1 / 27

The HIPAA Privacy Rule And Its Impact On Agents And Employers

The HIPAA Privacy Rule And Its Impact On Agents And Employers. National Association of Health Underwriters Capitol Conference March 23, 2003 Joseph T. Holahan, JD Morris, Manning & Martin, LLP Washington, DC 202.408.0705 jholahan@mmmlaw.com. Road Map. Overview of the HIPAA Privacy Rule

benny
Download Presentation

The HIPAA Privacy Rule And Its Impact On Agents And Employers

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The HIPAA Privacy RuleAnd Its Impact On Agents And Employers National Association of Health Underwriters Capitol Conference March 23, 2003 Joseph T. Holahan, JD Morris, Manning & Martin, LLP Washington, DC 202.408.0705 jholahan@mmmlaw.com

  2. Road Map • Overview of the HIPAA Privacy Rule • Covered entities and products • Compliance deadlines • General requirements • Impact on agents • Business associate contract • Disclosures to agents by insurers • Impact on employers

  3. Covered Entities Health plans Health care providers engaging standard electronic transactions Health care clearinghouses

  4. Health Plans—Provide or Pay Cost of Medical Care • Health insurance issuers and HMOs • Issuers of Medicare supplemental policies • Issuers of long-term care policies (except nursing home fixed-indemnity policies) • Group health plans (except self-administered with fewer than 50 participants) • MEWAs • State high risk pools • Medicare, Medicare+Choice, CHAMPUS and certain other programs • Any other individual or group health plan that provides or pays for the cost of medical care

  5. Covered Products • Major medical • HMO • Dental and vision • Most long-term care • Medicare supplemental • Medicare+Choice

  6. Excluded Products • Life • Accident only • Disability income • Coverage issued as supplement to liability insurance • Liability insurance, including general liability and auto liability insurance • Auto medical payment • Credit-only • Coverage for on-site medical clinics

  7. Gray Area • Specified disease • Hospital indemnity

  8. Compliance Deadlines • Most health insurance issuers and HMOs and any group health plans—April 14, 2003 • Small health plans (annual receipts of $5 million or less)—April 14, 2004

  9. General Requirements • Restricts use and disclosure of “protected health information” (PHI) without written authorization • Minimum necessary standard • Individual Rights • Restrictions on use and disclosure • Access • Accounting of disclosures • Amendment • Business associate contracts • Amend group health plan documents in some cases to impose requirements on sponsor

  10. General Requirements, Con’t. • Notice of privacy practices • Administrative requirements, including: • Privacy officer • Privacy contact office • Privacy policies and procedures • Training—workforce only

  11. Permitted Uses and Disclosures • Pursuant to written authorization compliant with HIPAA • For treatment, payment or health care operations • To individual or personal representative • Friend, family member or other person identified by individual with written or oral agreement • Required by law • Regulators • Judicial and administrative proceedings • Law enforcement • To “health oversight agency” as authorized by law

  12. Permitted Uses and Disclosures—Health Care Operations “Health care operations” include: • Activities by or on behalf of health plan relating to the creation, renewal or replacement of a contract for health insurance or health benefits • Customer service by or on behalf of health plan

  13. Permitted Uses and Disclosures—“Payment” “Payment” includes: • Activities by or on behalf of health plan to determine eligibility or coverage • Claims management by on behalf of health plan

  14. Disclosure By Health Plan To Agent • Payment or health care operations • Friend, family member or other person identified by individual: • PHI directly relevant to person’s involvement in individual’s health care • Written or oral “agreement”, opportunity to object and no objection or reasonable inference of no objection based on professional judgment • Written authorization

  15. Required Uses and Disclosures • Individual access to PHI • Secretary of DHHS for investigating covered entity’s compliance

  16. Required Elements of the Business Associate Agreement—Part I • Establish permitted and required uses and disclosures of PHI by business associate • May not authorize the business associate to use or disclose information in a way that would violate the Privacy Rule if done by covered entity, with exceptions where necessary for business associate’s management and administration and for data aggregation services

  17. Required Elements of the Business Associate Agreement—Part II Provide that the business associate will: • Not further use or disclose PHI other than as permitted or required by law • Use appropriate safeguards to prevent use or disclosure other than as provided by the agreement • If aware of any use or disclosure not provided by the agreement, report it to covered entity • Ensure that any agents, including subcontractors, to whom it provides PHI agree to same restrictions

  18. Required Elements of the Business Associate Agreement—Part III • Provide that the business associate will: • Make PHI available for access by the individual • Make PHI available for amendment and incorporate any amendments • Make PHI available to provide an accounting of disclosures • Make its internal practices, books, and records available to DHHS for investigating covered entity’s compliance

  19. Required Elements of the Business Associate Agreement—Part IV • At termination of contract, if feasible, return or destroy all PHI received from covered entity or created or received on behalf of covered entity and retain no copies. • If return or destruction not feasible, extend protections of contract to information retained and limit use and disclosure to purposes for which information must be retained.

  20. Permitted Elements of the Business Associate Agreement • May permit the business associate to use and disclose PHI as necessary for: • Management and administration of its business; and • To carry out its legal responsibilities • But unless disclosure required by law, business associate must obtain “reasonable assurances” from person to whom PHI is disclosed that: • PHI will be held confidentially; • PHI will be further disclosed only as required by law or for purpose for which it was disclosed to the person; and • Person will notify business associate of any known breach of confidentiality

  21. Breach of Business Associate Contract—Required Action By Covered Entity • Take reasonable steps to cure the breach • If unsuccessful, terminate contract if feasible • If termination not feasible, report problem to DHHS • To extent practicable, mitigate any known harm from violation

  22. Group Health Plans • Self-insured plans—all of the Privacy Rule’s provisions apply, including: • Provide privacy notice • Implement policies and procedures • Train workforce • Plans offering flexible savings accounts—may need to treat as a self-insured plan • Insured plans—depends on how much PHI created or received from issuer or HMO

  23. Insured Group Health Plans • If group health plan creates or receives only “summary PHI” and information about whether individual has enrolled or disenrolled, duties greatly reduced—for example: • No notice required • No need for written policies and procedures • No training required • If group health plan creates or receive other PHI, then: • Must maintain notice and provide on request • All other requirements of Privacy Rule apply

  24. Plan Sponsor • No requirements, if plan sponsor only receives: • “Summary PHI” for purpose of obtaining premium bids or modifying, amending or terminating plan; • Information on whether individual has enrolled or disenrolled; or • PHI disclosed pursuant to a written authorization • If sponsor receives other PHI, must amend plan documents and group health plan must receive written certification of amendment and give notice

  25. Amendment of Group Health Plan Documents • Much like business associate contract, with added provisions • Not use or disclose PHI for employment-related actions and decisions • Not use or disclose PHI in connection with any other benefit or employee benefit plan of sponsor • Ensure “adequate separation” between group health plan and sponsor

  26. “Adequate Separation” • Describe employees or classes of employees and other persons under control of plan sponsor with access to PHI • Restrict access to and use of PHI by employees and other persons to plan administration functions • Provide effective mechanism for resolving issues of noncompliance by employees and persons with access to PHI

  27. The HIPAA Privacy RuleAnd Its Impact On Agents And Employers National Association of Health Underwriters Capitol Conference March 23, 2003 Joseph T. Holahan, JD Morris, Manning & Martin, LLP Washington, DC 202.408.0705 jholahan@mmmlaw.com

More Related