HIPAA: Understanding the Basics

1
HIPAA Understanding the Basics
2
Presenters

• Leanne Shank, EsquireUniversity
  CounselJennifer Kirkland, EsquireOffice of
  University CounselWashington and Lee
  UniversityLexington, Virginia

3
HIPAA The Basics

• What is it?
• Why should you care?
• How might it affect your institution?
• What steps should you take to determine your
  institutions exposure and to comply?
• NOTE This presentation is geared toward
  institutions without academic medical centers.

4
Health Insurance Portability and Accountability
Act of 1996

• Kennedy-Kassebaum Bill --amended Social Security
  Act to allow for portability of health insurance
  (immediate qualification for comparable coverage
  upon change of employment.)
• Congress desired to promote Electronic Data
  Interchange to facilitate this portable health
  insurance and to reduce administrative costs of
  health care.

5
A Little Congressional Humor

• ADMINISTRATIVE SIMPLIFICATION
• 42 U.S.C. 1320d-1 et seq.
• Title II, Subtitle F, Part C of HIPAA
• Gives HHS (Department of Health and Human
  Services) authority to mandate (1) transaction
  standards and code sets for electronic exchange
  of health care data, as well as (2) privacy and
  (3) security measures for personally identifiable
  health information.
• Also provides for required use of national
  identifiers for providers, employers/sponsors,
  payers/plans, and patients (patient identifier
  shelved).
• Substantial penalties for non-compliance.

6
Transaction Regulations

• Designed to ensure format and content
  standardization in certain specific financial and
  administrative health care transactions conducted
  electronically.
• NOTE it is important that you familiarize
  yourself with what types of transactions are
  governed by the transaction regulations not
  every health care transaction is covered only
  those defined in the regulations.
• 45 CFR Part 162, Subparts K through R.

7
Privacy Regulations

• Designed to establish a federal regulatory
  framework to promote the privacy of health
  information among entities covered by HIPAA, and
  those acting on their behalf.
• Regulations restrict the use and disclosure of
  protected identifiable health information,
  provide for patient access to such information,
  and mandate administrative safeguards to promote
  privacy of protected health information.

8
Security Regulations

• Not yet finalized! (Rumored for Dec.02)
• Designed to establish a federal standard for the
  protection of health information maintained or
  transmitted electronically.
• Require administrative, technical and physical
  safeguards for storage, transmission, and access.

9
Is Your Institution, or any part of it, Covered
by HIPAA? By any or all of the Transaction,
Privacy and/or Security Regs?

• DONT ASSUME HIPAA OR THE SEPARATE SETS OF
  REGULATIONS APPLY TO THE COLLEGE OR UNIVERSITY AS
  A WHOLE!

10
Campus Entities That Are NOT Covered Entities
Per Se without further analysis

• Colleges
• Universities
• Employers
• Supervisors and Administrators
• All University Insurance Plans
• Health Care Providers (physicians, nurses,
  counselors, athletic trainers)

11
What is a Covered Entity under HIPAA?

• Health Plan
• Health Care Provider who transmits any health
  information in electronic form in connection with
  a HIPAA transaction May be broader under
  proposed security regulations
• Health Care Clearinghouse (converts non-standard
  transactions to or from standard format)
• 42 U.S.C. 1320d-1, 45 CFR 160.103

12
Use the CMS Covered Entity Decision Tools to Help
Determine Your Campus Coverage

• http//www.cms.hhs.gov/hipaa/hipaa2/support/tools/
  decisionsupport/default.asp
• This site will walk you through a series of
  questions with respect to your health care
  providers and health plans to assist you in
  determining if your campus will be covered under
  HIPAA.

13
Health Plan

• An individual or group plan that provides, or
  pays the cost of, medical care. . .
• INCLUDES (singly, or in combination)
• Group health plans (ERISA plans), insured AND
  self-insured, providing medical care for
  employees or dependents
• Plans with fewer than 50 participants that are
  administered in-house by the employer are
  excluded from this definition.
• Health insurance issuers and HMOs

14
Health Plan (contd.)

• Medicare, Medicaid, Veterans, CHAMPUS, and other
  federal and state health plans outlined in
  regulations
• Issuers of long-term care policies, excluding
  nursing home fixed-indemnity policies
• Any other individual or group plan providing or
  paying for the cost of medical care.
• 42 U.S.C. 1320d, 45 CFR 160.103

15
Plans Not Covered By HIPAA

• Plans, policies, or programs to the extent they
  pay for excepted benefits
• Coverage only for accident
• Disability income insurance
• Coverage supplementing liability insurance
• Liability insurance, including general and auto
• Workers compensation insurance
• Automobile medical payment insurance
• Coverage for on-site medical clinics
• 42 U.S.C. 300gg-91(c)(1)

16
Examples of Covered Health Plans in the College
or University Setting

• Employee group health plan (fully/self-insured)
• Employee group dental plan (fully/self-insured)
• Employee group vision plan (fully/self-insured)
• Employee flexible spending account
• Employee Assistance Plan (for other than on-site
  clinic)
• Retiree health plan (fully/self-insured)
• Student health (fully/self-insured) (for other
  than on-campus clinic)

17
Examples of Non-Covered Plans in a College or
University Setting

• NCAA intercollegiate accident policy
• Employee long-term disability policy
• Employee life insurance policy
• Employee workers compensation coverage
• Student health fee for on-site student health and
  counseling services

18
Is This Example a Health Plan?

• University has a private psychiatrist on
  retainer, to evaluate students on a one-time
  referral from University physician/counselors
  when behavioral concerns arise. University pays
  psychiatrist directly for these sessions out of
  student health and counseling budget. Is this
  practice a health plan under HIPAA?
• Presenter takes the position that this is not a
  covered health plan, but a contractual extension
  of the excluded on-site clinic exemption under
  HIPAA. (Note this is the presenters opinion,
  not an official HHS response.)

19
Plan Sponsor

• Defined only under the privacy regulations, as
  the employer or other entity that establishes and
  maintains a group health plan. (ERISA only? 45
  CFR 164.501)
• Employers and other Plan Sponsors are NOT covered
  entities under HIPAA, per se. However, Plan
  Sponsors do have certain specific obligations
  under the Privacy Regulations.
• As a practical matter, employer-sponsored health
  plans have no employees and exist only as plan
  documents. So the employer/plan sponsor/plan
  administrator may need to ensure compliance,
  particularly with self-insured plans.

20
Endorsed vs. Sponsored Plans

• Question A university endorses one student
  health insurance policy and allows that insurer
  to market the policy as the College Sponsored
  Student Health Plan. There is no contractual
  relationship between the college and the insurer
  and the students apply, pay premiums, and file
  claims on their own. Is the college a Plan
  Sponsor for HIPAA?
• No. First, the concept of a plan sponsor as
  defined appears to apply only to ERISA plans.
  Second, the college has not undertaken any
  responsibility to pay any premiums or subject
  itself to any other liability under the policy.
  It is acting only as endorser and liaison between
  insurer and student. Under these circumstances,
  the college is not a HIPAA plan sponsor of this
  plan. (Presenters opinion)

21
Health Care Providers

• Health care providers are only covered under
  HIPAA IF they electronically transmit any health
  information in connection with one of the
  specifically defined HIPAA transactions. May be
  broader under proposed security regulations
• 42 U.S.C. 1320d-1, 45 CFR 160.103
• According to HHS FAQs, paper to paper faxing (NOT
  sent via/to computer, but by telephone fax) is
  NOT electronic transmission under HIPAA, neither
  are phone mail/voice faxback systems.
• Size of health care provider is irrelevant to
  coverage there is no small provider exception.

22
HIPAA Transactions

• The following administrative and financial health
  care transactions are the HIPAA transactions
  required to be processed as standard
  transactions by covered entities (see
  definitions at 45 CFR Part 162, Subparts K-R)
• Health care claims and encounters
• Enrollment and disenrollment in a health plan
• Eligibility for a health plan
• Health care payment and remittance advice
• Health plan premium payments
• Health claim status
• Referral certification and authorization
• Coordination of benefits
• First report of injury (to be adopted later)
• Claims attachments (to be adopted later)

23
HIPAA Transactions (contd.)

• If a health care provider transmits any of these
  transactions electronically, that health care
  provider is a covered entity. E.g., if your
  student health center bills student insurance
  electronically, or bills summer campers
  insurance electronically, or sends referral
  authorizations to insurers electronically, it has
  become a covered entity.
• It appears from HHS comments that in connection
  with means as a part of the covered transaction
  itself, not merely in communications in any way
  related to a covered transaction (e.g.,
  electronically submitting a claim as opposed to
  emailing with a question about how to transmit a
  claim).

24
Look Closely at the Definitions of HIPAA
Transactions

• Do not assume that you know what the listed
  transactions include. They are specifically
  defined, and most specifically pertain only to
  transactions to/from health providers from/to
  health plans.
• E.g., student health centers that only bill
  student accounts, not third-party payers. This
  is direct billing of the patient under an
  excluded plan covering on-site clinic services,
  not a claim to a covered health plan. Thus,
  this sort of account billing is not a HIPAA
  transaction.

25
More Examples of non-HIPAA Triggering
Transactions

• E.g., an email from one doctor to another doctor
  regarding a patients treatment is not a HIPAA
  transaction to trigger coverage as a covered
  entity or require standard formatting.
• E.g., a flexible spending account plan does not
  involve claims from health providers to the plan,
  but merely direct reimbursement of the employee,
  so though the plan is a covered plan, it conducts
  no HIPAA claims required to be standardized.

26
Health Care Providers that May Be Covered in a
College or University Setting

• Student Health Centers physicians, nurses, and
  other providers
• Counseling Center staff psychiatrists, clinical
  psychologists
• Athletic Trainers
• ONLY IF THEY TRANSMIT HEALTH INFO.
  ELECTRONICALLY IN ONE OF THE DEFINED HIPAA
  TRANSACTIONS May be broader under proposed
  security regulations

27
Health Care Clearinghouse

• An entity that takes non-standard health care
  transactions and converts them into standard
  form.
• Some college and university health care providers
  or plans may use these entities in administering
  their health services or plans. Others may act
  as clearinghouses by billing third-party payers
  on behalf of other entities, such as clinics or
  practice groups.

28
Business Associates

• Persons or entities that perform functions or
  activities on behalf of a covered entity, but
  that are not part of the covered entitys
  workforce. 45 CFR 160.103
• Business Associates do not thereby become covered
  entities, but may be in their own right.
• E.g., Third-Party Administrators are business
  associates that perform claims administration
  functions for self-insured health plans.
• E.g., External Billing Services are business
  associates that perform functions on behalf of
  covered health care providers, but are not
  themselves covered entities.

29
Threshold Question Are You Covered under HIPAA?

• Determine whether your college or university
  maintains any covered health plans.
• Determine whether your college or university has
  any covered health care providers.
• Survey appropriate individuals in offices dealing
  with these areas financial, personnel, business,
  student health, counseling, trainers, etc.
• Survey the business associates of any health
  plans and health providers to determine whether
  they engage in HIPAA transactions and the extent
  to which they use/disclose health information.

30
HIPAA Transaction Regulations Overview

• Designed to bring about the standardization of
  electronic exchange of health care information
  between health plans, providers, and their
  business associates, in certain specific key
  financial and administrative transactions. BE
  SURE YOU DETERMINE WHETHER ANY COVERED ENTITY
  ENGAGES IN ANY OF THESE TRANSACTIONS.

31
Transaction Regulations

• HHS has adopted national standards and code sets
  (medical and administrative) that must be used in
  the electronic exchange of health information in
  connection with the HIPAA Transactions. 45 CFR
  Part 160 and 45 CFR Part 162.
• All health plans, and covered health care
  providers that conduct HIPAA Transactions
  electronically, must use the transaction
  standards.
• All health plans must assure that their business
  associates (e.g., Third-Party Administrators)
  comply with the transaction standards.

32
Transaction Regulations (contd.)

• Health plans MUST be able to conduct transactions
  as standard transactions upon request, though
  they may use a clearinghouse or other business
  associate (such as a Third-Party Administrator)
  to do so.
• Plan Sponsors are NOT required to submit HIPAA
  transactions (e.g., enrollment and premium
  submissions) using the standards, because they
  are NOT covered entities.
• Covered health care providers do NOT have to
  transmit any of the transactions electronically
  but if they do so, they must use the standard
  transactions.

33
Transaction Regulations Compliance Deadline

• Deadline for compliance with Transactions
  Regulations has been extended to October 16, 2003
  for covered entities IF, by October 16, 2002,
  they filed a compliance extension plan. (HR
  3323)
• Small health plans (with annual receipts of 5
  million dollars or less) need not file any
  extension their original compliance deadline
  remains as October 16, 2003.
• Information on correction/clarification of
  extension filings can be accessed at
  http//www.cms.gov/hipaa.

34
What if You Failed to File an Extension?

• First, be sure you are a covered entity and
  subject to the earlier deadline, not the extended
  deadline for small health plans.
• Covered Health Plans should contact their
  insurers to determine if insurers filed for
  extensions on behalf of the covered plans.
• For self-insured plans, Third-Party
  Administrators are not covered entities, and so
  were not obligated to file for extensions.
  However, some TPAs may have voluntarily filed for
  their self-insured plans, so check to see if this
  was done.

35
Privacy Regulations Overview

• Designed to protect patient rights by providing
  patient access to protected health information,
  restricting use of that information, and creating
  a nationwide framework for health privacy
  protection.

36
Status of Privacy Regulations

• NOTE Privacy Regulations became effective April
  14, 2001, and amendments were finalized August
  14, 2002.
• For compliance deadlines, see slide 62.

37
Application of Privacy Regulations

• Various parts of the privacy regulations will
  apply to the following entities with respect to
  protected health information
• Health plans and health clearinghouses
• Health care providers who transmit health
  information electronically in a HIPAA transaction
• Plan sponsors of group health plans
• Covered entities must ensure that their business
  associates who create or receive protected health
  information comply with the privacy regulations
  by written contract or agreement requiring
  specific assurances. 45 CFR 164.502, -504, -532.

38
Protected Health Information

• Individually identifiable health information
  (diagnosis, condition, treatment, payment)
  transmitted or maintained in any medium,
  including oral or hardcopy, not limited to
  electronic media. 45 CFR 164.501
• In other words, if you are a covered entity with
  protected health information, these regulations
  apply to all forms of such records and
  information.
• IMPORTANT EXCLUSIONS student health information
  and employment records.

39
Student Health Information Exclusion

• Education records covered by FERPA and
• Records of students held by colleges and
  universities used exclusively for health care
  treatment and which have not been disclosed to
  anyone other than a health care provider at the
  students request. (These are specifically
  excluded from the definition of education
  records.) 45 CFR 164.501
• HHS expressly determined that it was not going to
  preempt FERPA, because FERPA provided a privacy
  framework for student records. So, if the
  records fit within the HIPAA FERPA exception,
  must apply FERPA.

40
Employee Records Exclusion

• Contained in the finalized amendments to the
  privacy regulations.
• Excludes from protected health information
  employment records held by a covered entity in
  its role as employer. 45 CFR 164.501
• E.g., covered university physician or benefits
  office maintaining employee records regarding
  requested disability accommodation, FMLA, or on
  the job drug testing. However, the records kept
  on employee health plan participation and claims,
  as well as medical treatment of employees by any
  college/university health care providers who are
  covered entities, are PHI.

41
Disclosure of PHI Restricted

• Covered entities allowed to disclose without
  authorization for treatment, payment, and health
  care operations (see regulations for specific
  definition of these terms). 45 CFR 164.506
• Amended regulations remove requirement for health
  care providers to get general consent, allow for
  acknowledgement of notice on privacy practices at
  time of first visit.
• Covered entities allowed to disclose otherwise
  with written authorization of individual. 45 CFR
  164.508

42
Disclosure of PHI Restricted (contd.)

• Covered entities allowed to disclose certain
  types of information without individual
  authorization if opportunity to agree or opt
  out (like FERPA directory information.) 45 CFR
  164.510
• Covered entities may disclose without
  authorization when required by HIPAA or law to do
  so (e.g., public health emergency, product
  recall) 45 CFR 164.512
• In most disclosures, covered entities must
  disclose minimum necessary information. 45 CFR
  164.514

43
How do Restrictions on PHI Disclosure Affect
Research?

• Research alone does not make a university a
  covered entity or a department a health care
  component, unless researchers are also treating
  and, as health care providers, are electronically
  transmitting health info in HIPAA transactions.
• However, researchers will need to produce either
  a specific HIPAA authorization, IRB/privacy board
  waiver, or meet a specific HIPAA research
  exception in order to obtain PHI from covered
  health care providers or other covered entities
  who are data sources. 45 CFR 164.508 or
  164.512(I)
• Contact data sources now to see what they will
  require.

44
Hybrid Entity

• Unique to privacy regulations 42 CFR 164.504
• A single legal entity that is a covered entity,
  that performs covered and non-covered functions,
  and that designates health care components. Most
  colleges/universities will be a hybrid.
• E.g., university with a covered student health
  center and covered health plans. Under the hybrid
  status, the entire university does not become a
  covered entity only the designated health care
  components are required to comply with HIPAA
  privacy regulations. 45 CFR 164.504

45
Hybrid Entity (contd.)

• Hybrid entity MUST designate any component that
  would meet the definition of a covered entity if
  it were a separate legal entity.
• Hybrid entity MAY include other components that
  perform covered functions and activities that
  would make the component a business associate if
  it were a separate legal entity (e.g., division
  of business office involved in billing, division
  of benefits office involved in covered plans,
  division of legal counsels office involved in
  health care issues.) Can be specific as to
  individuals need not name an entire office.

46
Considerations for Selection of Optional Health
Care Components

• A hybrid covered entity must ensure privacy
  regulations compliance by its health care
  components. 45 CFR 164.504
• Without a HIPAA authorization, a health care
  component cant disclose PHI to another
  non-health care component of the university where
  disclosure would be prohibited if the components
  were separate legal entities.

47
Designation of Hybrid Entity Components

• Must make this designation in writing (internal
  designation, not required to be filed, but must
  have a paper trail in case of OCR/HHS inquiry.)
• Document any additions or removals of
  individuals/offices as health care components as
  they occur.
• Remember only individuals/offices that deal in
  PHI are required to comply with privacy regs. If
  an office only deals with exempt student or
  employment records, it does not handle PHI and
  there may be no reason to designate it as a
  health care component if it would not meet the
  definition of a covered entity itself.

48
Considerations for Hybrid Entities (contd.)

• If non-covered components are closely intertwined
  with covered components and have need for PHI, it
  may make sense to designate them as health care
  components.
• But be careful of over designating! (E.g., if
  student health center not covered entity and not
  closely intertwined with covered health plans,
  designation could require unnecessary practices
  and conflicts with FERPA)
• Other examples of potentially unnecessary
  designation athletic trainers who do no
  electronic third-party billing or referrals with
  covered plans researchers uninvolved with health
  care providers or health plans

49
Use/Disclosure by Business Associates

• Covered entities need business associate
  contracts/agreements with all business associates
  who create or receive PHI in carrying out
  functions on behalf of the covered entity.
• E.g., third-party administrators of university
  self-insured health plans, outside counsel
  handling matters involving PHI.
• BA must not use or further disclose PHI other
  than as permitted or required by law.
• BA must use appropriate privacy and security
  safeguards.

50
Use/Disclosure by Business Associates (contd.)

• BA must report any improper use or disclosure of
  which it becomes aware to covered entity.
• BA must ensure its agents agree to same
  restrictions.
• Regulations provide transition timetable for
  contracts renewed at various points prior to
  compliance deadline.
• 45 CFR 164.502,-504,-532

51
Right of Individual Patient or Plan Participant

• Individual has a right to request confidential
  communication of health information. 45 CFR
  164.522
• Individual has a right to access his/her health
  information. 45 CFR 164.524
• Individual has a right to request amendment of
  incomplete or inaccurate health information. 45
  CFR 164.526
• Individual has a right to receive an accounting
  of certain disclosures of health information. 45
  CFR 164.528

52
Required Privacy Notices by Covered Entities

• Covered entities must provide notice of their
  privacy practices for protected health
  information. 45 CFR 164.520
• For self-insured group health plans, the health
  plan itself must provide the notice. For an
  insured or HMO plan, the insurance issuer or HMO
  must provide the notice.
• If a an insured/HMO group health plan creates or
  receives PHI (beyond information on
  participation, enrollment, disenrollment, or
  summary information), it is required to develop
  and maintain such notice and provide on request.
  Otherwise, not required.

53
Joint Consent and Notice Vehicles

• Single Affiliated Covered Entity designation of
  multiple covered entities under common ownership
  or control as a single Covered Entity (e.g.,
  commonly owned health care facilities, different
  divisions of a single covered entity.)
• 45 CFR 164.504(d)

54
Joint Consent and Notice Vehicles (contd.)

• Organized Health Care Arrangement joint venture
  between covered entities, which allows for joint
  notice of privacy practices and joint consent for
  covered health care providers. Also allows these
  entities to use their PHI without business
  associate agreement or authorization.
• Available for clinically integrated settings,
  insurers and group health plans, group health
  plans with the same plan sponsor. Requires
  written designation and indication on notice of
  privacy practices.
• 45 CFR 164.501, -520(d).
• Ambiguity re any shared liability.

55
Use of PHI by Plan Sponsors of Group Health Plans

• Regulations restrict the disclosure of PHI by
  group health plans/insurance issuers/HMOs to
  employer plan sponsors. Designed to prevent use
  of PHI in making employment-related decisions.
• Before a group health plan/insurance issuer/HMO
  can disclose PHI to a plan sponsor (other than
  summary/enrollment/disenrollment OR with an
  authorization), the plan sponsor must have
  amended its plan documents to agree to
• Establish permitted and required uses of PHI
• Ensure that agents will agree to same
  restrictions
• Not use information for employment-related actions

56
Plan Document Amendments (contd.)

• Report inconsistent use or disclosure of which it
  becomes aware
• Make available information required for health
  information amendment and accounting of
  disclosures
• Make internal practices and records available to
  HHS for determining compliance
• Return or destroy all PHI when no longer needed
• Ensure that adequate separation (firewalls) are
  established by identifying employees or classes
  of employees to be given access to PHI,
  restricting that use to plan administration
  functions, and providing a mechanism to resolve
  noncompliance issues.
• 45 CFR 164.504(f)

57
Should all Plan Sponsors Amend their Plan
Documents?

• Not necessarily, but there are several reasons
  why plan sponsors should carefully consider how
  to proceed. Ask How often/why do we get PHI?
• Insurers/HMOs may require plan document
  amendments for continued coverage or premium
  discounts, etc.
• The college/university may want to continue
  claims advocacy on behalf of its employees
  without obtaining an individual authorization
  each time.
• Ultimately, if a PHI disclosure occurs, the group
  health plan could face HIPAA penalties for not
  ensuring that the amendments were made before the
  PHI was disclosed to the plan sponsor.

58
Ancillary Administrative Requirements of Privacy
Regs

• Note Insured/HMO group health plans that neither
  create nor receive PHI except summary/participatio
  n/enrollment information are not subject to most
  of these requirements. Plan sponsors are not
  subject to these requirements as such. HOWEVER,
  self-insured health plans must comply with all of
  these requirements, as must insured/HMO plans
  that create or receive other PHI.
• 45 CFR 164.530(k)

59
Ancillary Administrative Requirements (contd.)

• Designate privacy official for policy development
  and receipt of complaints
• Train workforce of covered entity (covered health
  care components) on PHI
• Implement reasonable administrative, technical
  and physical safeguards to protect PHI
• Provide complaint process
• Establish and apply appropriate sanctions for
  covered entity workforce noncompliance

60
Ancillary Administrative Requirements (contd.)

• Mitigate any harmful effect of wrongful
  disclosures of PHI
• Take no retaliatory action against those
  exercising HIPAA rights or complainants
• Implement written policies and procedures re PHI
  and maintain documentation required under the
  regulations for six years
• 45 CFR 164.530

61
Attn Covered University Health Care Providers
and Student Health Plans With No PHI

• In comments to the privacy regulations, HHS has
  stated that the privacy rules only apply to a
  covered entity to the extent it possesses PHI.
  (P. 82488 Federal Register, December 28, 2000)
• HHS has also commented that, in light of FERPA
  exclusion (removing student health records from
  PHI), only non-FERPA schools would be subject to
  the ancillary administrative requirements as
  regards their covered health care clinics. (P.
  82595 Federal Register, December 28, 2000)

62
The 64,000 Question

• Does the FERPA exception to PHI act to exempt a
  covered college/university health care provider
  or self-insured student health plan with only
  student records from the ancillary administrative
  requirements?
• No definitive regulatory answer, despite noted
  comments, FERPA exemption, and administrative
  requirements exemption for insured group health
  plans with no PHI.

63
Deadlines for Privacy Regulations Compliance

• Covered entities must comply by April 14, 2003.
• Small health plans with annual receipts
  (essentially, total of employer and employee
  premiums) of 5 million or less have until April
  14, 2004. For self-insured plans, calculate
  using total amount of claims paid.

64
First Steps to Take Toward Compliance with
Privacy Regs

• Inventory your campus for providers and plans
  that may be covered entities, as well as those
  departments that must/should be designated as
  health care components for a hybrid entity.
• Determine current practices re health
  information and analyze the gaps between
  current practice and HIPAA requirements. Do the
  same for business associates of your covered
  entities and health care components.
• Develop compliant policies, documents, and
  training, working with insurers, TPAs, other
  business associates, and research data sources to
  promote consistency of practice.

65
Security Regulations (Proposed) Overview

• Proposed regulations are designed to provide a
  standard level of protection for health
  information housed or transmitted electronically.
• Administrative, technical and physical safeguards
  for storage, transmission, and access of
  electronic health information.

66
Security Regulations Coverage (Proposed)

• Potentially broader scope of covered entities
  than transaction and privacy regulations.
• In addition to health plans, proposed regulations
  cover clearinghouses or health care providers
  that (1) process any electronic transmission
  between covered health care entities OR (2)
  electronically maintain any health information
  used in an electronic transmission between any
  combination of covered health care entities. 45
  CFR 142.302

67
Security Standards (Proposed)

• A covered entity must assess potential risks and
  vulnerabilities to the individual health data it
  possesses and develop, implement, and maintain
  appropriate security measures to protect
  individual health information in ELECTRONIC FORM,
  not hard copy or oral. 45 CFR 142.306
• Specifics will vary according to system,
  environment, etc.

68
Security Standards (Proposed) (contd.)

• Minimum features (45 CFR 142.308)
• Administrative procedures to guard data
  integrity, confidentiality, and availability
• Physical safeguards to guard data integrity,
  confidentiality, and availability
• Technical security services and mechanisms to
  guard data integrity, confidentiality, and
  availability
• If covered entity elects to use electronic
  signatures in covered transactions, entity must
  apply proposed electronic signature standard. 45
  CFR 142.310

69
Security Regulations Compliance Deadline

• Proposed effective/compliance date is 24 months
  after publication of the final rule in Federal
  Register (not yet published rumored for
  publication in December, 2002.) Small health
  plans have 36 months to comply. Small health
  plans in proposed regs fewer than 50
  participants, but expect final to mirror
  transaction/privacy regs. 45 CFR 142.312

70
General Penalty for Non-Compliance with HIPAA

• 100 per violation
• Cap on identical violations for one calendar year
  is 25,000.
• Penalty may be waived if non-compliance was due
  to reasonable cause and not willful neglect.
• 42 U.S.C. 1320d-5

71
Penalty for Knowing Wrongful Disclosure of
Individually Identifiable Health Information

• Fine of not more than 50,000 and imprisonment
  for one year, or both
• If committed under false pretenses, fine of not
  more than 100,000 and imprisonment for not more
  than five years, or both
• If committed with intent to sell, transfer or use
  such health information for gain or malicious
  harm, fine of not more than 250,000 and
  imprisonment of ten years, or both
• 42 U.S.C. 1320d-6

72
No Private Cause of Action

• HIPAA does not provide a private cause of action
  by a patient or participant in a covered health
  plan against a covered entity or business
  associate.
• However, the HIPAA regulations and standards may
  become the standard of care for health
  information and could be used against the entity
  in a separate cause of action.

73
Want to Know More about HIPAA?

• We hope that this presentation has made you aware
  of HIPAA, its basic coverage, and areas where it
  might apply on your campus. To find out more,
  here are some resources

74
A Few Online Resources on HIPAA

• http//www.acha.org/info_resources/hipaa_links.cfm
  HIPAA Resource site of American College Health
  Association
• http//aspe.hhs.gov/admnsimp/ United States
  Department of Health and Human Services/Administra
  tive Simplification
• http//www.hhs.gov/ocr/hipaa Office for Civil
  Rights/HIPAA
• http//snip.wedi.org Strategic National
  Implementation Process of the Workgroup for
  Electronic Data Interchange