HIPAA: Understanding the Basics - PowerPoint PPT Presentation

Loading...

PPT – HIPAA: Understanding the Basics PowerPoint presentation | free to download - id: 6bd728-ZjZjZ



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

HIPAA: Understanding the Basics

Description:

HIPAA: Understanding the Basics Presenters Leanne Shank, Esquire University Counsel Jennifer Kirkland, Esquire Office of University Counsel Washington and Lee ... – PowerPoint PPT presentation

Number of Views:111
Avg rating:3.0/5.0
Slides: 75
Provided by: counselCu
Learn more at: http://counsel.cua.edu
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: HIPAA: Understanding the Basics


1
HIPAA Understanding the Basics
2
Presenters
  • Leanne Shank, Esquire University
    Counsel Jennifer Kirkland, Esquire Office of
    University Counsel Washington and Lee
    University Lexington, Virginia

3
HIPAA The Basics
  • What is it?
  • Why should you care?
  • How might it affect your institution?
  • What steps should you take to determine your
    institutions exposure and to comply?
  • NOTE This presentation is geared toward
    institutions without academic medical centers.

4
Health Insurance Portability and Accountability
Act of 1996
  • Kennedy-Kassebaum Bill --amended Social Security
    Act to allow for portability of health insurance
    (immediate qualification for comparable coverage
    upon change of employment.)
  • Congress desired to promote Electronic Data
    Interchange to facilitate this portable health
    insurance and to reduce administrative costs of
    health care.

5
A Little Congressional Humor
  • ADMINISTRATIVE SIMPLIFICATION
  • 42 U.S.C. 1320d-1 et seq.
  • Title II, Subtitle F, Part C of HIPAA
  • Gives HHS (Department of Health and Human
    Services) authority to mandate (1) transaction
    standards and code sets for electronic exchange
    of health care data, as well as (2) privacy and
    (3) security measures for personally identifiable
    health information.
  • Also provides for required use of national
    identifiers for providers, employers/sponsors,
    payers/plans, and patients (patient identifier
    shelved).
  • Substantial penalties for non-compliance.

6
Transaction Regulations
  • Designed to ensure format and content
    standardization in certain specific financial and
    administrative health care transactions conducted
    electronically.
  • NOTE it is important that you familiarize
    yourself with what types of transactions are
    governed by the transaction regulations not
    every health care transaction is covered only
    those defined in the regulations.
  • 45 CFR Part 162, Subparts K through R.

7
Privacy Regulations
  • Designed to establish a federal regulatory
    framework to promote the privacy of health
    information among entities covered by HIPAA, and
    those acting on their behalf.
  • Regulations restrict the use and disclosure of
    protected identifiable health information,
    provide for patient access to such information,
    and mandate administrative safeguards to promote
    privacy of protected health information.

8
Security Regulations
  • Not yet finalized! (Rumored for Dec.02)
  • Designed to establish a federal standard for the
    protection of health information maintained or
    transmitted electronically.
  • Require administrative, technical and physical
    safeguards for storage, transmission, and access.

9
Is Your Institution, or any part of it, Covered
by HIPAA? By any or all of the Transaction,
Privacy and/or Security Regs?
  • DONT ASSUME HIPAA OR THE SEPARATE SETS OF
    REGULATIONS APPLY TO THE COLLEGE OR UNIVERSITY AS
    A WHOLE!

10
Campus Entities That Are NOT Covered Entities
Per Se without further analysis
  • Colleges
  • Universities
  • Employers
  • Supervisors and Administrators
  • All University Insurance Plans
  • Health Care Providers (physicians, nurses,
    counselors, athletic trainers)

11
What is a Covered Entity under HIPAA?
  • Health Plan
  • Health Care Provider who transmits any health
    information in electronic form in connection with
    a HIPAA transaction May be broader under
    proposed security regulations
  • Health Care Clearinghouse (converts non-standard
    transactions to or from standard format)
  • 42 U.S.C. 1320d-1, 45 CFR 160.103

12
Use the CMS Covered Entity Decision Tools to Help
Determine Your Campus Coverage
  • http//www.cms.hhs.gov/hipaa/hipaa2/support/tools/
    decisionsupport/default.asp
  • This site will walk you through a series of
    questions with respect to your health care
    providers and health plans to assist you in
    determining if your campus will be covered under
    HIPAA.

13
Health Plan
  • An individual or group plan that provides, or
    pays the cost of, medical care. . .
  • INCLUDES (singly, or in combination)
  • Group health plans (ERISA plans), insured AND
    self-insured, providing medical care for
    employees or dependents
  • Plans with fewer than 50 participants that are
    administered in-house by the employer are
    excluded from this definition.
  • Health insurance issuers and HMOs

14
Health Plan (contd.)
  • Medicare, Medicaid, Veterans, CHAMPUS, and other
    federal and state health plans outlined in
    regulations
  • Issuers of long-term care policies, excluding
    nursing home fixed-indemnity policies
  • Any other individual or group plan providing or
    paying for the cost of medical care.
  • 42 U.S.C. 1320d, 45 CFR 160.103

15
Plans Not Covered By HIPAA
  • Plans, policies, or programs to the extent they
    pay for excepted benefits
  • Coverage only for accident
  • Disability income insurance
  • Coverage supplementing liability insurance
  • Liability insurance, including general and auto
  • Workers compensation insurance
  • Automobile medical payment insurance
  • Coverage for on-site medical clinics
  • 42 U.S.C. 300gg-91(c)(1)

16
Examples of Covered Health Plans in the College
or University Setting
  • Employee group health plan (fully/self-insured)
  • Employee group dental plan (fully/self-insured)
  • Employee group vision plan (fully/self-insured)
  • Employee flexible spending account
  • Employee Assistance Plan (for other than on-site
    clinic)
  • Retiree health plan (fully/self-insured)
  • Student health (fully/self-insured) (for other
    than on-campus clinic)

17
Examples of Non-Covered Plans in a College or
University Setting
  • NCAA intercollegiate accident policy
  • Employee long-term disability policy
  • Employee life insurance policy
  • Employee workers compensation coverage
  • Student health fee for on-site student health and
    counseling services

18
Is This Example a Health Plan?
  • University has a private psychiatrist on
    retainer, to evaluate students on a one-time
    referral from University physician/counselors
    when behavioral concerns arise. University pays
    psychiatrist directly for these sessions out of
    student health and counseling budget. Is this
    practice a health plan under HIPAA?
  • Presenter takes the position that this is not a
    covered health plan, but a contractual extension
    of the excluded on-site clinic exemption under
    HIPAA. (Note this is the presenters opinion,
    not an official HHS response.)

19
Plan Sponsor
  • Defined only under the privacy regulations, as
    the employer or other entity that establishes and
    maintains a group health plan. (ERISA only? 45
    CFR 164.501)
  • Employers and other Plan Sponsors are NOT covered
    entities under HIPAA, per se. However, Plan
    Sponsors do have certain specific obligations
    under the Privacy Regulations.
  • As a practical matter, employer-sponsored health
    plans have no employees and exist only as plan
    documents. So the employer/plan sponsor/plan
    administrator may need to ensure compliance,
    particularly with self-insured plans.

20
Endorsed vs. Sponsored Plans
  • Question A university endorses one student
    health insurance policy and allows that insurer
    to market the policy as the College Sponsored
    Student Health Plan. There is no contractual
    relationship between the college and the insurer
    and the students apply, pay premiums, and file
    claims on their own. Is the college a Plan
    Sponsor for HIPAA?
  • No. First, the concept of a plan sponsor as
    defined appears to apply only to ERISA plans.
    Second, the college has not undertaken any
    responsibility to pay any premiums or subject
    itself to any other liability under the policy.
    It is acting only as endorser and liaison between
    insurer and student. Under these circumstances,
    the college is not a HIPAA plan sponsor of this
    plan. (Presenters opinion)

21
Health Care Providers
  • Health care providers are only covered under
    HIPAA IF they electronically transmit any health
    information in connection with one of the
    specifically defined HIPAA transactions. May be
    broader under proposed security regulations
  • 42 U.S.C. 1320d-1, 45 CFR 160.103
  • According to HHS FAQs, paper to paper faxing (NOT
    sent via/to computer, but by telephone fax) is
    NOT electronic transmission under HIPAA, neither
    are phone mail/voice faxback systems.
  • Size of health care provider is irrelevant to
    coverage there is no small provider exception.

22
HIPAA Transactions
  • The following administrative and financial health
    care transactions are the HIPAA transactions
    required to be processed as standard
    transactions by covered entities (see
    definitions at 45 CFR Part 162, Subparts K-R)
  • Health care claims and encounters
  • Enrollment and disenrollment in a health plan
  • Eligibility for a health plan
  • Health care payment and remittance advice
  • Health plan premium payments
  • Health claim status
  • Referral certification and authorization
  • Coordination of benefits
  • First report of injury (to be adopted later)
  • Claims attachments (to be adopted later)

23
HIPAA Transactions (contd.)
  • If a health care provider transmits any of these
    transactions electronically, that health care
    provider is a covered entity. E.g., if your
    student health center bills student insurance
    electronically, or bills summer campers
    insurance electronically, or sends referral
    authorizations to insurers electronically, it has
    become a covered entity.
  • It appears from HHS comments that in connection
    with means as a part of the covered transaction
    itself, not merely in communications in any way
    related to a covered transaction (e.g.,
    electronically submitting a claim as opposed to
    emailing with a question about how to transmit a
    claim).

24
Look Closely at the Definitions of HIPAA
Transactions
  • Do not assume that you know what the listed
    transactions include. They are specifically
    defined, and most specifically pertain only to
    transactions to/from health providers from/to
    health plans.
  • E.g., student health centers that only bill
    student accounts, not third-party payers. This
    is direct billing of the patient under an
    excluded plan covering on-site clinic services,
    not a claim to a covered health plan. Thus,
    this sort of account billing is not a HIPAA
    transaction.

25
More Examples of non-HIPAA Triggering
Transactions
  • E.g., an email from one doctor to another doctor
    regarding a patients treatment is not a HIPAA
    transaction to trigger coverage as a covered
    entity or require standard formatting.
  • E.g., a flexible spending account plan does not
    involve claims from health providers to the plan,
    but merely direct reimbursement of the employee,
    so though the plan is a covered plan, it conducts
    no HIPAA claims required to be standardized.

26
Health Care Providers that May Be Covered in a
College or University Setting
  • Student Health Centers physicians, nurses, and
    other providers
  • Counseling Center staff psychiatrists, clinical
    psychologists
  • Athletic Trainers
  • ONLY IF THEY TRANSMIT HEALTH INFO.
    ELECTRONICALLY IN ONE OF THE DEFINED HIPAA
    TRANSACTIONS May be broader under proposed
    security regulations

27
Health Care Clearinghouse
  • An entity that takes non-standard health care
    transactions and converts them into standard
    form.
  • Some college and university health care providers
    or plans may use these entities in administering
    their health services or plans. Others may act
    as clearinghouses by billing third-party payers
    on behalf of other entities, such as clinics or
    practice groups.

28
Business Associates
  • Persons or entities that perform functions or
    activities on behalf of a covered entity, but
    that are not part of the covered entitys
    workforce. 45 CFR 160.103
  • Business Associates do not thereby become covered
    entities, but may be in their own right.
  • E.g., Third-Party Administrators are business
    associates that perform claims administration
    functions for self-insured health plans.
  • E.g., External Billing Services are business
    associates that perform functions on behalf of
    covered health care providers, but are not
    themselves covered entities.

29
Threshold Question Are You Covered under HIPAA?
  • Determine whether your college or university
    maintains any covered health plans.
  • Determine whether your college or university has
    any covered health care providers.
  • Survey appropriate individuals in offices dealing
    with these areas financial, personnel, business,
    student health, counseling, trainers, etc.
  • Survey the business associates of any health
    plans and health providers to determine whether
    they engage in HIPAA transactions and the extent
    to which they use/disclose health information.

30
HIPAA Transaction Regulations Overview
  • Designed to bring about the standardization of
    electronic exchange of health care information
    between health plans, providers, and their
    business associates, in certain specific key
    financial and administrative transactions. BE
    SURE YOU DETERMINE WHETHER ANY COVERED ENTITY
    ENGAGES IN ANY OF THESE TRANSACTIONS.

31
Transaction Regulations
  • HHS has adopted national standards and code sets
    (medical and administrative) that must be used in
    the electronic exchange of health information in
    connection with the HIPAA Transactions. 45 CFR
    Part 160 and 45 CFR Part 162.
  • All health plans, and covered health care
    providers that conduct HIPAA Transactions
    electronically, must use the transaction
    standards.
  • All health plans must assure that their business
    associates (e.g., Third-Party Administrators)
    comply with the transaction standards.

32
Transaction Regulations (contd.)
  • Health plans MUST be able to conduct transactions
    as standard transactions upon request, though
    they may use a clearinghouse or other business
    associate (such as a Third-Party Administrator)
    to do so.
  • Plan Sponsors are NOT required to submit HIPAA
    transactions (e.g., enrollment and premium
    submissions) using the standards, because they
    are NOT covered entities.
  • Covered health care providers do NOT have to
    transmit any of the transactions electronically
    but if they do so, they must use the standard
    transactions.

33
Transaction Regulations Compliance Deadline
  • Deadline for compliance with Transactions
    Regulations has been extended to October 16, 2003
    for covered entities IF, by October 16, 2002,
    they filed a compliance extension plan. (HR
    3323)
  • Small health plans (with annual receipts of 5
    million dollars or less) need not file any
    extension their original compliance deadline
    remains as October 16, 2003.
  • Information on correction/clarification of
    extension filings can be accessed at
    http//www.cms.gov/hipaa.

34
What if You Failed to File an Extension?
  • First, be sure you are a covered entity and
    subject to the earlier deadline, not the extended
    deadline for small health plans.
  • Covered Health Plans should contact their
    insurers to determine if insurers filed for
    extensions on behalf of the covered plans.
  • For self-insured plans, Third-Party
    Administrators are not covered entities, and so
    were not obligated to file for extensions.
    However, some TPAs may have voluntarily filed for
    their self-insured plans, so check to see if this
    was done.

35
Privacy Regulations Overview
  • Designed to protect patient rights by providing
    patient access to protected health information,
    restricting use of that information, and creating
    a nationwide framework for health privacy
    protection.

36
Status of Privacy Regulations
  • NOTE Privacy Regulations became effective April
    14, 2001, and amendments were finalized August
    14, 2002.
  • For compliance deadlines, see slide 62.

37
Application of Privacy Regulations
  • Various parts of the privacy regulations will
    apply to the following entities with respect to
    protected health information
  • Health plans and health clearinghouses
  • Health care providers who transmit health
    information electronically in a HIPAA transaction
  • Plan sponsors of group health plans
  • Covered entities must ensure that their business
    associates who create or receive protected health
    information comply with the privacy regulations
    by written contract or agreement requiring
    specific assurances. 45 CFR 164.502, -504, -532.

38
Protected Health Information
  • Individually identifiable health information
    (diagnosis, condition, treatment, payment)
    transmitted or maintained in any medium,
    including oral or hardcopy, not limited to
    electronic media. 45 CFR 164.501
  • In other words, if you are a covered entity with
    protected health information, these regulations
    apply to all forms of such records and
    information.
  • IMPORTANT EXCLUSIONS student health information
    and employment records.

39
Student Health Information Exclusion
  • Education records covered by FERPA and
  • Records of students held by colleges and
    universities used exclusively for health care
    treatment and which have not been disclosed to
    anyone other than a health care provider at the
    students request. (These are specifically
    excluded from the definition of education
    records.) 45 CFR 164.501
  • HHS expressly determined that it was not going to
    preempt FERPA, because FERPA provided a privacy
    framework for student records. So, if the
    records fit within the HIPAA FERPA exception,
    must apply FERPA.

40
Employee Records Exclusion
  • Contained in the finalized amendments to the
    privacy regulations.
  • Excludes from protected health information
    employment records held by a covered entity in
    its role as employer. 45 CFR 164.501
  • E.g., covered university physician or benefits
    office maintaining employee records regarding
    requested disability accommodation, FMLA, or on
    the job drug testing. However, the records kept
    on employee health plan participation and claims,
    as well as medical treatment of employees by any
    college/university health care providers who are
    covered entities, are PHI.

41
Disclosure of PHI Restricted
  • Covered entities allowed to disclose without
    authorization for treatment, payment, and health
    care operations (see regulations for specific
    definition of these terms). 45 CFR 164.506
  • Amended regulations remove requirement for health
    care providers to get general consent, allow for
    acknowledgement of notice on privacy practices at
    time of first visit.
  • Covered entities allowed to disclose otherwise
    with written authorization of individual. 45 CFR
    164.508

42
Disclosure of PHI Restricted (contd.)
  • Covered entities allowed to disclose certain
    types of information without individual
    authorization if opportunity to agree or opt
    out (like FERPA directory information.) 45 CFR
    164.510
  • Covered entities may disclose without
    authorization when required by HIPAA or law to do
    so (e.g., public health emergency, product
    recall) 45 CFR 164.512
  • In most disclosures, covered entities must
    disclose minimum necessary information. 45 CFR
    164.514

43
How do Restrictions on PHI Disclosure Affect
Research?
  • Research alone does not make a university a
    covered entity or a department a health care
    component, unless researchers are also treating
    and, as health care providers, are electronically
    transmitting health info in HIPAA transactions.
  • However, researchers will need to produce either
    a specific HIPAA authorization, IRB/privacy board
    waiver, or meet a specific HIPAA research
    exception in order to obtain PHI from covered
    health care providers or other covered entities
    who are data sources. 45 CFR 164.508 or
    164.512(I)
  • Contact data sources now to see what they will
    require.

44
Hybrid Entity
  • Unique to privacy regulations 42 CFR 164.504
  • A single legal entity that is a covered entity,
    that performs covered and non-covered functions,
    and that designates health care components. Most
    colleges/universities will be a hybrid.
  • E.g., university with a covered student health
    center and covered health plans. Under the hybrid
    status, the entire university does not become a
    covered entity only the designated health care
    components are required to comply with HIPAA
    privacy regulations. 45 CFR 164.504

45
Hybrid Entity (contd.)
  • Hybrid entity MUST designate any component that
    would meet the definition of a covered entity if
    it were a separate legal entity.
  • Hybrid entity MAY include other components that
    perform covered functions and activities that
    would make the component a business associate if
    it were a separate legal entity (e.g., division
    of business office involved in billing, division
    of benefits office involved in covered plans,
    division of legal counsels office involved in
    health care issues.) Can be specific as to
    individuals need not name an entire office.

46
Considerations for Selection of Optional Health
Care Components
  • A hybrid covered entity must ensure privacy
    regulations compliance by its health care
    components. 45 CFR 164.504
  • Without a HIPAA authorization, a health care
    component cant disclose PHI to another
    non-health care component of the university where
    disclosure would be prohibited if the components
    were separate legal entities.

47
Designation of Hybrid Entity Components
  • Must make this designation in writing (internal
    designation, not required to be filed, but must
    have a paper trail in case of OCR/HHS inquiry.)
  • Document any additions or removals of
    individuals/offices as health care components as
    they occur.
  • Remember only individuals/offices that deal in
    PHI are required to comply with privacy regs. If
    an office only deals with exempt student or
    employment records, it does not handle PHI and
    there may be no reason to designate it as a
    health care component if it would not meet the
    definition of a covered entity itself.

48
Considerations for Hybrid Entities (contd.)
  • If non-covered components are closely intertwined
    with covered components and have need for PHI, it
    may make sense to designate them as health care
    components.
  • But be careful of over designating! (E.g., if
    student health center not covered entity and not
    closely intertwined with covered health plans,
    designation could require unnecessary practices
    and conflicts with FERPA)
  • Other examples of potentially unnecessary
    designation athletic trainers who do no
    electronic third-party billing or referrals with
    covered plans researchers uninvolved with health
    care providers or health plans

49
Use/Disclosure by Business Associates
  • Covered entities need business associate
    contracts/agreements with all business associates
    who create or receive PHI in carrying out
    functions on behalf of the covered entity.
  • E.g., third-party administrators of university
    self-insured health plans, outside counsel
    handling matters involving PHI.
  • BA must not use or further disclose PHI other
    than as permitted or required by law.
  • BA must use appropriate privacy and security
    safeguards.

50
Use/Disclosure by Business Associates (contd.)
  • BA must report any improper use or disclosure of
    which it becomes aware to covered entity.
  • BA must ensure its agents agree to same
    restrictions.
  • Regulations provide transition timetable for
    contracts renewed at various points prior to
    compliance deadline.
  • 45 CFR 164.502,-504,-532

51
Right of Individual Patient or Plan Participant
  • Individual has a right to request confidential
    communication of health information. 45 CFR
    164.522
  • Individual has a right to access his/her health
    information. 45 CFR 164.524
  • Individual has a right to request amendment of
    incomplete or inaccurate health information. 45
    CFR 164.526
  • Individual has a right to receive an accounting
    of certain disclosures of health information. 45
    CFR 164.528

52
Required Privacy Notices by Covered Entities
  • Covered entities must provide notice of their
    privacy practices for protected health
    information. 45 CFR 164.520
  • For self-insured group health plans, the health
    plan itself must provide the notice. For an
    insured or HMO plan, the insurance issuer or HMO
    must provide the notice.
  • If a an insured/HMO group health plan creates or
    receives PHI (beyond information on
    participation, enrollment, disenrollment, or
    summary information), it is required to develop
    and maintain such notice and provide on request.
    Otherwise, not required.

53
Joint Consent and Notice Vehicles
  • Single Affiliated Covered Entity designation of
    multiple covered entities under common ownership
    or control as a single Covered Entity (e.g.,
    commonly owned health care facilities, different
    divisions of a single covered entity.)
  • 45 CFR 164.504(d)

54
Joint Consent and Notice Vehicles (contd.)
  • Organized Health Care Arrangement joint venture
    between covered entities, which allows for joint
    notice of privacy practices and joint consent for
    covered health care providers. Also allows these
    entities to use their PHI without business
    associate agreement or authorization.
  • Available for clinically integrated settings,
    insurers and group health plans, group health
    plans with the same plan sponsor. Requires
    written designation and indication on notice of
    privacy practices.
  • 45 CFR 164.501, -520(d).
  • Ambiguity re any shared liability.

55
Use of PHI by Plan Sponsors of Group Health Plans
  • Regulations restrict the disclosure of PHI by
    group health plans/insurance issuers/HMOs to
    employer plan sponsors. Designed to prevent use
    of PHI in making employment-related decisions.
  • Before a group health plan/insurance issuer/HMO
    can disclose PHI to a plan sponsor (other than
    summary/enrollment/disenrollment OR with an
    authorization), the plan sponsor must have
    amended its plan documents to agree to
  • Establish permitted and required uses of PHI
  • Ensure that agents will agree to same
    restrictions
  • Not use information for employment-related actions

56
Plan Document Amendments (contd.)
  • Report inconsistent use or disclosure of which it
    becomes aware
  • Make available information required for health
    information amendment and accounting of
    disclosures
  • Make internal practices and records available to
    HHS for determining compliance
  • Return or destroy all PHI when no longer needed
  • Ensure that adequate separation (firewalls) are
    established by identifying employees or classes
    of employees to be given access to PHI,
    restricting that use to plan administration
    functions, and providing a mechanism to resolve
    noncompliance issues.
  • 45 CFR 164.504(f)

57
Should all Plan Sponsors Amend their Plan
Documents?
  • Not necessarily, but there are several reasons
    why plan sponsors should carefully consider how
    to proceed. Ask How often/why do we get PHI?
  • Insurers/HMOs may require plan document
    amendments for continued coverage or premium
    discounts, etc.
  • The college/university may want to continue
    claims advocacy on behalf of its employees
    without obtaining an individual authorization
    each time.
  • Ultimately, if a PHI disclosure occurs, the group
    health plan could face HIPAA penalties for not
    ensuring that the amendments were made before the
    PHI was disclosed to the plan sponsor.

58
Ancillary Administrative Requirements of Privacy
Regs
  • Note Insured/HMO group health plans that neither
    create nor receive PHI except summary/participatio
    n/enrollment information are not subject to most
    of these requirements. Plan sponsors are not
    subject to these requirements as such. HOWEVER,
    self-insured health plans must comply with all of
    these requirements, as must insured/HMO plans
    that create or receive other PHI.
  • 45 CFR 164.530(k)

59
Ancillary Administrative Requirements (contd.)
  • Designate privacy official for policy development
    and receipt of complaints
  • Train workforce of covered entity (covered health
    care components) on PHI
  • Implement reasonable administrative, technical
    and physical safeguards to protect PHI
  • Provide complaint process
  • Establish and apply appropriate sanctions for
    covered entity workforce noncompliance

60
Ancillary Administrative Requirements (contd.)
  • Mitigate any harmful effect of wrongful
    disclosures of PHI
  • Take no retaliatory action against those
    exercising HIPAA rights or complainants
  • Implement written policies and procedures re PHI
    and maintain documentation required under the
    regulations for six years
  • 45 CFR 164.530

61
Attn Covered University Health Care Providers
and Student Health Plans With No PHI
  • In comments to the privacy regulations, HHS has
    stated that the privacy rules only apply to a
    covered entity to the extent it possesses PHI.
    (P. 82488 Federal Register, December 28, 2000)
  • HHS has also commented that, in light of FERPA
    exclusion (removing student health records from
    PHI), only non-FERPA schools would be subject to
    the ancillary administrative requirements as
    regards their covered health care clinics. (P.
    82595 Federal Register, December 28, 2000)

62
The 64,000 Question
  • Does the FERPA exception to PHI act to exempt a
    covered college/university health care provider
    or self-insured student health plan with only
    student records from the ancillary administrative
    requirements?
  • No definitive regulatory answer, despite noted
    comments, FERPA exemption, and administrative
    requirements exemption for insured group health
    plans with no PHI.

63
Deadlines for Privacy Regulations Compliance
  • Covered entities must comply by April 14, 2003.
  • Small health plans with annual receipts
    (essentially, total of employer and employee
    premiums) of 5 million or less have until April
    14, 2004. For self-insured plans, calculate
    using total amount of claims paid.

64
First Steps to Take Toward Compliance with
Privacy Regs
  • Inventory your campus for providers and plans
    that may be covered entities, as well as those
    departments that must/should be designated as
    health care components for a hybrid entity.
  • Determine current practices re health
    information and analyze the gaps between
    current practice and HIPAA requirements. Do the
    same for business associates of your covered
    entities and health care components.
  • Develop compliant policies, documents, and
    training, working with insurers, TPAs, other
    business associates, and research data sources to
    promote consistency of practice.

65
Security Regulations (Proposed) Overview
  • Proposed regulations are designed to provide a
    standard level of protection for health
    information housed or transmitted electronically.
  • Administrative, technical and physical safeguards
    for storage, transmission, and access of
    electronic health information.

66
Security Regulations Coverage (Proposed)
  • Potentially broader scope of covered entities
    than transaction and privacy regulations.
  • In addition to health plans, proposed regulations
    cover clearinghouses or health care providers
    that (1) process any electronic transmission
    between covered health care entities OR (2)
    electronically maintain any health information
    used in an electronic transmission between any
    combination of covered health care entities. 45
    CFR 142.302

67
Security Standards (Proposed)
  • A covered entity must assess potential risks and
    vulnerabilities to the individual health data it
    possesses and develop, implement, and maintain
    appropriate security measures to protect
    individual health information in ELECTRONIC FORM,
    not hard copy or oral. 45 CFR 142.306
  • Specifics will vary according to system,
    environment, etc.

68
Security Standards (Proposed) (contd.)
  • Minimum features (45 CFR 142.308)
  • Administrative procedures to guard data
    integrity, confidentiality, and availability
  • Physical safeguards to guard data integrity,
    confidentiality, and availability
  • Technical security services and mechanisms to
    guard data integrity, confidentiality, and
    availability
  • If covered entity elects to use electronic
    signatures in covered transactions, entity must
    apply proposed electronic signature standard. 45
    CFR 142.310

69
Security Regulations Compliance Deadline
  • Proposed effective/compliance date is 24 months
    after publication of the final rule in Federal
    Register (not yet published rumored for
    publication in December, 2002.) Small health
    plans have 36 months to comply. Small health
    plans in proposed regs fewer than 50
    participants, but expect final to mirror
    transaction/privacy regs. 45 CFR 142.312

70
General Penalty for Non-Compliance with HIPAA
  • 100 per violation
  • Cap on identical violations for one calendar year
    is 25,000.
  • Penalty may be waived if non-compliance was due
    to reasonable cause and not willful neglect.
  • 42 U.S.C. 1320d-5

71
Penalty for Knowing Wrongful Disclosure of
Individually Identifiable Health Information
  • Fine of not more than 50,000 and imprisonment
    for one year, or both
  • If committed under false pretenses, fine of not
    more than 100,000 and imprisonment for not more
    than five years, or both
  • If committed with intent to sell, transfer or use
    such health information for gain or malicious
    harm, fine of not more than 250,000 and
    imprisonment of ten years, or both
  • 42 U.S.C. 1320d-6

72
No Private Cause of Action
  • HIPAA does not provide a private cause of action
    by a patient or participant in a covered health
    plan against a covered entity or business
    associate.
  • However, the HIPAA regulations and standards may
    become the standard of care for health
    information and could be used against the entity
    in a separate cause of action.

73
Want to Know More about HIPAA?
  • We hope that this presentation has made you aware
    of HIPAA, its basic coverage, and areas where it
    might apply on your campus. To find out more,
    here are some resources

74
A Few Online Resources on HIPAA
  • http//www.acha.org/info_resources/hipaa_links.cfm
    HIPAA Resource site of American College Health
    Association
  • http//aspe.hhs.gov/admnsimp/ United States
    Department of Health and Human Services/Administra
    tive Simplification
  • http//www.hhs.gov/ocr/hipaa Office for Civil
    Rights/HIPAA
  • http//snip.wedi.org Strategic National
    Implementation Process of the Workgroup for
    Electronic Data Interchange
About PowerShow.com