GW&T © 2002 Garfunkel, Wild & Travis, P.C. 263907 1 HIPAA: What University Counsel Needs to Know -- The Basics NATIONAL ASSOCIATION OF COLLEGE AND UNIVERSITY.

Presentation transcript:

GW&T © 2002 Garfunkel, Wild & Travis, P.C.

HIPAA: What University Counsel Needs to Know -- The Basics
NATIONAL ASSOCIATION OF COLLEGE AND UNIVERSITY ATTORNEYS
42ND ANNUAL CONFERENCE
June 27, 2002
Judith A. Eisen, Esq.
Garfunkel, Wild & Travis, P.C.
111 Great Neck Road
Great Neck, New York (516)

GENERAL OVERVIEW/STRUCTURE OF HIPAA

HIPAA applies to “Covered Entities”

General Category: Possible University Application
- Health Care Providers who carry out at least one “Covered Transaction”:
  - Health Care Facilities – Hospitals, etc.
  - Faculty Practice Plan
  - Student Health Center
  - Health Professional Training Programs
  - Psychology Clinics
  - Dental Clinics
  - EAP
- Health Plans:
  - Group Health Plan for employees or students
  - Self-insurance health plan for employees or students
- Health Care Clearinghouses:
  - Faculty Practice Plan Billing Company

HIPAA Administrative Simplification Provisions
Final Privacy Regulations (Published December 28, 2000)
Proposed National Provider Identifier (Published May 7, 1998)
Proposed National Employer Identifier (Published June 16, 1998)
Proposed Security Standards (Published August 12, 1998)
Final Electronic Transaction Standards (Published August 17, 2000)
Effective: October 16, 2000 Full Compliance due by October 16,
Effective: April 14, 2001 Full Compliance due by April 14,
Congress recently passed new legislation which will allow health care providers, health plans and health care clearinghouses to delay compliance for one full year until October 16, 2003 for HIPAA’s electronic transaction standards – if they apply for an extension.
Proposed National Payor Identifier (not yet published)
Expected to be Finalized June, 2002
Proposed National Individual Identifier (Tabled Indefinitely)
Expected to be Finalized August 2002

Effect of HIPAA on State Law and Other Federal Law
General Rule: The privacy regulations preempt any contrary provisions of State law or regulations.
General Exception: State law that is more stringent or grants greater rights to patients will survive HIPAA.
General Rule: HIPAA co-exists with other Federal law, e.g., Common Rule for Human Subject Research.
Special Exception: FERPA

ELECTRONIC TRANSACTION AND CODE SET STANDARDS

Purpose of the Electronic Transaction Standards
To promote efficiencies in the health care industry by:
- Encouraging the use of electronic data exchanges for health care transactions
- Simplifying health care transactions by establishing standards

General Rule
If a Covered Entity (either itself or through an agent) conducts a Covered Transaction electronically, the transaction must be conducted using the HIPAA form.
“Covered Transactions” include:
- Submission of claims for payment
- Checking eligibility
- Enrollment and disenrollment
- Checking claims status
- Referrals and pre-certification
- Claims attachments
- Payment and claims remittance
- Coordination of Benefits

What Does It Mean To Standardize A Transaction?
- Standardized Formats
- Standard Data Content
- Standard Codes

One Year Extension
- Covered Entities may request a one year extension of the compliance date for the transaction standards (until October 16, 2003).
- To request an extension, Covered Entities must submit a compliance plan to DHHS.
- Failure to conform to new standards or request an extension by October 16, 2002 can mean:
  - Termination from Medicare Program
  - Claims denials

SECURITY STANDARDS

Security Risks
1. Human Error
2. Nature (fire, earthquake, flood)
3. Technological Problems
4. Deliberate Security Breaches

GENERAL COMMENTS
- Still in Proposed Form.
- In current form, may apply to health care providers who do not carry out a Covered Transaction.
- Not Technology Specific.
- Scalability.
- Overlap with Privacy.

What Do The Security Regulations Require?
- Administrative Procedures: To protect health information and manage the conduct of personnel.
- Physical Safeguards: To protect physical computer systems and related buildings and equipment.
- Technical Security Services: Controlling access to health information at rest and in motion.

HIPAA PRIVACY: POLICY and PITFALLS

GENERAL POLICIES UNDER PRIVACY STANDARDS

General Policy: A Covered Entity may not use or disclose Protected Health Information (“PHI”) except as permitted by the privacy regulations.
- PHI is individually identifiable health information in any form or medium (written, electronic or oral) created or received by a Covered Entity

CONSENT
- General Policy: If a general written consent is obtained, a Health Care Provider may use or disclose PHI for “TPO”:
  - Treatment (provision, coordination, management of healthcare)
  - Payment (actions to obtain payment for services)
  - Health Care Operations (internal day-to-day business operations – QA, UR, peer review, customer service, etc.)
- The consent is effective indefinitely unless revoked in writing

* Note: On March 27, 2002, HHS published proposed changes to the Privacy Rules, including deletion of the consent requirement and addition of an acknowledgment of receipt of privacy notice.

AUTHORIZATION
- General Policy: If use or disclosure is not for TPO, a Covered Entity may not use or disclose PHI without a more specific authorization.
Examples:
- Research
- Marketing
- Fundraising

PRIVACY PITFALLS

BUSINESS ASSOCIATES
A. Perform a function involving use or disclosure of PHI on behalf of a Covered Entity; or
B. Perform legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a Covered Entity involving the disclosure of PHI.

EXAMPLES OF BUSINESS ASSOCIATES:
- Billing Companies
- Computer Vendors
- Accreditation organizations (e.g., JCAHO)
- Medical Equipment Vendors
- Management or Administrative Service Providers, etc.
- Attorneys, Accountants, Auditors, Actuaries
- Consultants
- Document Storage and Destruction or Conversion Companies

BUSINESS ASSOCIATE CONTRACT:
- Restricts use and disclosure of PHI
- Requires appropriate safeguards
- Requires similar cooperation by its subcontractors
- Requires BA to report breaches
- Requires BA to fix breaches or risk termination of contract

Marketing
General Marketing Rule: A Covered Entity may not use or disclose PHI for “marketing” without an authorization.
Definition: Written or oral communication made for the purpose of encouraging the recipients of the communication to purchase or use a product or service.

Fundraising
General Rule: A Covered Entity may use certain demographic information and dates of service for the purpose of raising funds for its own benefit without an authorization.
Note: Individual must be able to “opt-out” of future communications.

Uses and Disclosures for Research Purposes
- Must obtain patient authorization unless:
  - Meet certain criteria for a waiver; or
  - Meet one of HIPAA’s exceptions
- New role for Institutional Review Board (IRB)

Special “Carrier” Concerns
- Students in Health Care Professional Training Programs
  - Student Access to PHI
  - Student Discipline
- Researchers involved in Human Subject Research

Hybrid Entity
Qualifications:
- Single legal entity
- Primary business is not healthcare*
University Must:**
- Identify healthcare components
- Identify components that act as business associates to HC components
- Erect firewalls between health care and non-health care components
- Ensure compliance by health care components

* Proposed changes do not require that non-covered functions be primary purpose
** Proposed changes would require that health care proponents conduct a Covered Transaction electronically.

Joint Consent and Notice Concepts
- Single Affiliated Covered Entity: designating Covered Entities under “common control” or ownership as a single Covered Entity
  Ex: Commonly owned healthcare facilities in health system
- Organized Health Care Arrangement: two or more Covered Entities in a clinically integrated setting or a joint venture
  Ex: hospital and its voluntary medical staff
- Both arrangements:
  - Permit combined consent and privacy notice
  - Permit sharing of PHI
  - Negate Business Associate relationship

University as Employer
- Clarification under proposed changes to privacy rule: “Employment records” held by a CE in its role as an employer are not covered by privacy regulations. (FMLA, Disability, Non-Health Benefit Plans)
- University student health clinics may provide health care to employees and faculty
- EAPs may be Health Care Providers
- Group Health Plans (medical, dental, vision)
  - Commercial – defined insurer or HMO
  - Self-insured – with or without TPA

Group Health Plans
- Group Health Plans must comply with:
  - Privacy rules (with some minor exceptions)
  - Security rules
  - TCS rules (must be prepared to carry out transactions electronically)
- For commercial plans – insurer or HMO ensures compliance
- For self-insured plans – TPA or Plan itself must ensure compliance.
- Plan sponsor that receives PHI from Plan/insurer must:
  - Keep PHI confidential
  - Not use PHI for employment purposes
  - Amend Plan documents

Administrative Requirements of the Privacy Regulations
- Policies related to the Minimum Necessary Rule
- Adoption of Policies and Procedures
- Safeguards
- Designation of a Privacy Officer
- Privacy Notices
- Complaints
- Accountings*
- Amendments to PHI
- Training for all personnel
- Sanctions
- Mitigation
- Documentation/Retention of Records (for 6 years)

* Note: Proposed changes would eliminate the need to account for disclosures where an authorization was obtained.

PENALTIES AND ENFORCEMENT: Both individuals and entities can incur civil and/or criminal liability for violating HIPAA.

Civil Penalties: Fines up to $100 per violation; maximum of $25,000 in each calendar year for identical violations
Criminal Penalties For “Knowing Misuse” of PHI: Three Degrees:
- Simple violations: fine of up to $50,000 plus prison of up to 1 year.
- False pretenses: fine of up to $100,000 plus prison of up to 5 years.
- For gain or harm: fine of up to $250,000 plus prison term of up to 10 years.

HIPAA Compliance
STAGE I: Organize and Educate
STAGE II: Analyze and Compare
STAGE III: Plan and Implement
STAGE IV: Audit and Monitor

DISCUSSION/QUESTIONS