Today’s webinar will begin shortly. We are waiting for attendees to log on.

Presented by: Tabatha George
Phone: (504) 529-3845
Email: tgeorge@fisherphillips.com

Please remember, employment and benefits law compliance depends on multiple factors – particularly those unique to each employer’s circumstances. Numerous laws, regulations, interpretations, administrative rulings, court decisions, and other authorities must be specifically evaluated in applying the topics covered by this webinar. The webinar is intended for general-information purposes only. It is not a comprehensive or all-inclusive explanation of the topics or concepts covered by the webinar.
What Employers Need to Know About HIPAA and HITECH
Tabatha George, Fisher Phillips, LLP
tgeorge@fisherphillips.com
Back to the Basics
HIPAA
Health Insurance Portability and Accountability Act of 1996
  Title I: Portability and Nondiscrimination
  Title II: “Administrative Simplification” (includes the Privacy and Security Rules)

HITECH and the Omnibus Rule
The Health Information Technology for Economic and Clinical Health Act of 2009 was passed to create a national network of electronic health records. Among other things, it changed:
  Business Associate liability
  Breach analysis and notification
  Enforcement
The Omnibus Rule followed.
Who must comply?
  Group Health Plans
    Includes medical, dental, vision, health FSAs, HRAs, some EAPs
    Does not include workers’ comp, life insurance or disability plans
    Excluded if <50 participants, self-funded and self-administered
  Health Care Providers
    Who transmit health information in electronic form in connection with specific transactions
  Health Care Clearinghouses
Does not include employers, just their plans.

Who else must comply?
Business Associates are service providers that perform a function or activity for a Covered Entity, such as:
  TPA
  Attorney
  Broker
  Actuary
  Accountant
  Other service providers

Fully-insured Plans
Most fully-insured plans will attempt to keep a “hands off” approach.
  Summary Health Information
  Claims assistance
  Enrollment data
  FSAs and HRAs
Self-insured Plans
What does it mean to comply?
Compliance Obligations
  Safeguard PHI and ePHI
  Adhere to use and disclosure requirements
  Allow individuals to exercise individual rights
  Provide Privacy Notice, if applicable
  Fulfill administrative requirements
  Amend plan document (Plan Sponsor)
  Execute Business Associate agreements
Protected Health Information
Protected Health Information (PHI)
Individually-identifiable health information created or received by a Covered Entity or Business Associate which relates to past, present, or future health care or payment for health care.
Excludes employment records, for example:
  pre-employment drug screens
  sick leave requests
  fitness-for-duty examinations
  ADA or FMLA records
  doctor’s note from employee
Examine source, purpose and use to determine whether a document is an employment record.
PHI that is sent or stored electronically is ePHI.

Electronic PHI (ePHI)
PHI maintained or transmitted in electronic form.
  Electronic storage media: computer hard drive, digital memory card, mobile devices
  Electronic transmission media: extranet, leased lines, private networks
  Physical movement of electronic storage media
Faxes, telephone calls, video conferencing, and voicemail are not typically ePHI.
You have PHI. Now what?
Use and Disclosure Rules: The Minimum Necessary Standard
  Covered Entity/Business Associate must limit disclosure of PHI to the minimum necessary
  Only employees with a need to know may have access
  Identify employees who need access to PHI and limit access to those employees and to the specific PHI necessary for them to perform their job function
  Requests: establish policies and procedures limiting PHI disclosure to the amount and type necessary

Use and Disclosure Rules: Authorizations
  Must obtain Authorization for most uses and disclosures of PHI other than those allowable for enrollment tracking, treatment, payment or health care operations
  Authorization must describe the particular purpose and must contain specific elements
  Must be revocable, in writing and voluntary, and the individual must receive a copy
  Get Authorization for Claims Assistance to assist employees with plan claim denials
  Employer may need Authorization to get PHI from doctors for employment purposes (FMLA leave, workers’ comp, hardship distributions)

Use and Disclosure of PHI Allowed Without an Authorization
  Treatment
  Payment: activity undertaken to fulfill plan responsibility for provision of benefits or to obtain reimbursement for health care. Includes eligibility and coverage determinations, adjudication of benefit claims, coordination of benefits, determining cost-sharing, risk adjusting, billing, premium collection, claims management, medical necessity, cost review and utilization review.
  Healthcare Operations: activities directly related to treatment or payment. Includes internal quality oversight review, credentialing, legal services, audit functions, general administration, placing reinsurance, underwriting renewal or replacement of a contract of health insurance.
  Other Disclosures: to the individual, to Business Associates, or as required by law
  Emergencies
Other HIPAA Requirements
Privacy Notice Content
  Specific content and format
  Describes rights, plan duties and types of disclosures available without an Authorization
  HHS has prepared a model notice
  New participants receive the Notice upon enrollment
  Send revised Notice within 60 days of a material change
  Remind participants every 3 years of Notice availability
  Copy on intranet, and a paper copy must be available

Individual Rights
  Right to Request Restrictions on Use or Disclosure
  Right to Access PHI to copy/inspect
  Right to Amend
  Right to an Accounting of Uses and Disclosures
  Right to Limit PHI re: Out-of-Pocket Care

Execute a Plan Amendment
  Must amend plan if Plan Sponsor receives more than Summary Health Information (SHI) or uses SHI beyond limited purposes
  Plan document must incorporate HIPAA Privacy provisions
  Plan Sponsor must certify its adoption of and compliance with the amendment

Execute BAAs
  Covered Entity must identify Business Associates and obtain assurances that the Business Associate will protect PHI and ePHI that it uses or discloses on behalf of the Covered Entity
  Specific content
  Effective February 17, 2010, Business Associates are also responsible for ensuring a BAA is in place
  Effective September 23, 2013, Business Associates must get their subcontractors to agree in writing to safeguard PHI
  DUAs (data use agreements)
Security Rules
Security Rule Structure
  Security Rule requirements are called “Standards.”
  Each Standard has a general security requirement and identifies what a Covered Entity/Business Associate must do to meet the Standard (“implementation specifications”)
  Implementation specifications are either required (“R”) or addressable (“A”)
    R = must be implemented as stated in the Security Regulations
    A = addressable

Three Types of Safeguards
  Administrative Safeguards: actions and policies to manage the selection, development, implementation and maintenance of security measures to protect ePHI, and to manage the conduct of the workforce in relation to the protection of ePHI
  Physical Safeguards: concern the physical protection of data systems and data from intrusion and from environmental or natural hazards
  Technical Safeguards: technology, and policies for its use, that protect ePHI and control access to ePHI

Annual Risk Assessment
A risk assessment should be conducted every year. A free interactive tool is available at:
https://www.healthit.gov/providers-professionals/security-risk-assessment

Best Practices for Compliance
  Designate Privacy & Security Officials
  Conduct annual risk assessment
  Maintain written policies
  Honor individual rights
  Audit both Privacy and Security practices
  Maintain a Notice of Privacy Practices
  Obtain individual Authorizations for non-plan functions
  Enter into agreements with Business Associates
  Amend your plan
  Report any breach
What is a Breach?
What is a Breach?
Unauthorized acquisition, access, use, or disclosure of unsecured PHI in a manner not allowed by the Privacy Rule which compromises the security and privacy of an Individual’s PHI.
PHI is unsecured if it is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology approved by HHS.
Causes of Breach: Curiosity
Causes of Breach: Theft
Stolen medical information is valuable.
  Physical theft
  Phishing
  Viruses
  Ransomware
Causes of Breach: Carelessness
Breach Analysis After HITECH
The 2013 final rule to the HITECH Act provides that a covered entity or business associate must presume that an acquisition, access, use, or disclosure of PHI in violation of the privacy rule is a breach. This presumption holds unless the covered entity or business associate demonstrates that there is a “low probability” that the PHI has been compromised, based on a risk assessment which considers at least the following factors:
  the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  the unauthorized person who used the PHI or to whom the disclosure was made;
  whether the PHI was actually acquired or viewed; and
  the extent to which the risk to the PHI has been mitigated.

Breach Procedures
  All unauthorized acquisition, access, use, or disclosure of PHI must be reported to the Privacy Official immediately.
  Notice to the Individual, Health and Human Services, and the Media may be required.

Consider State Privacy Laws
  Almost all states have their own privacy laws with respect to medical information
  Some laws defer to HIPAA
  Other states require additional reporting
  Laws are changing quickly
Final Questions

Thank You