
HIPAA Privacy: Establishing a Compliance Plan
Mazursky & Dunaway LLP, Monarch Tower, Suite 2400, 3424 Peachtree Road, Atlanta, Georgia 30326-1118




Slide 1: HIPAA Privacy: Establishing a Compliance Plan (title slide)
Mazursky & Dunaway LLP, Monarch Tower, Suite 2400, 3424 Peachtree Road, Atlanta, Georgia 30326-1118

Slide 2: Presented by Randall D. Grayson
A Human Resources Law Firm
Monarch Tower, Suite 2400, 3424 Peachtree Road, Atlanta, Georgia 30326-1118
Main: 404.888.8820 | Direct: 404.888.8852 | Fax: 404.926.2952 | rgrayson@mdllp.com

Slide 3: HIPAA Privacy Presentation Outline
I. Overview of HIPAA Privacy Regulations
II. Organizing the Privacy Compliance Project
III. Key Components of the Privacy Project

Slide 4: The Three Elements of HIPAA
- Privacy
  – Individual rights to control health information
  – Restrictions on uses and disclosures
- Security
  – Limited access to electronic systems
  – Physical controls
- Electronic Data Interchange
  – Standardized code sets for transactions
  – Uniform Medicare and Medicaid claims

Slide 5: Where Are We Now?
- Administrative Simplification Act delays the effective date for Electronic Data Interchange Standards
  – Request for extension and compliance plan were due October 16, 2002
- Final Security regulations published Tuesday, Feb. 18
- Privacy Amendments finalized August 2002
- Standardized electronic identifier standards slowly appearing
  – EIN to identify employers

Slide 6: HIPAA Privacy Regulations: The Big Picture
- Regulations are applicable to:
  – Health plans
  – Health care providers
  – Health care clearinghouses
- April 14, 2003 effective date for large health plans (50 or more participants, $5 million in annual receipts)

Slide 7: What is a Small Health Plan?
- Insured plans: receipts = total premiums
- Self-funded plans: receipts = claims paid + administrative fees
  – Does NOT include premiums for stop-loss insurance
- If you are under the receipts test, HHS guidance suggests that the number of participants does not matter
- Small health plans have an extra 12 months to comply

Slide 8: HIPAA Privacy Rule
"Covered Entities" may not use or disclose an individual's "Protected Health Information" without written authorization, except for certain specified purposes.

Slide 9: Where Do Employers Fit In?
- Plan sponsors are not covered entities
- Plan administrators are covered entities
- New regulations exclude "employment records" from privacy requirements
- Focus on the purpose and need for individually identifiable health information to determine covered or not covered activities

Slide 10: Where Do Group Plans Fit In?
- Employers acting as plan administrators are covered entities
- A self-funded plan must comply, depending on the level of plan administration
- The insurer is deemed the "health plan" covered entity in a fully insured health plan
- An employer may receive protected health information even if not administering a plan

Slide 11: Common Plan Administration Issues
- Employee concerns or questions
- Enrollment forms requesting health information
  – Pre-existing condition exclusion review
- Benefits Committee resolving appeals
- Claim payment audits

Slide 12: Employment Records Exclusion
- Employment records held by a covered entity in its role as an employer
- The standard was intentionally broad and vague
- Focus is on the reason for which the employer/covered entity obtained the information, e.g.:
  – Processing an appeal under the group health plan
  – Certifying a request for sick leave

Slide 13: Why Covered Entity Status Might Not Matter
- Employment laws contain other restrictions on the use of medical information
  – ADA calls records a "confidential medical record"
- Preemption analysis
  – More stringent state laws are not preempted by HIPAA Privacy requirements
  – Tort law (e.g., invasion of privacy) could be a more stringent state law
  – HIPAA provides a road map for the negligence standard

Slide 14: Exclusion for Enrollment Information
- A Covered Entity can share enrollment information with a Plan Sponsor (Employer) without authorization
- If the Plan Sponsor provides enrollment information, the Covered Entity must treat it as protected health information

Slide 15: HIPAA Privacy Definitions
- Protected Health Information (PHI) is:
  – Individually identifiable information (oral or recorded in any form or medium)
  – Created, maintained or received by a health plan or provider
  – Related to the past, present or future physical or mental condition of an individual, or the provision of or payment for health care for an individual
- Employers can receive PHI without authorization if:
  – Health plan documents are amended to impose specified limits on the use and disclosure of PHI
  – PHI is used for purposes of claim appeals, audits or other administrative purposes (TPO)

Slide 16: HIPAA Privacy Definitions
- Permitted uses of PHI without authorization:
  – Treatment = medical care
  – Payment = claims processing and appeals
  – Operations = underwriting, cost containment; internal grievances, medical peer review; quality assessment, utilization review; accreditation, licensing, credentialing
- Key for TPO use is the Notice of Privacy Practices

Slide 17: HIPAA Privacy Definitions
- Notice of Privacy Practices
  – If the plan sponsor uses PHI, it must create its own Notice
- Consent
  – A health provider is no longer required to get consent for each service
  – Consent may be obtained; state laws may be applicable
- Authorization
  – Individual written authorizations permitting a particular use of PHI (marketing or research)

Slide 18: HIPAA Privacy Definitions
- Business Associates
  – Consultants, claims administrators, actuaries, etc.
- Business Associates who create or receive PHI must agree in writing to comply with HIPAA Privacy requirements, even if not otherwise a covered entity
- The new amendments contain sample language for business associate contracts

Slide 19: HIPAA Privacy Definitions
- Minimum Necessary
  – Applies even when utilizing PHI for appropriate purposes
  – Reasonableness standard
- De-Identified Information
  – Data that cannot reasonably identify an individual
  – Safe harbor by eliminating identifying characteristics
- Summary Health Information
  – De-identified health information with zip code data, used for underwriting, securing bids, etc.

Slide 20: De-Identified Information: The Named Identifiers
- Names
- Geographic subdivisions smaller than a State
- Dates related to the individual (birth, discharge, age over 89)
- Telephone or fax number
- E-mail address
- Social Security number
- Medical record number
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, license plates
- Device identifiers and serial numbers
- URLs
- Internet Protocol address
- Biometric identifiers (fingerprints)
- Photographs
- "Any other unique characteristic"
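The identifier list above is the safe-harbor checklist a plan's data handlers apply before treating a record as de-identified. The Python below is an added example written for this page; it is not code from the presenters or from any HIPAA library. It assumes a flat record with constructed field names (ssn, zip, birth_date, note, and so on) and, as assumptions the slide does not state, keeps only the year of a date and keeps the state of an address. It drops the listed direct identifiers, generalises ages over 89 and dates, scrubs identifier-shaped strings (URL, e-mail, SSN, phone, IP address, date) out of free text, and then re-checks the result for anything identifying that remains.

```python
import re

# Field names are constructed for this example; map a real schema onto them.
# Direct identifiers from the slide's list: removed outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "medical_record_number",
    "beneficiary_number", "account_number", "certificate_number",
    "vehicle_id", "license_plate", "device_serial", "url", "ip_address",
    "biometric", "photo",
}
# Geographic subdivisions smaller than a state: removed; "state" itself is kept (assumption).
GEO_FIELDS = {"street", "city", "county", "zip"}
# Dates related to the individual: generalised to the year (assumption, not from the slide).
DATE_FIELDS = {"birth_date", "admit_date", "discharge_date"}

# Identifier-shaped patterns scrubbed from free-text fields. Order matters:
# URL before e-mail and phone before IP so the longer match is taken first.
FREE_TEXT_PATTERNS = [
    ("url", re.compile(r"https?://\S+")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("phone", re.compile(r"\b\d{3}[.-]\d{3}[.-]\d{4}\b")),
    ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("date", re.compile(r"\b\d{4}-\d{2}-\d{2}\b")),
]


def generalise_age(age):
    """Ages over 89 are on the identifier list; collapse them into one bucket."""
    return "90+" if age > 89 else age


def generalise_date(iso_date):
    """Keep only the year of an ISO date (YYYY-MM-DD); assumption, not from the slide."""
    return iso_date[:4]


def scrub_text(text):
    """Replace identifier-shaped substrings in free text with a labelled marker."""
    for label, pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub(f"[{label} removed]", text)
    return text


def deidentify(record):
    """Return a copy of the record with the listed identifiers removed or generalised."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS or key in GEO_FIELDS:
            continue  # dropped entirely
        if key in DATE_FIELDS:
            out[key + "_year"] = generalise_date(value)
        elif key == "age":
            out[key] = generalise_age(value)
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out


def residual_identifiers(record):
    """Check step: list (field, reason) pairs that still look identifying."""
    found = []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS or key in GEO_FIELDS or key in DATE_FIELDS:
            found.append((key, "listed identifier field"))
        elif key == "age" and isinstance(value, int) and value > 89:
            found.append((key, "age over 89"))
        elif isinstance(value, str):
            for label, pattern in FREE_TEXT_PATTERNS:
                if pattern.search(value):
                    found.append((key, label))
    return found


# Constructed sample claim record (not real data).
SAMPLE_RECORD = {
    "name": "J. Doe",
    "ssn": "123-45-6789",
    "street": "1 Example Way",
    "zip": "30326",
    "state": "GA",
    "birth_date": "1931-05-02",
    "age": 91,
    "discharge_date": "2003-02-18",
    "diagnosis_code": "E11.9",
    "note": ("Called 404.555.0199 from 10.0.0.5, see https://portal.example.invalid/case?id=7 "
             "(jd@example.invalid); discharged 2003-02-18."),
}

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_RECORD)
    print(cleaned)
    print("residual identifiers:", residual_identifiers(cleaned))
```

Names, medical record numbers and similar values typed into free text are not caught by these patterns, which is why the slide's closing catch-all, "any other unique characteristic", still calls for human review of free-text fields. Note also slide 19's distinction: a record that keeps zip code data for underwriting is summary health information, not de-identified information, so the zip field is dropped here rather than generalised.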

Slide 21: A Model for Avoiding Privacy Regulations
- "Hands-off" plan administration
- De-identified health information only
- Clear contractual and plan delegation of administration responsibilities to Business Associates

Slide 22: A Model for Complying with Privacy Regulations
- Define and limit the employees with access to PHI
- Define permitted uses of PHI
- Create policies and procedures
- Notice of Privacy Practices
- Individual rights: correction, audit, review, complaint procedure

Slide 23: Special Issues
- Marketing
  – New drugs, treatments or benefits offered by an entity other than the insurer
  – Pharmaceutical advertising
- Physician, Hospital, or Provider Quality Review
  – Performance objectives
  – Financial rewards to providers for outcomes
- Research
  – Independent review board exemptions
  – Disclosures and authorizations

Slide 24: Other Special Issues
- Public health agencies
- Law enforcement officials
- Subpoenas or court orders
- On-site clinics
  – OSHA, workers' compensation and other workplace safety rules
- Wellness programs or employee health initiatives

Slide 25: What Now?
- Less than two months until the compliance date
- What do I need to do? Where do I start? How do I get organized?

Slide 26: Modular Approach to HIPAA Compliance
- Assessment: "Surveying the Terrain"
- Design: "Bridging the Gap"
- Drafting: "Putting Pen to Paper"
- Implementation: "Turning Words Into Action"

Slide 27: MODULE ONE - SURVEYING THE TERRAIN
- Kickoff Meeting
  – M&D presents HIPAA Privacy Overview
  – Client discussion of privacy practices and its needs and preferences
- Identifying Current Practices
  – M&D tailors assessment worksheets for the client's situation
  – Client completes M&D assessment worksheets
- Gap Analysis
  – M&D prepares Gap Analysis Report identifying gaps between HIPAA requirements and client practices
  – Client identifies its key issues from the Gap Analysis Report

Slide 28: MODULE TWO - BRIDGING THE GAP
- Who is in Charge?
  – M&D outlines job descriptions and assignments for compliance personnel
  – Client identifies privacy officer and other compliance personnel
- Developing the Rules
  – M&D outlines policies and procedures and organization structure tailored to the client
  – M&D and Client define business associate relationships and business associate responsibilities
  – M&D and Client develop processes for uses of protected information
  – M&D organizes format of policies, procedures and workflows

Slide 29: MODULE THREE – PUTTING PEN TO PAPER
Workstreams: Internal Guidance; Protecting Individual Rights; Notices and Contracts
- M&D drafts policies and procedures for handling protected information
- Client develops internal procedures for individual access, accounting, and requests to amend protected information
- M&D develops notice of privacy practices
- M&D designs training program for personnel
- M&D drafts job descriptions for compliance personnel
- M&D and Client develop rules for dealing with HIPAA "exceptions"
- M&D amends client's plan documents
- M&D and Client amend business associate contracts

Slide 30: MODULE FOUR - TURNING WORDS INTO ACTION
Workstreams: Training for the Future; The End and the Beginning…; Ongoing Documentation
- M&D designs training materials for compliance personnel
- Client trains future compliance personnel
- M&D provides compliance report detailing success of HIPAA project
- Client creates recordkeeping process documenting HIPAA compliance
- Client proceeds in full compliance with HIPAA privacy regulations
- M&D trains the trainer and initial compliance personnel
- Client executes business associate contracts

Slide 31: MODULE ONE - SURVEYING THE TERRAIN (section divider; same content as slide 27)

Slide 32: Module One Key Concepts
- Finding Protected Health Information
  – Individually identifiable health information
  – Who uses it and what for?
- Defining Covered Entity Functions
  – Payment, treatment, operations
  – Marketing, research
- The role of the Business Associate
- Internal operating structures

Slide 33: Business Associate Issues
- Identify the service being performed by the Business Associate and evaluate its necessity
- What protected health information is currently being used?
- Are changes to information sharing and defined responsibilities appropriate?

Slide 34: Organizational Structure Issues
- Who should have access to PHI?
- What uses of PHI are necessary?
- Who has the authority and the ability to serve as Privacy Officer?
- Can PHI be separated from health information in non-covered employment records?

Slide 35: Protected Health Information Workflow Issues
- Where can PHI be limited?
- Where is PHI absolutely necessary to the operations of the entity?
- How is PHI walled off from other members of the organization?

Slide 36: Final Assessments
- Identify where the Plan is and is not in compliance with HIPAA
- Recommend operations modifications
- Inventory of policies, procedures and documents needed
- The foundation for creating a Compliance Plan

Slide 37: MODULE TWO - BRIDGING THE GAP (section divider; same content as slide 28)

Slide 38: Module Two Key Concepts
- Making plan design choices
- Creating operating rules
- Defining responsible parties

Slide 39: Defining Proper Uses of PHI Inside the Organization
- Claims appeals (Payment)
- Plan exceptions (Treatment)
- Cost controls by plan design (Operations)
- Adding or eliminating benefits (Operations)
  – E.g., pharmacy formulary modifications
- Physician or provider quality review (Operations)

Slide 40: Defining Roles
- Business Associates
  – What is the role of the Business Associate in handling protected health information?
- Privacy Officer
- Individuals authorized to access protected health information
  – Limits on access
  – Limits on uses and disclosures of PHI

Slide 41: Other Employment Uses of Medical Information
- Will similar restrictions be placed on uses and disclosures of employment records?
- Will privacy be a company-wide initiative?
- Is there a "HIPAA Lite" for other uses of medical information?

Slide 42: MODULE THREE – PUTTING PEN TO PAPER (section divider; same content as slide 29)

Slide 43: Module Three Key Concepts
- Business Associate contracts
- Internal operating policies and procedures
- Notice of Privacy Practices
- Summary Plan Description
- Plan document amendments
- Other forms or documents?

Slide 44: Internal Operations Issues
- Designate the group or persons who receive and use information
- Define in writing the proper uses and disclosures of information
- Require de-identified information when possible
- Name a Privacy Officer
- Individualized policies for security of records

Slide 45: Notice of Privacy Practices
- The Health Plan must provide notice to participants
  – Summary Plan Description
  – Annual notice
  – Posted in the Human Resources Department
  – Available upon request
- Covers limited uses of PHI, individual rights, and remedies

Slide 46: Business Associate Contracts
- Written acknowledgement of HIPAA Privacy practices
  – Limited use of PHI
  – Appropriate safeguards on PHI
  – Access for individuals?
  – Duty to mitigate improper disclosures?
- Indemnification provision?

Slide 47: Written Documents: Content of Contracts
- Carefully review administrative services agreements
- Correctly distribute compliance duties
- Negotiate indemnification provisions
- A proper description of uses and disclosures of protected health information is critical to an effective contract
- Post-contract destruction or return of records

Slide 48: HIPAA Documents
- Policies for individual access?
- Policies for the special exceptions?
- Do not forget:
  – Summary Plan Descriptions
  – Welfare wrap plan documents
  – Separate Notice of Privacy Practices

Slide 49: MODULE THREE – PUTTING PEN TO PAPER (section divider; same content as slide 29)

Slide 50: Module Four Key Concepts
- Training of responsible individuals
- Keep records of compliance
- Ongoing compliance efforts

Slide 51: Training Programs
- Design appropriate training programs for all responsible individuals
- Determine the appropriate level of education programs for responsible individuals
- "Train the Trainer" concept

Slide 52: Look Before You Leap
- Marketing
  – New drugs, treatments or benefits offered by an entity other than the insurer
  – Pharmaceutical advertising
- Scientific research or studies
- Physician, Hospital, or Provider Quality Review
  – Performance objectives
  – Financial rewards to providers for outcomes
- Employment uses
  – Hiring and firing decisions

Slide 53: Effective Date and Beyond
- Allow individuals access to PHI
  – Accounting of disclosures (non-TPO, for the past six years)
  – Opportunity to correct PHI
- Provide participants with grievance procedures
- Privacy officer reports compliance efforts
  – Document compliance actions
- Train new employees in handling of PHI
- Update privacy policies and procedures
- Electronic data interchange will continue to evolve

Slide 54: Questions

Slide 55: Presented by Randall D. Grayson (closing slide; contact details as on slide 2)

