HIPAA Privacy Establishing a Compliance Plan - PowerPoint PPT Presentation

1 / 55

About This Presentation

Title:

HIPAA Privacy Establishing a Compliance Plan

Description:

27. MODULE ONE - SURVEYING THE TERRAIN. Kickoff. Meeting. Gap. Analysis ... Summary Plan Description. Plan Document Amendments. Other forms or documents? 44 ... – PowerPoint PPT presentation

Number of Views:380

Avg rating:3.0/5.0

Slides: 56

Provided by: randyg5

Category:

more less

Transcript and Presenter's Notes

Title: HIPAA Privacy Establishing a Compliance Plan

1
HIPAA Privacy Establishing a Compliance Plan

Mazursky Dunaway LLP
Monarch Tower
Suite 2400
3424 Peachtree Road
Atlanta, Georgia 30326-1118

2
A Human Resources Law Firm

Presented by
Randall D. Grayson

Monarch Tower
Suite 2400
3424 Peachtree Road
Atlanta, Georgia 30326-1118
Main 404.888.8820
Direct 404.888.8852
Fax 404.926.2952
rgrayson_at_mdllp.com

3
HIPAA Privacy Presentation Outline

Overview of HIPAA Privacy Regulations
Organizing the Privacy Compliance Project
Key Components of the Privacy Project

4
The Three Elements of HIPAA

Privacy
Security
Electronic Data Interchange

Privacy
Individual rights to control health information
Restrictions on uses and disclosures
Security
Limited access to electronic systems
Physical controls
Electronic Data Interchange
Standardized code sets for transactions
Uniform Medicare and Medicaid claims

5
Where Are We Now?

Administrative Simplification Act delays
effective date for Electronic Data Interchange
Standards
Request for extension and compliance plan were
due
October 16, 2002
Final Security regulations published Tuesday,
Feb. 18
Privacy Amendments finalized August 2002
Standardized electronic identifier standards
slowly appearing
EIN to identify employers

6
HIPAA Privacy RegulationsThe Big Picture

Regulations are applicable to
Health plans
Health care providers
Health care clearinghouses
April 14, 2003 effective date for large health
plans (50 or more participants, 5 million in
annual receipts)

7
What is a Small Health Plan?

Insured Plans Total premiums
Self-funded plans claims paid administrative
fees.
Does NOT include premiums for stop-loss
insurance.
If you are under the receipts test, HHS guidance
suggests that number of participants does not
matter.
Small Health Plans have an extra 12 months to
comply

8
HIPAA Privacy Rule

Covered Entities may not use or disclose an
individuals Protected Health Information
without written authorization except for certain
specified purposes.

9
Where Do Employers Fit In?

Plan sponsors are not covered entities
Plan administrators are covered entities
New regulations exclude employment records from
privacy requirements
Focus on the purpose and need for individually
identifiable health information to determine
covered or not covered activities

10
Where do Group Plans Fit In?

Employers acting as plan administrators are
covered entities
Self-funded plan must comply, depending on level
of plan administration
The insurer is deemed the health plan covered
entity in a fully-insured health plan
An employer may receive protected health
information even if not administering a plan

11
Common Plan Administration Issues

Employee concerns or questions
Enrollment forms requesting health information
Pre-existing condition exclusion review
Benefits Committee resolving appeals
Claim payment audits

12
Employment Records Exclusion

Employment records held by a covered entity in
its role as an employer
Standard was intentionally broad and vague
Focus is on the reason for which the
employer/covered entity obtained the information,
e.g.,
Processing an appeal under the group health plan
Certifying a request for sick leave

13
Why Covered Entity Status Might Not Matter

Employment laws contain other restrictions on use
of medical information
ADA calls records confidential medical record
Preemption Analysis
More stringent state laws are not preempted by
HIPAA Privacy requirements
Tort law (e.g., invasion of privacy) could be
more stringent state law
HIPAA provides a road map for negligence standard

14
Exclusion for Enrollment Information

Covered Entity can share enrollment information
with a Plan Sponsor (Employer) without
authorization
If Plan Sponsor provides enrollment information,
the Covered Entity must treat as protected health
information

15
HIPAA Privacy Definitions

Protected Health Information (PHI) is
Individually identifiable information (oral or
recorded in any form or medium)
Created, maintained or received by a health plan
or provider
Related to the past, present or future physical
or mental condition of, or the provision or
payment for health care for an individual
Employers can receive PHI without authorization
if
Health plan documents are amended to impose
specified limits on the use and disclosure of PHI
PHI is used for purposes of claim appeals, audits
or other administrative purposes (TPO)

16
HIPAA Privacy Definitions

Permitted uses of PHI without authorization
Treatment medical care
Payment claims processing and appeals
Operations
Underwriting, cost containment
Internal grievances, medical peer review
Quality assessment, utilization review
Accreditation, licensing, credentialing
Key for TPO use is Notice of Privacy Practices

17
HIPAA Privacy Definitions

Notice of Privacy Practices
If plan sponsor uses PHI it must create its own
Notice
Consent
Health provider no longer required to get consent
each service
Consent may be obtained. State laws may be
applicable
Authorization
Individual written authorizations permitting a
particular use of PHI (marketing or research)

18
HIPAA Privacy Definitions

Business Associates
Consultants, claims administrators, actuaries,
etc.
Business Associates who create or receive PHI
must agree in writing to comply with HIPAA
Privacy requirements, even if not a covered
entity otherwise
New amendments contain sample language for
business associate contracts

19
HIPAA Privacy Definitions

Minimum Necessary
Even when utilizing PHI for appropriate purposes
Reasonableness standard
De-Identified Information
Data that cannot reasonably identify an
individual
Safe harbor by eliminating identifying
characteristics
Summary Health Information
De-identified health information with zip code
data used for underwriting, securing bids, etc.

20
De-Identified InformationThe Named Identifiers

Names
Geographic subdivisions smaller than a State
Dates related to individual (birth, discharge,
age over 89)
Telephone or fax number
E-mail address
Social Security number
Medical record number
Health plan beneficiary numbers
Account numbers

Certificate/license numbers
Vehicle identifiers and serial numbers, license
plates
Device identifiers and serial numbers
URLs
Internet Protocol address
Biometric identifiers (finger prints)
Photographs
Any other unique characteristic

21
A Model for Avoiding Privacy Regulations

Hands-off plan administration
De-identified health information only
Clear contractual and plan delegation of
administration responsibilities to Business
Associates

22
A Model for Complying with Privacy Regulations

Define and limit employees with access to PHI
Define permitted uses of PHI
Create policies and procedures
Notice of Privacy Practices
Individual rights correction, audit, review,
complaint procedure

23
Special Issues

Marketing
New drugs, treatments or benefits offered by an
entity other than the Insurer.
Pharmaceutical advertising.
Physician, Hospital, or Provider Quality Review
Performance objectives
Financial rewards to providers for outcomes
Research
Independent review board exemptions
Disclosures and authorizations

24
Other Special Issues

Public Health Agencies
Law Enforcement Officials
Subpoenas or Court Orders
On-site clinics
OSHA, workers compensation and other workplace
safety rules
Wellness programs or employee health initiatives

25
WHAT NOW?

Less than two months until compliance date
What do I need to do?
Where do I start?
How do I get organized?

26
Modular Approach to HIPAA Compliance

Assessment
Surveying the Terrain
Design
Bridging the Gap
Drafting
Putting Pen to Paper
Implementation
Turning Words Into Action

27
MODULE ONE - SURVEYING THE TERRAIN
Kickoff Meeting
Gap Analysis
Identifying Current Practices
MD presents HIPAA Privacy Overview
MD prepares Gap Analysis Report identifying gaps
between HIPAA requirements and client practices
MD tailors assessment worksheets for clients
situation
Client discussion of privacy practices and its
needs and preferences
Client completes MD assessment worksheets
Client identifies its key issues from Gap
Analysis Report
28
MODULE TWO - BRIDGING THE GAP
Who is in Charge?
Developing the Rules
Client identifies privacy officer and other
compliance personnel
MD outlines policies and procedures and
organization structure tailored to client
MD and Client develop processes for uses of
protected information
MD outlines job descriptions and assignments for
compliance personnel
MD organizes format of policies, procedures and
workflows
MD and Client define business associate
relationships and business associate
responsibilities
29
MODULE THREE PUTTING PEN TO PAPER
Internal Guidance
Notices and Contracts
Protecting Individual Rights
MD drafts policies and procedures for handling
protected information
Client develops internal procedures for
individual access, accounting, and requests to
amend protected information
MD develops notice of privacy practices
MD drafts job descriptions for compliance
personnel
MD amends clients plan documents
MD and Client develop rules for dealing with
HIPAA exceptions
MD and Client amend business associate contracts
MD designs training program for personnel
30
MODULE FOUR - TURNING WORDS INTO ACTION
The End and the Beginning
Training for the Future
Ongoing Documentation
Client creates recordkeeping process documenting
HIPAA compliance
MD designs training materials for compliance
personnel
MD provides compliance report detailing success
of HIPAA project
MD trains the trainer and initial compliance
personnel
Client proceeds in full compliance with HIPAA
privacy regulations
Client executes business associate contracts
Client trains future compliance personnel
31
MODULE ONE - SURVEYING THE TERRAIN
Kickoff Meeting
Gap Analysis
Identifying Current Practices
MD presents HIPAA Privacy Overview
MD prepares Gap Analysis Report identifying gaps
between HIPAA requirements and client practices
MD tailors assessment worksheets for clients
situation
Client discussion of privacy practices and its
needs and preferences
Client completes MD assessment worksheets
Client identifies its key issues from Gap
Analysis Report
32
Module One Key Concepts

Finding Protected Health Information
Individually Identifiable Health Information
Who uses it and what for?
Defining Covered Entity Functions
Payment, Treatment, Operations
Marketing, Research
The Role of the Business Associate
Internal Operating Structures

33
Business Associate Issues

Identify the service that is being performed by
the Business Associate and evaluate necessity
What protected health information is currently
being used?
Are changes to information sharing and defined
responsibilities appropriate?

34
Organizational Structure Issues

Who should have access to PHI?
What uses of PHI are necessary?
Who has the authority and the ability to serve as
a Privacy Officer?
Can PHI be separated from health information in
non-covered employment records?

35
Protected Health Information Workflow Issues

Where can PHI be limited?
Where is PHI absolutely necessary to the
operations of the entity?
How is PHI walled-off from other members of the
organization?

36
Final Assessments

Identify where the Plan is and is not in
Compliance with HIPAA
Recommend Operations Modifications
Inventory of Policies, Procedures and Documents
Needed
The Foundation for Creating a Compliance Plan

37
MODULE TWO - BRIDGING THE GAP
Who is in Charge?
Developing the Rules
Client identifies privacy officer and other
compliance personnel
MD outlines policies and procedures and
organization structure tailored to client
MD and Client develop processes for uses of
protected information
MD outlines job descriptions and assignments for
compliance personnel
MD organizes format of policies, procedures and
workflows
MD and Client define business associate
relationships and business associate
responsibilities
38
Module Two Key Concepts

Making Plan Design Choices
Creating Operating Rules
Defining Responsible Parties

39
Defining Proper Uses of PHI Inside the
Organization

Claims appeals (Payment)
Plan exceptions (Treatment)
Cost controls by plan design (Operations)
Adding or Eliminating benefits (Operations)
E.g., Pharmacy formulary modifications
Physician or Provider Quality Review (Operations)

40
Defining Roles

Business Associates
What is the role of the Business Associate in
handling protected health information?
Privacy Officer
Individuals authorized to access protected health
information
Limits on access
Limits on uses and disclosures of PHI

41
Other Employment Uses of Medical Information

Will similar restrictions be placed on uses and
disclosures of employment records?
Will privacy be a company wide initiative?
Is there a HIPAA Lite for other uses of medical
information?

42
MODULE THREE PUTTING PEN TO PAPER
Internal Guidance
Notices and Contracts
Protecting Individual Rights
MD drafts policies and procedures for handling
protected information
Client develops internal procedures for
individual access, accounting, and requests to
amend protected information
MD develops notice of privacy practices
MD drafts job descriptions for compliance
personnel
MD amends clients plan documents
MD and Client develop rules for dealing with
HIPAA exceptions
MD and Client amend business associate contracts
MD designs training program for personnel
43
Module Three Key Concepts

Business Associate Contracts
Internal Operating Policies and Procedures
Notice of Privacy Practices
Summary Plan Description
Plan Document Amendments
Other forms or documents?

44
Internal Operations Issues

Designate group or persons who receive and use
information
Define in writing proper uses and disclosures of
information
Require de-identified information when possible
Name a Privacy Officer
Individualized policies for security of records

45
Notice of Privacy Practices

Health Plan must provide notice to participants
Summary Plan Description
Annual Notice
Posted in Human Resources Department
Available upon request
Limited Uses of PHI, Individual Rights, and
Remedies

46
Business Associate Contracts

Written acknowledgement of HIPAA Privacy
practices
Limited use of PHI
Appropriate safeguards on PHI
Access for individuals?
Duty to mitigate improper disclosures?
Indemnification Provision?

47
Written Documents Content of Contracts

Carefully review administrative services
agreements
Correctly distribute compliance duties
Negotiate indemnification provisions
Proper description of uses and disclosures of
protected health information is critical to
effective contract
Post-contract destruction or return of records

48
HIPAA Documents

Policies for Individual Access?
Policies for the Special Exceptions?
Do Not Forget
Summary Plan Descriptions
Welfare Wrap Plan Documents
Separate Notice of Privacy Practices

49
MODULE THREE PUTTING PEN TO PAPER
Internal Guidance
Notices and Contracts
Protecting Individual Rights
MD drafts policies and procedures for handling
protected information
Client develops internal procedures for
individual access, accounting, and requests to
amend protected information
MD develops notice of privacy practices
MD drafts job descriptions for compliance
personnel
MD amends clients plan documents
MD and Client develop rules for dealing with
HIPAA exceptions
MD and Client amend business associate contracts
MD designs training program for personnel
50
Module Four Key Concepts