Date post: 15-Jan-2016
Upload: jakobe-felice
HIPAA Privacy Training
Transcript
Page 1: HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training

Page 2

HIPAA Background

Health Insurance Portability and Accountability Act of 1996

Copyright 2010 MHM Resources LLC

Page 3

Portability

Part One – Portability, access, and renewability requirements

Page 4

Administrative Simplification

Part Two – Administrative Simplification

Standards for maintenance and transmission of health information

Page 5

Privacy

Part Three – Privacy

The privacy regulations govern how individually identifiable medical information must be protected.

Page 6

Security

Part Four – Security

Regulates how health plans and other covered entities that electronically maintain or transmit PHI implement reasonable and appropriate safeguards for the availability and protection of electronic protected health information (PHI)


Page 7

Breach Notification

Part Five – Breach Notification

Health Information Technology for Economic and Clinical Health (HITECH) Act

Outlines how affected individuals must be notified if there is a breach of their “unsecured” PHI

Disclosure Log

Effective September 23, 2009


Page 8

Flexible Benefit Plans

A Health Flexible Spending Account (FSA), i.e. the unreimbursed medical portion of a cafeteria plan, or a Health Reimbursement Arrangement (HRA) is considered a health and welfare benefit plan.

Page 9

HIPAA Definitions

Covered Entity

A healthcare provider that conducts certain transactions in electronic form

A healthcare clearinghouse

A health plan - includes all the employer's welfare benefit plans like health insurance, a Health FSA within a cafeteria plan, and any HRAs.

Page 10

HIPAA Definitions

If you are an employer, you are generally not a covered entity. Employees, the plan, and its Business Associates may not freely share information with the employer unless firewalls exist to contain the information.

Page 11

HIPAA Definitions

Covered Transactions

Healthcare or dental claims administration

Healthcare eligibility

Benefits enrollment and maintenance

Payroll deduction and group premium payment

Retail pharmacy transactions

Page 12

HIPAA Definitions

Business Associate

A person, business, or agency that conducts covered transactions for another legal entity.

Page 13

HIPAA Definitions

Business Associate Agreement

The health plan must engage in a Business Associate Agreement with all Business Associates.

Page 14

HIPAA Definitions

Protected Health Information (PHI)

Individually identifiable medical information in any form, including oral communication that is created or received by a covered entity or employer.

Page 15

HIPAA Definitions

Breach of Unsecured PHI

A breach is the unauthorized access, use or disclosure of unsecured PHI.

PHI must be encrypted or destroyed

In motion, in use, at rest

Access controls do not make PHI secure

Page 16

HIPAA Definitions

Significant risk of harm to individual

Immediate steps were taken to obtain a guarantee that PHI will not be used or disclosed

PHI returned prior to being accessed

Determine type or amount of PHI disclosed

Page 17

HIPAA Overview

Individuals “own” their PHI

HIPAA defines what PHI is

Privacy notice tells employees how their PHI will be used and disclosed. No other notice is required

Privacy notice gives employees certain rights to their PHI

Page 18

Where does PHI Come From?

Mail

Fax

Front desk

Phones

Electronically

Orally, in person

Page 19

Who Can See PHI?

Covered entities with privacy policies in place

Business Associates that have signed Business Associate Agreements in place with the covered entities and also have privacy policies in place

Individual employees may review and change their own PHI

Page 20

When Can You Reveal PHI?

Healthcare operations

Payment

Treatment

As permitted or required by law

Pursuant to an authorization

Page 21

When Can You Reveal PHI?

Identify individual with whom you are speaking

Verify SSN, gender, birth date, and/or address

Authorization signed by participant

“Minimum Necessary” standard

Reveal the minimum necessary information when releasing information

Page 22

Applies to All Covered Entities

Employers are generally not covered entities

A covered entity may not freely share an individual's PHI with the employer or a non-health plan.

Page 23

Protect PHI in Your Office

Train all workers with access to PHI

Don’t enter PHI into a software system or program unless the information is encrypted while at rest or in transit

Create a “clean desk” policy

Store PHI under lock and key

Don’t discuss an individual’s health information in public

Identify callers

Page 24

Protect PHI in Your Office

Letters to participants should not contain their SSNs

Offsite storage

Retain a complete list of claim forms, etc. stored offsite

Use security tape on boxes to reveal unauthorized entry

Trash

Shredding

Page 25

Protect Participant’s Privacy

Right to inspect and copy

Accounting of disclosures

Amend

Request restrictions

Request confidential communications

Right to receive a paper copy of the privacy notice

Page 26

Employers

Employer puts in place HIPAA privacy policies and procedures

Plan documents and Summary Plan Descriptions for all employer-sponsored health plans

Assign a HIPAA Compliance Official

Employer must certify to the plan that HIPAA privacy rules are being followed

Page 27

Employers

The health plan must distribute a notice of privacy practices for employees

Business Associate Agreements must be in place

Train workforce on HIPAA compliance

Train workforce on breach reporting


Page 28

Breach Notification

Accounting for Disclosures of PHI

PHI may be disclosed for public policy and safety reasons and other mandatory disclosures listed below without an individual’s authorization

These disclosures must be logged since they were disclosed without the individual’s knowledge. The disclosure log must be made available to the individual upon request.


Page 29

Breach Notification

Individuals must be notified if their PHI has been disclosed and the information is unsecured PHI

Safe harbor to avoid breach notification:

Encryption whether PHI is at rest, in use or in transit

Destruction

http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/


Page 30

Plan Service Provider

HIPAA privacy policies and procedures

Business Associate Agreements must be in place between the plan service provider (Business Associate) and the plan.

Page 31

Exception to Compliance

Self-administered health plans with fewer than 50 participants are exempt from privacy compliance

Page 32

Civil and Criminal Penalties

Substantial civil and criminal penalties apply to noncompliance with HIPAA regulations

Be aware of your state laws

Get legal counsel

Page 33

HIPAA

Privacy – Your business depends on it
