HIPAA Privacy Rules: What Are Plan Sponsors Required to Do?
Objectives Today
•Overview of the HIPAA Privacy Rules
•HIPAA Privacy Legislative Guide
•What are Plan Sponsors required to do?
•Areas where clarification is needed
Overview of the HIPAA Privacy Rules
•Regulates Protected Health Information (PHI)
•Requires that patients be told how their PHI will be used and disclosed
•Sets limits on how patients’ PHI may be used and disclosed
•Imposes fines where the requirements contained within the regulations are not followed
Zywave Legislative Guides
What Are Plan Sponsors Required to Do?
•The rules do not directly regulate plan sponsors or employers
•Compliance obligations indirectly imposed upon plan sponsors will vary depending on access to PHI
•Plan sponsor functions
•Plan administration functions
Plan Sponsor Functions
•Assist employees with claim disputes pursuant to a written authorization
•Receive Summary Health Information (SHI) for purposes of obtaining premium bids or modifying, amending or terminating the plan
•Conducting enrollment and disenrollment activities
= Minimal HIPAA Privacy compliance obligations
Plan Administration Functions
•Claims processing
•Quality improvement
•Fraud detection activities
= Considerable HIPAA Privacy compliance obligations
Plan Sponsors that have access to PHI for plan administration must:
•Amend the plan document to allow the plan sponsor to have access to PHI
•Certify to the group health plan that it will limit its use and disclosure of PHI as required by the Privacy Rule
•Comply with all of the administrative requirements of the Privacy Rule
HIPAA Privacy Rules – Administrative Requirements
•Appoint a privacy officer
•Train members of workforce with access to PHI
•Create written policies and procedures related to handling PHI
•Create and distribute notice of privacy practices
•Provide plan members with a right to access, copy and amend PHI in your possession
•Create internal firewalls
•Enter into written contracts with business associates
What is a Business Associate?
•A person or entity that receives PHI from a Covered Entity in order to perform services on behalf of the Covered Entity
•Services may include treatment, payment or health care operations
•The Covered Entity must enter into a contract with the Business Associate
•The contract extends HIPAA’s protections to the information exchanged
Areas Where Clarification is Needed
•Are authorizations required when an employer or broker needs access to PHI to advocate on behalf of an employee?
•Is enrollment/disenrollment information held by the plan sponsor considered PHI?
•How can employers deal with fraud against the health plan and abide by restrictions on use of PHI?