates the industry cost for privacy compliance alone at $3.8 billion. The American Hospital Association estimates the cost of compliance at $22.5 billion over five years.

Page 5

PENALTIES FOR NONCOMPLIANCE

General Penalty for Failure to Comply
– Each violation: $100.
– Maximum penalty for violations per standard may not exceed $25,000.

Wrongful Disclosure of Individual Health Information
– Basic offense: $50,000, imprisonment of not more than one year, or both.
– False Pretenses: $100,000, imprisonment of not more than 5 years, or both.
– Intent to Sell: $250,000, imprisonment of not more than 10 years, or both.

Page 6

Establishing a “Good Faith” Compliance Effort

Written compliance program/policies

Employee training

Revise vendor contracts

Audit security procedures and upgrade as necessary

Page 7

Covered Entities

All health care providers and health plans are required to implement the standardized transactions and to comply with the new privacy and security rules.

Employer group health plans with more than 50 participants are included.

Page 8

Elimination of Local Codes: Seven Required Standardized Transactions

Parties: Provider, Payer, Plan Sponsor

Patient Info / Eligibility Request (270): Provider to Payer

Response to Eligibility (271): Payer to Provider

Enrollment Info (834): Plan Sponsor to Payer

Authorizations & Referrals, Requesting Review (278): Provider to Payer

Authorizations & Referrals, Response (278): Payer to Provider

Claims/Encounter, Claim (837): Provider to Payer (Attachment 275 not yet mandated)

Claim/Encounter, Attachment Request (276): Payer to Provider (not yet mandated)

Claim Status, Request (276): Provider to Payer

Claim Status, Response (277): Payer to Provider

Claim Payment, Remittance Advice (835): Payer to Provider

Premium Payment (820): Plan Sponsor to Payer

Plan sponsors do not have to transmit information electronically. However, if they submit standard transactions 834 or 820, Payors and Providers will be required to accept such transactions.

Page 9

Protected Health Information (“PHI”)

A convoluted regulatory definition: All health information created and/or received by a provider, health plan, health care clearinghouse, employer, life insurer, school or university that relates to the physical or mental health or condition of an individual, the provision of health care to that person, or the payment for that person’s health care, which is sufficiently specific to identify the person, and that is transmitted or maintained by a covered entity in any form (orally, on paper or electronically).

Page 10

Privacy

Prohibits the USE or DISCLOSURE of PHI unless PERMITTED or REQUIRED by HIPAA

Page 11

Patient Consents

• New requirements for format and content mandated. Old consent forms for treatment, payment or health care operations will not comply.

• New, broad-form consent now needed for peer reviews, medical training, quality assurance, etc.

Page 12

Restricted Use of Patient Information

Affects information used in patient directories.

Affects consultations with and disclosures to family members.

Numerous exceptions: child abuse, domestic violence, research, licensure and disciplinary actions.

Note: HIPAA pre-empts state law unless state law is more restrictive, e.g. HIPAA would allow disclosure of a patient’s religious affiliation, but that is prohibited in Tennessee.

Page 13

Written Authorization Required in Addition to Consent

• Any use or disclosure of Psychotherapy Notes requires written authorization.

• Use of PHI in marketing or fundraising activities may require written authorization.

Page 14

Umbrella Rule

• Superimposed over all of the new HIPAA regulations is the concept that in using, disclosing or requesting PHI, all covered entities must make reasonable efforts to limit it to the “Minimum Necessary”.

• Non-routine uses and disclosures will require case-by-case analysis

Page 15

Vendor Contracts

Covered Entities will be non-compliant unless they execute written agreements with their vendors which cover specific provisions concerning HIPAA compliance.

- A general HIPAA compliance clause is not sufficient for contracts with Business Associates of Covered Entities.

- Vendor contracts must specifically address the limited use and disclosure of PHI as well as other listed vendor obligations.

- Indemnification provisions for failure to comply should be considered.

Page 16

Notice of Privacy Practices

Among the new “Patients’ Rights” created by HIPAA.

Must be written in “plain language” and carefully worded.

Important to include the ability to change a provider’s privacy practices.

Providers may be required to comply with specific patient instructions, even if given orally or to non-medical office personnel, e.g. sending patient information via e-mail or fax or to a specific address.

Additional Patients’ Rights include access to PHI and medical records, and an accounting of disclosures.

Computer systems must be capable of creating an audit trail of all PHI disclosures and of retaining those records for 6 years.

Page 17

Administrative Requirements: A Potential Budgetary Nightmare

• Appoint a privacy officer and complaint officer

• Overhaul compliance manual to require HIPAA Compliance

• Employee training: privacy and security awareness

• Institute a formal complaint mechanism

• Audit technical and physical safeguards

• Institute sanctions for failure to comply

• Include mitigation procedures to reduce harmful impact of known violations

Page 18

INCREASED SECURITY OF PHI

All Covered Entities must establish and maintain appropriate policies and procedures to safeguard the confidentiality of their patients’ health information. This includes:

• Administrative procedures

• Physical safeguards

• Technical security services and mechanisms

Page 19

Review and Upgrade Administrative Procedures

Revise written policies and procedures for each area or department (e.g., for physical security, personal security, procedural security, etc.)

Require security training for all personnel

Require “Chain of Trust Partner Agreements” with every party with whom you share PHI

Page 20

Review and Upgrade Physical Safeguards

Restrict access to PHI

- building/physical plant

- work stations, files

- computers, computer screens and printers

Page 21

Review and Upgrade Technical Security

Authentication – to verify that the person transacting business electronically is in fact who they claim to be

Encryption – to scramble data so it is non-recognizable

Non-Repudiation – to prevent the person who performed a data transmission from later denying that they sent the data
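The distinction between authentication and non-repudiation on the slide above is easiest to see on a concrete transaction. The following Python example is added here; it is not from the slide deck or from Miller & Martin, and it uses only the standard library. It authenticates a constructed eligibility-style request with an HMAC, shows that any change to the message is detected, and then shows why a MAC under a key shared by provider and payer cannot by itself give non-repudiation: the receiver holds the same key and can mint a valid tag. The message text, the provider identifier CLINIC-0001 and the keys are constructed for illustration; encryption is not shown because the standard library has no cipher.

```python
"""Added example (not from the slide deck): authentication of an electronic
PHI transaction with an HMAC, and why a shared-secret MAC on its own does not
provide non-repudiation. Standard library only; all identifiers are constructed."""
import hashlib
import hmac
import secrets

# Constructed sample: an eligibility-style request a provider might send to a
# payer. CLINIC-0001 and ID-PLACEHOLDER are illustrative, not real identifiers.
SAMPLE_MESSAGE = b"270|provider=CLINIC-0001|member=ID-PLACEHOLDER|service=2024-01-15"


def make_tag(key: bytes, message: bytes) -> bytes:
    """Authentication tag: HMAC-SHA256 over the message under the shared key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison so that verification timing does not leak the tag."""
    return hmac.compare_digest(make_tag(key, message), tag)


def authentication_demo(key: bytes) -> dict:
    """Authentication: a genuine message with its tag is accepted, and a message
    altered in transit (here, the service date) is rejected."""
    tag = make_tag(key, SAMPLE_MESSAGE)
    tampered = SAMPLE_MESSAGE.replace(b"2024-01-15", b"2024-01-16")
    return {
        "genuine_accepted": verify_tag(key, SAMPLE_MESSAGE, tag),
        "tampered_rejected": not verify_tag(key, tampered, tag),
    }


def receiver_can_forge(shared_key: bytes) -> bool:
    """Non-repudiation gap: the payer (receiver) holds the same key, so it can
    produce a tag for a message the provider never sent. A valid HMAC proves
    'someone holding the key sent this', not 'the provider sent this'.
    Non-repudiation needs a signature made with a key only the sender holds
    (an asymmetric private key), which a shared-secret MAC cannot offer."""
    forged_message = b"270|provider=CLINIC-0001|member=ID-PLACEHOLDER|service=2099-01-01"
    forged_tag = make_tag(shared_key, forged_message)  # computed by the receiver
    return verify_tag(shared_key, forged_message, forged_tag)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # fresh shared key for the demonstration
    print(authentication_demo(key))
    print("receiver can forge a valid tag:", receiver_can_forge(key))
```

The practical consequence for a covered entity is that a shared-key MAC satisfies the authentication bullet, but the non-repudiation bullet calls for per-sender signing keys that the receiving party never holds.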

Page 22

Comprehensive Compliance Services Provided by Miller & Martin LLP

Phase I Package Includes:

Vendor contract review and amendment

Revision of written policies and procedures to include HIPAA compliance

Revised patient privacy notices, consents and authorization forms

“Chain of Trust Partner Agreements”

Employee training

Package services also provided separately, and additional services provided as needed.

Page 23

Joint Services Provided by Miller & Martin LLP and G.A. Sullivan

Privacy procedures audits

Security procedures audits

Review and upgrade of computer systems for HIPAA compliance

IT personnel training and assistance

Page 24

HIPAA Practice Group

With 14 firm member representatives of each regional office, Miller & Martin’s HIPAA practice group includes attorneys who specialize in healthcare, corporate law, labor and employment, litigation and government relations. We believe a cross-disciplinary approach will help you tackle the complexities of HIPAA in a more comprehensive and cost-effective manner. For more information concerning the individual members of Miller & Martin’s HIPAA practice group, click on the HIPAA icon at www.millermartin.com

Page 25

HIPAA

For further information, please contact

CLAY PHILLIPS ([email protected]; 615-744-8446)

or

CHRISTIE GROT ([email protected]; 423-785-8307)

MILLER & MARTIN LLP