
TRANSCRIPT

Page 1: Complying with HIPAA Privacy Rules

COMPLYING WITH HIPAA PRIVACY RULES

Presented by: Larry Grudzien, Attorney at Law

Page 2: Complying with HIPAA Privacy Rules

Why are we holding this Webinar?

• As a service to our clients

• To assist in complying with the HIPAA privacy requirements

• New final regulations released by HHS in January 2013

• Health plans must comply by September 23, 2013

• New increased penalties for noncompliance

Note: GriffinEstep is not a law firm and does not provide legal advice


Page 3: Complying with HIPAA Privacy Rules

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law enacted in 1996 and amended in 2003 that protects the security and privacy of an individual's protected health information (PHI).

Most health care providers and health plans were required to be in compliance with HIPAA Privacy Rule by April 14, 2003. Small health plans were given until April 14, 2004, to be in compliance.

In 2009 the Health Information Technology for Economic and Clinical Health Act (the HITECH Act) was passed by Congress. It substantially expands the HIPAA Privacy and Security Rules and increases the penalties for violations of HIPAA.

In January 2013 HHS issued amendments to the HIPAA Privacy Rule, Security Rule and Breach Notification Rule.

HIPAA also specifically protects the electronic transmission of PHI.

Page 4: Complying with HIPAA Privacy Rules

Plan Sponsors

An employer's health plan is considered a covered entity under HIPAA and must abide by the HIPAA rules.

Vendors who provide services to the health plan (business associates) must also comply with these Privacy rules.

These rules apply to anyone who maintains protected health information (PHI) by or for a covered entity.

Page 5: Complying with HIPAA Privacy Rules

HIPAA Noncompliance Penalties

No Knowledge. Where a person does not know, and by exercising due diligence would not have known, that the person violated HIPAA's administrative simplification provisions, the minimum penalty is $100 per violation. The maximum penalty is $50,000 per violation, with a cap of $1.5 million for violations of an identical requirement or prohibition within the same calendar year.

Reasonable Cause. Where a violation is due to "reasonable cause" and not "willful neglect," the minimum penalty is $1,000 per violation. The maximum penalty is $50,000 per violation, with a cap of $1.5 million for violations of an identical requirement or prohibition within the same calendar year.

Page 6: Complying with HIPAA Privacy Rules

HIPAA Noncompliance Penalties (continued)

Willful Neglect (but Corrected). Where a violation is due to "willful neglect" but was corrected, the minimum penalty is $10,000 per violation and the maximum penalty is $50,000 per violation, with a cap of $1.5 million for violations of an identical requirement or prohibition within the same calendar year.

Willful Neglect (but not Corrected). Where a violation is due to "willful neglect" and was not corrected, the minimum penalty is $50,000 per violation; there is no maximum per violation. The total penalty is capped at $1.5 million for violations of an identical requirement or prohibition within the same calendar year.

Page 7: Complying with HIPAA Privacy Rules

HIPAA Docs for Employers

• A HIPAA Privacy Policy

• A HIPAA Use and Disclosure Form

• A Notice of Privacy Practices

• A Business Associates Agreement

• An Authorization for Release of Information

• A HIPAA Security Standards Checklist

• A Plan Sponsor Certification Form

• A HIPAA Privacy Compliance Checklist

• A Plan Amendment for Privacy Practices

• A Summary of Material Modifications to amend the Employer's SPD

• A HIPAA Training Acknowledgment

• A Request for Alternative Communications

• A Request for an Accounting or Disclosure of Protected Health Information

• A Request to Amend or Correct Protected Health Information

• A Request to Inspect or Copy Protected Health Information

Page 8: Complying with HIPAA Privacy Rules

HIPAA Privacy Policy

What is it? Most covered entities must implement policies with respect to PHI that are designed to comply with the Privacy Rule's requirements.

Which groups need it? Any employer who stores or transmits PHI.

Information in the Privacy Policy includes the names of the specific employees (or job positions) who are permitted to access PHI.

Page 9: Complying with HIPAA Privacy Rules

HIPAA Use and Disclosure Form

What is it? This form details how the covered entity will implement the adopted HIPAA Policy by establishing procedures.

Which groups need it? Any employer who stores or transmits PHI.

These Use and Disclosure Procedures include two parts:

A) "Procedures for Use and Disclosure of PHI" includes the use and disclosure procedures that must be followed when PHI will be used or disclosed for the plan's own payment and health care operations purposes and when PHI will be disclosed to third parties (but not the individual).

B) "Procedures for Complying With Individual Rights" includes procedures for complying with an individual's right to access, amendment, and accounting of PHI held in a designated record set. This section also includes procedures for addressing individual requests for confidential communications and for limits on use and disclosure.

Page 10: Complying with HIPAA Privacy Rules

HIPAA Notice of Privacy Practices

What is it? Discloses to the employees how the plan will use and protect PHI under the Privacy Rules, what steps it will take to protect PHI, and the rights held by employees.

Which groups need it? Any employer who stores or transmits PHI.

HIPAA requires that the Notice of Privacy Practices describe the uses and disclosures of PHI that may be made by the covered entity; the individual's rights; and the covered entity's legal duties with respect to the PHI.

All self-insured employer plans must provide this notice to participants when they store or transmit PHI (fully insured carriers will sometimes provide this notice on behalf of an employer's plan).

Page 11: Complying with HIPAA Privacy Rules

Business Associates Agreement

What is it? It is an agreement with the outside vendor under which the vendor agrees to protect PHI in accordance with the HIPAA Privacy Rules.

Which groups need it? Any covered entity that shares or transmits PHI to an outside vendor such as a broker or a TPA.

A business associate can provide legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services, if the performance of such services involves disclosure of PHI from the covered entity, or from another business associate of the covered entity or organized health care arrangement (OHCA), to the service provider.

Page 12: Complying with HIPAA Privacy Rules

Authorization for Release of Information

What is it? An individual authorization for the use or disclosure of PHI is required whenever the use or disclosure is not otherwise permitted under the Privacy Rule.

Which groups need it? Any time the disclosure or use of PHI is outside the Privacy Policy.

An individual may wish to have PHI disclosed by a covered entity for a variety of reasons, including applications for life or disability insurance or for purposes of a lawsuit. A covered entity itself may request an authorization to use or disclose PHI that it maintains for a purpose for which an authorization is required. Finally, a covered entity may request an authorization that permits another covered entity to disclose information to the requesting covered entity.

Page 13: Complying with HIPAA Privacy Rules

HIPAA Security Standards Checklist

What is it? It details how the covered entity will comply with the security requirements under the HIPAA Security Rule.

Which groups need it? Any group that stores or transmits electronic PHI.

Example: An employer would provide this checklist if they were being audited, to show good faith compliance with the HIPAA security requirements.

Page 14: Complying with HIPAA Privacy Rules

Plan Sponsor Certification Form

What is it? Under HIPAA, a group health plan may not disclose PHI to a plan sponsor unless certain firewalls are in place and the plan document is amended to limit a plan sponsor's use and disclosure of PHI received from a group health plan. A group health plan may rely on a plan sponsor's certification that such an amendment is in place.

The Plan Sponsor Certification to Group Health Plan is designed for use by a group health plan that wishes to rely on a plan sponsor's certification that an appropriate HIPAA privacy plan amendment is in place.

Which groups need it? Any employer that stores or transmits PHI.

Page 15: Complying with HIPAA Privacy Rules

HIPAA Privacy Compliance Checklist

What is it? It details the employer's efforts to comply with the HIPAA Privacy Rules.

Which groups need it? Any group that is subject to the HIPAA rules.

Example: An employer would provide this checklist if they were being audited, to show good faith compliance with the HIPAA privacy requirements.

Page 16: Complying with HIPAA Privacy Rules

Plan Amendment for Privacy Practices

What is it? An employer's plan document must be amended to address the Privacy requirements.

Which groups need it? Any employer subject to the HIPAA requirements.

Example: HIPAA rules effective 1/1/2013 require this amendment to your Plan Document.

Page 17: Complying with HIPAA Privacy Rules

Summary of Material Modification (SMM) to the SPD

What is it? Any employer Summary Plan Description (SPD) must be amended to provide an explanation of HIPAA Privacy.

Which groups need it? Any employer subject to the HIPAA requirements.

Example: HIPAA rules effective 1/1/2013 require this amendment to your SPD.

Page 18: Complying with HIPAA Privacy Rules

HIPAA Training Acknowledgment

What is it? There is a requirement that employees who handle PHI must receive ongoing training.

Which groups need it? Any employer subject to the HIPAA requirements.

There is a requirement that those personnel who handle PHI must receive periodic training. This form shows evidence of that training.

Page 19: Complying with HIPAA Privacy Rules

Request for Alternative Communication

What is it? A health plan must permit individuals to request to receive communications of PHI from the plan by alternative means or at alternative locations, and it must accommodate such reasonable requests if the individual clearly states that disclosure of all or part of that information could endanger the individual.

Which groups need it? Any employer subject to the HIPAA requirements.

An employer group might be asked not to send claim information to a home address but to keep it at the office.

Page 20: Complying with HIPAA Privacy Rules

Request for Accounting or Disclosure of PHI

What is it? It is a request asking to whom the health plan disclosed PHI.

Which groups need it? Any employer subject to the HIPAA requirements.

Example: An employer group might be asked for an accounting of to whom they disclosed PHI in the administration of the plan.

Page 21: Complying with HIPAA Privacy Rules

Request to Amend or Correct PHI

What is it? An individual has the right to amend or correct PHI maintained in a designated record set if the PHI is inaccurate or incomplete.

Which groups need it? Any employer subject to the HIPAA requirements.

Example: An employer group might be asked to change their records to correct mistakes.

Page 22: Complying with HIPAA Privacy Rules

Request to Inspect or Copy PHI

What is it? With a few exceptions, an individual has the right to inspect and copy his or her own PHI that is maintained in a designated record set. On May 31, 2012, the Director of OCR posted a message on the OCR website reminding consumers of their right to:

• ask to see and get a copy of their health records from most doctors, hospitals, and other health care providers such as pharmacies and nursing homes, as well as from their health plan; and

• get the records electronically or on paper if their plan or provider is able to do so.

Which groups need it? Any employer subject to the HIPAA requirements.

Example: An employer group might be asked to review claim records.

Page 23: Complying with HIPAA Privacy Rules

HIPAA Resource Links

http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html

http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html


Page 24: Complying with HIPAA Privacy Rules

Request a template copy of these documents

If you are interested, please request a copy of these template documents from:

___________________________

You will also be receiving an email with this order information. Once we receive your request, we will send you an order form (with signature line). Once the signed order is received, we will send you the documents. Requests for these documents must be made by ______________. Questions about these documents must be addressed to your legal counsel.

Page 25: Complying with HIPAA Privacy Rules

THANK YOU!