HIPAA UPDATE
Employers with Group Health Plans
En-Hantz Your Workplace®
Dec 14, 2015
What We’re Going to Cover
Important basic concepts
Who needs to worry about HIPAA?
Complying with the Privacy Rule, Transaction Rule, Security Rule, and Breach Notification Rules
Violating HIPAA
Minimizing impact of HIPAA
Important Basic Concepts
What is HIPAA?
Health Insurance Portability and Accountability Act of 1996
Intended to make it easier to share information electronically
Can share information for certain purposes
All other purposes prohibited without authorization
Protected Health Information
Individually identifiable health information used by a health plan
Any form: written, electronic or oral
Includes information relating to:
Physical health
Mental health
Payment for health care
How Does HIPAA (not Hippo) Apply to Employers’ Group Health Plans?
Effect on Employers
HIPAA regulates all covered entities. “Covered Entity” includes all health plans. A “health plan” is an individual or group plan that provides or pays for the cost of health services, including self-funded and insured group health plans of private and government employers.
The definition of health plan specifically includes employee welfare benefit plans as defined by ERISA.
If your organization offers a group health plan for your employees, the group health plan must comply with HIPAA.
Health Plans Subject to HIPAA
Medical plans
Dental plans
Vision plans
Health flexible spending accounts
Employee assistance programs
Wellness programs
What is Not a “Health Plan”?
Employment records
Leaves of absence, FMLA records
ADA claims
On the job injuries
Workers’ compensation
Fitness for duty exams
Drug screening
What is Not a “Health Plan”?
Life insurance
Disability (STD & LTD)
Some wellness programs
Who Needs to Worry About HIPAA?
The Plan v. The Employer
Technically it is the group health plan that must comply with HIPAA, but practically speaking the employer/plan sponsor will have to make sure the health plan is in compliance.
An employer’s employee records are excluded from the definition of PHI.
Employers or plan sponsors may not use PHI for employment-related functions without authorization from the individual.
The group health plan must determine which PHI uses and disclosures will be needed to administer the group health plan and then amend the plan document accordingly to indicate that the group health plan will comply with the permitted and required uses and disclosures.
A Narrow Exception
A very limited exemption exists for small self-administered plans:
Your group health plan must have fewer than 50 participants; and
Your organization must have established, and must maintain and administer, the plan (i.e., you do not use a third party administrator (TPA) or other entity to help administer the plan).
Few health plans will actually qualify for this exception.
Fully-Insured Benefits
Can take a hands-off approach
Handle only enrollment information and summary health information
Minimum compliance obligations:
Do not require enrollees to waive HIPAA rights
Do not retaliate against enrollees who exercise HIPAA rights
Compliance burden is on insurers/HMOs
“Hands-Off” Approach
Summary health information for plan sponsor functions
Summary health information is information that may be individually identifiable health information and:
summarizes the claims history, claims expenses or type of claims experienced by individuals for whom the plan sponsor has provided health benefits under the group health plan, and
from which identifying information (18 specific identifiers) has been deleted (basically de‑identified PHI), except that geographic information may only be aggregated to the level of a 5‑digit zip code.
Enrollment/disenrollment information
Self-Insured Benefits
Must fully comply with HIPAA:
Privacy rules
Security rules
Transaction rules
Breach notification rules
Hiring a TPA does NOT relieve you of your compliance obligation, but it can help relieve the burden
Complying with the Privacy Rule
Protected Health Information (PHI)
Individually identifiable health information used by a health plan.
Any form: written, electronic or oral
Includes information relating to:
Physical health
Mental health
Provision of and payment for health care
What is Not PHI?
Information that does not come from or is not given to health plans
Health information an employee shares with the Benefits Dept. for health plan purposes (e.g., information for pre-certification of a hospital stay) IS PHI
The same information that the employee shares with a supervisor for FMLA purposes IS NOT PHI
What is Not PHI?
Enrollment records:
Enrollment records maintained in employment records are not PHI
Enrollment records reported to the health plan are PHI
Restrictions on PHI
Health plans may not use or disclose PHI unless:
The Privacy Rule specifically allows the use/disclosure, or
The individual who is the subject of the PHI specifically allows it
Restrictions on PHI
Cannot use PHI for:
Making personnel decisions
Administering other employee benefit programs
Cannot use or disclose for marketing purposes without authorization
Cannot sell PHI
Permitted Uses of PHI
“TPO”:
Treatment
Payment
Health care operations
Complying with law
Any other use or disclosure generally requires authorization
Minimum Necessary Rule
Must limit uses and disclosures of PHI to the minimum amount necessary to accomplish the intended purpose.
Do not use a fire hydrant when a garden hose will suffice.
HITECH clarification:
Default rule: use aggregate data only
Must justify use of more detailed information
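The “hands-off” slide (summary health information with the identifiers deleted and zip codes kept at five digits) and the minimum necessary rule (aggregate data by default, more detail only with a justification) describe one data-handling discipline. The following is an added example, not code from the presentation or from En-Hantz: the claim layout, the field names, the subset of identifiers handled, and the sample claims are all constructed for illustration, and a real TPA feed will have its own layout and identifier list.

```python
"""Summary health information and the minimum-necessary default, modelled in code.

Added example, not from the presentation. The record layout, the field names,
the identifier subset and the sample claims are all constructed for this
example; a real TPA feed and its identifier list will differ.
"""
from collections import defaultdict

# Fields in the constructed claim layout that are identifying information and
# must be deleted before the data reaches the plan sponsor. These correspond
# to a subset of the 18 HIPAA identifiers; zip is handled separately because
# summary health information may keep it at the 5-digit level.
IDENTIFIER_FIELDS = {
    "name", "ssn", "member_id", "date_of_birth", "phone", "email",
    "street_address", "claim_number",
}

# Constructed sample claims, as a TPA might report them (not real data).
CLAIMS = [
    {"name": "A. Example", "ssn": "000-00-0001", "member_id": "M1",
     "date_of_birth": "1970-01-01", "phone": "555-0100", "email": "a@example.test",
     "street_address": "1 Main St", "zip": "12345-6789", "claim_number": "C1",
     "claim_type": "inpatient", "amount": 12000.00},
    {"name": "B. Example", "ssn": "000-00-0002", "member_id": "M2",
     "date_of_birth": "1982-05-05", "phone": "555-0101", "email": "b@example.test",
     "street_address": "2 Main St", "zip": "12345", "claim_number": "C2",
     "claim_type": "inpatient", "amount": 3000.00},
    {"name": "C. Example", "ssn": "000-00-0003", "member_id": "M3",
     "date_of_birth": "1990-09-09", "phone": "555-0102", "email": "c@example.test",
     "street_address": "3 Oak Ave", "zip": "54321-0001", "claim_number": "C3",
     "claim_type": "pharmacy", "amount": 150.50},
]


def strip_identifiers(claim):
    """Delete the identifier fields and truncate zip to 5 digits."""
    summary = {k: v for k, v in claim.items() if k not in IDENTIFIER_FIELDS}
    if "zip" in summary:
        summary["zip"] = str(summary["zip"])[:5]
    return summary


def summary_health_information(claims):
    """Aggregate claim counts and expense by (5-digit zip, claim type).

    This is the default, aggregate-only view a plan sponsor should work from.
    """
    totals = defaultdict(lambda: {"claims": 0, "expense": 0.0})
    for claim in claims:
        s = strip_identifiers(claim)
        cell = totals[(s["zip"], s["claim_type"])]
        cell["claims"] += 1
        cell["expense"] += s["amount"]
    return {key: dict(cell) for key, cell in totals.items()}


def plan_sponsor_view(claims, detail="aggregate", justification=None):
    """Gate between aggregate data (default) and claim-level rows.

    Claim-level rows are released only with a recorded justification, which
    models the HITECH clarification that more detailed data must be justified.
    Even then the rows are identifier-stripped.
    """
    if detail == "aggregate":
        return summary_health_information(claims)
    if detail == "detailed":
        if not justification:
            raise ValueError("claim-level data requires a documented justification")
        return [strip_identifiers(c) for c in claims]
    raise ValueError(f"unknown detail level: {detail}")


def leaks_identifiers(rows):
    """Last-line check that no identifier field survived in released rows."""
    return any(IDENTIFIER_FIELDS & set(row) for row in rows)


if __name__ == "__main__":
    for key, cell in sorted(plan_sponsor_view(CLAIMS).items()):
        print(key, cell)
```

The point of `plan_sponsor_view` is that the aggregate view is the path of least resistance and the detailed view has to be asked for explicitly with a reason; `leaks_identifiers` is the kind of check worth running on any extract before it leaves the TPA, since a single surviving column (a member id, a claim number) turns summary data back into PHI.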
Privacy Rule Requirements
Designate a privacy officer
Implement written privacy policies
Train those who work with PHI
Discipline those who violate privacy policies
Investigate and respond to complaints
Privacy Rule Requirements
Include provisions in the health plan document that:
Describe permitted uses and disclosures
Identify who is permitted to have access to PHI
Require compliance with privacy rules
Plan sponsor must certify compliance with HIPAA privacy rules
Distribute a Notice of Privacy Practices
Retain HIPAA compliance records for at least six years
Privacy Rule Requirements
Respect individual rights:
Right to access PHI in health plan records
Right to request amendments of PHI
Right to an accounting of disclosures
Right to request additional restrictions
Right to request confidential communications
Verify identity and authority of those seeking access to PHI
Business Associates
Person or organization who:
Performs a function or activity for the health plan; or
Assists the plan sponsor in performing a health plan function or activity
Function or activity involves use or disclosure of PHI
Employees are not business associates
HMOs/insurers are not business associates
Examples of Business Associates
Third-party administrators (TPAs)
COBRA administrators
Outside attorneys and accountants
Benefits consultants
Insurance agents
Utilization review organizations
Computer service technicians
Software vendors
Business Associate Agreements
Must have a written contract that:
Establishes permitted uses and disclosures
Requires compliance with HIPAA requirements
Requires reporting of:
Unauthorized uses/disclosures
Security incidents
Security breaches
Business Associates
If you learn that a business associate has materially violated the terms of the BAA:
Must investigate
Demand that the BA end the violation and mitigate the harm
If the BA does not end the breach or cannot cure it:
Terminate the contract, or
Report the BA to HHS
Family Members/Representatives
May disclose PHI to family, relatives, friends involved in individual’s care/payment for care
Can use professional judgment
Give individuals ability to designate someone/revoke designation
Personal representatives can exercise all rights of individuals
Complying with the Transaction Rule
Transaction Rule
Goal: standardize electronic transactions relating to payment for health care
Streamline payment for health care
Technical rule for how to structure the transaction
Transaction Rule
Applies to electronic transactions by the health plan with:
Health care providers
Other health plans
Generally, an issue for TPAs
BAAs must require compliance with transaction standards
Complying with the Security Rule
Scope of Security Rules
Apply to electronic forms of PHI:
Databases
Spreadsheets
E-mail communications
Copy machines with hard drives
Does not apply to:
Paper records
Telephone and fax transmissions (but do apply to voice mail and stored fax documents)
Risk Assessments
Must conduct a risk assessment:
Identify where ePHI is stored and used
Identify the threats to confidentiality, integrity and accessibility of ePHI
Identify the likelihood that a vulnerability will lead to unauthorized use/disclosure
Identify risks that need to be addressed
Must update on a regular basis
Administrative Safeguards
Designate a Security Officer
Train and discipline workforce
Manage workforce’s access to ePHI
Monitor for and report on security incidents
Establish contingency plans (backup, disaster recovery, emergency modes, etc.)
Periodic evaluation of safeguards
Physical Security
Control access to physical equipment using/storing ePHI
Workstation use/security
Device and media controls
Technical Safeguards
Unique user IDs/authentication
Automatic logoff
Emergency access procedures
Encryption & transmission security
Audit controls
Mechanisms to prevent improper alteration/destruction
Business Associates
Handle most ePHI for health plans
Must now contractually agree to implement policies and procedures that comply with these requirements
Examine transmissions with business associates
Complying with Breach Notification Rule
Breach Notification
Before HITECH: no clear duty to notify of a breach under HIPAA
HITECH Act: Must notify each individual whose PHI is breached within 60 days of discovery
Applies to all forms of unsecured PHI
Breach Notification Analysis
Was there a “breach”? Unauthorized:
Acquisition
Access
Use
Disclosure
Breach Notification Analysis
Was the data secured with respect to the individual with unauthorized access?
Electronic data: was it encrypted?
Data at rest
Data in motion
Media: was it properly destroyed?
Paper, film, other hard copy media
Electronic data
Breach Notification Analysis
Does the incident fall within an exception?
Person would not reasonably have been able to retain the information
Employee’s unintentional access of record in good faith
Inadvertent disclosure within same organization by and to individual authorized to access PHI
Breach Notification Analysis
Could there be a significant risk of harm?
Who received/accessed the information?
How detailed was the information?
Were steps taken to recall/destroy the information and mitigate harm?
Was information returned/destroyed before being improperly accessed?
Breach Notification
Methods of providing notice:
Written notice to last known address (or e-mail if specified by the individual)
If contact information is insufficient or out-dated, alternative notice
If more than 10 individuals:
Prominent posting on website; or
Notice in major print or broadcast media
In urgent situations, may supplement with telephone or other means, if appropriate
Breach Notification
Notice to prominent media outlets if more than 500 individuals within a state are affected.
Notification to the Secretary of Health & Human Services:
At the time of the incident, if more than 500 individuals are affected
If fewer than 500 individuals are affected, must submit to HHS annually
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html
Breach Notification
Content of notification:
Brief description of what happened, including:
Date of breach (if known)
Date breach discovered
Description of types of unsecured PHI involved in the breach
Steps individuals should take to protect themselves from potential harm
What the covered entity is doing to investigate, mitigate losses and protect against further breaches
Contact procedures to ask questions or learn more
Deadline: without unreasonable delay, but in any case within 60 days
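The four “Breach Notification Analysis” questions, the notice methods and the HHS/media thresholds above form one triage procedure. The following is an added example, not code from the presentation or from En-Hantz: it models those slides as an incident-response checklist. The `Incident` fields, the handling of counts exactly at the stated thresholds, and the four sample incidents are constructed for illustration; the output is a checklist for counsel to review, not a restatement of the regulation.

```python
"""Breach-notification triage, following the analysis on the slides.

Added example, not from the presentation. The Incident fields, the rule
thresholds as coded, and the sample incidents are constructed to model the
slides; treat the output as a checklist for counsel, not as the regulation.
"""
from dataclasses import dataclass
from datetime import date, timedelta

UNAUTHORIZED = {"acquisition", "access", "use", "disclosure"}
EXCEPTIONS = {
    "could_not_retain",       # recipient could not reasonably have retained the information
    "good_faith_workforce",   # employee's unintentional access in good faith
    "inadvertent_internal",   # inadvertent disclosure within the organization, authorized to authorized
}
NOTICE_CONTENT = [
    "what happened, with date of breach (if known) and date discovered",
    "types of unsecured PHI involved",
    "steps individuals should take to protect themselves",
    "what the covered entity is doing to investigate, mitigate and prevent recurrence",
    "contact procedures for questions",
]


@dataclass
class Incident:
    unauthorized_action: str        # one of UNAUTHORIZED, or "" if none occurred
    electronic: bool                # electronic data (vs paper/film/other media)
    discovered: date
    state: str
    individuals_affected: int
    encrypted: bool = False         # electronic data: encrypted at rest / in motion?
    media_destroyed: bool = False   # media: properly destroyed before it could be accessed?
    exception: str = ""             # one of EXCEPTIONS, or ""
    significant_risk_of_harm: bool = True
    unreachable: int = 0            # individuals with insufficient/outdated contact information


def is_reportable_breach(inc):
    """Questions 1-4 from the slides, in order. Returns (reportable, reason)."""
    if inc.unauthorized_action not in UNAUTHORIZED:
        return False, "no unauthorized acquisition, access, use or disclosure"
    if inc.electronic and inc.encrypted:
        return False, "data was secured (encrypted)"
    if inc.media_destroyed:
        return False, "media was properly destroyed"
    if inc.exception in EXCEPTIONS:
        return False, f"exception applies: {inc.exception}"
    if not inc.significant_risk_of_harm:
        return False, "no significant risk of harm"
    return True, "unsecured PHI breached"


def notice_deadline(discovered):
    """Outer limit: 60 days from discovery (notice must not be unreasonably delayed)."""
    return discovered + timedelta(days=60)


def required_notices(inc):
    """Turn the triage result into the list of notices the slides call for."""
    reportable, reason = is_reportable_breach(inc)
    if not reportable:
        return {"reportable": False, "reason": reason, "notices": []}
    notices = ["individuals: written notice to last known address, or e-mail if the individual specified it"]
    if inc.unreachable > 10:
        notices.append("substitute notice: prominent website posting or major print/broadcast media")
    elif inc.unreachable > 0:
        notices.append("substitute notice: alternative notice to individuals with insufficient contact information")
    # Thresholds as stated on the slides; what happens at exactly 500 is not
    # stated there, so this model treats it as the annual-submission case.
    if inc.individuals_affected > 500:
        notices.append(f"media: notice to prominent media outlets serving {inc.state}")
        notices.append("HHS: notify the Secretary at the time of the incident")
    else:
        notices.append("HHS: include in the annual submission")
    notices.append("state law: check the state's own breach notification statute (not preempted)")
    return {
        "reportable": True,
        "reason": reason,
        "deadline": notice_deadline(inc.discovered),
        "notices": notices,
        "content": NOTICE_CONTENT,
    }


# Constructed sample incidents (not real events).
LOST_LAPTOP = Incident("disclosure", True, date(2015, 12, 14), "ExampleState", 1200, unreachable=30)
LOST_ENCRYPTED_LAPTOP = Incident("disclosure", True, date(2015, 12, 14), "ExampleState", 1200, encrypted=True)
MISFILED_RECORD = Incident("access", True, date(2015, 12, 14), "ExampleState", 1, exception="good_faith_workforce")
MISDIRECTED_MAIL = Incident("disclosure", False, date(2015, 12, 14), "ExampleState", 40)

if __name__ == "__main__":
    for inc in (LOST_LAPTOP, LOST_ENCRYPTED_LAPTOP, MISFILED_RECORD, MISDIRECTED_MAIL):
        print(required_notices(inc))
```

Two things the model makes visible that the slides only imply: the encryption question is what separates the two lost-laptop incidents, which is the practical argument for full-disk encryption on any device that touches ePHI, and the clock starts at discovery, so the incident log must record that date reliably.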
Breach Notification
Does not preempt state security breach notification laws.
SSNs
Drivers license numbers
Financial account information
May have to comply with both
Breach Notification
Business Associates also subject to breach notification provisions
Default rule: provide notice to the covered entity
Must include identification of each individual whose PHI has been or is reasonably believed to have been breached.
Covered entities can contract for a different arrangement
Duty may be different under State law
Consequences of HIPAA Violations
Pre-HITECH Enforcement
No more than $100 per violation per day
Capped at $25,000 per year for all violations of an identical requirement or prohibition during a calendar year.
HHS pursued “informal” enforcement
HITECH Enhanced Enforcement
New tiered structure for each violation:
“unknown” violations: $100 - $50,000
“reasonable cause” violations: $1,000 - $50,000
“willful neglect” violations (if corrected within 30 days): $10,000 - $50,000
“willful neglect” violations (if uncorrected within 30 days): $50,000
New cap: $1.5 million for all violations of the same type during a calendar year
New Enforcement Strategies
Individuals who wrongfully disclose PHI are now clearly subject to criminal penalties
Requires HHS to conduct audits
State Attorneys General and FTC given enforcement authority
Minimizing the Impact of HIPAA
Try not to have PHI
Try to keep it from becoming PHI:
Keep enrollment data in employment records
Work with enrollment data as much as possible
Limit info TPAs report to you
Get de-identified or summary health info only
Have health plan participants and beneficiaries deal directly with TPA
Have TPAs handle benefits appeals
If you must handle PHI
Limit the number of people with access
Minimize the amount of information you receive
Be sure those who handle the information are trained
Be sure policies and procedures are in sync with practices
Try not to have ePHI
Questions?
Contact info