HIPAA PRIVACY REQUIREMENTS

Dana L. Thrasher
Constangy, Brooks & Smith, LLC
(205) 252-9321; dthrasher@constangy.com

Victoria Nemerson
Vice President Compliance, Ceridian
(904) 564-4220; victoria.nemerson@ceridian.com
CONCERNS REGARDING HEALTH INFORMATION
• Need for protection of individual health information
• Potential for abuse
• Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)

HIPAA
• General Rule: “Covered entities” may not use or disclose an individual’s “protected health information” without the authorization of the individual unless specifically required or allowed by the privacy regulation.
What are the Purposes of the Privacy Rule?
• Consumer Control Over Health Information
  - Patient education on privacy protections.
  - Ensuring patient access to medical records.
  - Receiving patient consent before information is released.
  - Providing recourse if privacy protections are violated.
• To Establish Boundaries on the Use and Release of Medical Records
  - Ensuring that health information is not used for non-health purposes.
  - Providing the minimum amount of information necessary.
• To Ensure the Security of Personal Health Information
  - Adopt written privacy procedures.
  - Train employees and designate a privacy officer.
• To Establish Special Protection for Psychotherapy Notes
• To Preserve Existing, Strong State Confidentiality Laws
• To Establish Accountability for the Use and Release of Medical Records
  - Civil penalties
  - Federal criminal penalties
CIVIL PENALTIES
• $100 PER VIOLATION, UP TO $25,000 PER PERSON, PER YEAR FOR EACH REQUIREMENT OR PROHIBITION VIOLATED

CRIMINAL PENALTIES
• UP TO $50,000 AND 1 YEAR IN PRISON FOR OBTAINING OR DISCLOSING PHI
• UP TO $100,000 AND UP TO 5 YEARS IN PRISON FOR OBTAINING PHI UNDER “FALSE PRETENSES”
• UP TO $250,000 AND UP TO 10 YEARS IN PRISON FOR OBTAINING OR DISCLOSING PHI WITH THE INTENT TO SELL, TRANSFER OR USE IT FOR COMMERCIAL ADVANTAGE, PERSONAL GAIN OR MALICIOUS HARM
What Information Is HIPAA Designed to Protect?
• Protected Health Information (“PHI”): all individually identifiable health information transmitted or maintained by a covered entity, regardless of form.

“PHI”
• “Covered Entity”: a health plan, a health care provider, or a health care clearinghouse.
  Note: Employers are NOT “covered entities.”

“PHI”
• “Health Plan”
  - Any plan or program that provides or pays the cost of medical care.
  - Health care provider
  - Health care clearinghouse
How Do the HIPAA Rules Impact a Health Plan?
• HIPAA does not apply to small employer-administered health plans (those with fewer than 50 participants).
• The HIPAA requirements are more stringent for self-funded plans than for fully insured plans.
• Concerns with the sharing of information between the plan, employer and vendors.
What Must a Self-Funded Plan Do to Ensure Privacy?
• PHI can only be disclosed to the plan sponsor if the plan sponsor certifies that it will only use the information in accordance with the HIPAA rules. The sponsor:
  - cannot use or disclose PHI except as permitted by the plan or required by law;
  - must ensure that agents and vendors who receive PHI agree to the same restrictions;
  - cannot use or disclose PHI for employment-related actions or for other benefit plans;
  - must report to the Plan any violation of the privacy requirements;
  - must make PHI available to individuals as required by HIPAA;
  - must allow individuals to amend their PHI (by appending);
  - must provide individuals with an accounting of disclosures of PHI;
  - must make its practices available to the government to determine compliance;
  - must return or destroy PHI received from the plan that the sponsor maintains in any form, and retain no copies of such information once it is no longer needed for the purpose for which the disclosure was made;
  - must ensure that security procedures have been established that: (1) identify employees or classes of employees who will have access to PHI; (2) restrict access solely to those individuals for the functions performed for the plan; and (3) provide a mechanism for resolving issues of noncompliance.
• Plan documents must be amended to include the required provisions.
What Must a Self-Insured Plan Do to Ensure Privacy?
• Privacy policies must be developed to ensure that only the amount of information reasonably necessary to achieve the purpose of the disclosure is provided to a third person.

What Must a Self-Funded Plan Do to Ensure Privacy?
• THE NOTICE MUST BE PROVIDED PRIOR TO APRIL 14, 2003 (APRIL 14, 2004 FOR SMALL HEALTH PLANS) TO ALL PARTICIPANTS, AND TO NEW ENROLLEES AT ENROLLMENT.
• Material changes must be communicated within 60 days.

What Must a Self-Funded Plan Do to Ensure Privacy?
• Privacy Official/Training
  - A privacy official must be designated for developing and implementing HIPAA-required policies and procedures.
  - Training (including an ongoing program for new employees) on handling PHI must be provided for each employee performing health plan administrative functions.

What Must a Self-Funded Plan Do to Ensure Privacy?
• Business Associates
  - New contract provisions limiting vendor use and disclosure of PHI and requiring compliance with HIPAA will be required.

What Must a Self-Funded Plan Do to Ensure Privacy?
• Participant Complaints
  - Policies and procedures must be developed and communicated, and records must be maintained.
  - Retaliation for complaints is prohibited.
What Must a Fully Insured Medical Plan Do to Comply?
• The sponsor generally can rely on information and policies developed by the insurer, unless it receives PHI.
• Sponsors must review the rules with insurers to verify compliance.

Can Protected Information Be Shared Among Plans?
• CONSENT IS REQUIRED!

What Must Health Providers and Clearinghouses Do to Comply?
• Providers and clearinghouses must comply with the rules in a similar manner to prevent disclosure of PHI.
• Disclosure pursuant to authorizations must be limited to the amount “reasonably necessary”.
• Contracts with other entities must be revised and business associate agreements drafted.

Conclusions
• Compliance with the HIPAA privacy requirements will be complex and expensive and may require significant cultural and procedural changes.
• Employers must reevaluate programs/plans and perform a cost/benefit analysis in light of the new compliance costs.
• Immediate ACTION is required!