GW&T © 2002 Garfunkel, Wild & Travis, P.C. 263907 1 HIPAA: What University Counsel Needs to Know -- The Basics NATIONAL ASSOCIATION OF COLLEGE AND UNIVERSITY.

Presentation transcript:

1 GW&T © 2002 Garfunkel, Wild & Travis, P.C. 263907 1 HIPAA: What University Counsel Needs to Know -- The Basics
NATIONAL ASSOCIATION OF COLLEGE AND UNIVERSITY ATTORNEYS 42ND ANNUAL CONFERENCE
June 27, 2002
Judith A. Eisen, Esq.
Garfunkel, Wild & Travis, P.C.
111 Great Neck Road, Great Neck, New York 11021
(516) 393-2220
Email: Jeisen@gwtlaw.com

2 GENERAL OVERVIEW/STRUCTURE OF HIPAA

3 HIPAA applies to “Covered Entities”
General Category: Possible University Application
• Health Care Providers who carry out at least one “Covered Transaction”: Health Care Facilities – Hospitals, etc.; Faculty Practice Plan; Student Health Center; Health Professional Training Programs; Psychology Clinics; Dental Clinics; EAP
• Health Plans: Group Health Plan for employees or students; Self-insurance health plan for employees or students
• Health Care Clearinghouses: Faculty Practice Plan Billing Company

4 HIPAA Administrative Simplification Provisions
Final Privacy Regulations (Published December 28, 2000)
Proposed National Provider Identifier (Published May 7, 1998)
Proposed National Employer Identifier (Published June 16, 1998)
Proposed Security Standards (Published August 12, 1998)
Final Electronic Transaction Standards (Published August 17, 2000)
Effective: October 16, 2000
Full Compliance due by October 16, 2002 (1)
Effective: April 14, 2001
Full Compliance due by April 14, 2003
(1) Congress recently passed new legislation which will allow health care providers, health plans and health care clearinghouses to delay compliance for one full year until October 16, 2003 for HIPAA’s electronic transaction standards – if they apply for an extension.
Proposed National Payor Identifier (not yet published)
Expected to be Finalized June, 2002
Proposed National Individual Identifier (Tabled Indefinitely)
Expected to be Finalized August 2002

5 Effect of HIPAA on State Law and Other Federal Law
General Rule: The privacy regulations preempt any contrary provisions of State law or regulations.
General Exception: State law that is more stringent or grants greater rights to patients will survive HIPAA.
General Rule: HIPAA co-exists with other Federal law, e.g., Common Rule for Human Subject Research.
Special Exception: FERPA

6 ELECTRONIC TRANSACTION AND CODE SET STANDARDS

7 Purpose of the Electronic Transaction Standards
To promote efficiencies in the health care industry by:
• Encouraging the use of electronic data exchanges for health care transactions
• Simplifying health care transactions by establishing standards

8 General Rule
If a Covered Entity (either itself or through an agent) conducts a Covered Transaction electronically, the transaction must be conducted using the HIPAA form.
“Covered Transactions” include:
• Submission of claims for payment
• Checking eligibility
• Enrollment and disenrollment
• Checking claims status
• Referrals and pre-certification
• Claims attachments
• Payment and claims remittance
• Coordination of Benefits

9 What Does It Mean To Standardize A Transaction?
• Standardized Formats
• Standard Data Content
• Standard Codes

10 One Year Extension
• Covered Entities may request a one year extension of the compliance date for the transaction standards (until October 16, 2003).
• To request an extension, Covered Entities must submit a compliance plan to DHHS.
• Failure to conform to new standards or request an extension by October 16, 2002 can mean:
  - Termination from Medicare Program
  - Claims denials

11 SECURITY STANDARDS

12 Security Risks
1. Human Error
2. Nature (fire, earthquake, flood)
3. Technological Problems
4. Deliberate Security Breaches

13 GENERAL COMMENTS
• Still in Proposed Form.
• In current form, may apply to health care providers who do not carry out a Covered Transaction.
• Not Technology Specific.
• Scalability.
• Overlap with Privacy.

14 What Do The Security Regulations Require?
• Administrative Procedures: To protect health information and manage the conduct of personnel.
• Physical Safeguards: To protect physical computer systems and related buildings and equipment.
• Technical Security Services: Controlling access to health information at rest and in motion.

15 HIPAA PRIVACY: POLICY and PITFALLS

16 GENERAL POLICIES UNDER PRIVACY STANDARDS

17 General Policy: A Covered Entity may not use or disclose Protected Health Information (“PHI”) except as permitted by the privacy regulations.
• PHI is individually identifiable health information in any form or medium (written, electronic or oral) created or received by a Covered Entity

18 CONSENT
• General Policy: If a general written consent is obtained, a Health Care Provider may use or disclose PHI for “TPO”:
  - Treatment (provision, coordination, management of healthcare)
  - Payment (actions to obtain payment for services)
  - Health Care Operations (internal day-to-day business operations – QA, UR, peer review, customer service, etc.)
• The consent is effective indefinitely unless revoked in writing
* Note: On March 27, 2002, HHS published proposed changes to the Privacy Rules, including deletion of the consent requirement and addition of an acknowledgment of receipt of privacy notice.

19 AUTHORIZATION
• General Policy: If use or disclosure is not for TPO, a Covered Entity may not use or disclose PHI without a more specific authorization.
Examples:
  - Research
  - Marketing
  - Fundraising

20 PRIVACY PITFALLS

21 BUSINESS ASSOCIATES
A. Perform a function involving use or disclosure of PHI on behalf of a Covered Entity; or
B. Perform legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a Covered Entity involving the disclosure of PHI.

22 EXAMPLES OF BUSINESS ASSOCIATES:
• Billing Companies
• Computer Vendors
• Accreditation organizations (e.g., JCAHO)
• Medical Equipment Vendors
• Management or Administrative Service Providers, etc.
• Attorneys, Accountants, Auditors, Actuaries
• Consultants
• Document Storage and Destruction or Conversion Companies

23 BUSINESS ASSOCIATE CONTRACT:
• Restricts use and disclosure of PHI
• Requires appropriate safeguards
• Requires similar cooperation by its subcontractors
• Requires BA to report breaches
• Requires BA to fix breaches or risk termination of contract

24 Marketing
General Marketing Rule: A Covered Entity may not use or disclose PHI for “marketing” without an authorization.
Definition: Written or oral communication made for the purpose of encouraging the recipients of the communication to purchase or use a product or service.

25 Fundraising
General Rule: A Covered Entity may use certain demographic information and dates of service for the purpose of raising funds for its own benefit without an authorization.
Note: Individual must be able to “opt-out” of future communications.

26 Uses and Disclosures for Research Purposes
• Must obtain patient authorization unless:
  - Meet certain criteria for a waiver; or
  - Meet one of HIPAA’s exceptions
• New role for Institutional Review Board (IRB)

27 Special “Carrier” Concerns
• Students in Health Care Professional Training Programs
  - Student Access to PHI
  - Student Discipline
• Researchers involved in Human Subject Research

28 Hybrid Entity
Qualifications:
• Single legal entity
• Primary business is not healthcare*
University Must:**
• Identify healthcare components
• Identify components that act as business associates to HC components
• Erect firewalls between health care and non-health care components
• Ensure compliance by health care components
* Proposed changes do not require that non-covered functions be primary purpose
** Proposed changes would require that health care proponents conduct a Covered Transaction electronically.

29 Joint Consent and Notice Concepts
• Single Affiliated Covered Entity: designating Covered Entities under “common control” or ownership as a single Covered Entity
  Ex: Commonly owned healthcare facilities in health system
• Organized Health Care Arrangement: two or more Covered Entities in a clinically integrated setting or a joint venture
  Ex: hospital and its voluntary medical staff
• Both arrangements:
  - Permit combined consent and privacy notice
  - Permit sharing of PHI
  - Negate Business Associate relationship

30 University as Employer
• Clarification under proposed changes to privacy rule: “Employment records” held by a CE in its role as an employer are not covered by privacy regulations. (FMLA, Disability, Non-Health Benefit Plans)
• University student health clinics may provide health care to employees and faculty
• EAPs may be Health Care Providers
• Group Health Plans (medical, dental, vision)
  - Commercial – defined insurer or HMO
  - Self-insured – with or without TPA

31 Group Health Plans
• Group Health Plans must comply with:
  - Privacy rules (with some minor exceptions)
  - Security rules
  - TCS rules (must be prepared to carry out transactions electronically)
• For commercial plans – insurer or HMO ensures compliance
• For self-insured plans – TPA or Plan itself must ensure compliance.
• Plan sponsor that receives PHI from Plan/insurer must:
  - Keep PHI confidential
  - Not use PHI for employment purposes
  - Amend Plan documents

32 Administrative Requirements of the Privacy Regulations
• Policies related to the Minimum Necessary Rule
• Adoption of Policies and Procedures
• Safeguards
• Designation of a Privacy Officer
• Privacy Notices
• Complaints
• Accountings*
• Amendments to PHI
• Training for all personnel
• Sanctions
• Mitigation
• Documentation/Retention of Records (for 6 years)
* Note: Proposed changes would eliminate the need to account for disclosures where an authorization was obtained.

33 PENALTIES AND ENFORCEMENT: Both individuals and entities can incur civil and/or criminal liability for violating HIPAA.

34 Civil Penalties: Fines up to $100 per violation; maximum of $25,000 in each calendar year for identical violations
Criminal Penalties For “Knowing Misuse” of PHI: Three Degrees:
• Simple violations: fine of up to $50,000 plus prison of up to 1 year.
• False pretenses: fine of up to $100,000 plus prison of up to 5 years.
• For gain or harm: fine of up to $250,000 plus prison term of up to 10 years.

35 HIPAA Compliance
STAGE I: Organize and Educate
STAGE II: Analyze and Compare
STAGE III: Plan and Implement
STAGE IV: Audit and Monitor

36 DISCUSSION/QUESTIONS

