
Special Issues in Privacy Compliance for Payors/Managed Care Organizations

Understand the special challenges and practical issues faced by payors and managed care organizations in maintaining privacy compliance. Topics include managing enrollee and employer expectations, regulatory schemes, consent and authorization requirements, and more.



Presentation Transcript


  1. Special Issues in Privacy Compliance for Payors/Managed Care Organizations
     Presented by: Tobi Tanzer, VP Corporate Integrity, Corporate Compliance Officer & Privacy Officer, HealthPartners, Inc.

  2. Overview
     • The HealthPartners Perspective
     • Managing Enrollee Expectations
     • Managing Employer Expectations
     • Other Practical Issues

  3. The HealthPartners Perspective
     • Commercial and government-sponsored health plans
       • 600,000+ members
       • Medical and dental plans
       • Fully-insured (HMO and Indemnity)
       • Self-insured (TPA)
     • Multi-specialty medical and dental providers
       • Approx. 33 outpatient medical clinics
       • Approx. 16 dental clinics
       • Hospital (Academic Medical Center; Level I Trauma)
       • Transitional care center
       • Home health and hospice
       • Clinical labs (clinic-based and central)
       • Pharmacy (clinic-based and central)
       • Eye care
       • Ancillary
     • Health Research
     • Institute for Medical Education
     • Foundation

  4. The HealthPartners Perspective
     • Mission-driven
     • Minnesota-based
     • Multiple regulators
     • Multiple regulatory schemes
     • Attorney General
     • Other jurisdictions
     • Electronic medical record
     • Huge data warehouses
     • Multiple covered functions (plan and provider)

  5. How Are Plan Privacy Practices “Regulated”?
     • Federal Laws
       • HIPAA
       • GLBA
       • ERISA
       • Research – Common Rule for Human Subject Protection and others
       • Special Rules for Special Types of Information – for example:
         • HIV/AIDS
         • Chemical Dependency Treatment
         • Social Security Number
     • State Laws
       • Plans (HMO, Indemnity, TPA)
       • Providers (re-releases of information received from providers)
       • Fair Trade Practices
       • Data Practices Act
     • Accreditation
     • Contracts
       • Government Programs
       • Commercial Products

  6. Managing Enrollee Expectations
     • Notice of Privacy Practices
     • Consents and Authorizations
     • Caller Verification
     • Special Communications
     • Notification of Unauthorized Disclosures
     • Accounting of Disclosures
     • Complaints and Appeals

  7. Managing Enrollee Expectations – When Things Go Right
     • Notice of Privacy Practices
       • GLBA requires it annually; HIPAA does not
       • Make sure it’s accurate – enrollees think of it as a contract (and so do regulators)
       • The best way to avoid surprises
         • What you will do
         • What you will not do
       • Opt-out forms and instructions

  8. Managing Enrollee Expectations – SURVEY QUESTION #1 – CONSENTS
     Does your organization obtain a written consent from enrollees/members prior to releasing PHI to Business Associates or others for purposes of Treatment, Payment or Health Care Operations (TPO)? (Note: Although HIPAA would not require consent in this situation, some state laws might.)
     • We never obtain enrollee/member consent prior to releases for TPO. We do obtain written authorization prior to releases for non-TPO activities.
     • We do obtain enrollee/member consent prior to releases for TPO because state law requires it.
     • We do obtain enrollee/member consent prior to releases for TPO because we think it’s the right thing to do.
     • We obtain enrollee/member consent prior to releases for TPO, but only when it is administratively feasible (for example, when individuals enroll directly with the health plan, but not through their employer).

  9. Managing Enrollee Expectations – When Things Go Right
     • Consents
       • Enrollee permission to use/disclose protected information for treatment, payment and health care operations (TPO)
       • Not required by HIPAA
       • State law may be “more stringent”
       • If required, how do you deal with…
         • Electronic enrollment?
         • People who refuse to sign or who alter the form?
     • Authorizations
       • Enrollee permission to use/disclose protected information for activities other than TPO
       • At the request of the enrollee
       • At another party’s request
         • Family and caregivers
         • Insurers, law enforcement, litigants
         • Research

  10. Managing Enrollee Expectations – When Things Go Right
     • Caller Verification
       • Identifying the enrollee, family member/caregiver, parents
       • Set up passwords and hints, if possible
       • Ask for multiple identifiers
       • Explain why – you’ll get a lot of resistance
     • Requests for Special Communications
       • Cover all bases
         • Member services
         • Membership accounting
         • Collections
         • All other areas and systems that communicate with the enrollee
       • Sync with employers
       • Reconfirm periodically
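The caller-verification bullets above (a pre-arranged password or hint, and otherwise several independent identifiers, with the caller's relationship to the enrollee checked first) can be written down as an explicit policy so that member services staff apply it the same way every time and every decision is loggable. The following is an added example, not HealthPartners' code or the presenter's material; the record layout, the `MIN_IDENTIFIERS` threshold, the passphrase scheme and the sample enrollee are all constructed assumptions for illustration.

```python
"""Added example (not HealthPartners' code): a caller-verification policy for a
plan's member-services line.

Assumptions (all constructed for this example):
- Enrollee records are in-memory objects; a real system would load them from
  the membership database.
- A call "verifies" when the caller gives the enrollee's pre-set passphrase, or,
  when no passphrase is offered, when at least MIN_IDENTIFIERS stored
  identifiers match.
- A family member/caregiver must be on the enrollee's authorization list before
  any identifiers are even checked.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

MIN_IDENTIFIERS = 3  # independent identifiers that must match when no passphrase is used


def hash_passphrase(passphrase: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 so the passphrase itself is never stored in the record."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)
    return salt, digest


def normalize(value: str) -> str:
    """Compare identifiers ignoring case and whitespace (e.g. ' 55101 ' == '55101')."""
    return "".join(value.split()).casefold()


@dataclass
class Enrollee:
    member_id: str
    identifiers: Dict[str, str]                         # e.g. dob, zip, ssn_last4, id_card
    passphrase_hash: Optional[Tuple[bytes, bytes]] = None  # (salt, digest) or None if not set up
    authorized_callers: Set[str] = field(default_factory=set)


@dataclass
class VerificationResult:
    verified: bool
    reason: str          # human-readable, suitable for the call log
    matched: List[str]   # which identifiers (or "passphrase") matched


def verify_caller(enrollee: Enrollee, claimed_role: str, caller_name: str,
                  answers: Dict[str, str], passphrase: Optional[str] = None) -> VerificationResult:
    """Apply the policy and return a structured, loggable result."""
    # Step 1: a caregiver/parent must be on the authorization list before anything else.
    if claimed_role != "enrollee" and caller_name not in enrollee.authorized_callers:
        return VerificationResult(False, "caller not on authorization list", [])

    # Step 2 (strongest path): the passphrase the enrollee set up in advance.
    if passphrase is not None and enrollee.passphrase_hash is not None:
        salt, digest = enrollee.passphrase_hash
        _, candidate = hash_passphrase(passphrase, salt)
        if hmac.compare_digest(candidate, digest):
            return VerificationResult(True, "passphrase match", ["passphrase"])
        # A wrong passphrase is not silently downgraded to the identifier path.
        return VerificationResult(False, "passphrase mismatch", [])

    # Step 3 (fallback): several independent identifiers must all match.
    matched = [
        key for key, expected in enrollee.identifiers.items()
        if key in answers
        and hmac.compare_digest(normalize(expected).encode(), normalize(answers[key]).encode())
    ]
    if len(matched) >= MIN_IDENTIFIERS:
        return VerificationResult(True, f"{len(matched)} identifiers matched", matched)
    return VerificationResult(False, f"only {len(matched)} of {MIN_IDENTIFIERS} identifiers matched", matched)


# Constructed sample record; none of these values are real.
SAMPLE_ENROLLEE = Enrollee(
    member_id="M-0001",
    identifiers={"dob": "1970-01-01", "zip": "55101", "ssn_last4": "1234", "id_card": "HP-998877"},
    passphrase_hash=hash_passphrase("blue heron"),
    authorized_callers={"Pat Example"},
)

if __name__ == "__main__":
    # Enrollee calling with the passphrase; caregiver calling with identifiers only.
    print(verify_caller(SAMPLE_ENROLLEE, "enrollee", "Self", {}, passphrase="blue heron"))
    print(verify_caller(SAMPLE_ENROLLEE, "caregiver", "Pat Example",
                        {"dob": "1970-01-01", "zip": " 55101 ", "ssn_last4": "1234"}))
    print(verify_caller(SAMPLE_ENROLLEE, "caregiver", "Unknown Person", {"dob": "1970-01-01"}))
```

The `reason` and `matched` fields are what a call log should record: they show which path verified the caller without writing the identifiers themselves into the log, which matters when the log is later produced in an accounting of disclosures or a complaint investigation.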

  11. Managing Enrollee Expectations – SURVEY QUESTION #2 – NOTIFICATION
     Under what circumstances would you directly notify an enrollee/member that there has been an unauthorized disclosure of his/her PHI?
     • We would directly notify the enrollee/member if the release could result in obvious harm to the person (for example, information related to a claim for pregnancy services was erroneously released to a person’s estranged husband).
     • We would directly notify the enrollee/member if the release could result in foreseeable harm to the person (for example, social security numbers of all enrollees/members were erroneously posted on the company’s website, but only for a couple of hours).
     • We would directly notify the enrollee/member regardless of the “severity” of the release (for example, a person’s plan ID was mailed to the wrong subscriber).
     • We would never directly notify an enrollee/member that there has been an unauthorized disclosure of his/her PHI. We would provide this information to the enrollee/member when they requested an accounting of disclosures.

  12. Managing Enrollee Expectations – When Things Go “Wrong”
     • Notification of Unauthorized Disclosures
       • HIPAA requires it to “mitigate harm”
       • State law may require it in other or all situations
       • Establish written procedures
         • Who sends the letter
         • How much information do you provide
           • Information released/disclosed
           • To whom
           • How it happened
           • How discovered
           • Corrective action taken
         • Point person for follow-up inquiries
       • If state law requires notification, do you have a different process for self-insured enrollees?

  13. Managing Enrollee Expectations – When Things Go “Wrong”
     • Accounting of Disclosures
       • Include if previous notification?
       • Collect the “accountings” at the time of the disclosure
       • Manage centrally
     • Complaints and Appeals
       • Train privacy officer and staff on dealing with difficult/angry people
       • Acknowledge and apologize
       • How to “appeal” a breach?

  14. Managing Employer Expectations
     • Fully-insured (we’re the Covered Entity)
     • Self-insured (we’re the Business Associate)
     • Employer Reporting
     • Data Aggregators, Brokers, Consultants
     • Notification of Unauthorized Disclosures

  15. Managing Employer Expectations
     • Employer Reporting – Fully-Insured
       • Certification of De-Identification
         • If you get it, abide by it

  16. Managing Employer Expectations – SURVEY QUESTION #3 – EMPLOYER REPORTING
     What is your organization’s approach to reporting claims and other information to self-insured employers (where the employer’s plan is the “covered entity” and your organization is the “business associate”)?
     • Our view is that as the “covered entity” the employer is entitled to all of the PHI it wants, regardless of type or purpose. We give them whatever they want.
     • Our view is that we only provide de-identified or aggregated information to self-insured employers.
     • We provide PHI, but only with appropriate assurances from the employer, such as a representation that it has appropriate firewalls in place.
     • We negotiate this with each employer on a case-by-case basis.

  17. Managing Employer Expectations
     • Employer Reporting – Self-Insured
       • Paperwork – SPDs, Certifications
     • Data Aggregators, Brokers, Consultants
       • What is the relationship between two Business Associates?
       • Get direction in writing
       • 3-party confidentiality agreement
       • Negotiate to de-identify and aggregate
       • Indemnification

  18. Managing Employer Expectations – Self-Insured
     • Notification of Unauthorized Disclosures
       • Detail expectations in the BAA
         • By event?
         • Regular reports?
         • “Reportable incidents” only?
       • How does it tie to accounting of disclosures?

  19. Other Practical Issues
     • Disease Management
     • Quality vs. Research
     • Workforce Issues

  20. Other Practical Issues
     • Disease Management
       • Treatment vs. health care operations
       • External vendors
         • Manage the message
         • Manage the messenger
         • Allocate responsibilities

  21. Other Practical Issues
     • Quality vs. Research
       • “Research” is the systematic evaluation and examination of medical information, the results of which are intended to be shared in the public domain
       • How does this differ from HEDIS and other quality-oriented information-gathering exercises?
       • HIPAA on “Research”
         • Activities preparatory to research
         • “Privacy board” waiver process (or get consent before disclosure)

  22. Other Practical Issues
     • Workforce
       • Access to own information
       • Discipline expectations
         • “But dental claims are not as sensitive as reproductive claims”
       • Training

  23. Questions?
