Pennsylvania Bureau of Workers’ Compensation Conference, December 4, 2003. Beth L. Rubin, © 2003 Dechert LLP. HIPAA Privacy Rule Basics.

Presentation transcript:

Slide 1: HIPAA Privacy Rule Basics. Pennsylvania Bureau of Workers’ Compensation Conference, December 4, 2003. Beth L. Rubin, © 2003 Dechert LLP.

© 2003 Dechert LLP December 4, 2003 HIPAA Privacy Rule Basics

Slide 2: HIPAA
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  - Portability of health benefit policies, pre-existing conditions, fraud and abuse
  - Administrative simplification
- 1994 health care reform efforts
- Standardize electronic claims

Slide 3: Components of the Legislation
- Standardized electronic transactions
- Standardized code sets
- Standardized unique identifiers
- Security
- Privacy and confidentiality

Slide 4: HIPAA Applicability (covered entities)
- Health plans, including employer group health plans
- Health care providers that transmit any health information in electronic form in connection with a HIPAA standard transaction
- Health care clearinghouses

Slide 5: Health Plan Definition
- “Health plan” is broadly defined: an “individual or group plan that provides, or pays the cost of, medical care”
- Includes most ERISA employer welfare benefit plans, insured and self-funded, plus some non-ERISA plans

Slide 6: Health Plan
- Includes medical, dental, and vision plans
- Likely includes health care flexible spending accounts (FSAs)
- Does not include workers’ compensation
- Does not include disability

Slide 7: Health Plans
- Health plans must comply with all the Privacy Standards that apply to providers, plus certain Standards applicable only to health plans

Slide 8: Health Plans
Health plans must comply with:
- Restrictions on uses and disclosures of protected health information (PHI)
- Plan member rights requirements
- Administrative requirements
- Firewall requirements: separation between the plan and the plan sponsor

Slide 9: Restrictions on Uses and Disclosures
- Covered entities may not use or disclose PHI except as permitted or required under the Standards
- Permitted without authorization: treatment, payment, and health care operations (TPO)

Slide 10: Restrictions on Uses and Disclosures
- Authorizations
  - Required for uses and disclosures not otherwise permitted by the rule
  - Authorizations are necessary for most, but not all, purposes other than TPO
  - Authorization content: the rule specifies required core elements

Slide 11: Restrictions on Uses and Disclosures
- “Minimum Necessary” Standard
- Business associate requirements, including re-contracting
- De-identification requirements

Slide 12: Uses and Disclosures Permitted without Authorization
- Certain public health authorities
- Health oversight activities
- Judicial or administrative proceedings
- Law enforcement

Slide 13: Business Associate Definition
- A person who, on behalf of a covered entity, performs a function involving the use or disclosure of individually identifiable health information (IHI), including claims processing, data analysis, utilization review, quality assurance, billing, benefit management, and repricing; OR

Slide 14: Business Associate Definition
- A person who provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity, where the service involves disclosure of IHI

Slide 15: Business Associate Contracts
- “Satisfactory assurance” requirement
  - Plans must have contracts with their business associates (including plan administrators) that include many specified terms

Slide 16: Member Rights
- Right to a Notice of Privacy Practices
  - Strict content requirements
  - Self-funded plans
  - Insured plans

Slide 17: Member Rights
- Right to request restrictions on uses and disclosures
  - Plans are not required to agree to requested restrictions
  - Right to request a more confidential mode of communication

Slide 18: Member Rights
- Right to access PHI
  - Members have the right to access, inspect, and copy their health information
  - Strict deadlines and procedures

Slide 19: Member Rights
- Right to amend PHI
  - Plans may deny a request for amendment if the PHI was not created by the plan, or is accurate and complete

Slide 20: Member Rights
- Right to an accounting of certain disclosures of PHI made by the plan during the previous six years
  - Exceptions (for example, disclosures for TPO and disclosures to the individual need not be accounted for)

Slide 21: Administrative Requirements
- Appoint a privacy officer
- Designate a contact person or office responsible for receiving privacy-related complaints

Slide 22: Administrative Requirements
- Plan workforce training
  - On the plan’s policies and procedures
  - Combine with Security Rule training

Slide 23: Administrative Requirements
- Privacy safeguards
  - Install appropriate administrative, technical, and physical safeguards
  - Scalability: the required safeguards scale with the size and resources of the plan
  - Intersection with the Security Rule

Slide 24: Administrative Requirements
- Complaints
  - Process
  - Documentation

Slide 25: Administrative Requirements
- Sanctions
  - Establish and apply appropriate sanctions against plan workforce members who violate the plan’s privacy policies or the Privacy Standards

Slide 26: Administrative Requirements
- Mitigation
  - Mitigate, if practicable, any harmful effect resulting from a violation of the plan’s policies and procedures or the Privacy Standards

Slide 27: Administrative Requirements
- Privacy policies and procedures

Slide 28: Firewall Requirements
- HIPAA applies to health plans, not to plan sponsors (employers)
- For this reason the Standards focus on plans, and force plans to impose certain requirements on plan sponsors

Slide 29: Firewall Requirements
- Plan sponsors may access identifiable health information only for plan administration purposes

Slide 30: Firewall Requirements
- Plan sponsors may NOT access PHI for employment-related actions without written permission (an authorization) from the plan member

Slide 31: Firewall Requirements
- Clarification: employment records held by the employer in its role as employer are not Protected Health Information

Slide 32: Firewall Requirements
- Plan documents
  - If plan sponsors receive PHI other than summary health information and enrollment/disenrollment information, they must amend their plan documents to include specified terms, including:

Slide 33: Plan Documents
- The group health plan (GHP) may disclose PHI to the plan sponsor (PS) only if the plan documents have been amended to include:
  - How the plan sponsor may use and disclose PHI

Slide 34: Plan Documents
  - PS agrees not to use or further disclose the information other than as permitted or required by the plan documents or as required by law

Slide 35: Plan Documents
  - PS agrees not to use or disclose PHI for employment-related actions or in connection with any other benefit or employee benefit plan of the plan sponsor

Slide 36: Plan Documents
- Plan documents also must establish “adequate separation” between the GHP and the PS by
  - Describing the employee positions (or classes of employees) who may access PHI
    - Limited to employees who use PHI for payment or health care operations of the plan

Slide 37: Plan Documents
  - Plan documents also must provide an effective mechanism for resolving issues of noncompliance by those designated persons

Slide 38: Firewall Requirements
Reminder:
- Written authorization from the member is required for disclosure of PHI (related to the health plan) to a plan sponsor for
  - Employment-related actions
  - Actions relating to any other benefit or plan (including workers’ compensation) maintained by the plan sponsor

Slide 39: Insured Plans
- Insured plans that do NOT receive PHI (other than summary health information and enrollment/disenrollment information) are exempt from many requirements, including:

Slide 40: Insured Plans
- Exempt from:
  - Privacy officer
  - Workforce training
  - Privacy safeguards
  - Complaints
  - Workforce sanctions
  - Mitigation

Slide 41: Insured Plans
- Exempt from:
  - Policies and procedures
  - Notice of privacy practices
  - Member rights of access, amendment and accounting
- Why? Individuals enrolled in these plans have these rights through the insurer/HMO

Slide 42: Insured Plans
- Do you create or receive PHI?
  - From the administrator/insurer?
  - From plan members? E.g., plan sponsor assistance with claims
- Keep plan sponsor employees outside the plan firewall; once they receive PHI, the exemptions above no longer apply

Slide 43: Policies and Procedures
- What types of plan policies and procedures are needed?
  - Overall privacy policy addressing handling of PHI and “adequate separation”

Slide 44: Policies and Procedures
  - Plan member rights (detailed)
  - Plan member privacy complaints
  - Plan workforce training
  - Privacy-related workforce sanctions

Slide 45: Policies and Procedures
  - Policy on safeguards for protecting PHI (detailed)
  - Policy on plan documentation and retention of certain records
  - Policy on authorizations (including the authorization form)

Slide 46: Selected Issues
- Re-negotiation of third party administrator (TPA) agreements
  - Add the required business associate terms
  - Consider adding or modifying other related terms

Slide 47: Selected Issues
- Can a self-funded plan use a TPA for all required tasks and not have policies and procedures, a privacy officer, etc.?
  - No. You can delegate tasks, but you can’t delegate all HIPAA responsibilities; the plan remains the covered entity

Slide 48: Compliance Dates
- Small health plans (annual receipts of $5 million or less): April 14, 2004
- Other (not small) health plans: April 14, 2003

Slide 49: Penalties
- Violating the Privacy Rule can create both civil and criminal liability
  - “Nice HIPAA” (civil)
  - “HIPAA for crooks” (criminal)

Slide 50: Penalties (amounts as in effect at the time of this December 2003 presentation)
- Civil penalties: $100 per violation
  - Capped at $25,000 per person, per year, per standard

Slide 51: Penalties
- Criminal penalties: up to $250,000 and prison sentences of up to 10 years if the offense is committed with intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm

Slide 52: Case Law
- In May 2001, a federal judge noted that although compliance was not required until April 2003, the HIPAA privacy regulations are “persuasive in that they demonstrate a strong federal policy of protection for patient medical records.” (U.S. v. Sutherland)
- The judge applied the HIPAA regulations to that case
- Another judge did the same

Slide 53: Enforcement
- A new “standard of care” for how health plans (and employers) should handle identifiable health information?

Slide 54: Contact
Beth L. Rubin, Dechert LLP, 4000 Bell Atlantic Tower, 1717 Arch Street, Philadelphia, PA. Slides: (look up “Rubin” under “Lawyers”)