HIPAA UPDATE

Employers with Group Health Plans

En-Hantz Your Workplace®

What We’re Going to Cover

Important basic concepts
Who needs to worry about HIPAA?
Complying with the Privacy Rule, Transaction Rule, Security Rule, and Breach Notification Rules
Violating HIPAA
Minimizing the impact of HIPAA

Important Basic Concepts

What is HIPAA?

Health Insurance Portability and Accountability Act of 1996
Intended to make it easier to share information electronically
Can share information for certain purposes
All other purposes prohibited without authorization

Protected Health Information

Individually identifiable health information used by a health plan
Any form: written, electronic or oral
Includes information relating to:
  Physical health
  Mental health
  Payment for health care

How Does HIPAA (not Hippo) Apply to Employers’ Group Health Plans?

Effect on Employers

HIPAA regulates all covered entities. “Covered Entity” includes all health plans. A “health plan” is an individual or group plan that provides or pays for the cost of health services, including self-funded and insured group health plans of private and government employers.

The definition of health plan specifically includes employee welfare benefit plans as defined by ERISA.

If your organization offers a group health plan for your employees, the group health plan must comply with HIPAA.

Health Plans Subject to HIPAA

Medical plans
Dental plans
Vision plans
Health flexible spending accounts
Employee assistance programs
Wellness programs

What is Not a “Health Plan”?

Employment records
Leaves of absence, FMLA records
ADA claims
On the job injuries
Workers’ compensation
Fitness for duty exams
Drug screening

What is Not a “Health Plan”?

Life insurance
Disability (STD & LTD)
Some wellness programs

What is Not a “Health Plan”?

ADA claims
On the job injuries
Drug screening

Who Needs to Worry About HIPAA?

The Plan v. The Employer

Technically it is the group health plan that must comply with HIPAA, but practically speaking the employer/plan sponsor will have to make sure the health plan is in compliance.

An employer’s employee records are excluded from the definition of PHI.

Employers or plan sponsors may not use PHI for employment-related functions without authorization from the individual.

The group health plan must determine which PHI uses and disclosures will be needed to administer the group health plan and then amend the plan document accordingly to indicate that the group health plan will comply with the permitted and required uses and disclosures.

A Narrow Exception

A very limited exemption exists for small self-administered plans:
  Your group health plan must have fewer than 50 participants; and
  Your organization must have established the plan and must maintain and administer it (i.e., you do not use a third party administrator (TPA) or other entity to help administer the plan).
Few health plans will actually qualify for this exception.

Fully-Insured Benefits

Can take a hands-off approach
Handle only enrollment information and summary health information
Minimum compliance obligations:
  Do not require enrollees to waive HIPAA rights
  Do not retaliate against enrollees who exercise HIPAA rights
Compliance burden is on insurers/HMOs

“Hands-Off” Approach

Summary health information for plan sponsor functions
  Summary health information is: information that may be individually identifiable health information and:
    summarizes the claims history, claims expenses or type of claims experienced by individuals for whom the plan sponsor has provided health benefits under the group health plan, and
    from which identifying information (18 specific identifiers) has been deleted (basically de‑identified PHI) (except that the geographic information may only be aggregated to the level of a 5‑digit zip code).
Enrollment/Disenrollment information

Self-Insured Benefits

Must fully comply with HIPAA:
  Privacy rules
  Security rules
  Transaction rules
  Breach notification rules
Hiring a TPA does NOT relieve you of your compliance obligation
  But it can help relieve the burden

Complying with the Privacy Rule

Protected Health Information (PHI)

Individually identifiable health information used by a health plan.
Any form: written, electronic or oral
Includes information relating to:
  Physical health
  Mental health
  Provision of and payment for health care

What is Not PHI?

Information that does not come from or is not given to health plans
  Health information an employee shares with the Benefits Dept. for health plan purposes (e.g., information for pre-certification of a hospital stay) IS PHI
  The same information that the employee shares with a supervisor for FMLA purposes IS NOT PHI

What is Not PHI?

Enrollment records
  Enrollment records maintained in employment records are not PHI
  Enrollment records reported to the health plan are PHI

Restrictions on PHI

Health plans may not use or disclose PHI unless:
  The Privacy Rule specifically allows the use/disclosure
  The individual who is the subject of the PHI specifically allows it

Restrictions on PHI

Cannot use PHI for:
  Making personnel decisions
  Administering other employee benefit programs
Cannot use or disclose for marketing purposes without authorization
Cannot sell PHI

Permitted Uses of PHI

“TPO”
  Treatment
  Payment
  Health care operations
Complying with law
Any other use or disclosure generally requires authorization

Minimum Necessary Rule

Must limit uses and disclosures of PHI to the minimum amount necessary to accomplish the intended purpose.
Do not use a fire hydrant when a garden hose will suffice
HITECH clarification:
  Default rule: use aggregate data only
  Must justify use of more detailed information

Privacy Rule Requirements

Designate a privacy officer
Implement written privacy policies
Train those who work with PHI
Discipline those who violate privacy policies
Investigate and respond to complaints

Privacy Rule Requirements

Include provisions in the health plan document that:
  Describe permitted uses and disclosures
  Identify who is permitted to have access to PHI
  Require compliance with privacy rules
Plan sponsor must certify compliance with HIPAA privacy rules
Distribute a Notice of Privacy Practices
Retain HIPAA compliance records for at least six years

Privacy Rule Requirements

Respect individual rights:
  Right to access PHI in health plan records
  Right to request amendments of PHI
  Right to an accounting of disclosures
  Right to request additional restrictions
  Right to request confidential communications
Verify identity and authority of those seeking access to PHI

Business Associates

Person or organization who:
  Performs a function or activity for the health plan; or
  Assists the plan sponsor in performing a health plan function or activity
Function or activity involves use or disclosure of PHI
Employees are not business associates
HMOs/insurers are not business associates

Examples of Business Associates

Third-party administrators (TPAs)
COBRA administrators
Outside attorneys and accountants
Benefits consultants
Insurance agents
Utilization review organizations
Computer service technicians
Software vendors

Business Associate Agreements

Must have written contract
Establishes permitted uses and disclosures
Require compliance with HIPAA requirements
Require reporting of:
  Unauthorized uses/disclosures
  Security incidents
  Security breaches

Business Associates

If you learn that a business associate has materially violated the terms of the BAA:
  Must investigate
  Demand that the BA end the violation and mitigate harm
  If the BA does not end the breach or cannot cure it:
    Terminate the contract, or
    Report the BA to HHS

Family Members/Representatives

May disclose PHI to family, relatives, friends involved in the individual’s care/payment for care
  Can use professional judgment
Give individuals the ability to designate someone/revoke the designation
Personal representatives can exercise all rights of individuals

Complying with the Transaction Rule

Transaction Rule

Goal: standardize electronic transactions relating to payment for health care
Streamline payment for health care
Technical rule for how to structure the transaction

Transaction Rule

Applies to electronic transactions by the health plan with:
  Health care providers
  Other health plans
Generally, an issue for TPAs
BAAs must require compliance with transaction standards

Complying with the Security Rule

Scope of Security Rules

Apply to electronic forms of PHI:
  Databases
  Spreadsheets
  E-mail communications
  Copy machines with hard drives
Does not apply to:
  Paper records
  Telephone and fax transmissions (but do apply to voice mail and stored fax documents)

Risk Assessments

Must conduct a risk assessment:
  Identify where ePHI is stored and used
  Identify the threats to confidentiality, integrity and accessibility of ePHI
  Identify the likelihood that a vulnerability will lead to unauthorized use/disclosure
  Identify risks that need to be addressed
Must update on a regular basis

Administrative Safeguards

Designate a Security Officer
Train and discipline workforce
Manage workforce’s access to ePHI
Monitor for and report on security incidents
Establish contingency plans (backup, disaster recovery, emergency modes, etc.)
Periodic evaluation of safeguards

Physical Security

Control access to physical equipment using/storing ePHI
Workstation use/security
Device and media controls

Technical Safeguards

Unique user IDs/authentication
Automatic logoff
Emergency access procedures
Encryption & transmission security
Audit controls
Mechanisms to prevent improper alteration/destruction

Business Associates

Handle most ePHI for health plans
Must now contractually agree to implement policies and procedures that comply with these requirements
Examine transmissions with business associates

Complying with Breach Notification Rule

Breach Notification

Before HITECH: no clear duty to notify of a breach under HIPAA
HITECH Act: Must notify each individual whose PHI is breached within 60 days of discovery
Applies to all forms of unsecured PHI

Breach Notification Analysis

Was there a “breach”? Unauthorized:
  Acquisition
  Access
  Use
  Disclosure

Breach Notification Analysis

Was the data secured with respect to the individual with unauthorized access?
  Electronic data: was it encrypted?
    Data at rest
    Data in motion
  Media: was it properly destroyed?
    Paper, film, other hard copy media
    Electronic data

Breach Notification Analysis

Does the incident fall within an exception?
  Person would not reasonably have been able to retain the information
  Employee’s unintentional access of a record in good faith
  Inadvertent disclosure within the same organization by and to an individual authorized to access PHI

Breach Notification Analysis

Could there be a significant risk of harm?
  Who received/accessed the information?
  How detailed was the information?
  Were steps taken to recall/destroy the information and mitigate harm?
  Was the information returned/destroyed before being improperly accessed?

Breach Notification

Methods of providing notice:
  Written notice to last known address (or e-mail if specified by the individual)
  If contact information is insufficient or outdated, alternative notice
    If more than 10 individuals:
      Prominent posting on website; or
      Notice in major print or broadcast media
  In urgent situations, may supplement with telephone or other means, if appropriate

Breach Notification

Notice to prominent media outlets if more than 500 individuals within a state are affected.
Notification to the Secretary of Health & Human Services:
  At time of incident, if more than 500 individuals are affected
  If fewer than 500 individuals, must submit to HHS annually
  http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html
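The four questions of the Breach Notification Analysis slides (breach? secured? exception? significant risk of harm?) and the notice-routing thresholds on the two slides above form a decision procedure that a plan's incident responder works through for every suspected incident. The following Python is an added example, not part of the deck and not an En-Hantz tool, that encodes that checklist so the answers are recorded consistently. The Incident fields, the function names, the "significant risk of harm" heuristic in step 4 and the four sample incidents are all constructed for illustration; the thresholds (more than 10 individuals with bad contact information, more than 500 in a state, more than 500 total, 60 days) are the ones the slides state.

```python
"""Breach-notification triage following the deck's four-question analysis.

Added example: the Incident fields, the step-4 heuristic and the sample
incidents below are constructed for illustration, not taken from the deck.
"""
from __future__ import annotations

from dataclasses import dataclass

# Step 1: a breach is an unauthorized acquisition, access, use or disclosure.
UNAUTHORIZED = {"acquisition", "access", "use", "disclosure"}

# Step 3: the three exceptions listed on the slides (keys are constructed names).
EXCEPTIONS = {
    "could_not_retain": "recipient could not reasonably have retained the information",
    "good_faith_workforce": "unintentional access of a record by an employee in good faith",
    "inadvertent_internal": "inadvertent disclosure within the same organization "
                            "by and to an individual authorized to access PHI",
}


@dataclass
class Incident:
    name: str
    action: str                         # unauthorized acquisition/access/use/disclosure, or "none"
    electronic: bool                    # True for ePHI, False for paper/film/other hard copy
    encrypted: bool = False             # electronic data encrypted at rest and in motion
    media_destroyed: bool = False       # hard copy properly destroyed before anyone read it
    exception: str = ""                 # one of the EXCEPTIONS keys, or ""
    recovered_before_access: bool = False   # returned/destroyed before improper access
    recipient_is_outsider: bool = False     # received by someone outside the plan/sponsor
    detailed: bool = True               # diagnosis/claim-level detail rather than a bare list
    individuals: int = 0                # individuals whose PHI was involved
    bad_contact: int = 0                # individuals with insufficient or outdated contact info
    max_in_one_state: int = 0           # largest count of affected individuals in a single state


def analyze(inc: Incident) -> tuple[bool, str]:
    """Return (notification_required, reason) by walking the four questions in order."""
    # 1. Was there a breach at all?
    if inc.action not in UNAUTHORIZED:
        return False, "no unauthorized acquisition, access, use or disclosure"
    # 2. Was the data secured with respect to the person who got it?
    if inc.electronic and inc.encrypted:
        return False, "electronic PHI was encrypted; not unsecured PHI"
    if not inc.electronic and inc.media_destroyed:
        return False, "hard-copy media was properly destroyed"
    # 3. Does the incident fall within one of the exceptions?
    if inc.exception in EXCEPTIONS:
        return False, "exception: " + EXCEPTIONS[inc.exception]
    # 4. Could there be a significant risk of harm?  Heuristic over the slide's
    #    factors (who got it, how detailed, recovered before access); constructed here.
    if inc.recovered_before_access:
        return False, "information returned/destroyed before being improperly accessed"
    if not inc.recipient_is_outsider and not inc.detailed:
        return False, "limited detail and recipient not an outsider: no significant risk of harm"
    return True, "unsecured PHI reached an unauthorized party; significant risk of harm"


def notice_plan(inc: Incident) -> list[str]:
    """List the notices the slides require for an incident that needs notification."""
    required, _ = analyze(inc)
    if not required:
        return []
    plan = ["written notice to each individual's last known address "
            "(e-mail if the individual chose it), within 60 days of discovery"]
    if inc.bad_contact > 10:
        plan.append("substitute notice: prominent website posting or major print/broadcast media")
    elif inc.bad_contact > 0:
        plan.append("alternative notice for individuals with insufficient or outdated contact info")
    if inc.max_in_one_state > 500:
        plan.append("notice to prominent media outlets serving that state")
    if inc.individuals > 500:
        plan.append("notify the HHS Secretary at the time of the incident")
    else:
        plan.append("log the breach for the annual submission to HHS")
    return plan


# Constructed sample incidents (not real events).
LOST_ENCRYPTED_LAPTOP = Incident("lost laptop holding claims spreadsheets", "acquisition",
                                 electronic=True, encrypted=True, individuals=3200)
MISDIRECTED_MAILING = Incident("explanation-of-benefits letters mailed to the wrong members",
                               "disclosure", electronic=False, recipient_is_outsider=True,
                               individuals=1200, bad_contact=15, max_in_one_state=700)
INTERNAL_MISFILE = Incident("benefits clerk opened a co-worker's claim by mistake", "access",
                            electronic=True, exception="good_faith_workforce", individuals=1)
LOST_USB = Incident("unencrypted USB stick with an enrollment export lost", "acquisition",
                    electronic=True, individuals=40, bad_contact=3)

if __name__ == "__main__":
    for inc in (LOST_ENCRYPTED_LAPTOP, MISDIRECTED_MAILING, INTERNAL_MISFILE, LOST_USB):
        required, reason = analyze(inc)
        print(f"{inc.name}: notify={required} ({reason})")
        for step in notice_plan(inc):
            print("   -", step)
```

The order of the questions matters: the encrypted-laptop case never reaches the risk-of-harm judgment, which is exactly why the slides put encryption of data at rest and in motion ahead of everything else. The step-4 heuristic is the one place where the slides call for judgment rather than a bright-line test, so a real triage record should capture the answers to all four factors, not just the verdict.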

Breach Notification

Content of notification:
  Brief description of what happened, including:
    Date of breach (if known)
    Date breach discovered
  Description of types of unsecured PHI involved in the breach
  Steps individuals should take to protect themselves from potential harm
  What the covered entity is doing to investigate, mitigate losses and protect against further breaches
  Contact procedures to ask questions or learn more
Deadline: without unreasonable delay, but in any case within 60 days

Breach Notification

Does not preempt state security breach notification laws:
  SSNs
  Driver’s license numbers
  Financial account information
May have to comply with both

Breach Notification

Business Associates also subject to breach notification provisions
  Default rule: provide notice to the covered entity
  Must include identification of each individual whose PHI has been or is reasonably believed to have been breached.
Covered entities can contract for a different arrangement
Duty may be different under State law

Consequences of HIPAA Violations

Pre-HITECH Enforcement

No more than $100 per violation per day
Capped at $25,000 per year for all violations of an identical requirement or prohibition during a calendar year.
HHS pursued “informal” enforcement

HITECH Enhanced Enforcement

New tiered structure for each violation:
  “unknown” violations: $100 - $50,000
  “reasonable cause” violations: $1,000 - $50,000
  “willful neglect” violations (if corrected within 30 days): $10,000 - $50,000
  “willful neglect” violations (if uncorrected within 30 days): $50,000
New cap: $1.5 million for all violations of the same type during a calendar year

New Enforcement Strategies

Individuals who wrongfully disclose PHI now clearly subject to criminal penalties
Requires HHS to conduct audits
State Attorneys General and FTC given enforcement authority

Minimizing the Impact of HIPAA

Try not to have PHI

Try to keep it from becoming PHI:
  Keep enrollment data in employment records
  Work with enrollment data as much as possible
Limit the info TPAs report to you:
  Get de-identified or summary health info only
  Have health plan participants and beneficiaries deal directly with the TPA
  Have TPAs handle benefits appeals

If you must handle PHI

Limit the number of people with access
Minimize the amount of information you receive
Be sure those who handle the information are trained
Be sure policies and procedures are in sync with practices
Try not to have ePHI

Questions?

Contact info