DEALING WITH HIPAA - PowerPoint PPT Presentation

Slides: 40
Provided by: anitab8

Transcript and Presenter's Notes

1
DEALING WITH HIPAA
An Overview For Human Resources Professionals
  • Actions Without Borders, June 12, 2003
  • Frank A. Chernak
  • Edward I. Leeds

2
HIPAA Administrative Simplification
  • Health Insurance Portability and Accountability
    Act of 1996
  • Statute was enacted to reduce health care
    administrative costs through standardization of
    electronic healthcare transactions while
    protecting security and privacy of information.

3
Three Principal Sets of Regulations
  • Electronic Transaction Standards: Compliance
    Deadline October 16, 2003
  • Security Standards: Compliance Deadline April
    21, 2005
  • Privacy Standards: Compliance Deadline April
    14, 2003

4
Electronic Transaction Standards
  • Regulations establish uniform standards for
    the content and format of electronic transmission
    of health information in covered transactions

5
Electronic Transaction Standards: Covered
Transactions
  • Eligibility
  • Enrollment/disenrollment
  • Premium payments
  • Claims and encounter data submissions
  • Payment and remittance advice
  • COB (coordination of benefits)
  • Claim status
  • Referral certifications and authorizations
  • First report of injury (no standards yet)
  • Health claims attachments (no standards yet)

6
Security Standards
  • Regulations establish standards to protect
    health information in electronic form against
    loss, damage and inappropriate disclosure through
    physical, technical and administrative safeguards

7
Security Standards
  • Security Management Process
  • Security Management Official
  • Workforce Security Measures
  • Information Access Management
  • Security Awareness and Training
  • Policies for Addressing Security Incidents
  • Contingency Plans
  • Periodic Evaluations
  • Vendor Agreements
  • Plan Amendments
  • Physical Safeguards
  • Technical Safeguards
  • Policies and Procedures
  • Documentation
  • Electronic Signatures (still proposed)

8
  • HIPAA LAW AND REGULATIONS
  • Privacy Standards

9
Privacy Standards
Privacy is a fundamental right.

10
Privacy
  • A Covered Entity may not use or disclose
    Protected Health Information unless the
    regulations require or permit that use or
    disclosure.

11
Covered Entities are Subject to HIPAA
  • Health Plans
  • Health Care Providers who transmit data
    electronically in covered transactions
  • Health Care Clearinghouses

12
Health Plans
  • Covered Entity
      • Employer-sponsored Group Health Plan
      • Insurer
      • HMO
  • Non-Covered Entity
      • Plan Sponsor
      • Employer
      • Other plans and programs (disability, life)
      • Third Party administrators and professional
        service providers

13
If not subject, why be concerned?
  • Greater sensitivity to privacy issues in general
  • Confidentiality policies and practices will be
    influenced by HIPAA
  • HIPAA issues may arise in future
  • Coordination will be required with those who are
    affected

14
Protected Health Information (PHI)
  • Any information, whether oral or recorded in
    any form or medium that
      • Is created or received by a health care
        provider, health plan, health care
        clearinghouse or employer AND
      • Relates to the past, present or future
        physical or mental health or condition of an
        individual, or the provision of or payment for
        health care for an individual AND
      • Is individually identifiable
  • Employment records are not PHI, and special
    rules apply to enrollment information.

15
Required Uses and Disclosures
  • Respond to exercise of individual rights
      • Receive notice of privacy practices
      • Inspect and copy designated record set
      • Amend record
      • Obtain an accounting of certain disclosures
      • Request restrictions on use and disclosure
  • Respond to Department of Health and Human
    Services Audit

16
Permitted Uses and Disclosures
  • Treatment, payment or health care operations
    (TPO)
  • Legal requirements or governmental concerns
  • Public health, law enforcement, judicial
    proceedings
  • Prevention or reduction of threat to health and
    safety
  • Workers compensation and other legal
    requirements
  • Authorization
  • De-identified information

17
Compliance Administrative Measures
  • Safeguards
      • Physical (lock and key)
      • Technical (password access)
      • Administrative
  • Those who need to know
  • Minimum necessary to achieve purpose
  • De-identification
  • Personal verification
  • Limit to health plan purposes
  • Use of authorization forms

18
Compliance - Personnel
  • Privacy Official
  • Complaint/Information Contact
  • Training
  • Sanctions for violations

19
Compliance - Documentation
  • Internal Policies and Procedures
  • Notice of Privacy Practices
  • Plan Amendments and Certification
  • Business Associate Contracts
  • Authorization Forms
  • Records Retention

20
Other Limitations
  • More stringent state laws not preempted by HIPAA
    (ERISA preemption still applies)
  • Providers may be subject to professional and
    ethical standards
  • Consistency with privacy documentation

21
Penalties for Non-Compliance
  • $100 per person per violation, but not more than
    $25,000 per violation of a single standard per
    year
  • Fines of up to $50,000 and/or imprisonment for up
    to 1 year for a knowing misuse of unique health
    identifiers and individually identifiable health
    information

22
Penalties for Non-Compliance
  • Fines of up to $100,000 and imprisonment for up
    to 5 years for misuse under false pretenses
  • Fines of up to $250,000 and/or imprisonment for
    up to 10 years if misuse is with intent to sell,
    transfer, or to use individually identifiable
    information for commercial advantage, personal
    gain or with malicious harm
  • Exposure to civil liability

23
Employment Matters

24
Employment Matters
  • Employment situations may require employee
    medical information
  • Keep medical information separate from regular
    employment information and from health plan
    information

25
Employment Matters
  • To receive employee medical information
      • Employee may authorize Company to get
        information from physician
          • Provide employee with authorization form
          • Use physician's form
      • Employee may obtain information and provide
        it to Company

26
Authorization Forms
  • Sources
      • Information from doctors' offices
      • Information from corporate medical
      • Information from health plan
      • Employer assistance with claims
  • Requirement applies to the one who discloses

27
Authorization Forms
  • Content Requirements
      • Identify information to be used or disclosed
        in a specific and meaningful fashion
      • Identify persons authorized to disclose and
        receive PHI
      • Describe purpose of use or disclosure
      • Expiration date or event
      • Signature of individual or personal
        representative

28
Authorization Forms
  • Content Requirements
      • Individual may revoke authorization to the
        extent Covered Entity has not taken action in
        reliance on authorization
      • Information will no longer be subject to HIPAA
        and may be disclosed again
      • Statement of what is or is not conditioned on
        authorization

29
Authorization Forms
  • No compound authorizations
  • May not condition treatment, payment, enrollment
    in health plan or health plan eligibility on
    authorization
  • Special form required for psychotherapy notes

30
Employment Matters
  • Family and Medical Leave Act
      • FMLA Certification is an Employer function
      • May obtain medical certification from
        employee's treating physician to verify
        existence of serious health condition
      • Covered provider should require HIPAA
        compliant authorization form
      • If employee refuses to authorize, FMLA leave
        will not be substantiated

31
Employment Matters
  • Americans with Disabilities Act
      • May seek PHI about an employee from treating
        physician to
          • Verify existence of protected disability
          • Determine whether employee can safely and
            effectively perform job duties
          • Address reasonable accommodation issues
      • Covered provider should require HIPAA
        compliant authorization
      • Employee will likely be deemed uncooperative
        if employee refuses to authorize

32
Employment Matters
  • Paid Medical Leave
      • May seek PHI about an employee from treating
        physician
      • Covered provider should require HIPAA
        compliant authorization
      • If employee refuses to authorize, possible
        basis for denying claim

33
Employment Matters
  • Workers Compensation
      • Not considered a health plan
      • Covered Entities may disclose PHI to the
        extent necessary to comply with workers
        compensation laws

34
Employment Matters
  • Return to Work / Modified Duty
      • May seek medical evaluation of employee's
        ability to work or limitations from treating
        physician
      • Covered provider should require HIPAA
        compliant authorization
      • Request may be denied if employee refuses to
        authorize

35
Employment Matters
  • Occupational Safety and Health Act
      • Employer required to
          • Complete OSHA forms regarding nature of
            medical condition reported by employee
          • Conduct employee medical monitoring
      • Therefore, employer may be required to obtain
        PHI from health care provider

36
Employment Matters
  • Occupational Safety and Health Act
      • No authorization required if
          • Service is provided at request of employer
          • Service relates to whether individual has
            work-related illness/injury or medical
            monitoring
          • Employer has a duty to keep records and/or
            act on such information
          • Provider furnishes notice of disclosure
            (posting permitted)
      • Otherwise, HIPAA compliant authorization form
        required

37
Employment Matters
  • Post-Offer Physicals
      • Covered provider performing physical cannot
        disclose results to employer without HIPAA
        compliant authorization
      • Can condition employment on authorization

38
Employment Matters
  • Substance Abuse Testing
      • Covered lab should require HIPAA-compliant
        authorization form
      • The test (and, therefore, employment) may be
        conditioned on the provision of authorization

39
Summary
  • Do not ignore common sense
  • Know your role (and roles others play)
  • Consider HIPAA in developing clear policies
  • Address violations promptly
  • Use authorization forms appropriately
  • Employees can provide you with information
  • Keep medical records separate/limit access
  • Document conversations