HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) 252-9321;...


HIPAA PRIVACY REQUIREMENTS

Dana L. Thrasher
Constangy, Brooks & Smith, LLC
(205) 252-9321; [email protected]

Victoria Nemerson
Vice President Compliance, Ceridian
(904) 564-4220; [email protected]

CONCERNS REGARDING HEALTH INFORMATION

Need for protection of individual health information

Potential for abuse

Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)

HIPAA

General Rule:

“Covered entities” may not use or disclose an individual’s “protected health information” without the authorization of the individual unless specifically required or allowed by the privacy regulation.

What are the Purposes of the Privacy Rule?

Consumer Control Over Health Information

-- Patient education on privacy protections.

-- Ensuring patient access to medical records.

-- Receiving patient consent before information is released.

-- Providing recourse if privacy protections are violated.

What are the Purposes of the Privacy Rule?

To Establish Boundaries on the Use and Release of Medical Records

-- Ensuring that health information is not used for non-health purposes.

-- Providing the minimum amount of information necessary.

What are the Purposes of the Privacy Rule?

To Ensure the Security of Personal Health Information

-- Adopt written privacy procedures.

-- Train employees and designate a privacy officer.

What are the Purposes of the Privacy Rule?

To Establish Special Protection for Psychotherapy Notes

To Preserve Existing, Strong State Confidentiality Laws

What are the Purposes of the Privacy Rule?

To Establish Accountability for the Use and Release of Medical Records

-- Civil penalties

-- Federal criminal penalties

CIVIL PENALTIES

$100 PER VIOLATION, UP TO $25,000 PER PERSON, PER YEAR FOR EACH REQUIREMENT OR PROHIBITION VIOLATED

CRIMINAL PENALTIES

UP TO $50,000 AND 1 YEAR IN PRISON FOR OBTAINING OR DISCLOSING PHI

UP TO $100,000 AND UP TO 5 YEARS IN PRISON FOR OBTAINING PHI UNDER “FALSE PRETENSES”

UP TO $250,000 AND UP TO 10 YEARS IN PRISON FOR OBTAINING OR DISCLOSING PHI WITH THE INTENT TO SELL, TRANSFER OR USE IT FOR COMMERCIAL ADVANTAGE, PERSONAL GAIN OR MALICIOUS HARM

What Information Is HIPAA Designed to Protect?

Protected Health Information (“PHI”)

Protected Health Information encompasses all individually identifiable health information transmitted or maintained by a covered entity, regardless of form.

“PHI”

“Covered Entity”

A health plan, a health care provider, and health care clearinghouse.

Note: Employers are NOT “covered entities.”

“PHI”

“Health Plan”

-- Any plan or program that provides or pays the cost of medical care.

-- Health care provider

-- Health care clearing house

How Do the HIPAA Rules Impact a Health Plan?

HIPAA does not apply to small-employer administered health plans (those with less than 50 participants).

The HIPAA requirements are more stringent for self-funded plans than for fully-insured plans.

Concerns with the sharing of information between the plan, employer and vendors.

What Must a Self-Funded Plan Do to Ensure Privacy?

PHI can only be disclosed to the plan sponsor if the plan sponsor certifies that it will only use the information in accordance with the HIPAA rules. The sponsor:

-- cannot use or disclose PHI except as permitted by the plan or required by law;

-- must ensure that agents and vendors who receive PHI agree to the same restrictions;

-- cannot use or disclose PHI for employment-related actions or for other benefit plans;

What Must a Self-Funded Plan Do to Ensure Privacy? (cont.)

-- report to the Plan any violation of the privacy requirements;

-- make PHI available to individuals as required by HIPAA;

-- allow individuals to amend their PHI (by appending);

-- provide individuals with an accounting of disclosures of PHI;

What Must a Self-Funded Plan Do to Ensure Privacy? (cont.)

-- make its practices available to the government to determine compliance;

-- return or destroy PHI received from the plan that the sponsor maintains in any form, and retain no copies of such information no longer needed for the purpose for which the disclosure was made;

What Must a Self-Funded Plan Do to Ensure Privacy? (cont.)

-- ensure that security procedures have been established that:

(1) identify employees or classes of employees who will have access to PHI;

(2) restrict access solely to those individuals for the functions performed for the plan; and

(3) provide a mechanism for resolving issues of noncompliance.

What Must a Self-Funded Plan Do to Ensure Privacy?

Plan documents must be amended to include required provisions.

What Must a Self-Insured Plan Do to Ensure Privacy?

Privacy policies must be developed to ensure that only the amount of information reasonably necessary to achieve the purpose of the disclosure is provided to a third person.

What Must a Self-Funded Plan Do to Ensure Privacy?

THE NOTICE MUST BE PROVIDED PRIOR TO APRIL 14, 2003 (APRIL 14, 2004 FOR SMALL HEALTH PLANS) TO ALL PARTICIPANTS, AND TO NEW ENROLLEES AT ENROLLMENT.

Material changes must be communicated within 60 days.

What Must a Self-Funded Plan Do to Ensure Privacy?

Privacy Official/Training

-- A privacy official must be designated for developing and implementing HIPAA-required policies and procedures.

-- Training (including an ongoing program for new employees) on handling PHI must be provided for each employee performing health plan administrative functions.

What Must a Self-Funded Plan Do to Ensure Privacy?

Business Associates

-- New contract provisions limiting vendor use and disclosure of PHI and requiring compliance with HIPAA will be required.

What Must a Self-Funded Plan Do to Ensure Privacy?

Participant Complaints

-- Policies and procedures must be developed and communicated, and records must be maintained.

-- Retaliation for complaints is prohibited.

What Must a Fully Insured Medical Plan Do to Comply?

The sponsor generally can rely on information and policies developed by the insurer, unless it receives PHI.

Sponsors must review the rules with insurers to verify compliance.

Can Protected Information Be Shared Among Plans?

CONSENT IS REQUIRED!

Does HIPAA Apply To Flex Plans?

YES!

What Must Health Providers and Clearinghouses Do to Comply?

Providers and clearinghouses must comply with the rules in a similar manner to prevent disclosure of PHI.

Disclosure pursuant to authorizations must be limited to the amount “reasonably necessary”.

Contracts with other entities must be revised and business associate agreements drafted.

Conclusions

• Compliance with the HIPAA privacy requirements will be complex and expensive and may require significant cultural and procedural changes.

• Employers must reevaluate programs/plans and perform a cost/benefit analysis in light of the new compliance costs.

• Immediate ACTION is required!