Complying with HIPAA Privacy Rules - PowerPoint Presentation

Uploaded by ellena-manuel on 2018-03-08

Presentation Transcript

Slide 1

Complying with HIPAA Privacy Rules

Presented by: Larry Grudzien, Attorney at Law

Slide 2

Why are we holding this Webinar?

As a Service to our clients

To assist in complying with the HIPAA privacy requirements

New final regulations released by HHS in January 2013

Health plans must comply by September 23, 2013

New increased penalties for noncompliance

Note: GriffinEstep is not a law firm and does not provide legal advice

Slide 3

What is HIPAA?

Health Insurance Portability and Accountability Act (HIPAA)

Federal law enacted in 1996 and amended in 2003 that protects the security and privacy of an individual’s protected health information (PHI).

Most health care providers and health plans were required to be in compliance with the HIPAA Privacy Rule by April 14, 2003. Small health plans were given until April 14, 2004, to be in compliance.

In 2009 the Health Information Technology for Economic and Clinical Health Act (the HITECH Act) was passed by Congress. It substantially expands the HIPAA Privacy and Security Rules and increases the penalties for violations of HIPAA.

In January 2013 HHS issued amendments to the HIPAA Privacy Rule, the Security Rule and the Breach Notification Rule. HIPAA also specifically protects the electronic transmission of PHI.

Slide 4

Plan Sponsors

An employer’s Health Plan is considered a covered entity under HIPAA and must abide by the HIPAA rules

Vendors who provide services to the health plan must also comply with these Privacy rules (Business Associates)

These rules apply to anyone who maintains Protected Health Information (PHI) by or for a covered entity.

Slide 5

HIPAA Noncompliance Penalties

No Knowledge. Where a person does not know, and by exercising due diligence would not have known, that the person violated HIPAA’s administrative simplification provisions, the minimum penalty is $100 per violation. The maximum penalty is $50,000 per violation, with a cap of $1.5 million for violations of an identical requirement or prohibition within the same calendar year.

Reasonable Cause. Where a violation is due to “reasonable cause” and not “willful neglect,” the minimum penalty is $1,000 per violation. The maximum penalty is $50,000 per violation, with a cap of $1.5 million for violations of an identical requirement or prohibition within the same calendar year.

Slide 6

HIPAA Noncompliance Penalties

Willful Neglect (but Corrected). Where a violation is due to “willful neglect,” but was corrected, the minimum penalty is $10,000 to $50,000 per violation. The maximum penalty is capped at $1.5 million for violations of an identical requirement or prohibition within the same calendar year.

Willful Neglect (but not Corrected). Where a violation is due to “willful neglect,” but was not corrected, the minimum penalty is $50,000 per violation; there is no maximum per violation. The total penalty is capped at $1.5 million for violations of an identical requirement or prohibition within the same calendar year.

Slide 7

HIPAA Docs for Employers

A HIPAA Privacy Policy

A Plan Amendment for Privacy Practices

A HIPAA Use and Disclosure Form

A Summary of Material Modifications to amend the Employer’s SPD

A Notice of Privacy Practices

A HIPAA Training Acknowledgment

A Business Associates Agreement

A Request for Alternative Communications

An Authorization for Release of Information

A Request for an Accounting or Disclosure of Protected Health Information

A HIPAA Security Standards Checklist

A Request to Amend or Correct Protected Health Information

A Plan Sponsor Certification Form

A Request to Inspect or Copy Protected Health Information

A HIPAA Privacy Compliance Checklist

Slide 8

HIPAA Privacy Policy

What is it? Most covered entities must implement policies with respect to PHI that are designed to comply with the Privacy Rule’s requirements.

Which groups need it? Any employer who stores or transmits PHI.

Information in the Privacy Policy includes the names of certain employees who have access to PHI.

Slide 9

HIPAA Use and Disclosure Form

What is it? This form details how the covered entity will implement the adopted HIPAA Policy by establishing procedures.

Which groups need it? Any employer who stores or transmits PHI

These Use and Disclosure Procedures include two parts:

A) “Procedures for Use and Disclosure of PHI” includes the use and disclosure procedures that must be followed when PHI will be used or disclosed for the plan’s own payment and health care operations purposes and when PHI will be disclosed to third parties (but not the individual).

B) “Procedures for Complying With Individual Rights” includes procedures for complying with an individual’s right to access, amendment, and accounting of PHI held in a designated record set. This section also includes procedures for addressing individual requests for confidential communications and for limits on use and disclosure.

Slide 10

HIPAA Notice of Privacy Practices

What is it? Discloses to the employees how the plan will use and protect PHI under the privacy rules, what steps it will take to protect PHI and the rights held by employees.

Which groups need it? Any employer who stores or transmits PHI

HIPAA requires that the Notice of Privacy Practices describe the uses and disclosures of PHI that may be made by the covered entity; the individual’s rights; and the covered entity’s legal duties with respect to the PHI.

All self-insured employer plans must provide this notice to participants when they store or transmit PHI (fully insured carriers will sometimes provide this notice on behalf of an employer’s plan).

Slide 11

Business Associates Agreement

What is it? It is an agreement with the outside vendor that the vendor agrees to protect PHI under the HIPAA Privacy Rules

Which groups need it? Any covered entity that shares or transmits PHI to an outside vendor such as a broker or a TPA.

A business associate can provide legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services, if the performance of such services involves disclosure of PHI from the covered entity, or from another business associate of the covered entity or OHCA, to the service provider.

Slide 12

Authorization for Release of Information

What is it? An individual authorization for the use or disclosure of PHI is required whenever the use or disclosure is not otherwise permitted under the privacy rule.

Which groups need it? Anytime the disclosure or use of PHI is outside the Privacy policy.

An individual may wish to have PHI disclosed by a covered entity for a variety of reasons, including applications for life or disability insurance or for purposes of a lawsuit. A covered entity itself may request an authorization to use or disclose PHI that it maintains for a purpose other than one for which an authorization is not required. Finally, a covered entity may request an authorization that permits another covered entity to disclose information to the requesting covered entity.

Slide 13

HIPAA Security Standards Check List

What is it? It details how the covered entity will comply with the security requirements under HIPAA Privacy

Which groups need it? Any group that stores or transmits electronic PHI.

Example: An employer would provide this checklist if it were being audited, to show good faith compliance with the HIPAA security requirements.

Slide 14

Plan Sponsor Certification Form

What is it? Under HIPAA, a group health plan may not disclose PHI to a plan sponsor unless certain firewalls are in place and the plan document is amended to limit a plan sponsor’s use and disclosure of PHI received from a group health plan. A group health plan may rely on a plan sponsor’s certification that such an amendment is in place.

The Plan Sponsor Certification to Group Health Plan is designed for use by a group health plan that wishes to rely on a plan sponsor’s certification that an appropriate HIPAA privacy plan amendment is in place.

Which groups need it? Any employer that stores or transmits PHI.

Slide 15

HIPAA Privacy Compliance Checklist

What is it? It details the employer’s efforts to comply with HIPAA Privacy rules

Which groups need it? Any group that is subject to the HIPAA rules

Example: An employer would provide this checklist if it were being audited, to show good faith compliance with the HIPAA privacy requirements.

Slide 16

Plan Amendment for Privacy Practices

What is it? An employer’s plan document must be amended to provide a mention of the Privacy requirements

Which groups need it? Any employer subject to the HIPAA requirements

Example: HIPAA rules effective 1/1/2013 require this amendment to your Plan Document.

Slide 17

Summary of Material Modification (SMM) to the SPD

What is it? Any employer Summary Plan Description must be amended to provide an explanation of HIPAA Privacy

Which groups need it? Any employer subject to the HIPAA requirements

Example: HIPAA rules effective 1/1/2013 require this amendment to your SPD.

Slide 18

HIPAA Training Acknowledgment

What is it? There is a requirement that employees who handle HIPAA PHI must receive ongoing training.

Which groups need it? Any employer subject to the HIPAA requirements.

There is a requirement that those personnel who handle PHI must receive periodic training. This form shows evidence of that training.

Slide 19

Request for Alternative Communication

What is it? A health plan must permit individuals to request to receive communications of PHI from the plan by alternative means or at alternative locations, and it must accommodate such reasonable requests if the individual clearly states that disclosure of all or part of that information could endanger the individual.

Which groups need it? Any employer subject to the HIPAA requirements

Example: An employer group might be asked not to send claim information to a home address but to keep it at the office.

Slide 20

Request for Accounting or Disclosure of PHI

What is it? It is a request asking to whom the health plan disclosed PHI.

Which groups need it? Any employer subject to the HIPAA requirements

Example: An employer group might be asked for an accounting of who it disclosed PHI to in the administration of the plan.

Slide 21

Request to Amend or Correct PHI

What is it? An individual has the right to amend or correct PHI maintained in a designated record set if the PHI is inaccurate or incomplete.

Which groups need it? Any employer subject to the HIPAA requirements

Example: An employer group might be asked to change its records to correct mistakes.

Slide 22

Request to Inspect or Copy PHI

What is it? With a few exceptions, an individual has the right to inspect and copy his or her own PHI that is maintained in a designated record set. On May 31, 2012, the Director of OCR posted a message on the OCR website reminding consumers of their right to—

ask to see and get a copy of their health records from most doctors, hospitals, and other health care providers such as pharmacies and nursing homes, as well as from their health plan; and

get the records electronically or on paper if their plan or provider is able to do so.

Which groups need it? Any employer subject to the HIPAA requirements.

Example: An employer group might be asked to review claim records.

Slide 23

HIPAA Resource Links

http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html

http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html

Slide 24

Request a template copy of these documents

If you are interested, please request a copy of these template documents from :

___________________________

You will also be receiving an email with this order information. Once we receive your request, we will send you an order form (with signature line). Once the signed order is received, we will send you the documents.

Requests for these documents must be made by ______________

Questions about these documents must be addressed to your legal counsel.

Slide 25

Thank you!