Permitted Disclosures Under GLB & HIPAA
Miriam J. Paramore
PCI
9001 Shelbyville Road
iTRC Building
Louisville, KY 40222
502-429-8555
www.hipaasurvival.com
© Paramore Consulting, Inc.
Project Overview
• Client: Large Health Plan
– Health insurer, Disease management, HMO, Hospital, Primary Care, Clinic, Home health
• Privacy Compliance Assessment
– GLB Primary Focus
– HIPAA (where overlaps exist)
• Timeline: 6-8 weeks
Project Overview
• Objectives
– Uses & Disclosures Inventory
– Determine which disclosures are permitted under GLB & HIPAA, Identify gaps
– Develop baseline HIPAA gap analysis
• #1 Priority
– Identify changes in disclosure practices needed before July 1, 2001
Project Team
• Paramore Consulting, Inc. (PCI)
– Business & technical consulting
– Data gathering, Disclosure analysis, Document cataloging, Information Inventory
– Facilitated sessions
• Gardner, Carton & Douglas (GCD)
– Document review, Privilege
– Legal interpretation & analysis
Project Team
• The Client
– Dedicated team of internal staff
– Coordinated by Corporate Compliance Manager
– Representatives from all affected business units & departments
– Educated on the relevant laws
– Motivated
The Laws
• HIPAA
– Health plans, Clearinghouses, Providers that transmit electronically
– Use and disclosure of protected health information
• GLB
– Insurance institutions, Agents & Insurance support organizations
– Disclosure of personal information
“Information” Under the Laws
• HIPAA
– Protected Health Information
– Use
– Disclosure
• GLB
– Personal Information
– Privileged Information
GLB: Personal Information
“Any individually identifiable information gathered in connection with an insurance transaction from which judgments can be made about an individual’s character, habits, avocations, finances, occupation, general reputation, credit, health, or any other personal characteristics. It includes an individual’s name and address and medical-record information, but does not include privileged information or any information that is publicly available.”
GLB: Privileged Information
“Any individually identifiable information that relates to a claim for insurance benefits or a civil or criminal proceeding involving an individual and is collected in connection with or in reasonable anticipation of a claim for insurance benefits or civil or criminal proceeding involving an individual.”
HIPAA: Use v. Disclosure
• Use – “the employment, application, utilization, examination, or analysis of protected information within an entity that maintains the information.”
• Disclosure – “the release, transfer, provision of access to, or divulging in any other manner of protected information outside the entity holding the information.”
In short, 'use' occurs inside an entity, while 'disclosure' occurs outside an entity.
Permitted Disclosure Comparison
• HIPAA
– Written Authorization
– Minimum Necessary
– Written Business Associate Agreements
• GLB
– Written Authorization
– Reasonably Necessary
– Written or Oral Agreements With Recipient
Project Process
• Planning
– Client, PCI, & GCD responsibilities assigned and coordinated
• Attorney-Client Privilege
• Information Capture
• Legal & Risk Analysis
• Reporting
Attorney-Client Privilege
• Established early
• Underlying information not covered
• Review of all documents prior to distribution to project team
• Legal interpretation to in-house counsel prior to distribution
• Analysis and reporting through GCD
Information Capture
• Document gathering (547 documents)
• Questionnaires
• Cross-functional facilitated sessions (4 days)
• Detailed interviews with each affected department
Work Products
• PHI Flow Diagram
• Business Associate Inventory
• Uses & Disclosures Inventory
• HIPAA Disclosures Key
• GLB Disclosures Key
• Master Document Catalog
PHI Disclosures Diagram
[Diagram; the labels are listed below without the connections between them.]
Column headings: Customers, Payers, Providers
Organizations: Disease Mgt Group; HMOs; A Large BCBS Plan; BCBS Group; Plan Services; Group; Others; Groups; Applicant / Member; Broker; Other Blue Plans; Fulfillment Vendors; Providers (Hospitals, Physicians, Skilled Nursing Facilities, Long-term Care, Home Health Agencies, Clinics, Etc.); Pharmacies; BCBS Assoc.; Law, Auditor, (non-claim); Off-site Storage Vendors; Accreditation Organizations; Regulatory Agencies; Research Vendors; Clearing Houses; Vendors; Data Entry Vendors; Outside Medical Review; Consultant; Other Insurance; Financial Institutions
Disclosed information:
• Elig. Info Req. • Quote Info • Enroll Reject Notice • Aggregate Data • Claims Data • High Dollar/Stop Loss • Premium/Cost-Plus Bill’g
• Elig. Info Req. • Quote Info • Enroll Reject Notice (no meds)
• Pre-Auth/Cert Denials
• Elig. Info / Changes • Quote Info • Enroll Reject Notice • Mbr. Comm. Ltrs. • Pre-Auth/Cert Comms • Paid Claim Info • Dependent Benefits/claims Info • Record Request Comms • Dis. Mgmt/Baby Info • Case Mgmt • Release Coord
• Mktg. Matl. • Benefits Packs
• Mailing List Info • Claims info to generate mailing lists
• Paper Applications
• Underwriting • Claims Info
• Medical Review Info • Denial of Claims Info • Dental Apps
• Presc. Drug Info • HCFA and DSR claims
• Correspondence
• Data Mining • Drug Studies
• Secondary Cross-over Info
• Eligibility Feed • Claims info for fraud investigation
• Subrogation • COB info • Claim info for fraud investigation
• Wellness Newsletter
• Crisis Phone line • Elig. Roster
• Cap Report • Membership Lists • Pre-Auth/Cert Comms • Claim Info • Daily Error Report • Paid Claim Info • Case Mgmt Negotiation • Utilization Data for Hemophiliacs
• Eligibility Approval
• Drug Claim Info • Paid Claim Info
• Verification of Benefits data
• Eligibility Info • Pre-Auth/Cert Comms
• Claim Info
• Drug Interactions Notification
• Auditable info • Accreditation info • Medical info in support of provider audits
• Data to attorneys or courts in support of litigation/fraud invest.
• Fraud and abuse case information
• Appeals/Complaints Unusual Cases Claims
• Transplant Network info
• TPAs • Clinical Information • Patient Demographic Info
• Eligibility Info • Membership Lists
• Claims Info • Baby Benefits Info
Key
V - Vendor may be involved
• - Disclosed information
- Organizations
Uses & Disclosures Inventory
• From
• To
• What Information
• Purpose
• On Whose Behalf
• BAA Required?
• Permitted Disclosure Rationale (Key)
• Notes / Additional Detail / Issues
Disclosure Analysis
• To, From, What, Purpose, On Whose Behalf
• Recipients
– Affiliate, nonaffiliate
– Covered entity, non-covered entity
– Business associate
• Marketing purpose
Disclosure Analysis
• Permitted
• Permitted but limited to minimum necessary
• Permitted with agreement or written contract
• Permitted with authorization and/or opt out
• Not permitted
Disclosure Analysis Example
• Pharmacy benefits program to identify drug abuse
• Disclose to prescribing physicians
– Name of member
– Names of all other prescribing physicians
– Drugs & doses prescribed
– Dispensing pharmacies
Disclosure Analysis Example
• Purpose of disclosure
– Determine validity of benefit claim
– Determine medical necessity
– Alert physicians of abuse problem
– Establish coordination of care
• Principal compliance issue
– Minimum necessary under GLB & HIPAA
Disclosure Analysis Example
• GLB Standard
– Determining eligibility for the benefit
– Detecting or preventing fraud
– To a medical professional to:
• Verify coverage
• Inform individual of medical problem of which he may not be aware
• Provided only that information is disclosed as is reasonably necessary to accomplish the purpose of the disclosure
Disclosure Analysis Example
• HIPAA Standard
– “Payment” includes medical necessity & appropriateness of care
– “Health care operations” includes medical review for fraud and abuse detection
– Reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose
Disclosure Analysis Example
• No support for disclosing names of dispensing pharmacies
• Limit disclosure to drug & dosage
• Determine referral relationships
• If referral relationships exist
– Disclose names of other physicians
• If no relationship
– Assurance that physician will consult with other physicians
Disclosure Analysis Example
• Develop criteria to determine when disclosing names of physicians is needed
• Where criteria not met, analyze facts & circumstances
• Document basis for position that disclosure is the minimum necessary to accomplish intended purpose
Reporting
• Master Document Catalog
– Reusable, electronic workbook
• Uses & Disclosures Inventory
– Reusable, electronic workbook
– Hyperlinked to MDC
• Disclosure Flow Diagram
• Gap Analysis Report
• Presentation to Senior Staff
Findings
• Written authorizations required if information disclosed by Client to subsidiary is used beyond its work for Client
• Document minimum necessary
• Written business associate agreements
• Revise and issue privacy notices
Next Steps
• Incorporate into compliance plan
• Full HIPAA privacy assessment
– Policy & procedure development
– Privacy training
– Minimum necessary
– Authorization forms
– Business associate agreements
• Full HIPAA security assessment
Lessons Learned
• Communication is key
• Combine GLB & HIPAA efforts
• Determine your organization’s definition of “disclosure”
• Determine when attorney-client privilege is necessary
• Examine identity of subsidiaries
• Map information exchanges
Questions?
Colleen M. Roberts
Gardner, Carton & Douglas
321 N. Clark Street
Suite 3400
Chicago, Illinois 60610
(312) 245-8534
Miriam J. Paramore
PCI: e-commerce for healthcare
218 Crescent Court
Suite 100
Louisville, Kentucky 40206
(502) 895-2196