Hipaa101 updated

May 2, 2002 (updated 11/02/02)

HIPAA Basics: 2002 Washington and Lee University

Page 1: HIPAA: Understanding the Basics


Page 2: Presenters

Leanne Shank, Esquire, University Counsel

Jennifer Kirkland, Esquire, Office of University Counsel

Washington and Lee University, Lexington, Virginia

Page 3: HIPAA: The Basics

What is it? Why should you care? How might it affect your institution? What steps should you take to determine your institution’s exposure and to comply?

NOTE: This presentation is geared toward institutions without academic medical centers.

Page 4: Health Insurance Portability and Accountability Act of 1996

Kennedy-Kassebaum Bill -- amended the Social Security Act to allow for portability of health insurance (immediate qualification for comparable coverage upon change of employment).

Congress desired to promote Electronic Data Interchange to facilitate this portable health insurance and to reduce administrative costs of health care.

Page 5: A Little Congressional Humor: “ADMINISTRATIVE SIMPLIFICATION”

42 U.S.C. 1320d-1 et seq.; Title II, Subtitle F, Part C of HIPAA

• Gives HHS (Department of Health and Human Services) authority to mandate (1) transaction standards and code sets for electronic exchange of health care data, as well as (2) privacy and (3) security measures for personally identifiable health information.

• Also provides for required use of national identifiers for providers, employers/sponsors, payers/plans, and patients (patient identifier shelved).

• Substantial penalties for non-compliance.

Page 6: Transaction Regulations

Designed to ensure format and content standardization in certain specific financial and administrative health care transactions conducted electronically.

NOTE: it is important that you familiarize yourself with what types of transactions are governed by the transaction regulations – not every health care transaction is covered – only those defined in the regulations.

45 CFR Part 162, Subparts K through R.

Page 7: Privacy Regulations

Designed to establish a federal regulatory framework to promote the privacy of health information among entities covered by HIPAA, and those acting on their behalf.

Regulations restrict the use and disclosure of protected identifiable health information, provide for patient access to such information, and mandate administrative safeguards to promote privacy of protected health information.

Page 8: Security Regulations

Not yet finalized! (Rumored for Dec. ’02)

Designed to establish a federal standard for the protection of health information maintained or transmitted electronically.

Require administrative, technical and physical safeguards for storage, transmission, and access.

Page 9: Is Your Institution, or any part of it, Covered by HIPAA? By any or all of the Transaction, Privacy and/or Security Regs?

DON’T ASSUME HIPAA OR THE SEPARATE SETS OF REGULATIONS APPLY TO THE COLLEGE OR UNIVERSITY AS A WHOLE!

Page 10: Campus Entities That Are NOT “Covered Entities” Per Se without further analysis:

• Colleges
• Universities
• Employers
• Supervisors and Administrators
• All University Insurance Plans
• Health Care Providers (physicians, nurses, counselors, athletic trainers)

Page 11: What is a “Covered Entity” under HIPAA?

• Health Plan

• Health Care Provider who transmits any health information in electronic form in connection with a HIPAA transaction [May be broader under proposed security regulations]

• Health Care Clearinghouse (converts non-standard transactions to or from standard format)

42 U.S.C. 1320d-1, 45 CFR 160.103

Page 12: Use the CMS Covered Entity Decision Tools to Help Determine Your Campus Coverage

http://www.cms.hhs.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp

This site will walk you through a series of questions with respect to your health care providers and health plans to assist you in determining if your campus will be covered under HIPAA.

Page 13: Health Plan

“An individual or group plan that provides, or pays the cost of, medical care. . .”

INCLUDES (singly, or in combination):

• Group health plans (ERISA plans), insured AND self-insured, providing medical care for employees or dependents

Plans with fewer than 50 participants that are administered in-house by the employer are excluded from this definition.

• Health insurance issuers and HMOs

Page 14: Health Plan (cont’d.)

• Medicare, Medicaid, Veterans, CHAMPUS, and other federal and state health plans outlined in regulations

• Issuers of long-term care policies, excluding nursing home fixed-indemnity policies

• *Any other individual or group plan providing or paying for the cost of medical care.

• 42 U.S.C. 1320d, 45 CFR 160.103

Page 15: Plans Not Covered By HIPAA

Plans, policies, or programs to the extent they pay for excepted benefits:

• Coverage only for accident
• Disability income insurance
• Coverage supplementing liability insurance
• Liability insurance, including general and auto
• Workers’ compensation insurance
• Automobile medical payment insurance
• Coverage for on-site medical clinics

42 U.S.C. 300gg-91(c)(1)

Page 16: Examples of Covered Health Plans in the College or University Setting

• Employee group health plan (fully/self-insured)
• Employee group dental plan (fully/self-insured)
• Employee group vision plan (fully/self-insured)
• Employee flexible spending account
• Employee Assistance Plan (for other than on-site clinic)
• Retiree health plan (fully/self-insured)
• Student health (fully/self-insured) (for other than on-campus clinic)

Page 17: Examples of Non-Covered Plans in a College or University Setting

• NCAA intercollegiate accident policy
• Employee long-term disability policy
• Employee life insurance policy
• Employee workers’ compensation coverage
• Student health fee for on-site student health and counseling services

Page 18: Is This Example a Health Plan?

University has a private psychiatrist on retainer, to evaluate students on a one-time referral from University physician/counselors when behavioral concerns arise. University pays psychiatrist directly for these sessions out of student health and counseling budget. Is this practice a “health plan” under HIPAA?

Presenter takes the position that this is not a covered health plan, but a contractual extension of the excluded on-site clinic exemption under HIPAA. (Note: this is the presenter’s opinion, not an official HHS response.)

Page 19: “Plan Sponsor”

Defined only under the privacy regulations, as the employer or other entity that establishes and maintains a group health plan. (ERISA only? 45 CFR 164.501)

Employers and other Plan Sponsors are NOT covered entities under HIPAA, per se. However, Plan Sponsors do have certain specific obligations under the Privacy Regulations.

As a practical matter, employer-sponsored health plans have no employees and exist only as plan documents. So the employer/plan sponsor/plan administrator may need to ensure compliance, particularly with self-insured plans.

Page 20: Endorsed vs. Sponsored Plans

Question: A university endorses one student health insurance policy and allows that insurer to market the policy as the College Sponsored Student Health Plan. There is no contractual relationship between the college and the insurer, and the students apply, pay premiums, and file claims on their own. Is the college a Plan Sponsor for HIPAA?

No. First, the concept of a plan sponsor as defined appears to apply only to ERISA plans. Second, the college has not undertaken any responsibility to pay any premiums or subject itself to any other liability under the policy. It is acting only as endorser and liaison between insurer and student. Under these circumstances, the college is not a HIPAA plan sponsor of this plan. (Presenter’s opinion)

Page 21: “Health Care Providers”

Health care providers are only covered under HIPAA IF they electronically transmit any health information in connection with one of the specifically defined HIPAA transactions. [May be broader under proposed security regulations] 42 U.S.C. 1320d-1, 45 CFR 160.103

According to HHS FAQs, paper-to-paper faxing (NOT sent via/to computer, but by telephone fax) is NOT electronic transmission under HIPAA; neither are phone mail/voice faxback systems.

Size of health care provider is irrelevant to coverage – there is no small provider exception.

Page 22: HIPAA Transactions

The following administrative and financial health care transactions are the HIPAA transactions required to be processed as “standard transactions” by covered entities (see definitions at 45 CFR Part 162, Subparts K-R):

• Health care claims and encounters
• Enrollment and disenrollment in a health plan
• Eligibility for a health plan
• Health care payment and remittance advice
• Health plan premium payments
• Health claim status
• Referral certification and authorization
• Coordination of benefits
• First report of injury (to be adopted later)
• Claims attachments (to be adopted later)

Page 23: HIPAA Transactions (cont’d.)

If a health care provider transmits any of these transactions electronically, that health care provider is a covered entity. E.g., if your student health center bills student insurance electronically, or bills summer campers’ insurance electronically, or sends referral authorizations to insurers electronically, it has become a covered entity.

It appears from HHS comments that “in connection with” means as a part of the covered transaction itself, not merely in communications in any way related to a covered transaction (e.g., electronically submitting a claim as opposed to emailing with a question about how to transmit a claim).

Page 24: Look Closely at the Definitions of HIPAA Transactions

Do not assume that you know what the listed transactions include. They are specifically defined, and most specifically pertain only to transactions to/from health providers from/to health plans.

E.g., student health centers that only bill student accounts, not third-party payers. This is direct billing of the patient under an excluded plan covering on-site clinic services, not a “claim” to a covered health plan. Thus, this sort of account billing is not a HIPAA transaction.

Page 25: More Examples of non-HIPAA Triggering Transactions

E.g., an email from one doctor to another doctor regarding a patient’s treatment is not a HIPAA transaction to trigger coverage as a “covered entity” or require standard formatting.

E.g., a flexible spending account plan does not involve claims from health providers to the plan, but merely direct reimbursement of the employee, so though the plan is a covered plan, it conducts no HIPAA “claims” required to be standardized.

Page 26: Health Care Providers that May Be Covered in a College or University Setting

• Student Health Centers – physicians, nurses, and other providers
• Counseling Center staff – psychiatrists, clinical psychologists
• Athletic Trainers

ONLY IF THEY TRANSMIT HEALTH INFO. ELECTRONICALLY IN ONE OF THE DEFINED HIPAA TRANSACTIONS [May be broader under proposed security regulations]

Page 27: Health Care Clearinghouse

An entity that takes non-standard health care transactions and converts them into standard form.

Some college and university health care providers or plans may use these entities in administering their health services or plans. Others may act as clearinghouses by billing third-party payers on behalf of other entities, such as clinics or practice groups.

Page 28: Business Associates

Persons or entities that perform functions or activities on behalf of a covered entity, but that are not part of the covered entity’s workforce. 45 CFR 160.103

Business Associates do not thereby become covered entities, but may be in their own right.

E.g., Third-Party Administrators are business associates that perform claims administration functions for self-insured health plans.

E.g., External Billing Services are business associates that perform functions on behalf of covered health care providers, but are not themselves covered entities.

Page 29: Threshold Question: Are You Covered under HIPAA?

• Determine whether your college or university maintains any covered health plans.

• Determine whether your college or university has any covered health care providers.

• Survey appropriate individuals in offices dealing with these areas: financial, personnel, business, student health, counseling, trainers, etc.

• Survey the business associates of any health plans and health providers to determine whether they engage in HIPAA transactions and the extent to which they use/disclose health information.

Page 30: HIPAA Transaction Regulations: Overview

Designed to bring about the standardization of electronic exchange of health care information between health plans, providers, and their business associates, in certain specific key financial and administrative transactions. BE SURE YOU DETERMINE WHETHER ANY COVERED ENTITY ENGAGES IN ANY OF THESE TRANSACTIONS.

Page 31: Transaction Regulations

HHS has adopted national standards and code sets (medical and administrative) that must be used in the electronic exchange of health information in connection with the HIPAA Transactions. 45 CFR Part 160 and 45 CFR Part 162.

All health plans, and covered health care providers that conduct HIPAA Transactions electronically, must use the transaction standards.

All health plans must assure that their business associates (e.g., Third-Party Administrators) comply with the transaction standards.

Page 32: Transaction Regulations (cont’d.)

Health plans MUST be able to conduct transactions as standard transactions upon request, though they may use a clearinghouse or other business associate (such as a Third-Party Administrator) to do so.

Plan Sponsors are NOT required to submit HIPAA transactions (e.g., enrollment and premium submissions) using the standards, because they are NOT covered entities.

Covered health care providers do NOT have to transmit any of the transactions electronically; but if they do so, they must use the standard transactions.

Page 33: Transaction Regulations Compliance Deadline

Deadline for compliance with Transactions Regulations has been extended to October 16, 2003 for covered entities IF, by October 16, 2002, they filed a compliance extension plan. (HR 3323)

Small health plans (with annual receipts of $5 million or less) need not file any extension – their original compliance deadline remains October 16, 2003.

Information on correction/clarification of extension filings can be accessed at: http://www.cms.gov/hipaa.

Page 34: What if You Failed to File an Extension?

First, be sure you are a covered entity and subject to the earlier deadline, not the extended deadline for small health plans.

Covered Health Plans should contact their insurers to determine if insurers filed for extensions on behalf of the covered plans.

For self-insured plans, Third-Party Administrators are not covered entities, and so were not obligated to file for extensions. However, some TPAs may have voluntarily filed for their self-insured plans, so check to see if this was done.

Page 35: Privacy Regulations: Overview

Designed to protect patient rights by providing patient access to protected health information, restricting use of that information, and creating a nationwide framework for health privacy protection.

Page 36: Status of Privacy Regulations

NOTE: Privacy Regulations became effective April 14, 2001, and amendments were finalized August 14, 2002.

For compliance deadlines, see slide #62.

Page 37: Application of Privacy Regulations

Various parts of the privacy regulations will apply to the following entities with respect to protected health information:

• Health plans and health clearinghouses
• Health care providers who transmit health information electronically in a HIPAA transaction
• Plan sponsors of group health plans

Covered entities must ensure that their business associates who create or receive protected health information comply with the privacy regulations by written contract or agreement requiring specific assurances. 45 CFR 164.502, -504, -532.

Page 38: “Protected Health Information”

Individually identifiable health information (diagnosis, condition, treatment, payment) transmitted or maintained in any medium, including oral or hardcopy, not limited to electronic media. 45 CFR 164.501

In other words, if you are a covered entity with protected health information, these regulations apply to all forms of such records and information.

IMPORTANT EXCLUSIONS: student health information and employment records.

Page 39: Student Health Information Exclusion

• Education records covered by FERPA, and

• Records of students held by colleges and universities used exclusively for health care treatment and which have not been disclosed to anyone other than a health care provider at the student’s request. (These are specifically excluded from the definition of “education records.”) 45 CFR 164.501

HHS expressly determined that it was not going to preempt FERPA, because FERPA provided a privacy framework for student records. So, if the records fit within the “HIPAA FERPA” exception, FERPA must be applied.

Page 40: Employee Records Exclusion

Contained in the finalized amendments to the privacy regulations. Excludes from protected health information employment records held by a covered entity in its role as employer. 45 CFR 164.501

E.g., covered university physician or benefits office maintaining employee records regarding requested disability accommodation, FMLA, or on the job drug testing. However, the records kept on employee health plan participation and claims, as well as medical treatment of employees by any college/university health care providers who are covered entities, are PHI.

Page 41: Disclosure of PHI Restricted

Covered entities allowed to disclose without authorization for treatment, payment, and health care operations (see regulations for specific definition of these terms). 45 CFR 164.506

Amended regulations remove requirement for health care providers to get general consent, allow for acknowledgement of notice on privacy practices at time of first visit.

Covered entities allowed to disclose otherwise with written authorization of individual. 45 CFR 164.508

Page 42: Disclosure of PHI Restricted (cont’d.)

Covered entities allowed to disclose certain types of information without individual authorization if opportunity to “agree or opt out” (like FERPA directory information). 45 CFR 164.510

Covered entities may disclose without authorization when required by HIPAA or law to do so (e.g., public health emergency, product recall) 45 CFR 164.512

In most disclosures, covered entities must disclose “minimum necessary” information. 45 CFR 164.514

Page 43: How do Restrictions on PHI Disclosure Affect Research?

Research alone does not make a university a covered entity or a department a health care component, unless researchers are also treating and, as health care providers, are electronically transmitting health info in HIPAA transactions.

However, researchers will need to produce either a specific HIPAA authorization, IRB/privacy board waiver, or meet a specific HIPAA research exception in order to obtain PHI from covered health care providers or other covered entities who are data sources. 45 CFR 164.508 or 164.512(I)

Contact data sources now to see what they will require.

Page 44: “Hybrid Entity”

Unique to privacy regulations – 42 CFR 164.504

A single legal entity that is a covered entity, that performs covered and non-covered functions, and that designates health care components. Most colleges/universities will be a hybrid.

E.g., university with a covered student health center and covered health plans. Under the hybrid status, the entire university does not become a covered entity – only the designated health care components are required to comply with HIPAA privacy regulations. 45 CFR 164.504

Page 45: “Hybrid Entity” (cont’d.)

Hybrid entity MUST designate any component that would meet the definition of a covered entity if it were a separate legal entity.

Hybrid entity MAY include other components that perform covered functions and activities that would make the component a business associate if it were a separate legal entity (e.g., division of business office involved in billing, division of benefits office involved in covered plans, division of legal counsel’s office involved in health care issues.) Can be specific as to individuals – need not name an entire office.

Page 46: Considerations for Selection of Optional Health Care Components

A hybrid covered entity must ensure privacy regulations compliance by its health care components. 45 CFR 164.504

Without a HIPAA authorization, a health care component can’t disclose PHI to another non-health care component of the university where disclosure would be prohibited if the components were separate legal entities.

Page 47: Designation of Hybrid Entity Components

Must make this designation in writing (internal designation, not required to be filed, but must have a paper trail in case of OCR/HHS inquiry).

Document any additions or removals of individuals/offices as health care components as they occur.

Remember: only individuals/offices that deal in PHI are required to comply with privacy regs. If an office only deals with exempt student or employment records, it does not handle PHI and there may be no reason to designate it as a health care component if it would not meet the definition of a covered entity itself.

Page 48: Considerations for Hybrid Entities (cont’d.)

If non-covered components are closely intertwined with covered components and have need for PHI, it may make sense to designate them as health care components.

But be careful of over designating! (E.g., if student health center not covered entity and not closely intertwined with covered health plans, designation could require unnecessary practices and conflicts with FERPA)

Other examples of potentially unnecessary designation: athletic trainers who do no electronic third-party billing or referrals with covered plans; researchers uninvolved with health care providers or health plans

Page 49: Use/Disclosure by Business Associates

Covered entities need business associate contracts/agreements with all business associates who create or receive PHI in carrying out functions on behalf of the covered entity.

E.g., third-party administrators of university self-insured health plans, outside counsel handling matters involving PHI.

BA must not use or further disclose PHI other than as permitted or required by law.

BA must use appropriate privacy and security safeguards.

Page 50: Use/Disclosure by Business Associates (cont’d.)

BA must report any improper use or disclosure of which it becomes aware to covered entity.

BA must ensure its agents agree to same restrictions.

Regulations provide transition timetable for contracts renewed at various points prior to compliance deadline.

45 CFR 164.502,-504,-532

Page 51: Right of Individual Patient or Plan Participant

Individual has a right to request confidential communication of health information. 45 CFR 164.522

Individual has a right to access his/her health information. 45 CFR 164.524

Individual has a right to request amendment of incomplete or inaccurate health information. 45 CFR 164.526

Individual has a right to receive an accounting of certain disclosures of health information. 45 CFR 164.528

Page 52: Required Privacy Notices by Covered Entities

Covered entities must provide notice of their privacy practices for protected health information. 45 CFR 164.520

For self-insured group health plans, the health plan itself must provide the notice. For an insured or HMO plan, the insurance issuer or HMO must provide the notice.

If an insured/HMO group health plan creates or receives PHI (beyond information on participation, enrollment, disenrollment, or summary information), it is required to develop and maintain such a notice and provide it on request. Otherwise, it is not required to.

Page 53: Joint Consent and Notice Vehicles

Single Affiliated Covered Entity: designation of multiple covered entities under common ownership or control as a single Covered Entity (e.g., commonly owned health care facilities, different divisions of a single covered entity).

45 CFR 164.504(d)

Joint Consent and Notice Vehicles (cont'd.)

Organized Health Care Arrangement: joint venture between covered entities, which allows for a joint notice of privacy practices and joint consent for covered health care providers. Also allows these entities to use their PHI without a business associate agreement or authorization.

Available for clinically integrated settings, insurers and group health plans, group health plans with the same plan sponsor. Requires written designation and indication on notice of privacy practices.

45 CFR 164.501, -520(d). Ambiguity re: any shared liability.

Use of PHI by Plan Sponsors of Group Health Plans

Regulations restrict the disclosure of PHI by group health plans/insurance issuers/HMOs to employer plan sponsors. Designed to prevent use of PHI in making employment-related decisions.

Before a group health plan/insurance issuer/HMO can disclose PHI to a plan sponsor (other than summary/enrollment/disenrollment information), the plan sponsor must have amended its plan documents to agree to:

• Establish permitted and required uses of PHI

• Ensure that agents will agree to the same restrictions

• Not use information for employment-related actions

Plan Document Amendments (cont'd.)

• Report inconsistent use or disclosure of which it becomes aware

• Make available information required for health information amendment and accounting of disclosures

• Make internal practices and records available to HHS for determining compliance

• Return or destroy all PHI when no longer needed

• Ensure that adequate separation ("firewalls") is established by identifying employees or classes of employees to be given access to PHI, restricting that use to plan administration functions, and providing a mechanism to resolve noncompliance issues.

45 CFR 164.504(f)

Should all Plan Sponsors Amend their Plan Documents?

Not necessarily, but there are several reasons why plan sponsors should carefully consider how to proceed.

• Insurers/HMOs may require plan document amendments for continued coverage or premium discounts, etc.

• The college/university may want to continue a practice of assisting employees with claims.

• Ultimately, if a PHI disclosure occurs, the group health plan could face HIPAA penalties for not ensuring that the amendments were made before the PHI was disclosed to the plan sponsor.

Ancillary Administrative Requirements of Privacy Regs

Note: Insured/HMO group health plans that neither create nor receive PHI except summary/participation/enrollment information are not subject to most of these requirements. Plan sponsors are not subject to these requirements as such. HOWEVER, self-insured health plans must comply with all of these requirements, as must insured/HMO plans that create or receive other PHI.

45 CFR 164.530(k)

Ancillary Administrative Requirements (cont'd.)

• Designate a privacy official for policy development and receipt of complaints

• Train the workforce of the covered entity (covered health care components) on PHI

• Implement reasonable administrative, technical and physical safeguards to protect PHI

• Provide a complaint process

• Establish and apply appropriate sanctions for covered entity workforce noncompliance

Ancillary Administrative Requirements (cont'd.)

• Mitigate any harmful effect of wrongful disclosures of PHI

• Take no retaliatory action against those exercising HIPAA rights or complainants

• Implement written policies and procedures re: PHI and maintain documentation required under the regulations for six years

45 CFR 164.530

Attn: Covered University Health Care Providers and Student Health Plans With No PHI

In comments to the privacy regulations, HHS has stated that the privacy rules only apply to a covered entity "to the extent" it possesses PHI. (P. 82488 Federal Register, December 28, 2000)

HHS has also commented that, in light of FERPA exclusion (removing student health records from PHI), only non-FERPA schools would be subject to the ancillary administrative requirements as regards their covered health care clinics. (P. 82595 Federal Register, December 28, 2000)

The $64,000 Question:

Does the FERPA exception to PHI act to exempt a covered college/university health care provider or self-insured student health plan with only student records from the ancillary administrative requirements?

No definitive regulatory answer, despite noted comments, FERPA exemption, and administrative requirements exemption for insured group health plans with no PHI.

Deadlines for Privacy Regulations Compliance

Covered entities must comply by April 14, 2003.

Small health plans with annual receipts (essentially, the total of employer and employee premiums) of $5 million or less have until April 14, 2004. For self-insured plans, calculate using the total amount of claims paid.

First Steps to Take Toward Compliance with Privacy Regs

Inventory your campus for providers and plans that may be covered entities, as well as those departments that must/should be designated as health care components for a hybrid entity.

Determine current practices re: health information and analyze the “gaps” between current practice and HIPAA requirements. Do the same for business associates of your covered entities and health care components.

Develop compliant policies, documents, and training, working with insurers, TPAs, other business associates, and research data sources to promote consistency of practice.

Security Regulations (Proposed): Overview

Proposed regulations are designed to provide a standard level of protection for health information housed or transmitted electronically.

Administrative, technical and physical safeguards for storage, transmission, and access of electronic health information.

Security Regulations Coverage (Proposed)

Potentially broader scope of covered entities than the transaction and privacy regulations. In addition to health plans, the proposed regulations cover clearinghouses or health care providers that (1) process any electronic transmission between covered health care entities OR (2) electronically maintain any health information used in an electronic transmission between any combination of covered health care entities. 45 CFR 142.302

Security Standards (Proposed)

A covered entity must assess potential risks and vulnerabilities to the individual health data it possesses and develop, implement, and maintain appropriate security measures to protect individual health information in ELECTRONIC FORM, not hard copy or oral. 45 CFR 142.306

Specifics will vary according to system, environment, etc.

Security Standards (Proposed) (cont'd.)

Minimum features (45 CFR 142.308):

• Administrative procedures to guard data integrity, confidentiality, and availability

• Physical safeguards to guard data integrity, confidentiality, and availability

• Technical security services and mechanisms to guard data integrity, confidentiality, and availability

If covered entity elects to use electronic signatures in covered transactions, entity must apply proposed electronic signature standard. 45 CFR 142.310

Security Regulations Compliance Deadline

Proposed effective/compliance date is 24 months after publication of the final rule in the Federal Register (not yet published; rumored for publication in December 2002). Small health plans have 36 months to comply. [Small health plans in the proposed regs = fewer than 50 participants, but expect the final rule to mirror the transaction/privacy regs.] 45 CFR 142.312

General Penalty for Non-Compliance with HIPAA

$100 per violation

Cap on identical violations for one calendar year is $25,000.

Penalty may be waived if non-compliance was due to reasonable cause and not willful neglect.

42 U.S.C. 1320d-5

Penalty for Knowing Wrongful Disclosure of Individually Identifiable Health Information

Fine of not more than $50,000 and imprisonment for not more than one year, or both

If committed under false pretenses, fine of not more than $100,000 and imprisonment for not more than five years, or both

If committed with intent to sell, transfer or use such health information for commercial advantage, personal gain or malicious harm, fine of not more than $250,000 and imprisonment for not more than ten years, or both

42 U.S.C. 1320d-6

No Private Cause of Action

HIPAA does not provide a private cause of action by a patient or participant in a covered health plan against a covered entity or business associate.

However, the HIPAA regulations and standards may become the standard of care for health information and could be used against the entity in a separate cause of action.

Want to Know More about HIPAA?

We hope that this presentation has made you aware of HIPAA, its basic coverage, and areas where it might apply on your campus. To find out more, here are some resources:

A Few Online Resources on HIPAA

http://www.acha.org/info_resources/hipaa_links.cfm = HIPAA Resource site of the American College Health Association

http://aspe.hhs.gov/admnsimp/ = United States Department of Health and Human Services/Administrative Simplification

http://www.hhs.gov/ocr/hipaa = Office for Civil Rights/HIPAA

http://snip.wedi.org = Strategic National Implementation Process of the Workgroup for Electronic Data Interchange