hitech, hipaa & schip: so many acronyms, so little time
Post on 29-Dec-2015
HITECH, HIPAA & SCHIP:
SO MANY ACRONYMS, SO LITTLE TIME
Alphabet Soup
American Recovery and Reinvestment Act of 2009 (“ARRA”)
Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”)
State Children's Health Insurance Act (“SCHIP”)
Stimulus Spending for Health Care
$87 billion in increased Medicaid funding
(Kentucky’s share $990 million)
$17 billion to reimburse physicians and hospitals who embrace electronic medical records
$25 billion in COBRA subsidies
$8.2 billion to NIH for grants to promote large-scale research, support community health including $500 million to train professionals in rural areas through National Health Service Corps
$1.5 billion for “comparative effectiveness research”
Total: $130+ billion
Publicized Kentucky Initiatives to Date
13.6 percent increase in food stamp benefits for recipient families
$450,000 for training and part-time employment for low income persons age 55+
Restoration of funds cut from 50 agencies caring for children in state custody ($4 million)
Temporary increase in hospital reimbursements to settle outstanding appeals
Kentucky’s Share of Medicaid Funding = $990 Million
Prior to ARRA, federal contribution per $100 of Medicaid funds paid out in Kentucky was $70.13
Under ARRA, Kentucky receives increased federal contribution of $78.61
Incentives for Hospitals to Implement Electronic Health Records
HITECH Infrastructure
Significant HITECH provisions
Federal Gov’t now officially the coordinator of federal HIT policy
Federal Gov’t has expanded role in HIT testing and research (NIST to test/certify)
Federal subsidies for states, nonprofits, and educational institutions to promote/implement HIT
Significant revisions to HIPAA privacy/security
Significant new burdens for HIPAA “business associates”
HITECH – Role in Healthcare Reform
Why now?
HITECH reflects federal government’s intent for HIT to play a transformative role in health care reform
Reduce adverse events, increase quality
Eliminate errors & duplication
Accelerate and expand pool of useful data
comparative effectiveness research
identify provider variations & inefficiencies
Contain costs in government healthcare programs
Incentives
Adopting EHR is still voluntary, but HITECH offers inducements to adopt, penalties for those who don’t
EHR stimulus money available AFTER adoption and demonstration of “meaningful use” – yet to be defined
HITECH – Loans and Grants
HITECH provides stimulus money to states to “promote HIT”
State can use grant money for EHR Adoption Loan Programs
Loans cannot be made before January 1, 2010
HITECH – Loans and Grants
Providers can use loan to purchase, upgrade, obtain training, or improve security
Providers who get a HITECH funded loan must
Submit “quality reports”
Demonstrate that EHR satisfies standards and improves quality of care – “meaningful use” rule
Include plan for EHR maintenance over time
Submit clinical quality info (TBD)
Must provider maintain the EHR after loan is repaid?
Not addressed
Why EHR?
Physician Office Productivity
Fewer chart pulls
Improved efficiency in communicating with patients and pharmacies
Improved billing accuracy
Reduced transcription costs
Clearer, safer prescribing through e-prescribing technology
Why EHR?
Quality of Care Improvement
Comprehensive point-of-care decision support – clinical guidelines, drug interactions, etc.
Rapid and remote access to patient information
Integration of evidence-based clinical guidelines
Patient-specific alerts – current drug regimen, allergies, etc.
Reduction of redundant, unnecessary services
Decrease frequency of medical error
HITECH’s Expansion of HIPAA
Who Must Comply? “Covered Entities”
Includes Health Plans
Doesn’t HIPAA apply only to health plans and health care providers? In other words, aren’t employers exempted?
No. HIPAA applies to any “covered entity,” provided that certain other requirements are met. A covered entity means a health plan, health care clearinghouse or health care provider (to the extent that it engages in the electronic transmission of confidential health information).
Under what circumstances will a group health plan be a covered entity?
If the plan either (i) has 50 or more participants; or (ii) is administered by a third party (e.g., an insurance carrier).
What Health Information is Protected by the HIPAA Privacy Rule (“PHI”)?
All Medical Records AND
Other “Individually Identifiable Health Information” created or received by a Covered Entity or an employer
In ANY form or medium:
electronic
paper
oral
An Important Distinction
Employment records held by a covered entity in its role as employer are not protected by the Privacy Rule
Information an employer receives from a health plan it sponsors or obtains from an employee’s medical record is protected by the Privacy Rule
New Rules on Privacy
HIPAA Changes
Stricter Requirements for “Covered Entities” under HIPAA
Health Plans (including employer-sponsored)
Health Care Providers
Health Data Clearinghouses
Direct Regulation of “Business Associates”
Person or entity who performs functions on behalf of a covered entity involving use or disclosure of PHI
Accountants, lawyers, software vendors, TPAs, utilization reviewers, transcriptionists, interpreters, collection agencies and more
Tougher Rules for Covered Entities
Stricter rules re: honoring requests about use/disclosure of PHI
Self-pay
Contraction of “minimum necessary” concept governing use/disclosure for payment and operations
Limited Data Set “safe harbor”
Expanded requirement to account for disclosures
All disclosures made via EHR must be tracked, reported
Tougher Rules for Covered Entities (cont’d)
Prohibition on any remuneration for PHI without authorization (some exceptions, like research, public health, sale of entity)
Access requirement includes production in electronic form
New restrictions on marketing communications require conspicuous notice about opting out
New Data Breach Notification Rules
“Breach” is unauthorized acquisition, access, use or disclosure of PHI that compromises the security or privacy of the information
Applies to “unsecured PHI”
Duty to notify each individual whose PHI “has been, or is reasonably believed by the covered entity to have been,” accessed, acquired, or disclosed due to the breach
Notification (cont’d)
Notification requirement also applies to BAs
BAs to provide notice to the covered entity
“Safe Harbor” for secured PHI based on guidance issued by HHS
HHS Guidance issued April 27, 2009 says, in effect, encrypt or destroy. Encrypted data is secure only if the key has not been breached
Notification (cont’d)
A breach is considered “discovered” on the first day it is known to the BA or covered entity, including any employee, officer or other agent of such entity or associate
All notifications must be made “without unreasonable delay”
no later than 60 calendar days after discovery
burden on notifying entity to demonstrate that all required notifications were made and explain any details
If the entity lacks sufficient contact information for 10+ individuals, notification must be made on the entity’s home page, or in major print or broadcast media
Notification (cont’d)
Notice must be
in writing
by first class mail
sent to the last known address of individual or next of kin
if individual specified preference for e-mail notification, that method shall be used
one or more mailings (as more information becomes available)
Notification (cont’d)
If more than 500 residents of a state or jurisdiction are affected
notices as described above AND
notification to “prominent media outlets” in such state or jurisdiction
Exception: if notice will “impede a criminal investigation or cause damage to national security,” then notice may be delayed
Notification (cont’d)
Notice to Secretary
if more than 500 individuals affected
HHS to publicize breaching entities on its website
If breach impacts more than 500, notice to HHS must occur immediately
Entities are permitted to keep a log of breaches affecting less than 500 individuals and submit to HHS annually
Notification (cont’d)
All notices, to the extent possible, must include
Description of breach
Description of the types of information involved
Steps individuals should take to protect themselves from potential harm resulting from the breach
Description of covered entity’s actions to investigate the breach, mitigate losses, and protect against any further breaches.
Contact information
New Regime for Business Associates
HIPAA is not just a contractual responsibility now
Regulatory requirements to
Notify covered entities of a data breach
Directly comply with administrative, physical, and technical safeguards and documentation requirements under the HIPAA security rule, just like covered entities
New Regime for Business Associates (cont’d)
Use or disclose PHI only if such use or disclosure is in compliance with the privacy provisions of their business associate contracts
Take action if covered entity has pattern or practice of violating HIPAA
New Regime for Business Associates (cont’d)
Practical Effects
Security officer or task force
Multi-department risk assessment of how information is received, accessed and used, stored and disclosed to others
Adopt and implement written policies and procedures
Increased Enforcement and Penalties
Historically, HIPAA enforcement has been complaint-driven
ARRA appropriated $24.3 billion to the privacy and security goals. Of this amount, $9.5 million is set aside to fund proactive HIPAA compliance audits by the Office for Civil Rights and CMS
The GAO is directed to prepare a report within 18 months of HITECH’s enactment establishing a method for allowing affected individuals to share in civil monetary penalties imposed under HIPAA
Old: $100/violation, max of $25,000/year - no intent was factored in
Increased Enforcement and Penalties (cont’d).
Under HITECH, potential penalties are increased significantly, and are tiered to take into account the intent of the violator. The tiers are as follows:
Tier A – if the violator did not know (and by exercising reasonable diligence would not have known) that its actions violated the HIPAA laws or regulations, a penalty of at least $100 per violation but not more than $25,000 per violation for multiple violations of the same requirement in a calendar year; and up to $50,000 per violation not to exceed $1.5 million for the same requirement
Tier B – if the violation was due to reasonable cause and not willful neglect, a penalty of at least $1,000 per violation but not more than $50,000 per violation of the same requirement in a calendar year; and up to $50,000 per violation not to exceed $1.5 million for same requirement
Increased Enforcement and Penalties (cont’d).
Tier C – if the violation was due to willful neglect and is corrected, a penalty of at least $10,000 per violation but not more than $250,000 for multiple violations of the same requirement in a calendar year; and up to $50,000 per violation but not more than $1.5 million for multiple violations of the same requirement in a calendar year
Tier D – if the violation was due to willful neglect and is not corrected, a fine of $50,000 per violation but not more than $1.5 million for multiple violations of the same requirement in a calendar year
Increased Enforcement and Penalties (cont’d).
State Attorneys General may now file a civil action against HIPAA violators on behalf of residents of their state.
$100 per violation, not to exceed $25,000 per calendar year.
Criminal penalties:
Up to $50,000 and up to one year in prison, or both, if a person knowingly obtains individually identifiable health information relating to an individual or discloses the information to another person in a manner that violates HIPAA.
Up to $100,000 and up to five years in prison or both if the information was obtained under false pretenses.
Up to $250,000 and up to ten years in prison or both if the violation involves commercial advantage, personal gain, or malicious harm.
STEP 1: IDENTIFY THE GROUP HEALTH PLANS THAT THE EMPLOYER SPONSORS
major medical plans
dental plans
vision plans
health care flexible spending accounts
health reimbursement arrangements
high-deductible health plans
health savings accounts
cancer insurance and other employee-pay-all plans
employee assistance plans providing counseling
retiree health plans
long-term care plans
wellness programs
STEP 2: IDENTIFY FULLY-INSURED PLANS AND SELF-INSURED PLANS
Fully-insured: If no access to PHI (except for summary and enrollment/disenrollment information), then group health plan has minimal HIPAA privacy compliance issues
Self-insured (or fully insured with access to PHI): HIPAA Privacy Rule will apply and sponsor will have to implement
STEP 3: IDENTIFY WHAT PHI YOU RECEIVE AND WHAT PHI YOU REALLY NEED
Employer can receive summary health information - to obtain premium bids, or to modify, amend or terminate plan, and information on enrollment and disenrollment
Employer can receive de-identified information
Employer can receive PHI the employee authorizes it to receive
What other information does the employer receive from the health plan that it doesn’t need?
LESS IS MORE
The less PHI an employer receives from a plan, the better off it is . . .
An employer cannot use or disclose PHI received from the plan for employment-related decisions unless authorized by the employee
If an employer receives health information about an employee from someone other than the health plan (including the employee or a co-worker), it’s not PHI
STEP 4 – IMPLEMENT A HIPAA PRIVACY AND SECURITY COMPLIANCE PLAN(S) FOR YOUR GROUP HEALTH PLANS
Because a fully-insured plan that is “hands off” PHI will have minimal HIPAA privacy requirements, an employer might want to have a separate privacy compliance policy for that plan
SCHIP/KCHIP
SCHIP
Created in 1997, Title XXI of the Social Security Act
State and federal combination funded children’s health insurance
Families earning too much for Medicaid, with uninsured children
Within federal guidelines – each state determines design of its SCHIP program.
KY = KCHIP
SCHIP
Children’s Health Insurance Program Reauthorization Act (“CHIPRA”)
Signed into law February 4, 2009
Renews and expands SCHIP from 7 million to projected 11 million children
$33 billion expansion
Funded primarily by boosting the federal cigarette tax from 61 cents to $1.00 per pack
In addition to 30 million of nation’s poorest children covered under Medicaid
CHIPRA Impacts Employer Health Plans
Premium Assistance Subsidy
CHIPRA allows a state to provide health plan premium assistance subsidies for certain low‑income children
To be eligible a child must be eligible for SCHIP and eligible for coverage under a “qualified employer‑sponsored health plan” – or employer‑sponsored health plan under which the employer contributes at least 40% toward the employee’s premium
Does not include health flexible spending arrangements or high‑deductible health plans
In general, the premium assistance subsidy under SCHIP is the difference between the employee contribution for employee‑only coverage and the employee contribution for coverage of the employee and the child
CHIPRA Impacts Employer Health Plans (cont’d)
Special Enrollment Rights
Became effective April 1, 2009
CHIPRA requires group health plans to permit an employee (or a dependent) who is eligible for plan coverage to enroll in the plan without waiting for an open enrollment period if:
The employee or dependent loses SCHIP (or Medicaid) coverage because of a loss of eligibility (rather than non-payment), and the employee requests coverage under the group health plan within 60 days after the termination; or
The employee or dependent becomes eligible for an SCHIP (or Medicaid) premium assistance subsidy and the employee requests coverage under the group health plan within 60 days after the eligibility determination
KyHealth Choices
CHIPRA Impacts Employer Health Plans (cont’d)
Notices to Employees of State Assistance
CHIPRA requires employers in states that provide Medicaid or SCHIP premium assistance subsidies to notify their employees in writing of the premium assistance and their enrollment rights under CHIPRA
Model notices will be available no later than February 4, 2010
Employers will be required to provide this notice starting with the first plan year after the model notice is issued
The notice may be provided as part of: the annual open enrollment materials; the initial offering of coverage to new eligible employees; or when providing the summary plan description
CHIPRA Impacts Employer Health Plans (cont’d)
Disclosure of Plan Information to States
CHIPRA requires group health plan administrators to disclose certain plan information (e.g., benefits information) to a state that requests the information
Intended to help a state determine the cost‑effectiveness of providing premium assistance
State governments may not request this information until a model coverage coordination disclosure form has been developed and regulations have been issued in connection with it
CHIPRA Impacts Employer Health Plans (cont’d)
Penalties
CHIPRA will subject employers to penalties of up to $100 a day for each failure to timely provide the required notices and disclosures
Some CHIPRA Action Items
Begin offering special enrollment
Prepare a summary of material modifications (SMM) or restate your summary plan descriptions (SPD) to include new special enrollment rights
Update special enrollment rights notice provided prior to or at time of enrollment
Wait to comply with notice requirements until model notice is issued
Disclose plan information when requested by state
Decide whether to opt out of direct payment from the state and require employee to pay entire premium and seek state reimbursement
KCHIP
Children under the age of 19
Family income must not exceed 200% of federal poverty level (before taxes)
Family of 2: $29,140
Family of 3: $36,620
Family of 4: $44,100
A “family” is considered as a child or children and the natural or adoptive parents residing together in a household
KCHIP Contact Information
KCHIP Toll-Free Hotline: (877) KCHIP-18 (877-524-4718)
HITECH
Questions?
Steven D. Gossman
Wyatt, Tarrant & Combs, LLP
500 West Jefferson St., Suite 2800 Louisville, KY 40202
(502) 562-7330
sgossman@wyattfirm.com
www.wyattfirm.com
Copyright reserved.©