HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) 252-9321; Victoria Nemerson.

Presentation transcript:

HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) ; Victoria Nemerson Vice President Compliance Ceridian (904) ;

CONCERNS REGARDING HEALTH INFORMATION
- Need for protection of individual health information
- Potential for abuse
- Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)

HIPAA
General Rule: “Covered entities” may not use or disclose an individual’s “protected health information” without the authorization of the individual unless specifically required or allowed by the privacy regulation.

What are the Purposes of the Privacy Rule?
Consumer Control Over Health Information
- Patient education on privacy protections.
- Ensuring patient access to medical records.
- Receiving patient consent before information is released.
- Providing recourse if privacy protections are violated.

What are the Purposes of the Privacy Rule?
To Establish Boundaries on the Use and Release of Medical Records
- Ensuring that health information is not used for non-health purposes.
- Providing the minimum amount of information necessary.

What are the Purposes of the Privacy Rule?
To Ensure the Security of Personal Health Information
- Adopt written privacy procedures.
- Train employees and designate a privacy officer.

What are the Purposes of the Privacy Rule?
- To Establish Special Protection for Psychotherapy Notes
- To Preserve Existing, Strong State Confidentiality Laws

What are the Purposes of the Privacy Rule?
To Establish Accountability for the Use and Release of Medical Records
- Civil penalties
- Federal criminal penalties

CIVIL PENALTIES
$100 PER VIOLATION, UP TO $25,000 PER PERSON, PER YEAR FOR EACH REQUIREMENT OR PROHIBITION VIOLATED

CRIMINAL PENALTIES
- UP TO $50,000 AND 1 YEAR IN PRISON FOR OBTAINING OR DISCLOSING PHI
- UP TO $100,000 AND UP TO 5 YEARS IN PRISON FOR OBTAINING PHI UNDER “FALSE PRETENSES”

CRIMINAL PENALTIES
- UP TO $250,000 AND UP TO 10 YEARS IN PRISON FOR OBTAINING OR DISCLOSING PHI WITH THE INTENT TO SELL, TRANSFER OR USE IT FOR COMMERCIAL ADVANTAGE, PERSONAL GAIN OR MALICIOUS HARM

What Information Is HIPAA Designed to Protect?
Protected Health Information (“PHI”)
Protected Health Information encompasses all individually identifiable health information transmitted or maintained by a covered entity, regardless of form.

“PHI”
“Covered Entity”
A health plan, a health care provider, and health care clearinghouse.
Note: Employers are NOT “covered entities.”

“PHI”
“Health Plan”
- Any plan or program that provides or pays the cost of medical care.
- Health care provider
- Health care clearinghouse

How Do the HIPAA Rules Impact a Health Plan?
- HIPAA does not apply to small-employer administered health plans (those with less than 50 participants).
- The HIPAA requirements are more stringent for self-funded plans than for fully-insured plans.
- Concerns with the sharing of information between the plan, employer and vendors.

What Must a Self-Funded Plan Do to Insure Privacy?
PHI can only be disclosed to the plan sponsor if the plan sponsor certifies that it will only use the information in accordance with the HIPAA rules. The sponsor:
- cannot use or disclose PHI except as permitted by the plan or required by law;
- must ensure that agents and vendors who receive PHI agree to the same restrictions;
- cannot use or disclose PHI for employment-related actions or for other benefit plans;

What Must a Self-Funded Plan Do to Insure Privacy? (cont.)
- report to the Plan any violation of the privacy requirements;
- make PHI available to individuals as required by HIPAA;
- allow individuals to amend their PHI (by appending);
- provide individuals with an accounting of disclosures of PHI;

What Must a Self-Funded Plan do to Insure Privacy? (cont.)
- make its practices available to the government to determine compliance;
- return or destroy PHI received from the plan that the sponsor maintains in any form and retain no copies of such information no longer needed for the purpose for which the disclosure was made;

What Must a Self-Funded Plan do to Insure Privacy? (cont.)
- ensure that security procedures have been established that:
  (1) identify employees or classes of employees who will have access to PHI;
  (2) restrict access solely to those individuals for the functions performed for the plan; and

What Must a Self-Funded Plan do to Insure Privacy? (cont.)
  (3) provide a mechanism for resolving issues of noncompliance.

What Must a Self-Funded Plan do to Insure Privacy?
Plan documents must be amended to include required provisions

What Must a Self-Insured Plan do to Insure Privacy?
Privacy policies must be developed to ensure that only the amount of information reasonably necessary to achieve the purpose of the disclosure is provided to a third person.

What Must a Self-Funded Plan do to Insure Privacy?
- THE NOTICE MUST BE PROVIDED PRIOR TO APRIL 14, 2003 (APRIL 14, 2004 FOR SMALL HEALTH PLANS) TO ALL PARTICIPANTS, AND TO NEW ENROLLEES AT ENROLLMENT.
- Material changes must be communicated within 60 days.

What Must a Self-Funded Plan do to Insure Privacy?
Privacy Official/Training
- A privacy official must be designated for developing and implementing HIPAA-required policies and procedures.
- Training (including an ongoing program for new employees) on handling PHI must be provided for each employee performing health plan administrative functions.

What Must a Self-Funded Plan do to Insure Privacy?
Business Associates
- New contract provisions limiting vendor use and disclosure of PHI and requiring compliance with HIPAA will be required.

What Must a Self-Funded Plan do to Insure Privacy?
Participant Complaints
- Policies and procedures must be developed and communicated, and records must be maintained.
- Retaliation for complaints is prohibited.

What Must a Fully Insured Medical Plan do to Comply?
- The sponsor generally can rely on information and policies developed by the insurer, unless it receives PHI.
- Sponsors must review the rules with insurers to verify compliance.

Can Protected Information Be Shared Among Plans?
CONSENT IS REQUIRED!

Does HIPAA Apply To Flex Plans?
YES!

What Must Health Providers and Clearinghouses Do to Comply?
- Providers and clearinghouses must comply with the rules in a similar manner to prevent disclosure of PHI
- Disclosure pursuant to authorizations must be limited to the amount “reasonably necessary”
- Contracts with other entities must be revised and business associate agreements drafted

Conclusions Compliance with the HIPAA privacy requirements will be complex and expensive and may require significant cultural and procedural changes. Employers must reevaluate programs/plans and perform a cost/benefit analysis in light of the new compliance costs. Immediate ACTION is required!