HIPAA Privacy: Establishing a Compliance Plan. Mazursky & Dunaway LLP, Monarch Tower Suite 2400, 3424 Peachtree Road, Atlanta, Georgia 30326-1118



Presented by:

Randall D. Grayson
Monarch Tower, Suite 2400
3424 Peachtree Road
Atlanta, Georgia 30326-1118
Main: 404.888.8820
Direct: 404.888.8852
Fax: [email protected]

A Human Resources Law Firm


HIPAA Privacy Presentation Outline

Overview of HIPAA Privacy Regulations

Organizing the Privacy Compliance Project

Key Components of the Privacy Project

The Three Elements of HIPAA

Privacy
– Individual rights to control health information
– Restrictions on uses and disclosures

Security
– Limited access to electronic systems
– Physical controls

Electronic Data Interchange
– Standardized code sets for transactions
– Uniform Medicare and Medicaid claims

Where Are We Now?

Administrative Simplification Act delays effective date for Electronic Data Interchange Standards
– Request for extension and compliance plan were due October 16, 2002

Final Security regulations published Tuesday, Feb. 18

Privacy Amendments finalized August 2002

Standardized electronic identifier standards slowly appearing
– EIN to identify employers

HIPAA Privacy Regulations: The Big Picture

Regulations are applicable to
– Health plans
– Health care providers
– Health care clearinghouses

April 14, 2003 effective date for large health plans (50 or more participants, $5 million in annual receipts)

What is a Small Health Plan?

Insured plans = total premiums

Self-funded plans = claims paid + administrative fees
– Does NOT include premiums for stop-loss insurance

If you are under the receipts test, HHS guidance suggests that the number of participants does not matter.

Small health plans have an extra 12 months to comply.


HIPAA Privacy Rule

“Covered Entities” may not use or disclose an individual’s “Protected Health Information” without written authorization except for certain specified purposes.

Where Do Employers Fit In?

Plan sponsors are not covered entities

Plan administrators are covered entities

New regulations exclude “employment records” from privacy requirements

Focus on the purpose and need for individually identifiable health information to determine covered or not covered activities


Where do Group Plans Fit In?

Employers acting as plan administrators are covered entities

Self-funded plan must comply, depending on level of plan administration

The insurer is deemed the “health plan” covered entity in a fully-insured health plan

An employer may receive protected health information even if not administering a plan

Common Plan Administration Issues

Employee concerns or questions

Enrollment forms requesting health information
– Pre-existing condition exclusion review

Benefits Committee resolving appeals

Claim payment audits

Employment Records Exclusion

Employment records held by a covered entity in its role as an employer

Standard was intentionally broad and vague

Focus is on the reason for which the employer/covered entity obtained the information, e.g.,
– Processing an appeal under the group health plan
– Certifying a request for sick leave

Why Covered Entity Status Might Not Matter

Employment laws contain other restrictions on use of medical information
– ADA calls records “confidential medical record”

Preemption Analysis
– More stringent state laws are not preempted by HIPAA Privacy requirements
– Tort law (e.g., invasion of privacy) could be more stringent state law
– HIPAA provides a road map for negligence standard

Exclusion for Enrollment Information

Covered Entity can share enrollment information with a Plan Sponsor (Employer) without authorization

If Plan Sponsor provides enrollment information, the Covered Entity must treat it as protected health information

HIPAA Privacy Definitions

Protected Health Information (PHI) is:
– Individually identifiable information (oral or recorded in any form or medium)
– Created, maintained or received by a health plan or provider
– Related to the past, present or future physical or mental condition of, or the provision of or payment for health care for, an individual

Employers can receive PHI without authorization if:
– Health plan documents are amended to impose specified limits on the use and disclosure of PHI
– PHI is used for purposes of claim appeals, audits or other administrative purposes (TPO)

HIPAA Privacy Definitions

Permitted uses of PHI without authorization
– Treatment = medical care
– Payment = claims processing and appeals
– Operations
  Underwriting, cost containment
  Internal grievances, medical peer review
  Quality assessment, utilization review
  Accreditation, licensing, credentialing

Key for TPO use is Notice of Privacy Practices

HIPAA Privacy Definitions

Notice of Privacy Practices
– If plan sponsor uses PHI it must create its own Notice

Consent
– Health provider no longer required to get consent for each service
– Consent may be obtained. State laws may be applicable

Authorization
– Individual written authorizations permitting a particular use of PHI (marketing or research)

HIPAA Privacy Definitions

Business Associates
– Consultants, claims administrators, actuaries, etc.

Business Associates who create or receive PHI must agree in writing to comply with HIPAA Privacy requirements, even if not a covered entity otherwise

New amendments contain sample language for business associate contracts

HIPAA Privacy Definitions

Minimum Necessary
– Even when utilizing PHI for appropriate purposes
– Reasonableness standard

De-Identified Information
– Data that cannot reasonably identify an individual
– Safe harbor by eliminating identifying characteristics

Summary Health Information
– De-identified health information with zip code data used for underwriting, securing bids, etc.

De-Identified Information: The Named Identifiers

Names
Geographic subdivisions smaller than a State
Dates related to individual (birth, discharge, age over 89)
Telephone or fax number
E-mail address
Social Security number
Medical record number
Health plan beneficiary numbers
Account numbers
Certificate/license numbers
Vehicle identifiers and serial numbers, license plates
Device identifiers and serial numbers
URLs
Internet Protocol address
Biometric identifiers (fingerprints)
Photographs
“Any other unique characteristic”
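The safe-harbor list above is mechanical enough to be applied in code. The following Python is an added example, not part of the presentation or of Mazursky & Dunaway's materials: it drops the direct identifiers, drops geographic fields below the state level, reduces dates to the year, collapses ages over 89 into a single “90+” bucket (dropping the birth year in that case, since it would reveal the age), and then scans every remaining string for identifiers that were typed into free text. The field names and the sample record are constructed assumptions for illustration only.

```python
import re

# Added example: safe-harbor style de-identification of a plan record.
# Field names and the sample record are constructed for illustration; they are
# not from the presentation or from any real system.

# Fields holding direct identifiers from the named-identifier list; dropped outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "medical_record_no",
    "beneficiary_no", "account_no", "license_no", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "photo",
}
# Geographic subdivisions smaller than a state; dropped, the state itself is kept.
SUB_STATE_GEO_FIELDS = {"street", "city", "county", "zip"}
# Dates related to the individual; reduced to the year.
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}
BIRTH_DATE_FIELD = "dob"

# Patterns for identifiers that tend to leak through free-text fields.
# Order matters: the SSN pattern is tried before the phone pattern.
RESIDUAL_PATTERNS = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("phone", re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("url", re.compile(r"\bhttps?://\S+")),
    ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("date", re.compile(r"\b\d{4}-\d{2}-\d{2}\b")),
]


def year_only(value: str) -> str:
    """Reduce an ISO date (YYYY-MM-DD) to its year, the only date element kept."""
    m = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", value)
    if not m:
        raise ValueError(f"unrecognised date format: {value!r}")
    return m.group(1)


def age_bucket(age: int) -> str:
    """Ages over 89 are collapsed into one '90+' category."""
    return "90+" if age > 89 else str(age)


def find_residual_identifiers(text: str) -> list:
    """Return (kind, match) pairs for identifier-like strings left in free text."""
    return [(kind, m.group(0)) for kind, pat in RESIDUAL_PATTERNS for m in pat.finditer(text)]


def redact_free_text(text: str) -> str:
    """Replace every residual identifier with a labelled placeholder."""
    for kind, pat in RESIDUAL_PATTERNS:
        text = pat.sub(f"[REDACTED {kind}]", text)
    return text


def deidentify(record: dict) -> dict:
    """Apply the safe-harbor treatment field by field and scrub remaining strings."""
    over_89 = int(record.get("age", 0)) > 89
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS or key in SUB_STATE_GEO_FIELDS:
            continue                               # identifier removed entirely
        if key in DATE_FIELDS:
            if key == BIRTH_DATE_FIELD and over_89:
                continue                           # birth year would reveal age over 89
            out[key] = year_only(value)            # keep the year only
        elif key == "age":
            out[key] = age_bucket(int(value))
        elif isinstance(value, str):
            out[key] = redact_free_text(value)     # identifiers typed into notes etc.
        else:
            out[key] = value
    return out


# Constructed sample record (fictitious values).
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "dob": "1930-04-12",
    "age": 92,
    "street": "1 Example Street",
    "city": "Atlanta",
    "state": "GA",
    "zip": "30326",
    "ssn": "123-45-6789",
    "email": "jane.sample@example.com",
    "admit_date": "2002-11-03",
    "discharge_date": "2002-11-07",
    "claim_type": "inpatient",
    "notes": "Follow-up call to 404-555-0100 requested; see visit of 2002-11-05.",
}

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_RECORD)
    print(cleaned)
    # Verification step: nothing identifier-like should survive in any string field.
    leaks = [(k, find_residual_identifiers(v)) for k, v in cleaned.items()
             if isinstance(v, str) and find_residual_identifiers(v)]
    print("residual identifiers:", leaks or "none")
```

The free-text scan is the part most often skipped in practice: structured fields are easy to drop, but a phone number or visit date pasted into a notes column re-identifies the record just as well. The regular expressions here are deliberately simple and will miss formats they do not anticipate, so a review of the output is still needed. The slide's wording drops all geography below the state; the safe-harbor rule itself also permits the first three digits of a ZIP code when the area they cover is populous enough, which this example does not implement.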


A Model for Avoiding Privacy Regulations

“Hands-off” plan administration

De-identified health information only

Clear contractual and plan delegation of administration responsibilities to Business Associates

A Model for Complying with Privacy Regulations

Define and limit employees with access to PHI

Define permitted uses of PHI

Create policies and procedures

Notice of Privacy Practices

Individual rights – correction, audit, review, complaint procedure

Special Issues

Marketing
– New drugs, treatments or benefits offered by an entity other than the Insurer
– Pharmaceutical advertising

Physician, Hospital, or Provider Quality Review
– Performance objectives
– Financial rewards to providers for outcomes

Research
– Independent review board exemptions
– Disclosures and authorizations

Other Special Issues

Public Health Agencies

Law Enforcement Officials

Subpoenas or Court Orders

On-site clinics
– OSHA, workers’ compensation and other workplace safety rules

Wellness programs or employee health initiatives


WHAT NOW?

Less than two months until compliance date

What do I need to do? Where do I start? How do I get organized?

Modular Approach to HIPAA Compliance

Assessment – “Surveying the Terrain”

Design – “Bridging the Gap”

Drafting – “Putting Pen to Paper”

Implementation – “Turning Words Into Action”

MODULE ONE - SURVEYING THE TERRAIN

Identifying Current Practices

Kickoff Meeting
– M&D presents HIPAA Privacy Overview
– Client discussion of privacy practices and its needs and preferences
– M&D tailors assessment worksheets for client’s situation
– Client completes M&D assessment worksheets

Gap Analysis
– M&D prepares Gap Analysis Report identifying gaps between HIPAA requirements and client practices
– Client identifies its key issues from Gap Analysis Report

MODULE TWO - BRIDGING THE GAP

Who is in Charge?
– M&D outlines job descriptions and assignments for compliance personnel
– Client identifies privacy officer and other compliance personnel
– M&D outlines policies and procedures and organization structure tailored to client

Developing the Rules
– M&D and Client define business associate relationships and business associate responsibilities
– M&D and Client develop processes for uses of protected information
– M&D organizes format of policies, procedures and workflows

MODULE THREE – PUTTING PEN TO PAPER

Internal Guidance
– M&D drafts policies and procedures for handling protected information
– M&D designs training program for personnel
– M&D drafts job descriptions for compliance personnel
– M&D and Client develop rules for dealing with HIPAA “exceptions”

Protecting Individual Rights
– Client develops internal procedures for individual access, accounting, and requests to amend protected information

Notices and Contracts
– M&D develops notice of privacy practices
– M&D amends client’s plan documents
– M&D and Client amend business associate contracts

MODULE FOUR - TURNING WORDS INTO ACTION

Training for the Future
– M&D designs training materials for compliance personnel
– M&D trains the trainer and initial compliance personnel
– Client trains future compliance personnel

Ongoing Documentation
– Client creates recordkeeping process documenting HIPAA compliance
– Client executes business associate contracts

The End and the Beginning…
– M&D provides compliance report detailing success of HIPAA project
– Client proceeds in full compliance with HIPAA privacy regulations

MODULE ONE - SURVEYING THE TERRAIN

Module One Key Concepts

Finding Protected Health Information
– Individually Identifiable Health Information
– Who uses it and what for?

Defining Covered Entity Functions
– Payment, Treatment, Operations
– Marketing, Research

The Role of the Business Associate

Internal Operating Structures


Business Associate Issues

Identify the service that is being performed by the Business Associate and evaluate necessity

What protected health information is currently being used?

Are changes to information sharing and defined responsibilities appropriate?

Organizational Structure Issues

Who should have access to PHI?

What uses of PHI are necessary?

Who has the authority and the ability to serve as a Privacy Officer?

Can PHI be separated from health information in non-covered employment records?


Protected Health Information Workflow Issues

Where can PHI be limited?

Where is PHI absolutely necessary to the operations of the entity?

How is PHI walled-off from other members of the organization?

Final Assessments

Identify where the Plan is and is not in compliance with HIPAA

Recommend operations modifications

Inventory of policies, procedures and documents needed

The foundation for creating a compliance plan

MODULE TWO - BRIDGING THE GAP


Module Two Key Concepts

Making Plan Design Choices

Creating Operating Rules

Defining Responsible Parties

Defining Proper Uses of PHI Inside the Organization

Claims appeals (Payment)

Plan exceptions (Treatment)

Cost controls by plan design (Operations)

Adding or eliminating benefits (Operations)
– E.g., pharmacy formulary modifications

Physician or provider quality review (Operations)

Defining Roles

Business Associates
– What is the role of the Business Associate in handling protected health information?

Privacy Officer

Individuals authorized to access protected health information
– Limits on access
– Limits on uses and disclosures of PHI

Other Employment Uses of Medical Information

Will similar restrictions be placed on uses and disclosures of employment records?

Will privacy be a company-wide initiative?

Is there a “HIPAA Lite” for other uses of medical information?

MODULE THREE – PUTTING PEN TO PAPER

Module Three Key Concepts

Business Associate Contracts

Internal Operating Policies and Procedures

Notice of Privacy Practices

Summary Plan Description

Plan Document Amendments

Other forms or documents?

Internal Operations Issues

Designate group or persons who receive and use information

Define in writing proper uses and disclosures of information

Require de-identified information when possible

Name a Privacy Officer

Individualized policies for security of records

Notice of Privacy Practices

Health Plan must provide notice to participants
– Summary Plan Description
– Annual Notice
– Posted in Human Resources Department
– Available upon request

Limited Uses of PHI, Individual Rights, and Remedies

Business Associate Contracts

Written acknowledgement of HIPAA Privacy practices
– Limited use of PHI
– Appropriate safeguards on PHI
– Access for individuals?
– Duty to mitigate improper disclosures?

Indemnification Provision?

Written Documents: Content of Contracts

Carefully review administrative services agreements

Correctly distribute compliance duties

Negotiate indemnification provisions

Proper description of uses and disclosures of protected health information is critical to an effective contract

Post-contract destruction or return of records

HIPAA Documents

Policies for Individual Access?

Policies for the Special Exceptions?

Do Not Forget:
– Summary Plan Descriptions
– Welfare Wrap Plan Documents
– Separate Notice of Privacy Practices


Module Four Key Concepts

Training of responsible individuals

Keep records of compliance

Ongoing compliance efforts


Training Programs

Design appropriate training programs for all responsible individuals

Determine appropriate level of education programs for responsible individuals

“Train the Trainer” concept

Look Before You Leap

Marketing
– New drugs, treatments or benefits offered by an entity other than the Insurer
– Pharmaceutical advertising

Scientific Research or Studies

Physician, Hospital, or Provider Quality Review
– Performance objectives
– Financial rewards to providers for outcomes

Employment Uses
– Hiring and firing decisions

Effective Date and Beyond

Allow individuals access to PHI
– Accounting of disclosures (non-TPO for past six years)
– Opportunity to correct PHI

Provide participants with grievance procedures

Privacy officer reports compliance efforts
– Document compliance actions

Train new employees in handling of PHI

Update privacy policies and procedures

Electronic data interchange will continue to evolve

Questions
