Complying with HIPAA Privacy Rules
Presented by: Larry Grudzien, Attorney at Law

Why are we holding this Webinar?
As a service to our clients
To assist in complying with the HIPAA privacy requirements
New final regulations released by HHS in January 2013
Health plans must comply by September 23, 2013
New increased penalties for noncompliance
Note: GriffinEstep is not a law firm and does not provide legal advice

What is HIPAA?
Health Insurance Portability and Accountability Act (HIPAA)
Federal law enacted in 1996 and amended in 2003 that protects the security and privacy of an individual’s protected health information (PHI)
Most health care providers and health plans were required to be in compliance with the HIPAA Privacy Rule by April 14, 2003. Small health plans were given until April 14, 2004, to be in compliance.
In 2009 the Health Information Technology for Economic and Clinical Health Act (the HITECH Act) was passed by Congress. It substantially expands the HIPAA Privacy and Security Rules and increases the penalties for violations of HIPAA.
In January 2013 HHS issued amendments to the HIPAA Privacy Rule, Security Rule and the Breach Notification Rule. HIPAA also specifically protects the electronic transmission of PHI.

Plan Sponsors
An employer’s health plan is considered a covered entity under HIPAA and must abide by the HIPAA rules
Vendors who provide services to the health plan must also comply with these Privacy Rules (Business Associates)
These rules apply to anyone who maintains Protected Health Information (PHI) by or for a covered entity

HIPAA Noncompliance Penalties
No Knowledge. Where a person does not know, and by exercising due diligence would not have known, that the person violated HIPAA's administrative simplification provisions, the minimum penalty is $100 per violation. The maximum penalty is $50,000 per violation, with a cap of $1.5 million for violations of an identical requirement or prohibition within the same calendar year.
Reasonable Cause. Where a violation is due to “reasonable cause” and not “willful neglect,” the minimum penalty is $1,000 per violation. The maximum penalty is $50,000 per violation, with a cap of $1.5 million for violations of an identical requirement or prohibition within the same calendar year.

HIPAA Noncompliance Penalties
Willful Neglect (but Corrected). Where a violation is due to “willful neglect,” but was corrected, the minimum penalty is $10,000 to $50,000 per violation. The maximum penalty is capped at $1.5 million for violations of an identical requirement or prohibition within the same calendar year.
Willful Neglect (but not Corrected). Where a violation is due to “willful neglect,” but was not corrected, the minimum penalty is $50,000 per violation; there is no maximum per violation. The total penalty is capped at $1.5 million for violations of an identical requirement or prohibition within the same calendar year.

HIPAA Docs for Employers
A HIPAA Privacy Policy
A Plan Amendment for Privacy Practices
A HIPAA Use and Disclosure Form
A Summary of Material Modifications to amend the Employer's SPD
A Notice of Privacy Practices
A HIPAA Training Acknowledgment
A Business Associates Agreement
A Request for Alternative Communications
An Authorization for Release of Information
A Request for an Accounting or Disclosure of Protected Health Information
A HIPAA Security Standards Checklist
A Request to Amend or Correct Protected Health Information
A Plan Sponsor Certification Form
A Request to Inspect or Copy Protected Health Information
A HIPAA Privacy Compliance Checklist

HIPAA Privacy Policy
What is it? Most covered entities must implement policies with respect to PHI that are designed to comply with the Privacy Rule's requirements
Which groups need it? Any employer who stores or transmits PHI
Information in the Privacy Policy includes the names of certain employees who have access to PHI

HIPAA Use and Disclosure Form
What is it? This form details how the covered entity will implement the adopted HIPAA Policy by establishing procedures.
Which groups need it? Any employer who stores or transmits PHI
These Use and Disclosure Procedures include two parts:
A) “Procedures for Use and Disclosure of PHI” includes the use and disclosure procedures that must be followed when PHI will be used or disclosed for the plan's own payment and health care operations purposes and when PHI will be disclosed to third parties (but not the individual).
B) “Procedures for Complying With Individual Rights” includes procedures for complying with an individual's right to access, amendment, and accounting of PHI held in a designated record set. This section also includes procedures for addressing individual requests for confidential communications and for limits on use and disclosure.

HIPAA Notice of Privacy Practices
What is it? Discloses to the employees how the plan will use and protect PHI under the Privacy Rules, what steps it will take to protect PHI, and the rights held by employees.
Which groups need it? Any employer who stores or transmits PHI
HIPAA requires that the Notice of Privacy Practices describe the uses and disclosures of PHI that may be made by the covered entity; the individual's rights; and the covered entity's legal duties with respect to the PHI. All self-insured employer plans must provide this notice to participants when they store or transmit PHI (fully insured carriers will sometimes provide this notice on behalf of an employer’s plan).

Business Associates Agreement
What is it? It is an agreement with the outside vendor in which the vendor agrees to protect PHI under the HIPAA Privacy Rules
Which groups need it? Any covered entity that shares or transmits PHI to an outside vendor such as a broker or a TPA.
A business associate can provide legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services, if the performance of such services involves disclosure of PHI from the covered entity, or from another business associate of the covered entity or OHCA, to the service provider.

Authorization for Release of Information
What is it? An individual authorization for the use or disclosure of PHI is required whenever the use or disclosure is not otherwise permitted under the Privacy Rule.
Which groups need it? Any time the disclosure or use of PHI is outside the Privacy Policy.
An individual may wish to have PHI disclosed by a covered entity for a variety of reasons, including applications for life or disability insurance or for purposes of a lawsuit. A covered entity itself may request an authorization to use or disclose PHI that it maintains for a purpose other than one for which no authorization is required. Finally, a covered entity may request an authorization that permits another covered entity to disclose information to the requesting covered entity.

HIPAA Security Standards Checklist
What is it? It details how the covered entity will comply with the security requirements under HIPAA Privacy
Which groups need it? Any group that stores or transmits electronic PHI
Example: An employer would provide this checklist if they were being audited, to show good faith compliance with the HIPAA security requirements

Plan Sponsor Certification Form
What is it? Under HIPAA, a group health plan may not disclose PHI to a plan sponsor unless certain firewalls are in place and the plan document is amended to limit a plan sponsor’s use and disclosure of PHI received from a group health plan. A group health plan may rely on a plan sponsor’s certification that such an amendment is in place.
The Plan Sponsor Certification to Group Health Plan is designed for use by a group health plan that wishes to rely on a plan sponsor’s certification that an appropriate HIPAA privacy plan amendment is in place.
Which groups need it? Any employer that stores or transmits PHI

HIPAA Privacy Compliance Checklist
What is it? It details the employer’s efforts to comply with the HIPAA Privacy Rules
Which groups need it? Any group that is subject to the HIPAA rules
Example: An employer would provide this checklist if they were being audited, to show good faith compliance with the HIPAA privacy requirements

Plan Amendment for Privacy Practices
What is it? An employer’s plan document must be amended to provide a mention of the Privacy requirements
Which groups need it? Any employer subject to the HIPAA requirements
Example: HIPAA rules effective 1/1/2013 require this amendment to your Plan Document

Summary of Material Modification (SMM) to the SPD
What is it? Any employer Summary Plan Description must be amended to provide an explanation of HIPAA Privacy
Which groups need it? Any employer subject to the HIPAA requirements
Example: HIPAA rules effective 1/1/2013 require this amendment to your SPD

HIPAA Training Acknowledgment
What is it? There is a requirement that employees who handle HIPAA PHI must receive ongoing training.
Which groups need it? Any employer subject to the HIPAA requirements.
There is a requirement that those personnel who handle PHI must receive periodic training. This form shows evidence of that training.

Request for Alternative Communication
What is it? A health plan must permit individuals to request to receive communications of PHI from the plan by alternative means or at alternative locations, and it must accommodate such reasonable requests, if the individual clearly states that disclosure of all or part of that information could endanger the individual.
Which groups need it? Any employer subject to the HIPAA requirements
Example: An employer group might be asked not to send claim information to a home address but to keep it at the office.

Request for Accounting or Disclosure of PHI
What is it? It is a request asking to whom the health plan disclosed PHI.
Which groups need it? Any employer subject to the HIPAA requirements
Example: An employer group might be asked for an accounting of who they disclosed PHI to in the administration of the plan

Request to Amend or Correct PHI
What is it? An individual has the right to amend or correct PHI maintained in a designated record set if the PHI is inaccurate or incomplete.
Which groups need it? Any employer subject to the HIPAA requirements
Example: An employer group might be asked to change their records to correct mistakes

Request to Inspect or Copy PHI
What is it? With a few exceptions, an individual has the right to inspect and copy his or her own PHI that is maintained in a designated record set. On May 31, 2012, the Director of OCR posted a message on the OCR website reminding consumers of their right to:
- ask to see and get a copy of their health records from most doctors, hospitals, and other health care providers such as pharmacies and nursing homes, as well as from their health plan; and
- get the records electronically or on paper if their plan or provider is able to do so
Which groups need it? Any employer subject to the HIPAA requirements
Example: An employer group might be asked to review claim records.

HIPAA Resource Links
http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html

Request a template copy of these documents
If you are interested, please request a copy of these template documents from:
___________________________
You will also be receiving an email with this order information. Once we receive your request, we will send you an order form (with signature line). Once the signed order is received, we will send you the documents. Requests for these documents must be made by ______________. Questions about these documents must be addressed to your legal counsel.

Thank you!