hipaa: everything you need to know

Upload: benefit-express

Post on 12-Jul-2015

TRANSCRIPT

Page 1: HIPAA: Everything You Need to Know
Page 2: HIPAA: Everything You Need to Know

Copyright 2014- Not to be reproduced without express permission of Benefit Express Services, LLC

By

Larry Grudzien

Attorney at Law

Page 3: HIPAA: Everything You Need to Know

• The Health Insurance Portability and Accountability Act (HIPAA) of 1996 applies to all group health plans, including:

• Self-insured plans,

• Insured plans, and

• HMOs

• It applies to a number of areas:

Pre-existing conditions

Special enrollment periods

Health Status and Genetic Information Nondiscrimination Rules

Lifetime and Annual Dollar Limits; Prohibition on Rescissions

Guaranteed-Availability and Guaranteed-Renewability Rules for Large Group, Small Group, and Bona Fide Association Plans

New disclosure rules

Wellness programs

Privacy

Introduction to HIPAA

Page 4: HIPAA: Everything You Need to Know

HIPAA Portability and

Nondiscrimination Rules

Page 5: HIPAA: Everything You Need to Know

• An employee welfare benefit plan to the extent that the plan provides medical care to employees or their dependents directly or through insurance, reimbursement or otherwise. - ERISA §733(a)(1), PHSA §2791(a)(1)

• Automatic Exceptions: AD&D insurance, disability income insurance, liability insurance, supplement to liability insurance, workers’ compensation, auto medical payment insurance, credit-only insurance, and coverage for on-site medical clinics. Code §§ 9831(b)-9832(c)(1), ERISA §§732(b)-733(c), PHSA §§ 2721(c)-2791(c)(1)

What is a HIPAA Group Health

Plan?

Page 6: HIPAA: Everything You Need to Know

• What is the Health Coverage Certification requirement?

Group health plans and employers offering group health insurance coverage must provide a certification of the period of creditable coverage under the plan, the coverage under any applicable COBRA continuation provision, and the waiting period (if any).

• Who must provide Certifications? Individuals covered by group health plans must receive them.

Employers are responsible, unless relieved under written agreement.

• To whom and when? Each employee and dependent who loses coverage.

Upon loss of coverage:

• Automatically when coverage ends.

• Automatically when COBRA coverage ends.

• Upon request for certification.

Code §9801(e)(1)(A), ERISA §701(e)(1)(A), PHSA §2701(e)(1)(A)

Health Coverage Certification

Requirements

Page 7: HIPAA: Everything You Need to Know

• Method of delivery? By first class mail to last known address, or

By electronic means.

• Contents of the certification

By writing or electronic media.

Required information.

Provided automatically - only the most recent information.

Provided by request - Each period of coverage.

Temp. Treas. Reg. §9801-5T, DOL Reg. §2590.701-5, HHS Reg. §146.115(a)(2)

Health Coverage Certification

Requirements

Page 8: HIPAA: Everything You Need to Know

• Plan Description

Periods of prior coverage without regard to specific benefits.

Other benefits will be provided upon request.

• Certification of Dependent Coverage

Provided to employees and dependents.

One certificate to an entire family - only the most recent information.

No Certificate until coverage ends.

• Enforcement

Plan administrator can be sued.

Excise tax of $100 per day per violation.

Health Coverage Certification

Requirements

Page 9: HIPAA: Everything You Need to Know

• Four important changes

Define pre-existing condition.

Do not exclude participation for more than 12 or 18 months.

Reduce the duration of any exclusion by period of “creditable coverage.”

No exclusion involving pregnancy, childbirth or adoption.

Code §9801(a) & (b), ERISA §701(a) & (b), PHSA §2701(a) & (b)

Preexisting Condition

Requirements and Notice

Obligations

Page 10: HIPAA: Everything You Need to Know

• “Prior creditable coverage”

Preexisting condition exclusions are reduced for “prior creditable coverage” - day for day.

What is “prior creditable coverage”?

What is a “significant break in coverage”?

Preexisting Condition

Requirements and Notice

Obligations

Page 11: HIPAA: Everything You Need to Know

• Enforcement:

IRS imposed penalty - $100 per day.

DOL and plan participants may file suit to force compliance.

Code §5000(b), ERISA §502(a)(3)

Preexisting Condition

Requirements and Notice

Obligations

Page 12: HIPAA: Everything You Need to Know

• Group health plans must:

Allow employees and dependents to enroll mid-year.

In three specified situations:

• Loss of other coverage,

• Acquisition of new dependent, and

• Gain of eligibility for Medicaid or CHIP.

• Employees and beneficiaries subject to this right are not treated as “late enrollees.”

• Benefits of this special enrollment right.

Code §9801(f), ERISA §701(f)(1), PHSA §2701(f)(1)

Special Enrollment Rights

Page 13: HIPAA: Everything You Need to Know

• Loss of other coverage:

COBRA was exhausted; or

Either lost eligibility for employer coverage or the employer contribution for coverage ceased.

• Must request enrollment within 30 days of loss.

• No requirement to elect COBRA.

Code §9832(f), ERISA §701(f)(1), PHSA §2701(f)(1)

Special Enrollment Rights

Page 14: HIPAA: Everything You Need to Know

• Acquisition of new dependent because:

Marriage; or

Adoption, placement for adoption or birth.

• Employee has right to enroll self and new dependent.

• Must enroll within 30 days of event.

• Effective date of coverage.

• Notice requirements.

• Special rights for COBRA beneficiaries.

Temp. Treas. Reg. §54.9801-6T(b), DOL Reg. §2590.701-6(b), 45 CFR §146.117(b)

Special Enrollment Rights

Page 15: HIPAA: Everything You Need to Know

• Special enrollment rights are available if the employee or dependent becomes eligible for assistance, with respect to coverage under the plan through either a Medicaid plan under Title XIX of the Social Security Act, or the state children's health insurance program (CHIP) under Title XXI of the Social Security Act.

• The employee who is eligible, but not enrolled, for coverage under the terms of the plan (or a dependent of such an employee if the dependent is eligible, but not enrolled, for coverage under such terms) may enroll in the plan upon becoming eligible for state premium assistance subsidy if special enrollment is requested in a timely manner.

• If an employee or dependent becomes eligible for state premium assistance subsidy, a plan must allow for a period of at least 60 days for the employee to request coverage under the plan after such eligibility is determined.

Special Enrollment Rights

Page 16: HIPAA: Everything You Need to Know

• Group health plans must not discriminate based on an individual’s health status in:

Eligibility - initial, continuing or late enrollment.

Premiums or Contributions - determining the amount.

Code §9802, ERISA §702, PHSA §2702

Health Status Discrimination

Rules

Page 17: HIPAA: Everything You Need to Know

• Prohibited Discrimination in Eligibility:

Group Health Plan must not base eligibility rules on health status related factors, but may:

• Exclude coverage for particular benefits,

• Establish limitations or restrictions,

• Exclude coverage for participation in dangerous activities, and

• Not deny benefits for injury resulting from act of domestic violence or a medical condition.

Temp. Treas. Reg. §54.9802-1T(b), DOL Reg. §2590.702(b), 45 CFR §146.121(b)

Health Status Discrimination

Rules

Page 18: HIPAA: Everything You Need to Know

• Prohibited Discrimination in Premiums/Contributions:

Group Health Plan may not charge greater premiums or contributions among similarly situated employees, but:

• Insurers are not limited in amount they may charge for premiums,

• Plans may charge different amounts to different groups, and

• Plans may charge different amounts for employees and their dependents.

Code §9802(b), ERISA §702(b), PHSA §2702(b)

Health Status Discrimination

Rules

Page 19: HIPAA: Everything You Need to Know

• Prohibited Discrimination in Premiums/Contributions: Health Status Factors:

• Health status

• Medical condition

• Claims experience

• Health care utilization

• Medical history

• Genetic information

• Evidence of insurability

• Disability

Wellness programs:

• Wellness incentives are permitted, but

• Payment may not be based on results.

Health Status Discrimination

Rules

Page 20: HIPAA: Everything You Need to Know

Lifetime and Annual

Dollar Limits

Page 21: HIPAA: Everything You Need to Know

• Lifetime dollar limits are prohibited and annual dollar limits are first restricted, and later prohibited, with respect to “essential health benefits.”

• “Essential health benefits” include minimum benefits in ten general categories and the items and services within those categories, as defined by HHS. The categories are:

ambulatory patient services;

emergency services;

hospitalization;

maternity and newborn care;

mental health and substance use disorder services, including behavioral health treatment;

prescription drugs;

rehabilitative and habilitative services and devices;

laboratory services;

preventive and wellness services and chronic disease management; and

pediatric services, including oral and vision care.

Lifetime and Annual Dollar

Limits

Page 22: HIPAA: Everything You Need to Know

• Who must cover Essential Health Benefits?

A: All non-grandfathered, insured plans in the individual and small group markets – on and off the Exchange/Health Insurance Marketplace – are required to provide EHBs, with the start of plan years that begin on or after January 1, 2014 (policy years in the case of individual policies).

No other plans are required to provide EHBs.

However, if they cover any benefits defined as EHBs, they cannot impose any annual or lifetime .

Lifetime and Annual Dollar

Limits

Page 23: HIPAA: Everything You Need to Know

Guaranteed Availability &

Renewability Rules

Page 24: HIPAA: Everything You Need to Know

• Health care reform greatly expands HIPAA's guaranteed-availability rules for the group market by making these rules applicable to health insurance issuers in the large and small group markets and effecting the other changes discussed below, effective January 1, 2014.

• It does not apply to grandfathered plans.

• Each health insurer that offers health insurance coverage in the individual or group market (regardless of whether the coverage is offered in the large or small group market) is required to accept every employer and individual in the state that applies for such coverage.

Guaranteed Availability Rules

Page 25: HIPAA: Everything You Need to Know

• Health insurers offering coverage in the small and large group markets in a state must accept all employers that apply for coverage in the state, effective January 1, 2014.

• Enrollment may be restricted to open or special enrollment periods.

• Health insurers in the small group market may apply minimum participation rules other than during the annual open enrollment period from November 15 to December 15 of each year.

• Insurers in the large group market may not impose minimum contribution or participation rules because large employers generally do not present the same adverse selection risk as small employers.

Guaranteed Availability Rules

Page 26: HIPAA: Everything You Need to Know

• To the extent permitted under state law, an insurer can discontinue all products in the small group market without having to also discontinue all products in the large group market.

• When renewing a product, insurers in the small group market must provide each plan sponsor a written notice of renewal at least 60 calendar days before the renewal date.

• The law guarantees an employer the right to renew or continue in force the coverage it purchased in the small (or large) group market even if the employer ceases to be a small (or large) employer by reason of an increase (or decrease) in its number of employees.

Guaranteed Renewability

Rules

Page 27: HIPAA: Everything You Need to Know

• An issuer can refuse to renew a group policy if the plan sponsor fails to comply with a material plan provision relating to employer contribution or group participation rules, pursuant to applicable state law.

• For this purpose, an “employer contribution rule” means a requirement relating to the minimum level or amount of employer contributions toward the premium for enrollment of participants and beneficiaries.

• The term “group participation rule” means a requirement relating to the minimum number of participants or beneficiaries that must be enrolled in relation to a specified percentage or number of eligible individuals or employees of an employer.

Guaranteed Renewability

Rules

Page 28: HIPAA: Everything You Need to Know

HIPAA Privacy Rules

Page 29: HIPAA: Everything You Need to Know

• Health plans are required to protect and safeguard a participant’s or covered dependent’s personal health information (PHI) from impermissible use or disclosure, and they must obtain a patient’s consent for certain uses and disclosures.

• What is required to protect information?

• What information is protected?

• What steps must a health plan and the employer take to comply?

General Requirements

Page 30: HIPAA: Everything You Need to Know

• Health plans must:

Establish written policies and procedures to protect PHI.

Protect and safeguard a participant’s or covered dependent’s personal health information (PHI).

Obtain participant’s or covered dependent’s written permission for certain uses of PHI.

Notify a participant and/or covered participant of policies of disclosure and use of PHI.

Report impermissible use or disclosure of PHI.

Allow a participant and/or covered dependent to inspect or copy his or her PHI.

Use and disclose only the “minimum necessary” health information.

Enter into Business Associate Agreements.

What is Required?

Page 31: HIPAA: Everything You Need to Know

• All medical records and other individually identifiable health information held or disclosed by a health plan in any form, whether communicated electronically, on paper or orally.

• Health plans may release PHI to employers without authorization in very limited circumstances.

• Three conditions must be met:

Provider must provide service at the request of employer or as an employee;

Service provided must relate to medical surveillance of workplace or an evaluation to determine individual has workplace injuries or illness; and

Employer must have legal requirement under state or federal law to keep records.

45 CFR §160.103

What is “Protected Health

Information” (PHI)?

Page 32: HIPAA: Everything You Need to Know

• Group health plans do not need to obtain a participant’s or a covered dependent’s consent to release information for the administration of the plan.

• Plan sponsor’s obligation depends on whether it receives protected health information, summary health information or no health information.

• Obligations, if it receives only summary health information.

• Required plan amendments.

• Obligations, if it receives protected health information.

What are the Plan Sponsor’s

Obligations?

Page 33: HIPAA: Everything You Need to Know

• HIPAA Privacy Policy

• HIPAA Privacy Use and Disclosures

• Notice of Privacy Practices

• Business Associate Contracts

• Authorization for Release of Information

• Amendment to Health Plan Document

• Amendment to Health Plan SPD

• Plan Sponsor Certification to Health Plan

What Documents are Needed

to Comply?

Page 34: HIPAA: Everything You Need to Know

• Documents for Implementing Individual Rights:

Request to inspect or copy PHI

Request to amend or correct PHI

Request for Accounting of Disclosures of PHI

Request for restrictions on Use or Disclosure of PHI

What Documents are Needed

to Comply?

Page 35: HIPAA: Everything You Need to Know

• Health plans are allowed to use or disclose PHI in the following circumstances:

as required in accordance with an individual’s right to access PHI;

for covered functions (i.e., treatment, payment, or health care operations);

with respect to specific types of information after the opportunity to agree or object;

pursuant to an individual’s authorization; and

as required or permitted under HIPAA’s public policy exceptions and a limited data set may be disclosed when certain requirements are met.

Consent Issues -

INTRODUCTION

Page 36: HIPAA: Everything You Need to Know

• A health plan may use and disclose PHI without authorization:

For its own treatment, payment, and health care operations;

For the treatment activities of another health care provider;

To another covered entity for the payment activities of the entity receiving the information, and

To another covered entity for certain health care operations activities of the entity that receives the information if each entity has (or had) a relationship with the individual who is the subject of the PHI, the PHI pertains to such relationship, and the purpose of the disclosure is one of those listed in the regulations.

45 CFR §164.501

For Treatment, Payment and

Health Care Operations

Page 37: HIPAA: Everything You Need to Know

• The health plan may use and disclose PHI if the individual has had the opportunity to prohibit the disclosure of such information in advance, with regard to:

Disclosures of limited types of information to family members or close personal friends of the individual for care, payment for care, notification, and disaster relief purposes; and

Uses and disclosures of limited types of information for facility directory purposes (generally not applicable to health plans).

Exceptions

Requiring an Opportunity

to Agree or Object

Page 38: HIPAA: Everything You Need to Know

• Individual authorizations are required whenever the use or disclosure is not permitted under privacy rules.

• May request authorization for another entity for:

Any purpose.

But especially, before sending any marketing material.

Requiring Individual

Authorizations

Page 39: HIPAA: Everything You Need to Know

• Health plans may disclose PHI without authorization:

If required by law;

To certain designated public agencies, individuals and the employer;

Regarding an individual if a victim of designated abuse and certain other conditions are met;

To a health oversight agency;

In response to certain court proceedings;

To law enforcement officials if certain conditions are met;

To a coroner or medical examiner for ID purposes;

To organ procurement organizations for transplant purposes;

To prevent health threat;

For certain specified government purposes;

To comply with Workers’ Compensation purposes.

45 CFR §164.512

Without Individual

Authorization

Page 40: HIPAA: Everything You Need to Know

• Covered entities must recognize a personal representative’s authority and provide information within that authority.

• But certain exceptions do apply.

• Parent’s authority.

• Spouse’s authority.

45 CFR §164.502(b)

Personal Representatives,

Minors and Spouses

Page 41: HIPAA: Everything You Need to Know

• What is Required?

Health plans must establish policies and procedures with respect to PHI that comply with:

• HIPAA standards,

• Implementation specifications,

• Other requirements.

Privacy Policy and Procedures

Page 42: HIPAA: Everything You Need to Know

• Who is required to provide notices?

Covered entities (Health Plan)

• What must the notices describe?

Uses and disclosures of PHI that may be made by the covered entity,

Individual’s rights, and

Health plan’s legal duties with respect to PHI.

Privacy Notices

Page 43: HIPAA: Everything You Need to Know

• What are a health plan’s duties?

Must provide own privacy notices if it has access to PHI.

A health plan may arrange to have another entity provide notice, but will be responsible if no notice is provided.

Privacy Notices

Page 44: HIPAA: Everything You Need to Know

• A health plan must designate a privacy official.

• Privacy official is responsible for the development and implementation of policies and procedures.

• A privacy officer must be designated for each subsidiary that is a covered entity.

A single corporate officer could be designated for multiple subsidiaries.

Privacy Official

Page 45: HIPAA: Everything You Need to Know

• Covered entities must designate a contact person or office for receiving complaints.

Such designation must be documented.

Contact person must be able to provide additional information about matters that are covered in privacy notice.

Contact Person

Page 46: HIPAA: Everything You Need to Know

• Apply to the electronic storage and transmission of PHI.

• General effective date - April 21, 2006.

• Covered entities must implement appropriate administrative, technical and physical safeguards for PHI.

• Privacy rules require “appropriate safeguards” for protecting PHI.

• No guidelines for PHI in oral, written or non-electronic form.

45 CFR § 160.103

Health Care Security

Requirements

Page 47: HIPAA: Everything You Need to Know

• What information must be protected?

Any information transmitted by electronic media, maintained in electronic media or maintained in other form or medium.

What is electronic media?

• Certain transmissions are not covered.

Health Care Security

Requirements

Page 48: HIPAA: Everything You Need to Know

• What are the four general security requirements?

Ensure the confidentiality, integrity and availability of all electronic PHI that the covered entity creates, receives, maintains or transmits.

Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required.

Ensure compliance by the workforce.

Health Care Security

Requirements

Page 49: HIPAA: Everything You Need to Know

• What are the security standards?

Administrative safeguards,

Physical safeguards, and

Technical safeguards.

• Covered entities must:

use reasonable and appropriate measures to accomplish the requirements.

engage in risk analysis to determine how to comply.

Health Care Security

Requirements

Page 50: HIPAA: Everything You Need to Know

• All covered entities must standardize the format and content of all electronic transactions when engaging in “covered transactions.”

• These are called the EDI Standards. 45 CFR § 162.923(a).

Electronic Transaction

Requirements

Page 51: HIPAA: Everything You Need to Know

• What are “covered transactions”?

Health claims and equivalent encounter information,

Eligibility for health plan,

Referral certification and authorization,

Health claim status,

Enrollment and disenrollment in a health plan,

Health care electronic funds transfer (EFT),

Health plan premium payments,

Coordination of benefits,

First report of injury,

Health claims attachments, and

Other transactions.

Electronic Transaction

Requirements

Page 52: HIPAA: Everything You Need to Know

• What are the EDI Standards requirements?

Covered entities in conducting covered transactions must use standardized formats and content, as well as uniform codes in communicating with other entities.

Only those entities who conduct “standard transactions” electronically or engage others to do so are subject to EDI standards.

Health plans are considered to be covered entities and must comply with the EDI Standards, along with the additional requirements.

Electronic Transaction

Requirements

Page 53: HIPAA: Everything You Need to Know

• What transactions and transmissions are covered?

Is the entity conducting the transaction a covered entity (or its business associate)?

Does the transaction fall within the definition of one of the covered transactions?

• Covered entities must comply with the EDI Standards in certain stated transactions.

• Transactions within a covered entity are subject to the EDI Standards.

Electronic Transaction

Requirements

Page 54: HIPAA: Everything You Need to Know

• EDI Requirements:

Applies to transactions transmitted using electronic media.

Does not apply to any transactions conducted in paper or over the telephone.

Does not apply to noncovered entities.

Does not apply to group health plans with under 50 participants.

Does not apply to health plan sponsors because they are not covered entities.

Electronic Transaction

Requirements

Page 55: HIPAA: Everything You Need to Know

• A group health plan may not share PHI with plan sponsor except for disclosure of:

De-identified information,

Group health plan enrollment and disenrollment information,

Limited summary health information for insurance placement and settlor function,

PHI to plan sponsor personnel involved in plan administration when certain requirements are met, and

Pursuant to authorization.

Final Thoughts: Sharing PHI

with Plan Sponsor

Page 56: HIPAA: Everything You Need to Know

• Health plans cannot provide access to PHI to plan sponsors without certain plan provisions and safeguards.

• Disclosure must be for “plan administrative functions.”

• Health care providers and health plans may use and disclose PHI with an individual’s “authorization” for any purpose provided in the authorization.

Certain Employer Functions

Require Authorization

Page 57: HIPAA: Everything You Need to Know

• These functions include:

Plan must not condition treatment or payment on receipt of an authorization.

In some circumstances, an employer may condition employment on receipt of authorization.

Authorization may be required to obtain PHI for purposes of FMLA or ADA.

An authorization may be required for an employer to assist employee with a claim.

An authorization may be required for an employer to receive reports from EAP.

Certain Employer Functions

Require Authorization

Page 58: HIPAA: Everything You Need to Know

• HIPAA includes numerous exceptions to broad use and disclosure rules.

• Common employer practices that fall under these exceptions:

State/Federal disclosure requirements,

Workers’ compensation, and

Health information contained in employment records.

Exceptions for Some Common

Employer Practices

Page 59: HIPAA: Everything You Need to Know

• Change office behavior

Shred pertinent documents; do not simply discard them.

Prohibit staff from accessing a participant’s medical records to learn a neighbor’s birthday or to satisfy a similar form of curiosity.

Do not leave messages about a participant’s health on an answering machine or with someone other than the patient or doctor.

Avoid discussions about a participant’s claims in elevators, cafeterias or other public places.

Avoid paging participants using identifiable information.

Do not fax information without knowing that the person to whom the fax is addressed is ready to receive it.

Do not allow faxes to sit on an office machine where unauthorized people may see them.

Special Concerns

Page 60: HIPAA: Everything You Need to Know

Questions?

Page 61: HIPAA: Everything You Need to Know

• Larry Grudzien

Phone: 708-717-9638

Email: [email protected]

Website: www.larrygrudzien.com

Contact Information