HIPAA Privacy for Employers 101
-
Upload
benefitexpress -
Category
Recruiting & HR
-
view
764 -
download
3
Transcript of HIPAA Privacy for Employers 101
General Requirements
“Health plans are required to protect and safeguard a participant’s or
covered dependent’s personal health information (PHI) from
impermissible use or disclosure and they must obtain a patient’s
content for certain uses and disclosures.
• What is required to protect information?
• What information is protected?
• What steps must a health plan and the employer do to comply?
Health plans must:
• Establish written policies and procedures to protect PHI.
• Protect and safeguard a participant’s or covered dependent’s personal
health information (PHI).
• Obtain participant’s or covered dependent’s written permission for certain
uses of PHI.
• Notify a participant and/or covered participant of policies of disclosure
and use of PHI.
• Report impermissible use or disclosure of PHI.
• Allow a participant and/or covered dependent to inspect or copy his or
her PHI.
• Use and disclose only the “minimum necessary” health information.
• Enter into Business Associate Agreements.
What is Required?
What is Protected Health Information (PHI)
• All medical records and other individually identifiable health
information held or disclosed by a health plans in any form,
whether communicated electronically, on paper or orally.
• Health plans may release PHI to employers without authorization
in very limited circumstances.
• Three conditions must be met:
Provider must provide service at the request of employer or as an
employee,
Service provided must relate to medical surveillance of workplace or
an evaluation to determine individual has workplace injuries or illness,
and
Employer must have legal requirement under state or federal law to
keep records.
What are the Plan Sponsor’s Obligations?
• Group health plans do not need to obtain a participant’s or a
covered dependents consent to release information for the
administration of the plan.
• Plan sponsor’s obligation depends on whether it receives
protected health information, summary health information or no
health information.
• Obligations, if it receive only summary health information.
• Required plan amendments.
• Obligations, if it receives protected health information.
What documents are needed to comply?
• HIPAA Privacy Policy
• HIPAA Privacy Use and Disclosures
• Notice of Privacy Practices
• Business Associate Contracts
• Authorization for Release of Information
• Amendment to Health Plan Document
• Amendment to Health Plan SPD
• Plan Sponsor Certification to Health Plan
What documents are needed to comply?
Documents for Implementing individual Rights
• Request to inspect or copy PHI.
• Request to amend or correct PHI.
• Request for Accounting of Disclosures of PHI.
• Request for restrictions on Use or Disclosure of PHI.
Consent Issues - Introduction
Health plans are allowed to use or disclose PHI in the following
circumstances:
• as required in accordance with an individual’s right to access PHI;
• for covered functions (i.e., treatment, payment, or health care
operations);
• with respect to specific types of information after the opportunity to
agree or object;
• pursuant to an individual’s authorization; and
• as required or permitted under HIPAA’s public policy exceptions
and a limited data set may be disclosed when certain
requirements are met.
For Treatment, Payment and Health Care
Operations
A health plan may use and disclose PHI without authorization:
• For its own treatment, payment, and health care operations;
• For the treatment activities of another health care provider;
• To another covered entity for the payment activities of the entity
receiving the information; and
• To another covered entity for certain health care operations
activities of the entity that receives the information if each entity
has (or had) a relationship with the individual who is the subject of
the PHI, the PHI pertains to such relationship, and the purpose of
the disclosure is one of those listed in the regulations.
Requiring an Opportunity to Agree or Object
The health plan may use and disclose PHI if individual has had
opportunity to, prohibit the disclosure of such information in advance
regarding to:
• Disclosures of limited types of information to family members or
close personal friends of the individual for care, payment for care,
notification, and disaster relief purposes; and
• Uses and disclosures of limited types of information for facility
directory purposes (generally not applicable to health plans).
• Exceptions
Requiring Individual Authorizations
• Individual authorizations are required whenever the use or
disclosure is not permitted under privacy rules.
• May request authorization for another entity for:
Any purpose.
But especially, before sending any marketing material.
Without Individual Authorization
Health plans may disclose PHI without authorization:
• If required by law.
• To certain designated public agencies, individuals and the employer.
• Regarding an individual if a victim of designated abuse and certain other
conditions are met.
• To a health oversight agency.
• In response to certain court proceedings.
• To a law enforcement officials if certain conditions are met.
• To a coroner or medical examiner of ID purposes.
• To organ procurement organizations for transplant purposes.
• To prevent health threat.
• For certain specified government purposes.
• To comply with Worker‘s Compensation purposes .
For Health Plan Underwriting
• Underwriting and placement of health coverage is a permissive
health coverage operation.
• Sharing PHI with other covered entities for other purposes
limited.
• Authorizations may be necessary in some situations.
Personal Representatives, Minors, & Spouses
• Covered entities must recognize a personal representative’s
authority and provide information within that authority.
• But certain exceptions do apply.
• Parent’s authority.
• Spouse’s authority.
Privacy Policy and Procedures
What is Required?
• Health plans must establish policies and procedures with respect
to PHI that complies with:
• HIPAA standards.
• Implementation specifications.
• Other requirements.
Privacy Notices
Who is required to provide notices?
Covered entities (Health Plan).
What must the notices describe?
• Uses and disclosures of PHI that may be made by the covered
entity,
• Individual’s rights, and
• Health plan’s legal duties with respect to PHI.
What are a health plan’s duties?
• Must provide own privacy notices if it has access to PHI.
• A health plan may arrange to have another entity to provide
notice, but will be responsible if no notice is provided.
Privacy Official
• A health plan must designate a privacy official.
• Privacy official is responsible for the development and
implementation of policies and procedures.
• A privacy officer must be designated for each subsidiary that is a
covered entity.
A single corporate officer could be designated for multiple subsidiaries.
Contact Person
Covered entities must designate a contract person or office for
receiving complaints.
• Such designation must be documented.
• Contact person must be able to provide additional information
about matters that are covered in privacy notice.
Health Care Security Requirements
• Apply to the electronic storage and transmission of PHI.
• General effective date - April 21, 2006.
• Covered entities must implement appropriate administrative,
technical and physical safeguards for PHI.
• Privacy rules require “appropriate safeguards” for protecting PHI.
• No guidelines for PHI in oral, written or non-electronic form.
Health Care Security Requirements
What information must be protected?
Any information transmitted by electronic media, maintained in
electronic media or maintained in other form or medium.
What is electronic media?
Certain transmissions are not covered.
Health Care Security Requirements
What are the four general security requirements?
• Ensure the confidentiality, integrity and availability of all electronic
PHI that the covered entity creates, receives, maintains or
transmits.
• Protect against any reasonably anticipated threats or hazards to
the security or integrity of such information.
• Protect against any reasonably anticipated uses or disclosures of
such information that are not permitted or required.
• Ensure compliance by the workforce.
Health Care Security Requirements
What are the security standards?
• Administrative safeguards.
• Physical safeguards.
• Technical safeguards.
Covered entities must:
• Use reasonable and appropriate measures to accomplish the
requirements.
• Engage in risk analysis to determine how to comply.
Electronic Transaction Requirements
All covered entities must standardize the format and content of all
electronic transactions when engaging in “covered transactions.”
These are called the EDI Standards.
Electronic Transaction Requirements
What are “covered transactions”?
• Health claims and equivalent encounter information,
• Health care payment and remittance advice,
• Coordination of benefits,
• Health claim status,
• Enrollment and disenrollment in a health plan.
• Eligibility for a health plan,
• Health plan premium payments,
• Referral certification and authorization.
• First report of injury, and
• Health claims attachments.
Electronic Transaction Requirements
What are the EDI Standards requirements?
• Covered entities in conducting covered transactions must use
standardized formats and content, as well as uniform codes in
communicating with other entities.
• Only those entities who conduct ”standard transactions”
electronically or engage others to do so are subject to EDI
standards.
• Health plans are considered to be covered entities and must
comply with the EDI Standards, along with the additional
requirements.
Electronic Transaction Requirements
What transactions and transmissions are covered?
Is the entity conducting the transaction a covered entity (or its
business associate)?
Does the transaction fall within the definition of one of the covered
transactions?
Covered entities must comply with the EDI Standards in certain
stated transactions.
Transactions within a covered entity are subject to the EDI
Standards.
Electronic Transaction Requirements
EDI Requirements
• Applies to transactions transmitted using electronic media.
• Does not apply to any transactions conducted in paper or over the
telephone.
• Does not apply to noncovered entities.
• Does not apply to group health plans with under 50 participants.
• Does not apply to health plan sponsors because they are not
covered entities.
Sharing PHI w/ Plan Sponsor | Final Thoughts
A group health plan may not share PHI with plan sponsor
except for disclosure of:
• De-identified information.
• Group health plan enrollment and disenrollment information.
• Limited summary health information for insurance placement and
settlor function.
• PHI to plan sponsor personnel involved in plan administration
when certain requirements are met
• Pursuant to authorization.
Certain Employer Functions Require
Authorization
• Health plans can not provide access to PHI to plan sponsors
without certain plan provisions and safeguards.
• Disclosure must be for “plan administrative functions.”
• Health care providers and health plans may use and disclose PHI
with an individual’s “authorization” for any purpose provided in the
authorization.
Certain Employer Functions Require
Authorization
These functions include:
• Plan must not condition treatment or payment on receipt of an
authorization.
• In some circumstances, an employer may condition employment
on receipt of authorization.
• Authorization may be required to obtain PHI for purposes of FMLA
or ADA.
• An authorization may be required for an employer to assist
employee with a claim.
• An authorization may be required for an employer to receive
reports from EAP.
Exceptions for Some Common Employer
Practices
• HIPAA includes numerous exceptions to broad use and disclosure
rules.
• Common employer practices that fall under these exceptions:
State/Federal disclosure requirements.
Workers’ compensation.
Health information contained in employment record.
Special Concerns
Change office behavior
• Shred pertinent documents- do not simply discard them.
• Prohibit staff from accessing a participant’s medical records to learn a
neighbor’s birth day or to satisfy a similar form of curiosity.
• Do not leave messages about a participant’s health on an answering
machine or with someone other than the patient or doctor.
• Avoid discussions about a participant’s claims in elevators, cafeteria or
other public places.
• Avoid paging participant’s using identifiable information.
• Do not fax information without knowing that the persons to whom the fax
is addressed is ready to receive it.
• Do not allow faxes to sit on an office machine where unauthorized people
may see them.
Overview
American Recovery and Reinvestment Act of 2009 (ARRA) modified
HIPAA.
• Security and privacy rules apply to Business Associates (BAs).
• Created new notification rules for a Privacy breach.
Notice to affected individuals.
Notice to Media.
Notice to the Department of Health and Human Services (HHS).
• Penalties for non-compliance increased.
Security and Privacy Rules Applied to Business
Associates
• Most security rules now apply to BAs.
• Some privacy rules now apply to BAs.
• Generally effective February 1, 2010:
Some provisions, such as the breach rules and penalties, can apply
earlier.
BAs must comply with electronic protected health information (PHI)
and breach rules as of September 1, 2009, but do not need security
policies and procedures until February, 2010.
Breach Defined
A breach is:
“The acquisition, access, use or disclosure of PHI…”;[In a manner not otherwise permitted under the HIPAA privacy rule]
“…which compromises the security or privacy of the PHI”.
Regulations do not incorporate the statute’s use of “accesses,
maintains, retains, modifies, records, stores, destroys or otherwise
holds, uses or discloses” unsecured PHI.
Breach Defined
Compromises PHI is defined as a breach that poses “a
significant risk of financial, reputational, or other harm.”
BAs can make a judgment call about how significant a threat is.
[If not significant, there is no breach and reporting is not required]
Risk assessment should be done and documented so it can be
demonstrated why a breach notice was not needed.
Breach Defined
During an evaluation consider:
• Who impermissibly used PHI or to whom information was
impermissibly disclosed.
• The nature of the PHI that was disclosed.
For example:
• If the name of an individual and plan participation are disclosed there could
be a privacy breach, but there may be no harm.
• If the types of treatment or other sensitive information (social security
number, account number, etc.) are revealed then there is a higher likelihood
of harm.
Many types of health details are sensitive these days given the risk of
employment discrimination.
Breach Defined
• Effective for breaches occurring 30 days on or after publication in
the Federal Register.
• HHS will use its enforcement discretion and not impose penalties
until February 22, 2010.
No guidance on whether penalties could relate to actions taken
between September 23, 2009 and February 21, 2010.
• HHS does not have the authority to penalize BAs until February
18, 2010.
This will not negate any potential exposure from breach of contract or
negligence.
Exceptions to Breach
1. Secured PHI.
2. Unintentional acquisition, access or use by individual acting
under authority of BA.
3. Inadvertent disclosure from one covered entity to another
covered entity.
4. Unauthorized disclosure where the unauthorized individual
would not reasonably have been able to retain the information.
Exceptions to Breach
Secured PHI
• PHI that is held in a manner deemed to be “secure.”
• Electronic data protected by specified encryption technology.
• Paper or film records shredded or destroyed.
• Electronic media purged in accordance with specific standards.
Unsecured PHI
• PHI that is not rendered unusable, unreadable or indecipherable to
unauthorized individuals through technology or methodology approved by
HHS.
• PHI in any form is covered (oral and written-both paper and electronic.)
• Access controls, firewalls, etc. do not make data secured.
• Redaction of paper documents does not make them secured.
1. Secured PHI
Exceptions to Breach
Safe harbor
For data:
• In motion (moving through a network).
• At rest (in a database or flash drive).
• In use (in process of being created, retrieved, updated or deleted).
• Disposed (both discarded paper records and recycled electronic
media).
1. Secured PHI
Exceptions to Breach
The unintentional acquisition, access or use of PHI by a workforce member
or person acting under the authority of the plan or BA if acquisition, access
or use is in good faith and within the scope of authority and does not result
in further use or disclosure in a manner not permitted under the HIPAA
privacy rule.
• Workforce member – includes employees, volunteers and others under
the control of the plan.
• BA can be acting under the authority of the plan.
Example:
An employee who is responsible for billing receives an email which contains
PHI about a plan participant from another employee. The email was
accidentally sent. The billing employee opens the email, notices she is not
the intended recipient, alerts the employee who sent the email and then
deletes the email.
2. Unintentional Acquisition
Exceptions to Breach
Inadvertent disclosure by a person who is authorized to access PHI
at a plan or BA to another person authorized to access PHI at the
same plan or BA, if the PHI received is not further used or disclosed
in a manner violating 45 CFR § 164 Part E.
Example:
A member of an appeals committee shares a participant’s PHI with
another committee member. Member 1 thought the participant had
appealed a claim, however it was actually a different participant’s
appeal. Member 2 does not disclose or use the PHI.
3. Disclosure to Another Covered Entity
Exceptions to Breach
Disclosure of PHI where a plan or BA has a good faith belief that an
unauthorized person to whom the disclosure was made would not
reasonably have been able to retain the PHI.
Appears to apply to both physical (e.g., actual paper record)
retention and mental retention.
Example:
A plan mails a number of EOBs to the wrong individual. The EOBs
are returned by the post office as undeliverable. They are
unopened.
4. Unauthorized Disclosure, Not Retained
Identification of Breach
Plan and BA must determine:
• whether there was an impermissible use or disclosure of PHI
under the Subpart E.
• whether the impermissible use or disclosure compromises the
security or privacy of the PHI and document such findings.
• if an exception applies.
Notification Rules
• BA should report the data to the plan within the timeframe allowed
by their agreement.
Do not need to report the breach to the affected individuals, unless the
contract specifies.
• Plan must notify each individual whose unsecured PHI has been,
or is reasonably believed to have been, accessed, acquired, used
or disclosed as a result of the breach.
• Plan may need to notify the media.
• Plan must notify HHS.
When a breach is discovered:
Notification Rules
• First day on which the breach is known or should reasonably have
been known by a covered entity or BA if they had exercised
reasonable diligence.
• Plan and BA deemed to have knowledge of workforce members
and any agents.
Agent status determined using federal common law agency rules
• BA is often an agent of the plan.
• Broad reach.
• If breaching employee never tells anyone of a breach, the breach
occurred but cannot be discovered and therefore there is no
reporting obligation.
Discovery of a breach
Notification Rules
• Must notify plan after it discovers a breach of unsecured PHI.
Same rules as for covered entities in determining when a breach is
discovered.
• BA must provide notice to plan without unreasonable delay, but in
no event later than 60 days after breach discovered.
• BA must provide a list of each individual whose PHI was breached
and any other information the plan would need to send out notice
to individuals.
Business Associate notification to plan
Notification Rules
• The Plan must notify each individual whose unsecured PHI has
been, or is reasonably believed to have been, accessed, acquired
or disclosed as a result of the breach.
If BA discovers breach, must notify plan and should identify each
individual who is affected.
• Notification must be made without unreasonable delay and be no
later than 60 calendar days after discovery of the breach.
60 days, from date breach first known, is the outside limit and may be
unreasonable in some circumstances.
• 60 days begins even if initially unclear whether there was a breach
Burden of proof on covered entity/BA to show timeliness.
Notice to Individuals
Notification Rules
• Written notice should be sent by first-class mail to individuals last
known address.
May notify by email if the individual has consented.
May notify next of kin or personal representative if the plan has that
information.
• If it is an urgent situation, due to possible imminent misuse,
notification may be made by telephone or other means in addition
to the written notice.
No guidance has been provided regarding what is considered urgent.
• Burden of proof is on the plan/BA to prove notifications provided.
Notice to Individuals
Notification Rules
When direct notice is not possible due to the plan having insufficient
or out of date contact information, may notify by substitute form.
• For less than 10 individuals, it may be written notice, telephone
notice or other means.
• For more than 10 individuals, should be a conspicuous posting on
the covered entity’s web site for 90 days or more or a conspicuous
notice in a major print or broadcast media.
Toll-free phone number must be included so individuals can learn if
unsecured PHI was breached.
Must be on the home page or the website or be a prominent hyperlink.
What constitutes a major print or broadcast media is a facts and
circumstances test, which considers the geography of the individuals.
Notice to Individuals
Notification Rules
Notice must include:
• Plain language, brief description of what happened including the
date of breach and date of breach discovery.
• Type of unsecured PHI involved (e.g., social security number, full
name, address, etc.).
• Steps an individual should take to protect himself/herself from
potential harm
• Brief description of what is being done to remedy and mitigation
the effects of the breach.
• Contact procedures for individuals to ask questions or get
additional information.
Must include a toll-free phone number, email address, web site or
mailing address.
Notice to Individuals
Notification Rules
• Notice must be provided to prominent media outlets in the state or
jurisdiction if unsecured PHI of more than 500 residents of the
state or jurisdiction is or is reasonably believed to have been
accessed, acquired or disclosed during a breach.
Assumption that major media is similar to prominent media.
Jurisdiction is smaller than a state (e.g., county or city).
Must affect 500 residents of the state or jurisdiction – if the total breach
is more, but there are not 500 in a state or jurisdictions, this notice is
not required.
• This notice is in addition to the individual notice.
Media Notice
Notification Rules
Notice must be provided to HHS if there is a breach of 500 or
more individuals.
• Notice must be submitted within same timeframe for sending
notice to affected individuals.
• Calculation of individuals is for a total discovered during
investigation.
If there was an individual discovery of 400 individual, but upon
investigation another 150 are discovered, must notify HHS.
Log must be maintain and submitted annually to HHS for
breaches of less than 500 individual.
• Must be submitted within 60 days of the end of the calendar year.
• HHS website will provide details on how to submit.
HHS Notice
Other Changes
• State notification laws not preempted unless they stand “as an
obstacle.”
• Law enforcement delay of notification, verbal notice must be
documented and is for a maximum of 30 days, written notice is for
the time period specified.
• Must train workforce on requirements.
• Complaint processes must provide for the ability to include
complaints regarding these processes.
• Retaliation/waiver/intimidating acts are prohibited.
• There are sanctions for failure to comply.
Penalties / Enforcement
• State notification laws not preempted unless they stand “as an
obstacle.”
• Law enforcement delay of notification, verbal notice must be
documented and is for a maximum of 30 days, written notice is for
the time period specified.
• Must train workforce on requirements.
• Complaint processes must provide for the ability to include
complaints regarding these processes.
• Retaliation/waiver/intimidating acts are prohibited.
• There are sanctions for failure to comply.
Penalties / Enforcement
HHS audits now required
Penalty amounts:
• Minimum $100 if did not know of violation and would not have
known even with reasonable diligence – maximum $50K per
violation, $1.5M total.
• Minimum $1,000 if reasonable cause and not willful neglect –
maximum $50K per violation, $1.5M total.
• Minimum $10,000 if willful neglect but corrected – maximum $50K
per violation, $1.5M total.
• Minimum $50,000 if willful neglect and not corrected – maximum
$1.5M.
Future Guidance / Initiatives
• More guidance to be issues by HHS regarding the most
effective/appropriate technical safeguards for Security Standards.
• An individual will be designated in each HHS regional office to
provide guidance/education to covered entities/BAs/individuals on
rights and responsibilities.
• Education initiatives by HHS regarding the use of PHI.
Items Not Addressed
• No answer on whether BAs are subject to all or only some of the
Privacy Rule requirements.
• New restriction request rules.
• New guidance on minimum necessary.
• New disclosure accounting and access rules for electronic health
records.
• Prohibiting sale of PHI.