1 Today’s webinar will begin shortly
Today’s webinar will begin shortly. We are waiting for attendees to log on.

Presented by: Tabatha George
Phone: (504)

Please remember, employment and benefits law compliance depends on multiple factors – particularly those unique to each employer’s circumstances. Numerous laws, regulations, interpretations, administrative rulings, court decisions, and other authorities must be specifically evaluated in applying the topics covered by this webinar. The webinar is intended for general-information purposes only. It is not a comprehensive or all-inclusive explanation of the topics or concepts covered by the webinar.

2 What Employers Need to Know About HIPAA and HITECH
Tabatha George Fisher Phillips, LLP

3 Back to the Basics

4 HIPAA: Health Insurance Portability and Accountability Act of 1996
- Title I: Portability and Nondiscrimination
- Title II: “Administrative Simplification”
  - Includes the Privacy and Security Rules

5 HITECH and the Omnibus Rule
The Health Information Technology for Economic and Clinical Health Act of 2009 was passed to create a national network of electronic health records. Among other things, it changed:
- Business Associate liability
- Breach analysis and notification
- Enforcement
The Omnibus Rule followed.

6 Who must comply?
- Group Health Plans
  - Includes medical, dental, vision, health FSAs, HRAs, some EAPs
  - Does not include workers comp, life insurance or disability plans
  - Excluded if <50 participants, self-funded and self-administered
- Health Care Providers
  - Who transmit health information in electronic form in connection with specific transactions
- Health Care Clearinghouses
Does Not Include Employers, Just Their Plans

7 Who else must comply?
Business Associates are service providers that perform a function or activity for a Covered Entity:
- TPA
- Attorney
- Broker
- Actuary
- Accountant
- Service providers

8 Fully-insured Plans
Most fully-insured plans will attempt to keep a “hands off” approach
- Summary Health Information
- Claims assistance
- Enrollment data
- FSAs and HRAs

9 Self-insured Plans

10 What does it mean to comply?

11 Compliance Obligations
- Safeguard PHI and ePHI
- Adhere to use and disclosure requirements
- Allow individuals to exercise individual rights
- Provide Privacy Notice, if applicable
- Fulfill administrative requirements
  - Amend plan document (Plan Sponsor)
  - Execute Business Associate agreements

12 Protected Health Information

13 Protected Health Information (PHI)
Individually-identifiable health information created or received by a Covered Entity or Business Associate which relates to past, present, or future health care or payment for health care.
- Excludes employment records
  - pre-employment drug screens, sick leave requests, fitness-for-duty examinations, ADA or FMLA records, doctor’s note from employee
  - Examine source, purpose and use to determine whether a document is an employment record
- PHI that is sent or stored electronically is ePHI

14 Electronic PHI (ePHI)
PHI maintained or transmitted in electronic form.
- Electronic storage media
  - Computer hard drive, digital memory card, mobile devices
- Electronic transmission media
  - Extranet, leased lines, private networks
  - Physical movement of electronic storage media
Faxes, telephone calls, video conferencing, and voicemail are not typically ePHI

15 You have PHI. Now what?

16 Use and Disclosure Rules: The Minimum Necessary Standard
- Covered Entity/Business Associate must limit disclosure of PHI to the minimum necessary
- Only employees with a need to know may have access
  - Identify employees who need access to PHI and limit access to those employees and the specific PHI necessary for them to perform their job function
- Requests: establish policies and procedures limiting PHI disclosure to the amount and type necessary

17 Use and Disclosure Rules: Authorizations
- Must obtain Authorization for most uses and disclosures of PHI other than those allowable for enrollment tracking, treatment, payment or health care operations.
- Authorization must describe the particular purpose and must contain specific elements.
- Must be revocable, in writing and voluntary, and the individual must receive a copy
- Get Authorization for Claims Assistance to assist employees with plan claim denials
- Employer may need Authorization to get PHI from doctors for employment purposes (FMLA Leave, Workers Comp, hardship distributions)

18 Use and Disclosure of PHI Allowed Without an Authorization
- Treatment
- Payment
  Activity undertaken to fulfill plan responsibility for provision of benefits or obtain reimbursement for health care. Includes eligibility and coverage determinations, adjudication of benefit claims, coordination of benefits, determining cost-sharing, risk adjusting, billing, premium collection, claims management, medical necessity, cost review and utilization review.
- Healthcare Operations
  Activities directly related to treatment or payment. Includes internal quality oversight review, credentialing, legal services, audit functions, general administration, placing reinsurance, underwriting renewal or replacement of a contract of health insurance.
- Other Disclosures
  To the individual, Business Associates, or as required by law
  Emergencies

19 Other HIPAA Requirements

20 Privacy Notice Content
- Specific content and format
  - Describes rights, plan duties and types of disclosures available without an Authorization
  - HHS has prepared a model notice
- New participants receive upon enrollment
- Send revised Notice within 60 days of material change
- Remind participants every 3 years of Notice availability
- Copy on intranet and paper copy must be available

21 Individual Rights
- Right to Request Restrictions on Use or Disclosure
- Right to Access PHI to copy/inspect
- Right to Amend
- Right to an Accounting of Uses and Disclosures
- Right to Limit PHI re: Out of Pocket Care

22 Execute a Plan Amendment
- Must amend plan if Plan Sponsor receives more than Summary Health Information (SHI) or uses SHI beyond limited purposes
- Plan document must incorporate HIPAA Privacy provisions
- Plan Sponsor must certify its adoption of and compliance with the amendment

23 Execute BAAs
- Covered Entity must identify Business Associates and obtain assurances that the Business Associate will protect PHI and ePHI that it uses or discloses on behalf of the Covered Entity
- Specific content
- Effective February 17, 2010, Business Associates are also responsible for ensuring a BAA is in place.
- Effective September 23, 2013, Business Associates must get their subcontractors to agree in writing to safeguard PHI.
- DUAs

24 Security Rules

25 Security Rule Structure
- Security Rule requirements are called “Standards.”
- Each Standard has a general security requirement and identifies what a Covered Entity/Business Associate must do to meet the Standard (“implementation specifications”)
- Implementation specifications are either required (“R”) or addressable (“A”)
  - R = must be implemented as stated in the Security Regulations
  - A = addressable

26 Three Types of Safeguards
- Administrative Safeguards: Actions and policies to manage selection, development, implementation and maintenance of security measures to protect ePHI, and to measure conduct of the workforce in relation to protection of ePHI.
- Physical Safeguards: Concern the physical protection of data systems and data from intrusion and from environmental or natural hazards
- Technical Safeguards: Technology and policies for its use that protect ePHI and control access to ePHI

27 Annual Risk Assessment
- A risk assessment should be conducted every year
- A free interactive tool is available at: assessment

28 Best Practices for Compliance
- Designate Privacy & Security Officials
- Conduct annual risk assessment
- Maintain Written Policies
- Honor Individual Rights
- Audit both Privacy and Security Practices
- Maintain a Notice of Privacy Practices
- Obtain Individual Authorizations for non-plan functions
- Enter into agreements with Business Associates
- Amend your plan
- Report any breach

29 What is a Breach?

30 What is a Breach?
Unauthorized acquisition, access, use, or disclosure of unsecured PHI in a manner not allowed by the Privacy Rule which compromises the security and privacy of an Individual’s PHI.

PHI is unsecured if it is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology approved by HHS.

31 Causes of Breach: Curiosity

32 Causes of Breach: Theft
Stolen medical information is valuable
- Physical theft
- Phishing
- Viruses
- Ransomware

33 Causes of Breach: Carelessness

34 Breach Analysis After HITECH
The 2013 final rule to the HITECH Act provides that a covered entity or business associate must presume that an acquisition, access, use, or disclosure of PHI in violation of the privacy rule is a breach. This presumption holds unless the covered entity or business associate demonstrates that there is a “low probability” that the PHI has been compromised based on a risk assessment which considers at least the following factors:
- the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- the unauthorized person who used the PHI or to whom the disclosure was made;
- whether the PHI was actually acquired or viewed; and
- the extent to which the risk to the PHI has been mitigated.

35 Breach Procedures
- All unauthorized acquisition, access, use, or disclosure of PHI must be reported to the Privacy Official immediately.
- Notice to the Individual, Health and Human Services, and the Media may be required.

36 Consider state privacy laws
- Almost all states have their own privacy laws with respect to medical information
- Some laws defer to HIPAA
- Other states require additional reporting
- Laws are changing quickly

37 Final Questions
Presented by: Tabatha George
Phone: (504)

38 Thank You
Presented by: Tabatha George
Phone: (504)
