f.u.n. slides hipaa

Upload: gwhumanresources

Post on 23-Jan-2018

Category:

Recruiting & HR


What is HIPAA?

O HIPAA stands for the Health Insurance and Portability Act of 1996. It essentially governs health insurance for employees, as well as specifying the minimum standards for the secure file transfer and protection of electronic health records.

O 1/1/15 Strict Data Breach Updates to HIPAA Security Rules

www.GWHumanResources.com © Copyright 2016 GW Human Resources 2

Who Does HIPAA Apply To?

O HIPAA applies to “covered entities and business associates”, to use the technical terms from the Act.

O “Covered entities” refers to any healthcare provider (e.g. doctors, dentists, clinics, chiropractors, pharmacies, etc.), health plans or health care clearinghouses that transmit health information in electronic form.

O “Business associates” are any persons or organizations who provide specific services to a covered entity that involve the “use or disclosure of individually identifiable health information” e.g. data analysis, claims processing, billing etc.

O And even though HIPAA is an Act passed by the US Government, it affects companies outside the US who wish to provide services as a “business associate” or even exchange patient information as a “covered entity”.

O In other words, HIPAA applies to you, whether or not you’re based in the US.

What Does HIPAA Provide?

O Provides for the portability of employee health care plans and provides for the protection of certain health care-related information

O HIPAA protects the privacy of medical records and personal health information (PHI)

O HIPAA's provisions affect group health plan coverage in the following ways:

  O Provide certain individuals special enrollment rights in group health coverage when specific events occur, e.g., birth of a child (regardless of any open season);

  O Prohibit discrimination in group health plan eligibility, benefits, and premiums based on specific health factors; and

  O While HIPAA previously provided for limits with respect to preexisting condition exclusions, new protections under the Affordable Care Act now prohibit preexisting condition exclusions for plan years beginning on or after January 1, 2014.

O See COBRA for post-employment information.

What is “special enrollment?”

O Group health plans are required to provide special enrollment periods during which individuals who previously declined health coverage for themselves and their dependents may be allowed to enroll (regardless of any open enrollment period). In addition to HIPAA special enrollment rights, the Children’s Health Insurance Program Reauthorization Act (CHIPRA) added additional special enrollment rights under ERISA. Rights related to CHIPRA special enrollment are discussed in this section.

O Special enrollment rights can occur when:

  O An individual loses eligibility for coverage under a group health plan or other health insurance coverage or when an employer terminates contributions toward health coverage;

  O An individual becomes a new dependent through marriage, birth, adoption, or being placed for adoption; and

  O An individual loses coverage under a State Children’s Health Insurance Program (CHIP) or Medicaid, or becomes eligible to receive premium assistance under those programs for group health plan coverage.

O Employees must receive a description of special enrollment rights on or before the date they are first offered the opportunity to enroll in the group health plan

O The special enrollment notice can be included in the SPD (Summary Plan Description) and in initial benefit applications.

What Info is Protected (PHI)?

O Electronic, Paper or Oral Information created or received by a health care provider, health plan, employer, etc., that relates to the past, present or future physical or mental health of an individual, the provision of health care to an individual or the payment for provision of health care to an individual

O Examples of PHI:

  O Health care claims or health care encounter information, such as documentation of doctor's visits and notes made by physicians and other provider staff;

  O Health care payment and remittance advice;

  O Coordination of health care benefits;

  O Health care claim status;

  O Enrollment and disenrollment in a health plan;

  O Eligibility for a health plan;

  O Health plan premium payments;

  O Referral certifications and authorization;

  O First report of injury;

  O Health claims attachments;

  O Health care electronic funds transfers (EFT) and remittance advice; and

  O Other transactions that HHS may prescribe in future regulations.

When Does HIPAA Impact Employers?

O When they need to obtain and use protected information

O If they administer their own health care plan or review health benefit decisions

O Data Breaches

O Note: Additional restrictions/obligations apply to health care plans and other health care-related entities

Why Would an Employer Need to Obtain Protected Info (PHI)?

O When obtaining medical information for FMLA purposes:

  O To determine whether an employee has a serious medical condition

  O To determine whether an employee is able to return to work

O When trying to determine the parameters of a reasonable accommodation under the ADA

O When trying to determine an appropriate modified work schedule for an employee returning to work after suffering a work-related injury

O Claims – employers should direct claim questions to the insurance provider. HR should not assist with specific health related insurance claims.

How Would an Employer Obtain Protected Info (PHI)?

O The employer must obtain a valid authorization that includes the following:

  O A description of the information

  O The identity of the person/entity authorized to make the disclosure

  O The identity of the person/entity to which the disclosure may be made

  O A description of each purpose of the requested information

  O The signature of the individual whose information is sought

  O Certain statements notifying the individual of his or her rights, including that s/he is entitled to revoke the authorization and receive a copy of the requested information

  O An expiration date

What Records Must Be Retained?

O HIPAA privacy record documents must be kept for six years from the date they were created or the date they were last in effect, whichever is later.

O Under HIPAA, employers are required to protect the privacy of employees' personal health-related information by designating an in-house privacy official and adopting policies and procedures to keep this information private.

O With some limited exceptions, HIPAA applies to all health plans, including self-insured and fully insured plans.

O HR should retain a copy of notices sent to the organization.

Required Notices

O Covered entities are required to provide a notice in plain language that describes:

  O How the individual’s PHI will be used and disclosed.

  O The individual’s rights with respect to the information and how the individual may exercise these rights.

  O The employer’s legal duties with respect to the information, including a statement that the employer is required by law to maintain the privacy of PHI.

  O Who employees can contact for questions and privacy policies.

O The notice must include an effective date.

O The notice must be updated as changes occur (new policies, open enrollment, etc.).

O Employers must make their notice available to any person who asks for it.

O Employers must prominently post and make available their notice on any web site they maintain that provides information about their customer services or benefits.

O Effective 1/1/2015, you no longer have to provide HIPAA Certificates. The final regulations released in February 2014 clearly stated that the requirement to provide Certificates is eliminated for all individuals (both grandfathered & non-grandfathered plans) for plan years beginning on and after December 31, 2014.

What are the Potential Penalties?

O Civil and criminal fines

O Imprisonment

What you can do to Stay on the Safe Side of HIPAA!

O Limit use of any protected information to those specifically provided in the authorization signed by the employee

O Request and use only the minimum amount of medical information necessary for your purpose

O Keep all health information confidential and separate from other employee/personnel files

GW Human Resources & Business Services

For more great tools, tips, guidance and training, visit www.GWHumanResources.com

Disclaimer: Upon purchasing our product you are understanding, acknowledging and agreeing with this disclaimer. This information is provided for general informational purposes only. GW Human Resources and Business Services makes no warranties, express, implied or statutory, as to the adequacy, timeliness, completeness or accuracy of the information provided. The provided information does not constitute advice and does not bind us in any way to a business-client relationship. Laws are numerous. The amount of regulations is rising. Statements concerning legal matters should be understood to be general observations and should not be relied upon as legal advice, which we are not authorized to provide. Consult legal counsel to make sure that you are fully compliant.
