The New Bermuda Quadrangle HIPAA, FMLA, ADA, and Workers Compensation

1
The New Bermuda QuadrangleHIPAA, FMLA, ADA, and
Workers Compensation
Ronald J. Andrykovitch, Esq.Anne M. Lavelle,
Esq.Fiore C. Londino, cg2
2
HIPAA - GENERAL PRIVACY CONCERNS
3
Bermuda Quadrangle(You - the Employer)
FMLA
HIPAA
WC
ADA
4
Health Insurance PortabilityAnd Accountability
Act(HIPAA)
5

• What is it?
• Who did it to us?
• What does it mean to employers? (i.e. Is it
  time to hit the panic button?)
  

6
Federal Law1996
What it is
7
The Good Ol DaysPortability
8

• Help job jumpers
• Pre-existing health conditions
• Waiting period
• Mandate
• Privacy and security

9
Department of HealthAnd Human Services(HHS)
Whos behind it
10
Administrative Simplification Standard(Do not
use acronym)
What employers should focus on

• Transaction and code sets
• Security
• Privacy!

11
General OverviewofPrivacy Rule
12
Went into effectonApril 14, 2003
13
Goal Keep health information private
14
Directly ImpactsCovered Entities

• Hospitals
• Doctors
• Pharmacists
• Physical therapists
• Health insurance plans
• Health insurers

15
HIPAA mandates that covered entities keep the
protected health information (PHI) of patients
private.
16

• By limiting
• Who can have access to PHI
• Disclosure of the PHI

17
Employers areNOTCovered Entities(as a general
rule)
18
Employers are NOT Regulated by HIPAA
19
UNLESS . . .
20
Providing services that a CE would provide.For
example . . .
21

• EAP
• More than a referral
• In-house medical staff

22

• HIPAA does not place obligations on employers to
  keep employees medical records private
  
• (Caveat Other statutes do!)

23

• BUT . . .

24

• Theres always a Catch 22

25

• HIPAA indirectly impacts
• employers because . . .

26
Employee FMLA Employee ADA Employee WC

• Employer needs PHI from covered entity

27

• Employees (or their dependents)
• Patients of covered entity
• HIPAA applies to employees PHI maintained by
  covered entity

28
First Issue for Employers

• Employers need for PHI
• v.
• CEs need to keep PHI private

29
Second Issue for Employers

• The HIPAA Miranda rights (as seen on ER!)

30

• Generous patient rights regarding PHI
• Limit employers ability to access PHI
• Limit covered entitys ability to disclose PHI

31

• The Patient has the right to
• Specific authorization
• Amendment
• Restriction
• Accounting
• Minimum necessary standard
• Complain

32
Authorization

• If you want medical information directly from CE,
  you must have your employee execute an
  authorization that includes
  
• Who
• What (with specificity)
• Purpose
• Revocation

Warning Termination date/event Sign/date Copy
33

• Watch out for
• Standardization
• Mental health/drug alcohol/AIDS

34
Amendment

• Rewrite history
• Depends on CE
• Not sure of format
• Statement of disagreement

35
Restriction

• Limits who can receive PHI
• Depends on CE
• Employers have rights too!
• Surprise, surprise!

36
Accounting

• CE must maintain log
• 1x year

37
Minimum Necessary Standard

• Relevancy determination by CE

38
Complaint Process

• Internal CE
• External HHS
• Investigation and possible fines
• 100/incident up to 25,000 per person, per
  year for each standard violated
  
• to
• 250,000/10 years in prison

39
Empty Words?!?!

• HHS HIPAA not meant to affect FMLA, ADA and WC

40
Two Issues?BUTIs there a solution?
41
Tips

• Condition employment benefits
• Get records directly from employee
• No HIPAA issue
• Trust issue?
• Preempt issue with CEs you work with
• Panel physician
• Audiologists
• Plant physician/nurse

RTW physicals Drug tests
42

• Look for red flags
• Amendments
• Not enough records
• Roadblocks

43

• If youre lucky enough to get PHI
• What can you do?
• What cant you do?

44

• From a HIPAA perspective
• Unlimited use PHI
• Unlimited disclosure
• Unless agreed to the contrary or business
  associate agreement in place

45

• From a broader perspective
• Keep it private
• Need to know only
• Limit access
• Use for appropriate purpose

46
FMLA, ADA AND WORKERS COMPENSATION
47
HIPAA AND THE FMLA
48
Does HIPAA affect employer rights under the FMLA?
49
Medical Certifications

• Clarification or completeness
• Second and third opinions
• Recertification
• Fitness for duty reports

50

• Is a FMLA Medical Certification PHI?
• Employee serious health condition
• Relative serious health condition

51

• How was it obtained?
• Directly from the employee?
• Directly from the employees healthcare
  provider?
  
• From the employers medical files?

52
Authorization

• If you want medical information directly from CE,
  you must have your employee execute an
  authorization that includes
  
• Who
• What (with specificity)
• Purpose
• Revocation

Warning Termination date/event Sign/date Copy
53
HIPAA AND THE ADA
54
Post Offer Exams and Inquiries
Drug Tests
Employment InquiriesJob Related and Consistent
with Business Necessity
55
HIPAA AND WORKERS COMPENSATION
56
Injured Employee
57
Panel Physician
58
No Panel PhysicianEmployees Own Doctor
59
Biggest Danger

• Minimum necessary standard

60
Remember

• Call/ask
• Subpoena

61
Sharing Information?
62
Red Flag Spotter

• Amendments
• Restrictions
• Insufficient records

63

• CASE STUDY

64

• 1. What does Willie do?

A (Not entitled to FMLA leave)
65

• 2. The pressure is getting to Willie, should
  he...

D or E (Entitled to FMLA leave. Could get certif
ication either way, depends on Willies
preference and whether or not he trusts Susie Q
and her daughter to handle this matter in a
timely and forthright manner.)
66

• 3. Willie should...

D or E are possibilities D is possible if there i
s a HIPAA authorization already executed and
given to the doctor E is possible if there isnt
(i.e. if Willie received the certification
directly from Susie Q or the doctor)
67

• 4. The panel physician is...

E
68

• 5. Quick-thinking Willie should...

C He could send out a HIPAA authorization some
risk is associated with threatening her benefits
to get the records.
69

• 6. Willie should...

F FMLA issue?
70

• 7. Willie makes the right choice
• because he opts to...

E
71

• 8. After reading Susies file, Green should...

A, B, or C could be applicable
72
GROUP HEALTH PLANS AND BUSINESS ASSOCIATE
AGREEMENTS
73
Group Health Plans

• Covered entity if
• 50 or more participants or
• Administered by any entity other than the
  employer/plan sponsor

74

• Includes
• Medical, dental, Rx, vision, etc.
• Does not include
• Disability or life insurance plans

75

• Heads up!
• Health Plan ? Health Insurer
• Health Plan ? Employer

76

• Both fully-insured and self-insured plans are CEs

77

• Obligations under HIPAA depend on employers
  involvement in plan

78
HIPAA Heaven

• Fully insured plan that does not receive/create
  PHI and employer only receives enrollment/
  de-identified summary information
  
• No retaliation
• Cant require individuals to waive HIPAA rights
• Ensure that insurer complies with HIPAA

79
Fully Insured Plan

• Receive/create PHI
• Help employees/dependents with claims
• Participate in claim audits
• Full HIPAA compliance

80

• ALL self-insured plans FULL HIPAA compliance
• Includes flexible spending accounts

81
Full Compliance

• Privacy officer
• Designee for complaints
• Notice of privacy practices
• Train plans work force
• Safeguards (technical/physical)
• Miranda rights
• Sanctions

82
Amend Plan Documents

• If plan wants to share PHI with employer/plan
  sponsor
  
• Amend plan documents
• Policy on disclosure
• Who
• Why

83
Compliance Deadline

• April 14, 2003
• April 14, 2004
• Small group health plans

84
Note

• If have EAP or in-house medical staff FULL
  HIPAA compliance
  
• April 14, 2003

85
Business AssociateAgreements(BAA)
86

• You are a Business Associate and should receive a
  BAA if
  
• Work with or provide services to CE
• PHI could be disclosed
• Example
• Copy service
• Law firm
• Advertising
• Storage
• Etc.

87

• You must sign if you want to continue
  relationship with CE

88

• But...

89

• Know the obligations/liability you are accepting!
  (Look before you leap!)

90
Typical Provisions

• Follow CEs Notice of Privacy Practices
• Implement your own privacy policy
• Physical/technical safeguards
• Training
• Limits use and disclosure of PHI
• Mandates similar agreements with your third party
  vendors
  
• Notification of breach
• Indemnity provisions

91
Tips

• Are you really a Business Associate?
• Negotiate?

92
ELECTRONIC RECORDKEEPING
93
Electronic Recordkeeping

• Benefits
• Helps with HIPAA compliance
• Removes associated hassles
• Files will pass an audit
• Follow through to ensure compliance
• 24/7 access

94
Benefits Document(s) Miscellaneous Documents Per
sonnel Document(s)
95
(No Transcript)
96
(No Transcript)
97
(No Transcript)
98
QUESTIONS AND ANSWERS