1 HIPAA Health Insurance Portability and Accountability Act Budgeting Effectively for Good Faith Compliance.

2 Through HIPAA, Congress intended to:
- Overcome “job lock” – the reluctance to move from one company to another for fear of losing health insurance
- Increase portability and access to health insurance
- Simplify health care administration

3 The Result of HIPAA was:
- Administrative Simplification = Uniformity of Electronic Transactions
- Standardized Electronic Transactions Highlighted the Need for:
  - Patient Privacy
  - Records Security

4 IMPACT
- Patient Privacy
- Records Security
- Significant Increases In Operating Costs
- U.S. Dept. of Health & Human Services estimates the industry cost for privacy compliance alone at $3.8 billion.
- The American Hospital Association estimates the cost of compliance at $22.5 billion over five years.

5 PENALTIES FOR NONCOMPLIANCE
General Penalty for Failure to Comply
- Each violation: $100.
- Maximum penalty for violations per standard may not exceed $25,000.
Wrongful Disclosure of Individual Health Information
- Basic offense: $50,000, imprisonment of not more than one year, or both.
- False Pretenses: $100,000, imprisonment of not more than 5 years, or both.
- Intent to Sell: $250,000, imprisonment of not more than 10 years, or both.

6 Establishing a “Good Faith” Compliance Effort
- Written compliance program/policies
- Employee training
- Revise vendor contracts
- Audit security procedures and upgrade as necessary

7 Covered Entities
- All health care providers and health plans are required to implement the standardized transactions and to comply with the new privacy and security rules.
- Employer group health plans with more than 50 participants are included.

8 Elimination of Local Codes: Seven Required Standardized Transactions
Parties: Provider, Payer, Plan Sponsor
- Patient Info/Eligibility Request (270)
- Response to Eligibility (271)
- Enrollment info (834)
- Authorizations & Referrals (Requesting Review 278)
- Authorization & Referrals (Response 278)
- Claims/Encounter (Claim 837) (Attachment 275 not yet mandated)
- Claim/Encounter (Attachment Request 276 not yet mandated)
- Claim Status (Request 276)
- Claim Status (Response 277)
- Claim Payment (Remittance Advice 835)
- Premium Paid
- Premium Payment (820)
Plan sponsors do not have to transmit information electronically. However, if they submit standard transactions 834 or 820, Payors and Providers will be required to accept such transactions.

9 Protected Health Information (“PHI”)
A convoluted regulatory definition:
All health information created and/or received by provider, health plan, health care clearinghouse, employer, life insurer or school or university that relates to the physical or mental health or condition of an individual, the provision of health care to that person, or to the payment for that person’s health care, which is sufficiently specific to identify the person, that is transmitted or maintained by a covered entity in any form (orally, on paper or electronically).

10 Privacy
Prohibits the USE or DISCLOSURE of PHI unless PERMITTED or REQUIRED by HIPAA

11 Patient Consents
- New requirements for format and content mandated.
- Old consent forms for treatment, payment or health care operations will not comply.
- New, broad-form consent now needed for peer reviews, medical training, quality assurance, etc.

12 Restricted Use of Patient Information
- Affects information used in patient directories.
- Affects consultations with and disclosures to family members.
- Numerous exceptions: child abuse, domestic violence, research, licensure and disciplinary actions.
Note: HIPAA pre-empts state law unless state law is more restrictive, e.g. HIPAA would allow disclosure of a patient’s religious affiliation, but that is prohibited in Tennessee.

13 Written Authorization Required in Addition to Consent
- Any use or disclosure of Psychotherapy Notes requires written authorization.
- Use of PHI in marketing or fundraising activities may require written authorization.

14 Umbrella Rule
- Superimposed over all of the new HIPAA regulations is the concept that in using, disclosing or requesting PHI, all covered entities must make reasonable efforts to limit it to the “Minimum Necessary”.
- Non-routine uses and disclosures will require case-by-case analysis.

15 Vendor Contracts
Covered Entities will be non-compliant unless they execute written agreements with their vendors which cover specific provisions concerning HIPAA compliance.
- A general HIPAA compliance clause is not sufficient for contracts with Business Associates of Covered Entities.
- Vendor contracts must specifically address the limited use and disclosure of PHI as well as other listed vendor obligations.
- Indemnification provisions for failure to comply should be considered.

16 Notice of Privacy Practices
- Among the new “Patients’ Rights” created by HIPAA.
- Must be written in “plain language” and carefully worded.
- Important to include the ability to change a provider’s privacy practices.
- Providers may be required to comply with specific patient instructions, even if given orally or to non-medical office personnel.
  – e.g. sending patient information via or fax or to a specific address
- Additional Patients’ Rights include access to PHI, medical records, accounting of disclosures.
- Computer system must be capable of creating an audit trail of all PHI disclosures and of retaining records for 6 years.

17 Administrative Requirements: A Potential Budgetary Nightmare
- Appoint a privacy officer and complaint officer
- Overhaul compliance manual to require HIPAA Compliance
- Employee training: privacy and security awareness
- Institute a formal complaint mechanism
- Audit technical and physical safeguards
- Institute sanctions for failure to comply
- Include mitigation procedures to reduce harmful impact of known violations

18 INCREASED SECURITY OF PHI
All Covered Entities must establish and maintain appropriate policies and procedures to safeguard the confidentiality of their patients’ health information. This includes:
- Administrative procedures
- Physical safeguards
- Technical security services and mechanisms

19 Review and Upgrade Administrative Procedures
- Revise written policies and procedures for each area or department (e.g., for physical security, personal security, procedural security, etc.)
- Require security training for all personnel
- Require “Chain of Trust Partner Agreements” with those with whom you share PHI

20 Review and Upgrade Physical Safeguards
Restrict access to PHI
- building/physical plant
- work stations, files
- computers, computer screens and printers

21 Review and Upgrade Technical Security
- Authentication – to verify that the person transacting business electronically is in fact who they claim to be
- Encryption – to scramble data so it is non-recognizable
- Non-Repudiation – to prevent the person performing a data transmission from denying that it was that person who sent the data

22 Comprehensive Compliance Services Provided by Miller & Martin LLP
Phase I Package Includes:
- Vendor contract review and amendment
- Revision of written policies and procedures to include HIPAA compliance
- Revised patient privacy, notices, consents and authorization forms
- “Chain of Trust Partner Agreements”
- Employee training
Package Services also provided separately and additional services provided as needed

23 Joint Services Provided by Miller & Martin LLP and G.A. Sullivan
- Privacy procedures audits
- Security procedures audits
- Review and upgrade of computer systems for HIPAA compliance
- IT personnel training and assistance

24 HIPAA Practice Group
- With 14 firm member representatives of each regional office, Miller & Martin’s HIPAA practice group includes attorneys who specialize in healthcare, corporate law, labor and employment, litigation and government relations.
- We believe a cross-disciplinary approach will help you tackle the complexities of HIPAA in a more comprehensive and cost-effective manner.
- For more information concerning the individual members of Miller & Martin’s HIPAA practice group, click on the HIPAA icon at

25 HIPAA
For further information, please contact CLAY PHILLIPS or CHRISTIE GROT
MILLER & MARTIN LLP