Title: DEALING WITH HIPAA
DEALING WITH HIPAA
An Overview For Human Resources Professionals
- Actions Without Borders, June 12, 2003
- Frank A. Chernak
- Edward I. Leeds
HIPAA Administrative Simplification
- Health Insurance Portability and Accountability Act of 1996
- Statute was enacted to reduce health care administrative costs through standardization of electronic health care transactions while protecting the security and privacy of information.
Three Principal Sets of Regulations
- Electronic Transaction Standards: Compliance Deadline October 16, 2003
- Security Standards: Compliance Deadline April 21, 2005
- Privacy Standards: Compliance Deadline April 14, 2003
Electronic Transaction Standards
- Regulations establish uniform standards for the content and format of electronic transmission of health information in covered transactions
Electronic Transaction Standards: Covered Transactions
- Eligibility
- Enrollment/ disenrollment
- Premium payments
- Claims and encounter data submissions
- Payment and remittance advice
- Coordination of benefits (COB)
- Claim status
- Referral certifications and authorizations
- First report of injury (no standards yet)
- Health claims attachments (no standards yet)
Security Standards
- Regulations establish standards to protect health information in electronic form against loss, damage and inappropriate disclosure through physical, technical and administrative safeguards
Security Standards
- Security Management Process
- Security Management Official
- Workforce Security Measures
- Information Access Management
- Security Awareness and Training
- Policies for Addressing Security Incidents
- Contingency Plans
- Periodic Evaluations
- Vendor Agreements
- Plan Amendments
- Physical Safeguards
- Technical Safeguards
- Policies and Procedures
- Documentation
- Electronic Signatures (still proposed)
HIPAA LAW AND REGULATIONS
- Privacy Standards
Privacy Standards
Privacy is a fundamental right.
Privacy
- A Covered Entity may not use or disclose Protected Health Information unless the regulations require or permit that use or disclosure.
Covered Entities are Subject to HIPAA
- Health Plans
- Health Care Providers who transmit data electronically in covered transactions
- Health Care Clearinghouses
Health Plans
- Covered Entity
  - Employer-sponsored Group Health Plan
  - Insurer
  - HMO
- Non-Covered Entity
  - Plan Sponsor
  - Employer
  - Other plans and programs (disability, life)
  - Third Party administrators and professional service providers
If not subject, why be concerned?
- Greater sensitivity to privacy issues in general
- Confidentiality policies and practices will be influenced by HIPAA
- HIPAA issues may arise in future
- Coordination will be required with those who are affected
Protected Health Information (PHI)
- Any information, whether oral or recorded in any form or medium, that:
  - Is created or received by a health care provider, health plan, health care clearinghouse or employer, AND
  - Relates to the past, present or future physical or mental health or condition of an individual, or the provision of, or payment for, health care for an individual, AND
  - Is individually identifiable
- Employment records are not PHI, and special rules apply to enrollment information.
Required Uses and Disclosures
- Respond to exercise of individual rights:
  - Receive notice of privacy practices
  - Inspect and copy designated record set
  - Amend record
  - Obtain an accounting of certain disclosures
  - Request restrictions on use and disclosure
- Respond to Department of Health and Human Services audit
Permitted Uses and Disclosures
- Treatment, payment or health care operations (TPO)
- Legal requirements or governmental concerns
  - Public health, law enforcement, judicial proceedings
  - Prevention or reduction of threat to health and safety
  - Workers compensation and other legal requirements
- Authorization
- De-identified information
Compliance - Administrative Measures
- Safeguards
  - Physical (lock and key)
  - Technical (password access)
  - Administrative
- Those who need to know
- Minimum necessary to achieve purpose
- De-identification
- Personal verification
- Limit to health plan purposes
- Use of authorization forms
Compliance - Personnel
- Privacy Official
- Complaint/Information Contact
- Training
- Sanctions for violations
Compliance - Documentation
- Internal Policies and Procedures
- Notice of Privacy Practices
- Plan Amendments and Certification
- Business Associate Contracts
- Authorization Forms
- Records Retention
Other Limitations
- More stringent state laws are not preempted by HIPAA (ERISA preemption still applies)
- Providers may be subject to professional and ethical standards
- Consistency with privacy documentation
Penalties for Non-Compliance
- $100 per person per violation, but not more than $25,000 per year for violations of a single standard
- Fines of up to $50,000 and/or imprisonment for up to 1 year for a knowing misuse of unique health identifiers and individually identifiable health information
Penalties for Non-Compliance
- Fines of up to $100,000 and imprisonment for up to 5 years for misuse under false pretenses
- Fines of up to $250,000 and/or imprisonment for up to 10 years if misuse is with intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm
- Exposure to civil liability
EMPLOYMENT MATTERS
Employment Matters
- Employment situations may require employee medical information
- Keep medical information separate from regular employment information and from health plan information
Employment Matters
- To receive employee medical information:
  - Employee may authorize Company to get information from physician
    - Provide employee with authorization form
    - Use physician's form
  - Employee may obtain information and provide it to Company
Authorization Forms
- Sources
  - Information from doctors' offices
  - Information from corporate medical
  - Information from health plan
  - Employer assistance with claims
- Requirement applies to the one who discloses
Authorization Forms
- Content Requirements
  - Identify information to be used or disclosed in a specific and meaningful fashion
  - Identify persons authorized to disclose and receive PHI
  - Describe purpose of use or disclosure
  - Expiration date or event
  - Signature of individual or personal representative
Authorization Forms
- Content Requirements
  - Individual may revoke authorization to the extent the Covered Entity has not taken action in reliance on the authorization
  - Statement that disclosed information may no longer be subject to HIPAA and may be disclosed again by the recipient
  - Statement of what is or is not conditioned on the authorization
Authorization Forms
- No compound authorizations
- May not condition treatment, payment, enrollment in health plan or health plan eligibility on authorization
- Special form required for psychotherapy notes
Employment Matters
- Family and Medical Leave Act
  - FMLA certification is an employer function
  - May obtain medical certification from employee's treating physician to verify existence of serious health condition
  - Covered provider should require HIPAA-compliant authorization form
  - If employee refuses to authorize, FMLA leave will not be substantiated
Employment Matters
- Americans with Disabilities Act
  - May seek PHI about an employee from treating physician to:
    - Verify existence of protected disability
    - Determine whether employee can safely and effectively perform job duties
    - Address reasonable accommodation issues
  - Covered provider should require HIPAA-compliant authorization
  - Employee will likely be deemed uncooperative if employee refuses to authorize
Employment Matters
- Paid Medical Leave
  - May seek PHI about an employee from treating physician
  - Covered provider should require HIPAA-compliant authorization
  - If employee refuses to authorize, possible basis for denying claim
Employment Matters
- Workers Compensation
  - Not considered a health plan
  - Covered Entities may disclose PHI to the extent necessary to comply with workers compensation laws
Employment Matters
- Return to Work / Modified Duty
  - May seek medical evaluation of employee's ability to work or limitations from treating physician
  - Covered provider should require HIPAA-compliant authorization
  - Request may be denied if employee refuses to authorize
Employment Matters
- Occupational Safety and Health Act
  - Employer required to:
    - Complete OSHA forms regarding nature of medical condition reported by employee
    - Conduct employee medical monitoring
  - Therefore, employer may be required to obtain PHI from health care provider
Employment Matters
- Occupational Safety and Health Act
  - No authorization required if:
    - Service is provided at request of employer
    - Service relates to whether individual has work-related illness/injury, or to medical monitoring
    - Employer has a duty to keep records and/or act on such information
    - Provider furnishes notice of disclosure (posting permitted)
  - Otherwise, HIPAA-compliant authorization form required
Employment Matters
- Post-Offer Physicals
  - Covered provider performing physical cannot disclose results to employer without HIPAA-compliant authorization
  - Can condition employment on authorization
Employment Matters
- Substance Abuse Testing
  - Covered lab should require HIPAA-compliant authorization form
  - The test (and, therefore, employment) may be conditioned on the provision of authorization
Summary
- Do not ignore common sense
- Know your role (and roles others play)
- Consider HIPAA in developing clear policies
- Address violations promptly
- Use authorization forms appropriately
- Employees can provide you with information
- Keep medical records separate/limit access
- Document conversations