![Page 1: ERISA Group Health Plans: Complying With Complex HHS ...media.straffordpub.com/.../presentation.pdfMay 06, 2014 · Program Materials If you have not printed the conference materials](https://reader034.vdocuments.site/reader034/viewer/2022050205/5f5822fbcb738b5e56296fd9/html5/thumbnails/1.jpg)
ERISA Group Health Plans: Complying With Complex HHS Regulations and Leveraging New Guidance
Structuring Privacy Policies, Security Breach Notifications, Business Associate Agreements, and More
Presenting a live 90-minute webinar with interactive Q&A
TUESDAY, MAY 6, 2014
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
Today’s faculty features:
Ryan P. Blaney, Partner, Cozen O’Connor, Washington, D.C.
Tiffany D. Downs, Partner, FordHarrison, Atlanta
The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.
Tips for Optimal Quality
Sound Quality: If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection. If the sound quality is not satisfactory, you may listen via the phone: dial 1-866-258-2056 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail [email protected] immediately so we can address the problem. If you dialed in and have any difficulties during the call, press *0 for assistance.
Viewing Quality: To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.
FOR LIVE EVENT ONLY
Continuing Education Credits
For CLE purposes, please let us know how many people are listening at your location by completing each of the following steps:
• In the chat box, type (1) your company name and (2) the number of attendees at your location
• Click the SEND button beside the box
If you have purchased Strafford CLE processing services, you must confirm your participation by completing and submitting an Official Record of Attendance (CLE Form).
You may obtain your CLE form by going to the program page and selecting the appropriate form in the PROGRAM MATERIALS box at the top right corner.
If you'd like to purchase CLE credit processing, it is available for a fee. For additional information about CLE credit processing, go to our website or call us at 1-800-926-7926 ext. 35.
FOR LIVE EVENT ONLY
Program Materials
If you have not printed the conference materials for this program, please complete the following steps:
• Click on the ^ symbol next to “Conference Materials” in the middle of the left-hand column on your screen.
• Click on the tab labeled “Handouts” that appears, and there you will see a PDF of the slides for today's program.
• Double click on the PDF and a separate page will open.
• Print the slides by clicking on the printer icon.
FOR LIVE EVENT ONLY
ERISA Group Health Plans: Complying with Complex HHS Regulations and Leveraging New Guidance
May 6, 2014
Sponsored by Legal Publishing Group of Strafford Publications
Ryan P. Blaney, Esq. [email protected] (202) 463-2528
Tiffany D. Downs, Esq. [email protected] (404) 888-3961
OVERVIEW OF PRESENTATION
FINAL PRIVACY RULE
• Privacy Requirements and Policies
• Notice of Privacy Practices and Health Plans
• Supplemental Guidance
FINAL SECURITY AND BREACH RULES
• Security Requirements and Policies
• Breach Requirements and Notifications
• Supplemental Guidance
HEALTH PLANS AND BUSINESS ASSOCIATES
• Expanded Rules and Requirements and New Business Associates
• Drafting and Negotiating Business Associate Agreements on Behalf of Health Plans
ERISA GROUP HEALTH PLANS
• Distinctions between Employers, Plan Sponsors and Health Plans
Part I. Final Privacy Rule
A. Privacy requirements and policies
B. Notice of privacy practices
C. Supplemental guidance
YESTERDAY: FAXING and PAPER Medical Records
“Somehow your medical records got faxed to a complete stranger. He has no idea what’s wrong with you either.”
Today: Big Data, Texts, Twitter, Email, Personalized Medicine, Health Shopping
• $3.1 Trillion
• 20% GDP
• 61% of U.S. employees rely on self-insured health plans
• 94% self-insured plans for employers with more than 5000
• 30% waste in 2009
• FitBit, Nike+, health tracking, sleep and food monitoring
1 YEAR LATER: THE “OMNIBUS RULE”
January 25, 2013: HHS implements changes to:
• HIPAA Privacy, Security, and Enforcement Rules
• Interim breach notification guidance
• Certain changes to HIPAA Privacy Rule required by GINA
Compliance Date
• September 23, 2013 deadline for new and non-compliant health plans
• One year extension (September 2014) to update business associate agreements that are in compliance with the prior regulations.
The Definitions Matter !!! What is PHI?
• Protected Health Information (PHI) is individually identifiable health information that is in all forms – paper, oral, or electronic.
• PHI excludes employment records held by an employer in its role as an employer (e.g., physician’s note submitted by employee documenting reason for absence from office)
What is Health Information?
• Health information includes any information created by a health care provider, health plan, employer, school, or university
– that relates to the past, present, or future physical or mental health or condition of the individual,
– the provision of health care to the individual, or
– the past, present or future payment for health care to the individual.
What Makes Health Information “Individually Identifiable”?
• Name
• Dates: birth, admission to hospital, discharge from hospital, death
• Telephone and fax numbers
• Social Security Number
• Account number
• Vehicle identifiers including license plates
• Web URLs and IP address numbers
• Genetic Information
• Geographic unit (certain zip code information excepted)
• Ages over 89
• Email and other addresses
• Medical record numbers and health plan numbers
• Certificate or license number
• Device identifiers and serial numbers
• Biometric identifiers, including finger and voice prints and full face and other identifying photographic images
HIPAA Definitions: Health Plans
• COVERED by HIPAA
– Medical plans
– Dental plans
– Vision plans
– Prescription drug plans
– Retiree medical plans
– ERISA-Covered employee assistance plans
– Health care spending accounts
• NOT COVERED by HIPAA
– Workers’ compensation
– Disability plans
– Accident plans
– Non-ERISA Employee Assistance Plans and Long Term Care Plans
– Life Insurance
A Balancing Act …
• Employee privacy
• Employee participation
• Employers’ rising health care expenditures
• Available health data on cost and quality
Privacy challenges for health plans
• “The tensions between having employers manage health care coverage and employees wanting to have some private space are crashing into each other … it’s probably going to get worse.”
– Matthew T. Bodie, Law Professor at St. Louis University School of Law, quote from New York Times September 14, 2013 article, “On Campus, a Faculty Uprising Over Personal Data”
Update - Notice of Privacy Practices
• Health plans cannot “substantially” change their HIPAA policies and procedures before updating their Notice of Privacy Practices to reflect those revisions. HHS considers the Omnibus Rule changes to be “substantial.”
– Notices can be delivered by e-mail, if a participant agrees to electronic notice.
– Notices must be distributed upon enrollment to all new participants.
– Participants are entitled to paper copies.
– At least once every 3 years, health plans must remind participants of the availability of the privacy notice.
HIPAA Requires Mandatory Training
• A health plan or its business associate must train its workforce that has access to PHI (HIPAA Personnel) regarding the HIPAA privacy practices and procedures.
– Each such workforce member must be trained within a reasonable time period after his/her hire date.
General Privacy Rule
• A Covered Entity and its workforce may not use or disclose PHI, except as permitted by the Privacy Rule
• Permitted uses of PHI under the Privacy Rule include:
– treatment, payment, or health care operations
– under a specific authorization from the subject of the PHI
– as required by law
– in response to a court order
– in response to a subpoena, but only with “adequate assurances” of efforts to secure a protective order or notify the subject of the request
Uses and Disclosures Pursuant to a Valid Authorization
• A written authorization is needed for disclosures that are not for treatment, payment, and healthcare operations.
• To be valid, an authorization must contain very specific information.
• Use or disclosure of PHI must be consistent with the terms of the authorization.
• An authorization can be revoked by written notice.
• An authorization is not required if you must use or disclose PHI to avert a serious threat to health or safety.
“Treatment, Payment, and Health Care Operations”
• Treatment: Providing, coordinating, or managing health care and related services by health care providers
• Payment: Activities to obtain premiums, obtain or provide reimbursement for the provision of health care, or determine the Plan’s responsibility for coverage
• Health Care Operations: General Plan administration, business planning, quality assessments, evaluation of coverage, and case management
• Disclosing PHI to an FMLA administrator so he/she can determine if the Participant is eligible for FMLA leave
• Giving a manager PHI about a Participant’s medical condition so he/she can make employment-related decisions
Minimum Necessary Standard
• Whenever a covered entity uses or discloses PHI, or requests PHI from another plan or a physician, it “must make reasonable efforts to limit [PHI] to the minimum necessary to accomplish the intended purpose of the use, disclosure or request”
– Exceptions to the Minimum Necessary Standard:
• Disclosure is to the individual who is the subject of the PHI
• Disclosure is to a health care provider for treatment purposes
• Disclosure is pursuant to the individual’s authorization
• Disclosure is for certain legal purposes
De-identified Health Information – Health Plans Need More Clarity
• Limitations on use and disclosure of PHI do not apply to “de-identified health information”
• Redacting names and other identifying information does not render information “de-identified” under HIPAA.
• De-identification requires:
– determination by a person with “appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable” that there is a small risk that the information could be used alone or with other information to identify the subject, or
– removal of 18 types of information
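The second route above (removal of the listed identifier types; see the “Individually Identifiable” list earlier in the deck) can be turned into a screening check that reports which identifiers still survive in a record. This is an added example written for this page, not code from the presenters; the field names, regex patterns, sample records and the “small population” ZIP prefixes are constructed assumptions, and the ZIP handling assumes the Safe Harbor convention that only the first three digits may be kept and that a sparsely populated three-digit area is reported as 000.

```python
"""Safe Harbor de-identification screen for the identifier categories the slides list.

Added example, not from the webinar materials. Field names, regex patterns, the
sample records and the "small population" ZIP prefixes are constructed.
"""
import re

# Fields that hold a listed identifier outright and must be removed.
DIRECT_FIELDS = {
    "name", "phone", "fax", "ssn", "account_number", "email", "mrn",
    "health_plan_number", "license_number", "device_serial", "vehicle_plate",
    "url", "ip_address", "biometric", "photo", "genetic_info",
}
# Date elements other than the year are identifiers (birth, admission, discharge, death).
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Constructed patterns for identifiers that leak into free-text fields.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}

# Constructed: three-digit ZIP prefixes treated as too sparsely populated to keep.
SMALL_ZIP3 = {"036", "059", "102"}


def check_safe_harbor(record: dict) -> list:
    """Return one finding per surviving identifier; an empty list means the record
    passes this screen (the statistical determination is the other route)."""
    findings = []
    for field, value in record.items():
        if value in (None, ""):
            continue
        if field in DIRECT_FIELDS:
            findings.append(f"{field}: direct identifier present")
        elif field == "zip":
            z = str(value)
            if len(z) > 3:
                findings.append("zip: more than the three-digit prefix retained")
            elif z in SMALL_ZIP3:
                findings.append("zip: sparsely populated prefix must be reported as 000")
        elif field == "age":
            # Ages over 89 must be collapsed into a single "90+" category.
            if str(value).isdigit() and int(value) > 89:
                findings.append("age: ages over 89 must be aggregated as 90+")
        elif field in DATE_FIELDS:
            # Safe Harbor allows the year only; anything more precise is an identifier.
            if not re.fullmatch(r"\d{4}", str(value)):
                findings.append(f"{field}: date element more specific than year")
        elif isinstance(value, str):
            for name, pattern in PATTERNS.items():
                if pattern.search(value):
                    findings.append(f"{field}: free text contains {name}")
    return findings


def is_deidentified(record: dict) -> bool:
    return not check_safe_harbor(record)


# Constructed sample: a claims extract before and after scrubbing.
RAW_RECORD = {
    "name": "J. Example",
    "birth_date": "1951-04-09",
    "zip": "30309",
    "age": 73,
    "diagnosis": "Type 2 diabetes",
    "notes": "Called 404-555-0100 re: claim; member emailed from jex@example.org",
}
SCRUBBED_RECORD = {
    "birth_date": "1951",
    "zip": "303",
    "age": 73,
    "diagnosis": "Type 2 diabetes",
    "notes": "Member called re: claim; follow-up by mail",
}

if __name__ == "__main__":
    for label, rec in (("raw", RAW_RECORD), ("scrubbed", SCRUBBED_RECORD)):
        print(label, "->", check_safe_harbor(rec) or "no listed identifiers found")
```

Note that the raw record fails on the notes field alone: redacting the name field (the point the slide makes) leaves a phone number and an e-mail address in free text.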
Individual Rights Under HIPAA
• Access to PHI – the right to access and copy most PHI that is part of the records maintained by or for the health plan
• Amendment of PHI – the right to amend most PHI that is created by or on behalf of the health plan
• Accounting of disclosures of PHI – the right to a list of certain disclosures of PHI made by the Plan for the previous 6 years (generally does not include permitted or required disclosures)
• Confidential Communications of PHI – the right to receive communications of PHI by other means or at a different location if the normal method could endanger the participant.
• Restrictions on the Use and Disclosure of PHI – the right to request restrictions on the use and disclosure of the participant’s PHI.
Individual Rights: Anti-Retaliation
• Anti-Retaliation Policy: Health plans are prohibited from intimidating, threatening, coercing, discriminating against or taking any retaliatory action against a participant for exercising his or her rights under HIPAA
• Waiver Policy: Participants may not be required to waive their rights under HIPAA in order to receive Plan benefits or treatment.
Part II. Final Security and Breach Rules
A. Security Requirements and Policies
B. Breach Requirements and Notifications
C. Supplemental Guidance
HIPAA Security Rule
• Addresses the security of electronic Protected Health Information (PHI):
– PHI is Individually Identifiable Health Information that is transmitted or maintained in electronic, written, or oral form.
HIPAA Security Rule
• Security Rule standards include the following safeguards:
– Administrative – policies and procedures
– Technical – devices and equipment
– Physical – facilities, workstations, etc.
• Implementation specifications:
– Required (R)
– Addressable (A)
Administrative Safeguards
• Security Management Process
– Risk analysis (A)
– Risk management (R)
– Sanctions (R)
– Information System Activity Review (sign-on/sign-off activity; unsuccessful log on attempts) (R)
• Security Officer (R)
Administrative Safeguards
• Workforce Security
– Authorization and/or supervision (A)
– Workforce clearance procedures (background checks) (A)
– Termination procedures (disable user ID and password) (A)
• Information Access Management
– Access authorization (controlled by user ID and password) (A)
– Access establishment and modification (A)
Security Rule Safeguards
• Security Awareness and Training
– Security reminders (training) (A)
– Protection from malicious software (anti-viral software/firewall) (A)
– Log-in monitoring (report suspicious activity) (A)
– Password management (change periodically) (A)
• Security Incident Procedures (response and reporting) (R)
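The Information System Activity Review required under the Security Management Process (sign-on/sign-off activity, unsuccessful logon attempts) and the log-in monitoring item above both come down to a periodic review routine over the plan's audit logs. The following is an added example, not code from the presentation; the log format, user names, source addresses, failure threshold and business-hours window are constructed assumptions.

```python
"""Information System Activity Review over constructed audit log lines.

Added example, not from the webinar materials. The log format, users, addresses,
thresholds and business-hours window are constructed; the review logic covers
the items the Security Rule slides name: sign-on/sign-off activity, unsuccessful
logon attempts, and reporting suspicious activity found through log-in monitoring.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                  # failures within the window that trigger a finding
FAIL_WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = range(7, 20)       # 07:00-19:59 is treated as normal access time

# Constructed sample log: ISO timestamp, user, event, source address.
SAMPLE_LOG = """\
2014-05-06T08:02:10 user=tdowns event=SIGNON src=10.1.4.20
2014-05-06T08:45:31 user=tdowns event=SIGNOFF src=10.1.4.20
2014-05-06T22:14:01 user=rblaney event=SIGNON src=10.1.4.31
2014-05-06T22:40:12 user=rblaney event=SIGNOFF src=10.1.4.31
2014-05-06T23:01:02 user=admin event=LOGIN_FAIL src=203.0.113.9
2014-05-06T23:01:05 user=admin event=LOGIN_FAIL src=203.0.113.9
2014-05-06T23:01:09 user=admin event=LOGIN_FAIL src=203.0.113.9
2014-05-06T23:01:14 user=admin event=LOGIN_FAIL src=203.0.113.9
2014-05-06T23:01:20 user=admin event=LOGIN_FAIL src=203.0.113.9
2014-05-06T23:01:27 user=admin event=SIGNON src=203.0.113.9
2014-05-07T09:10:00 user=jsmith event=SIGNON src=10.1.4.40
"""


def parse_line(line: str) -> dict:
    """Split one log line into a record with a parsed timestamp."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def review(log_text: str) -> list:
    """Return findings as (category, user, detail) tuples, in the order found."""
    findings = []
    recent_fails = defaultdict(deque)   # user -> timestamps of failures inside the window
    burst_reported = set()              # users already reported for a failure burst
    open_sessions = {}                  # user -> sign-on time with no matching sign-off yet
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user, event, ts, src = rec["user"], rec["event"], rec["ts"], rec["src"]
        if event == "LOGIN_FAIL":
            window = recent_fails[user]
            window.append(ts)
            while window and ts - window[0] > FAIL_WINDOW:
                window.popleft()            # drop failures older than the window
            if len(window) >= FAIL_THRESHOLD and user not in burst_reported:
                burst_reported.add(user)
                findings.append(("failed_logon_burst", user,
                                 f"{len(window)} failures from {src} within {FAIL_WINDOW}"))
        elif event == "SIGNON":
            if user in burst_reported:
                # A success right after a burst of failures is the case worth escalating.
                findings.append(("signon_after_failures", user, f"success from {src}"))
            if ts.hour not in BUSINESS_HOURS:
                findings.append(("after_hours_signon", user, ts.isoformat()))
            open_sessions[user] = ts
        elif event == "SIGNOFF":
            open_sessions.pop(user, None)
    # Sessions never signed off point at a missing automatic-logoff control.
    for user, ts in open_sessions.items():
        findings.append(("no_signoff", user, f"session opened {ts.isoformat()} never signed off"))
    return findings


if __name__ == "__main__":
    for category, user, detail in review(SAMPLE_LOG):
        print(f"{category:22} {user:8} {detail}")
```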
Security Rule Safeguards
• Contingency Plans
– Data backup (nightly? weekly?) (R)
– Disaster recovery (R)
– Emergency mode operation (R)
– Testing and revision procedures (A)
– Applications and data criticality analysis (A)
• Evaluation
Physical Safeguards
• Facility Access
– Contingency operations (A)
– Facility security plan (badge readers, alarm system) (A)
– Access control and validation procedures (escort visitors) (A)
– Maintenance records (A)
• Workstation Use (automatic screensavers)
Physical Safeguards
• Workstation Security (shut down procedures)
• Device and Media Controls
– Disposal (delete or purge PHI first) (R)
– Media Re-use (delete or purge PHI first) (R)
– Accountability (A)
– Data Backup and Storage (A)
Technical Safeguards
• Access Controls
– Unique User Identification (do not share user ID or passwords) (R)
– Emergency Access Procedure (R)
– Automatic Logoff (mandatory screen savers and shut down procedures) (A)
– Encryption and decryption (alternative: passwords for smart phones and laptops) (A)
• Audit Controls
Technical Safeguards
• Data Integrity
• Person or Entity Authentication
• Transmission Security
– Integrity Controls (A)
– Encryption and decryption (for emails or file transfers containing PHI) (A)
Summary of PHI Safeguards
• Printed Documents
• Faxes
• Electronic Information
• Verbal Communications
• Storage and Destruction
• Secure Facilities and Equipment
Breach Rules: New Definition of Breach
• What is considered a “Breach”?
• Presumption of breach unless a 4-factor risk assessment demonstrates low probability that PHI has been compromised
• Burden shifted to CE or BA to show notice not required
What is a Breach?
• Applies to “Unsecured” PHI
– PHI is unsecured if an HHS-approved methodology has not been used to render the PHI unusable, unreadable, or indecipherable to unauthorized individuals; AND
– PHI is “accessed, acquired, or disclosed” by or to an unauthorized individual as a result of a breach.
– HHS-approved methodology includes only: Encryption (for electronic PHI) and Destruction (for electronic and paper PHI)
Exceptions to Breach
• Disclosure of PHI to an unauthorized person believed unable to retain the information (because it is encrypted or password protected);
• Any unintentional acquisition, access or use of PHI by a workforce member or person acting under the authority of a plan sponsor, if made in good faith and within the scope of their authority, and that does not result in further use or disclosure in violation of the Privacy Regulations;
• Any inadvertent disclosure by a person who is authorized to access PHI at the plan sponsor to another person authorized to access PHI, where the information is not further used or disclosed in a manner not permitted under the Privacy Regulations.
Breach Risk Assessment
• Breach is presumed unless the plan sponsor demonstrates that there is a low probability that the PHI has been compromised, by relying on at least the following factors:
– Nature and Extent: The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
– Identity: The unauthorized person who used the PHI or to whom the disclosure of PHI was made;
– Whether the PHI was actually viewed or acquired or, alternatively, if only the opportunity existed for the information to be viewed or acquired; and
– Mitigation: The extent to which the risk to the PHI has been mitigated.
What to do if Breach Occurs?
• Notify the HIPAA Privacy and Security Officer.
• Determine notice obligations and mitigation strategies
• Improper disclosure of PHI or failure to follow privacy and security procedures could result in disciplinary action.
Breach Notifications
• Individual Notice: Covered Entities must notify affected individuals following the discovery of a breach of unsecured protected health information, in written form by first-class mail, or by e-mail if the affected individual has agreed to receive such notices electronically.
• Media Notice: Covered Entities that experience a breach affecting more than 500 residents of a State or jurisdiction are also required to provide notice to prominent media outlets serving the State or jurisdiction.
• Notice to the Secretary: In addition to notifying affected individuals and the media (where appropriate), covered entities must also notify the Secretary of Health and Human Services of all breaches of unsecured protected health information. If a breach affects 500 or more individuals, Covered Entities must notify the Secretary without unreasonable delay and no later than 60 days following a breach; if a breach affects fewer than 500 individuals, Covered Entities must notify the Secretary on an annual basis, no later than 60 days after the year in which the breach occurred.
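Taken together with the “unsecured PHI” test and the presumption of breach from the earlier slides, the notice rules above form a decision procedure: media notice is judged per State or jurisdiction, while notice to the Secretary is judged on the total count. The following is an added example, not code from the presentation; the Incident fields, the sample incidents and the choice to count deadlines from the discovery date are constructed assumptions.

```python
"""Breach notification routing for a group health plan, using the thresholds on the slides.

Added example, not from the webinar materials. The Incident fields, sample
incidents and the use of the discovery date as the start of the 60-day clock
are constructed assumptions. Rules applied, as stated on the slides: only
"unsecured" PHI is in scope (PHI not rendered unusable by encryption or
destruction); a breach is presumed unless the four-factor assessment documents a
low probability of compromise; every affected individual is notified; media
notice is owed in each State/jurisdiction with more than 500 affected residents;
the Secretary is notified no later than 60 days after the breach when 500 or
more individuals are affected, otherwise in the annual report due 60 days after
the end of the year.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Incident:
    discovered: date
    affected_states: list                       # one State/jurisdiction code per affected individual
    phi_encrypted: bool = False                 # HHS-approved methodology applied to electronic PHI
    phi_destroyed: bool = False                 # HHS-approved methodology for electronic or paper PHI
    low_probability_documented: bool = False    # outcome of the written 4-factor risk assessment


def required_notices(inc: Incident) -> dict:
    """Decide which notices the breach rules require for this incident."""
    if inc.phi_encrypted or inc.phi_destroyed:
        # Not "unsecured" PHI: the breach notification rule does not apply.
        return {"notifiable": False, "reason": "PHI secured by an HHS-approved methodology"}
    if inc.low_probability_documented:
        # Presumption of breach rebutted; the written assessment is the evidence to retain.
        return {"notifiable": False,
                "reason": "four-factor assessment documents low probability of compromise"}

    total = len(inc.affected_states)
    per_jurisdiction = Counter(inc.affected_states)
    # Media notice is evaluated per State/jurisdiction (> 500 residents), not on the total.
    media = sorted(s for s, n in per_jurisdiction.items() if n > 500)
    # Secretary notice is evaluated on the total number of individuals (>= 500).
    if total >= 500:
        secretary = {"timing": "without unreasonable delay",
                     "deadline": inc.discovered + timedelta(days=60)}
    else:
        secretary = {"timing": "annual report",
                     "deadline": date(inc.discovered.year, 12, 31) + timedelta(days=60)}
    return {
        "notifiable": True,
        "individual_notices": total,   # first-class mail, or e-mail where the individual agreed
        "media_notice_jurisdictions": media,
        "secretary": secretary,
    }


# Constructed sample incidents.
LOST_LAPTOP_ENCRYPTED = Incident(date(2014, 5, 6), ["GA"] * 30, phi_encrypted=True)
MISDIRECTED_MAILING = Incident(date(2014, 5, 6), ["GA"] * 30)
VENDOR_EXPORT = Incident(date(2014, 5, 6), ["GA"] * 480 + ["DC"] * 40)
STATEWIDE_EXPOSURE = Incident(date(2014, 5, 6), ["GA"] * 600)

if __name__ == "__main__":
    for name, inc in [("encrypted laptop", LOST_LAPTOP_ENCRYPTED),
                      ("misdirected mailing", MISDIRECTED_MAILING),
                      ("vendor export", VENDOR_EXPORT),
                      ("statewide exposure", STATEWIDE_EXPOSURE)]:
        print(name, "->", required_notices(inc))
```

The vendor export case is the one to watch: 520 individuals triggers the 60-day Secretary notice, but no single jurisdiction exceeds 500, so no media notice is owed.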
Supplemental Guidance
• Disclosures for Emergency Preparedness
• Refill Reminders and Other Communications
• Health Information of Deceased Individuals
• Others …
Part III. Business Associate Requirements
A. Expanded Rules and Requirements and New Business Associates
B. Drafting Requirements for Business Associate Agreements
What is a Business Associate (“BA”)?
• Definition:
– A person who (i) performs for or on behalf of a covered entity, or assists a covered entity, in performing an activity or function involving use or disclosure of health information (e.g., claims processing, utilization review, billing), or (ii) provides legal, actuarial, accounting, management, administrative, accreditation or financial services where the provision of such services involves the disclosure of health information from the entity or another business associate of the entity
• Includes anyone with health information from your health plans (could include attorneys, consultants, third party administrators, auditors, computer software service companies)
• Includes: Benefits Brokers and others
January 25, 2013 Omnibus Rule Changes to BA
• HHS published a Final Omnibus Rule on January 25, 2013 that expanded the definition of Business Associates to include Health Information Organizations, E-prescribing Gateways, entities that provide data transmission services for PHI and who require routine access to such PHI, and personal health record vendors.
What are the Business Associate Rules?
• General Rules
– Need specific HIPAA-dictated language in a contract with all business associates
– Business Associate Agreement must be written.
– Must include language that specifically says that the BA will ensure that individuals’ HIPAA rights are followed.
Continued …
• Under HITECH all of the HIPAA rules apply directly to business associates, including penalties
– Previously, HIPAA applied only to “covered entities” – health plans, health care providers, and clearinghouses
– HIPAA applied indirectly to business associates – through business associate agreements
Tips for Drafting & Negotiating BAAs
• Reporting requirements and timing (the parties can and should agree on shorter periods)
• Review the underlying services agreement and modify services agreement and BAA to be consistent
• Agency and subcontractor provisions
• Indemnification clauses
• Breach notification costs and responsibilities
• Termination and destruction of PHI
Part IV. Distinctions between Employer, Plan Sponsor, and Group Health Plans
Who is Subject to HIPAA?
• Employer
• Plan Sponsor
• Group Health Plan
HIPAA COVERED ENTITIES
• Health Care Clearinghouses
• Health Care Providers - who transmit any health information in electronic form
• Health Plans - whether insured or self-funded, which have:
– 50 or more participants; OR
– are administered by an entity other than the employer
Covered Health Plans
Examples of benefits subject to HIPAA:
• Health (Medical)
• Dental
• Vision
• Health Care Flexible Spending Account
• Long Term Care
• Employee Assistance Program (in some cases)
Entities Not Subject to HIPAA
• Employers performing employer functions (e.g. FMLA, drug testing, sick leave, ADA, OSHA, fitness for duty, and return to work physicals)
– But, may need authorization to obtain records
• Life, Disability, and Workers’ Compensation Insurers
• On-site Medical Clinics
Employment Records Exception
HIPAA excludes employment records from the definition of protected health information. A covered entity must use a functional test in determining whether a record is an employment record.
Employment Records Test
• Functional Test: How was this information created or received? Was it created and received in health plan capacity or employer capacity?
• NOTE: Employment records are subject to protection under the ADA, FMLA and GINA
Discussion Scenarios
• Requests for Leave
• Pre-employment physicals
• Requests for Accommodations
HINT: Not Subject to HIPAA
Disclosures to Employers
• Summary health information (for renewal purposes)
• Enrollment information (for payroll deduction)
• To disclose any other PHI to employer, plan documents must contain specific privacy protections (firewall)
• Employer may not use PHI to make employment related decisions or for other benefit plans
Self Insured vs. Fully Insured
• Self Insured plans – All privacy rule requirements apply
• Insured plans – “Hands on” – plan sponsor receives PHI in addition to summary health information and participation information
• Must maintain privacy notice and provide upon request
Self Insured vs. Fully Insured
• Insured plans
– “Hands off” – plan sponsor does not receive PHI other than summary health information and participation information
• No privacy notice required
• No administrative requirements except retaliation and waiver
– No exemption from Security Rule requirements
Questions?
Ryan P. Blaney, Esq. Cozen O’Connor Washington, DC [email protected] (202) 463-2528
Tiffany D. Downs, Esq. FordHarrison Atlanta, GA [email protected] (404) 888-3961