TRANSCRIPT
HIPAA Privacy Establishing a Compliance Plan
Mazursky & Dunaway LLP, Monarch Tower, Suite 2400, 3424 Peachtree Road, Atlanta, Georgia 30326-1118
Presented by:
Randall D. Grayson
Monarch Tower, Suite 2400, 3424 Peachtree Road, Atlanta, Georgia 30326-1118
Main: 404.888.8820, Direct: 404.888.8852, Fax: [email protected]
A Human Resources Law Firm
HIPAA Privacy Presentation Outline
Overview of HIPAA Privacy Regulations
Organizing the Privacy Compliance Project
Key Components of the Privacy Project
The Three Elements of HIPAA
Privacy
– Individual rights to control health information
– Restrictions on uses and disclosures
Security
– Limited access to electronic systems
– Physical controls
Electronic Data Interchange
– Standardized code sets for transactions
– Uniform Medicare and Medicaid claims
Where Are We Now?
Administrative Simplification Compliance Act delays the compliance date for the Electronic Data Interchange standards
– Request for extension and compliance plan were due October 16, 2002
Final Security regulations published Tuesday, Feb. 18, 2003
Privacy Amendments finalized August 2002
Standardized electronic identifier standards slowly appearing
– EIN to identify employers
HIPAA Privacy Regulations: The Big Picture
Regulations are applicable to
– Health plans
– Health care providers
– Health care clearinghouses
April 14, 2003 compliance date for health plans other than small health plans (annual receipts of more than $5 million; the receipts and participant-count tests are covered under "What is a Small Health Plan?" below)
What is a Small Health Plan?
A health plan with annual receipts of $5 million or less
– Insured plans: receipts = total premiums
– Self-funded plans: receipts = claims paid + administrative fees
– Does NOT include premiums for stop-loss insurance
If you are under the receipts test, HHS guidance suggests that number of participants does not matter.
Small Health Plans have an extra 12 months to comply (April 14, 2004)
HIPAA Privacy Rule
“Covered Entities” may not use or disclose an individual’s “Protected Health Information” without written authorization except for certain specified purposes.
Where Do Employers Fit In?
Plan sponsors are not covered entities
Plan administrators are covered entities
New regulations exclude “employment records” from privacy requirements
Focus on the purpose and need for individually identifiable health information to determine covered or not covered activities
Where do Group Plans Fit In?
Employers acting as plan administrators are covered entities
Self-funded plan must comply, depending on level of plan administration
The insurer is deemed the “health plan” covered entity in a fully-insured health plan
An employer may receive protected health information even if not administering a plan
Common Plan Administration Issues
Employee concerns or questions
Enrollment forms requesting health information
– Pre-existing condition exclusion review
Benefits Committee resolving appeals
Claim payment audits
Employment Records Exclusion
Employment records held by a covered entity in its role as an employer
Standard was intentionally broad and vague
Focus is on the reason for which the employer/covered entity obtained the information, e.g.,
– Processing an appeal under the group health plan
– Certifying a request for sick leave
Why Covered Entity Status Might Not Matter
Employment laws contain other restrictions on use of medical information
– ADA calls records a “confidential medical record”
Preemption Analysis
– More stringent state laws are not preempted by HIPAA Privacy requirements
– Tort law (e.g., invasion of privacy) could be more stringent state law
– HIPAA provides a road map for a negligence standard
Exclusion for Enrollment Information
Covered Entity can share enrollment information with a Plan Sponsor (Employer) without authorization
If Plan Sponsor provides enrollment information, the Covered Entity must treat as protected health information
HIPAA Privacy Definitions
Protected Health Information (PHI) is:
– Individually identifiable information (oral or recorded in any form or medium)
– Created, maintained or received by a health plan or provider
– Related to the past, present or future physical or mental condition of, or the provision of or payment for health care for, an individual
Employers can receive PHI without authorization if:
– Health plan documents are amended to impose specified limits on the use and disclosure of PHI
– PHI is used for purposes of claim appeals, audits or other administrative purposes (TPO)
HIPAA Privacy Definitions
Permitted uses of PHI without authorization
– Treatment = medical care
– Payment = claims processing and appeals
– Operations = underwriting, cost containment; internal grievances, medical peer review; quality assessment, utilization review; accreditation, licensing, credentialing
Key for TPO use is Notice of Privacy Practices
HIPAA Privacy Definitions
Notice of Privacy Practices
– If the plan sponsor uses PHI it must create its own Notice
Consent
– Health care providers are no longer required to obtain consent for each service
– Consent may still be obtained; state laws may be applicable
Authorization
– Individual written authorizations permitting a particular use of PHI (marketing or research)
HIPAA Privacy Definitions
Business Associates– Consultants, claims administrators, actuaries, etc.
Business Associates who create or receive PHI must agree in writing to comply with HIPAA Privacy requirements, even if not a covered entity otherwise
New amendments contain sample language for business associate contracts
HIPAA Privacy Definitions
Minimum Necessary
– Applies even when utilizing PHI for appropriate purposes
– Reasonableness standard
De-Identified Information
– Data that cannot reasonably identify an individual
– Safe harbor by eliminating the listed identifying characteristics
Summary Health Information
– Claims-level health information with the de-identification identifiers removed, except that five-digit zip code may remain
– May be disclosed to the plan sponsor for underwriting, securing premium bids, or modifying or amending the plan
De-Identified Information: The Named Identifiers
– Names
– Geographic subdivisions smaller than a State (the initial three digits of a zip code may be kept when the area they cover holds more than 20,000 people)
– Dates (other than year) directly related to an individual (birth, admission, discharge, death) and all ages over 89
– Telephone or fax number
– E-mail address
– Social Security number
– Medical record number
– Health plan beneficiary numbers
– Account numbers
– Certificate/license numbers
– Vehicle identifiers and serial numbers, license plates
– Device identifiers and serial numbers
– URLs
– Internet Protocol address
– Biometric identifiers (finger prints)
– Full-face photographs and comparable images
– “Any other unique characteristic”
A Model for Avoiding Privacy Regulations
“Hands-off” plan administration
De-identified health information only
Clear contractual and plan delegation of administration responsibilities to Business Associates
A Model for Complying with Privacy Regulations
Define and limit employees with access to PHI
Define permitted uses of PHI
Create policies and procedures
Notice of Privacy Practices
Individual rights – correction, audit, review, complaint procedure
Special Issues
Marketing
– New drugs, treatments or benefits offered by an entity other than the Insurer
– Pharmaceutical advertising
Physician, Hospital, or Provider Quality Review
– Performance objectives
– Financial rewards to providers for outcomes
Research
– Independent review board exemptions
– Disclosures and authorizations
Other Special Issues
Public Health Agencies
Law Enforcement Officials
Subpoenas or Court Orders
On-site clinics
– OSHA, workers’ compensation and other workplace safety rules
Wellness programs or employee health initiatives
WHAT NOW?
Less than two months until compliance date
What do I need to do? Where do I start? How do I get organized?
Modular Approach to HIPAA Compliance
Assessment– “Surveying the Terrain”
Design– “Bridging the Gap”
Drafting– “Putting Pen to Paper”
Implementation– “Turning Words Into Action”
MODULE ONE - SURVEYING THE TERRAIN
Kickoff Meeting
– M&D presents HIPAA Privacy Overview
– Client discussion of privacy practices and its needs and preferences
Identifying Current Practices
– M&D tailors assessment worksheets for client’s situation
– Client completes M&D assessment worksheets
Gap Analysis
– M&D prepares Gap Analysis Report identifying gaps between HIPAA requirements and client practices
– Client identifies its key issues from Gap Analysis Report
MODULE TWO - BRIDGING THE GAP
Who is in Charge?
– M&D outlines job descriptions and assignments for compliance personnel
– Client identifies privacy officer and other compliance personnel
Developing the Rules
– M&D outlines policies and procedures and organization structure tailored to client
– M&D and Client define business associate relationships and business associate responsibilities
– M&D and Client develop processes for uses of protected information
– M&D organizes format of policies, procedures and workflows
MODULE THREE – PUTTING PEN TO PAPER
Internal Guidance
– M&D drafts policies and procedures for handling protected information
– M&D designs training program for personnel
– M&D drafts job descriptions for compliance personnel
– M&D and Client develop rules for dealing with HIPAA “exceptions”
Protecting Individual Rights
– Client develops internal procedures for individual access, accounting, and requests to amend protected information
Notices and Contracts
– M&D develops notice of privacy practices
– M&D amends client’s plan documents
– M&D and Client amend business associate contracts
MODULE FOUR - TURNING WORDS INTO ACTION
Training for the Future
– M&D designs training materials for compliance personnel
– M&D trains the trainer and initial compliance personnel
– Client trains future compliance personnel
Ongoing Documentation
– Client creates recordkeeping process documenting HIPAA compliance
– Client executes business associate contracts
– M&D provides compliance report detailing success of HIPAA project
The End and the Beginning…
– Client proceeds in full compliance with HIPAA privacy regulations
MODULE ONE - SURVEYING THE TERRAIN
Module One Key Concepts
Finding Protected Health Information
– Individually Identifiable Health Information
– Who uses it and what for?
Defining Covered Entity Functions
– Payment, Treatment, Operations
– Marketing, Research
The Role of the Business Associate
Internal Operating Structures
Business Associate Issues
Identify the service that is being performed by the Business Associate and evaluate necessity
What protected health information is currently being used?
Are changes to information sharing and defined responsibilities appropriate?
Organizational Structure Issues
Who should have access to PHI?
What uses of PHI are necessary?
Who has the authority and the ability to serve as a Privacy Officer?
Can PHI be separated from health information in non-covered employment records?
Protected Health Information Workflow Issues
Where can PHI be limited?
Where is PHI absolutely necessary to the operations of the entity?
How is PHI walled-off from other members of the organization?
Final Assessments
Identify where the Plan is and is not in Compliance with HIPAA
Recommend Operations Modifications
Inventory of Policies, Procedures and Documents Needed
The Foundation for Creating a Compliance Plan
MODULE TWO - BRIDGING THE GAP
Module Two Key Concepts
Making Plan Design Choices
Creating Operating Rules
Defining Responsible Parties
Defining Proper Uses of PHI Inside the Organization
Claims appeals (Payment)
Plan exceptions (Treatment)
Cost controls by plan design (Operations)
Adding or Eliminating benefits (Operations)
– E.g., Pharmacy formulary modifications
Physician or Provider Quality Review (Operations)
Defining Roles
Business Associates
– What is the role of the Business Associate in handling protected health information?
Privacy Officer
Individuals authorized to access protected health information
– Limits on access
– Limits on uses and disclosures of PHI
Other Employment Uses of Medical Information
Will similar restrictions be placed on uses and disclosures of employment records?
Will privacy be a company wide initiative?
Is there a “HIPAA Lite” for other uses of medical information?
MODULE THREE – PUTTING PEN TO PAPER
Module Three Key Concepts
Business Associate Contracts
Internal Operating Policies and Procedures
Notice of Privacy Practices
Summary Plan Description
Plan Document Amendments
Other forms or documents?
Internal Operations Issues
Designate group or persons who receive and use information
Define in writing proper uses and disclosures of information
Require de-identified information when possible
Name a Privacy Officer
Individualized policies for security of records
Notice of Privacy Practices
Health Plan must provide notice to participants
– Summary Plan Description
– Annual Notice
– Posted in Human Resources Department
– Available upon request
Limited Uses of PHI, Individual Rights, and Remedies
Business Associate Contracts
Written acknowledgement of HIPAA Privacy practices
– Limited use of PHI
– Appropriate safeguards on PHI
– Access for individuals?
– Duty to mitigate improper disclosures?
Indemnification Provision?
Written Documents: Content of Contracts
Carefully review administrative services agreements
Correctly distribute compliance duties
Negotiate indemnification provisions
Proper description of uses and disclosures of protected health information is critical to an effective contract
Post-contract destruction or return of records
HIPAA Documents
Policies for Individual Access?
Policies for the Special Exceptions?
Do Not Forget:
– Summary Plan Descriptions
– Welfare Wrap Plan Documents
– Separate Notice of Privacy Practices
MODULE FOUR - TURNING WORDS INTO ACTION
Module Four Key Concepts
Training of responsible individuals
Keep records of compliance
Ongoing compliance efforts
Training Programs
Design appropriate training programs for all responsible individuals
Determine appropriate level of education programs for responsible individuals
“Train the Trainer” concept
Look Before You Leap
Marketing
– New drugs, treatments or benefits offered by an entity other than the Insurer
– Pharmaceutical advertising
Scientific Research or Studies
Physician, Hospital, or Provider Quality Review
– Performance objectives
– Financial rewards to providers for outcomes
Employment Uses
– Hiring and firing decisions
Effective Date and Beyond
Allow individuals access to PHI
– Accounting of disclosures (non-TPO disclosures for the past six years)
– Opportunity to correct PHI
Provide participants with grievance procedures
Privacy officer reports compliance efforts
– Document compliance actions
Train new employees in handling of PHI
Update privacy policies and procedures
Electronic data interchange will continue to evolve