
HITECH, HIPAA & SCHIP: SO MANY ACRONYMS, SO LITTLE TIME.

Date post: 29-Dec-2015
Upload: jonas-holmes
Alphabet Soup

American Recovery and Reinvestment Act of 2009 (“ARRA”)

Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)

Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”)

State Children's Health Insurance Act (“SCHIP”)

Stimulus Spending for Health Care

$87 billion in increased Medicaid funding

(Kentucky’s share $990 million)

$17 billion to reimburse physicians and hospitals who embrace electronic medical records

$25 billion in COBRA subsidies

$8.2 billion to NIH for grants to promote large-scale research, support community health including $500 million to train professionals in rural areas through National Health Service Corps

$1.5 billion for “comparative effectiveness research”

Total: $130+ billion

Publicized Kentucky Initiatives to Date

13.6 percent increase in food stamp benefits for recipient families

$450,000 for training and part-time employment for low income persons age 55+

Restoration of funds cut from 50 agencies caring for children in state custody ($4 million)

Temporary increase in hospital reimbursements to settle outstanding appeals

Kentucky’s Share of Medicaid Funding = $990 Million

Prior to ARRA, federal contribution per $100 of Medicaid funds paid out in Kentucky was $70.13

Under ARRA, Kentucky receives increased federal contribution of $78.61

Incentives for Hospitals to Implement Electronic Health Records

HITECH Infrastructure

Significant HITECH provisions

Federal Gov’t now officially the coordinator of federal HIT policy

Federal Gov’t has expanded role in HIT testing and research (NIST to test/certify)

Federal subsidies for states, nonprofits, and educational institutions to promote/implement HIT

Significant revisions to HIPAA privacy/security

Significant new burdens for HIPAA “business associates”

HITECH – Role in Healthcare Reform

Why now?

HITECH reflects federal government’s intent for HIT to play a transformative role in health care reform

Reduce adverse events, increase quality

Eliminate errors & duplication

Accelerate and expand pool of useful data

comparative effectiveness research

identify provider variations & inefficiencies

Contain costs in government healthcare programs

Incentives

Adopting EHR is still voluntary, but HITECH offers inducements to adopt, penalties for those who don’t

EHR stimulus money available AFTER adoption and demonstration of “meaningful use” – yet to be defined

HITECH – Loans and Grants

HITECH provides stimulus money to states to “promote HIT”

State can use grant money for EHR Adoption Loan Programs

Loans cannot be made before January 1, 2010

HITECH – Loans and Grants

Providers can use loan to purchase, upgrade, obtain training, or improve security

Providers who get a HITECH funded loan must

Submit “quality reports”

Demonstrate that EHR satisfies standards and improves quality of care – “meaningful use” rule

Include plan for EHR maintenance over time

Submit clinical quality info (TBD)

Must provider maintain the EHR after loan is repaid?

Not addressed

Why EHR?

Physician Office Productivity

Fewer chart pulls

Improved efficiency in communicating with patients and pharmacies

Improved billing accuracy

Reduced transcription costs

Clearer, safer prescribing through e-prescribing technology

Why EHR?

Quality of Care Improvement

Comprehensive point-of-care decision support – clinical guidelines, drug interactions, etc.

Rapid and remote access to patient information

Integration of evidence-based clinical guidelines

Patient-specific alerts – current drug regimen, allergies, etc.

Reduction of redundant, unnecessary services

Decrease frequency of medical error

HITECH’s Expansion of HIPAA

Who Must Comply? “Covered Entities”

Includes Health Plans

Doesn’t HIPAA apply only to health plans and health care providers? In other words, aren’t employers exempted?

No. HIPAA applies to any “covered entity,” provided that certain other requirements are met. A covered entity means a health plan, health care clearinghouse or health care provider (to the extent that it engages in the electronic transmission of confidential health information).

Under what circumstances will a group health plan be a covered entity?

If the plan either (i) has 50 or more participants; or (ii) is administered by a third party (e.g., an insurance carrier).

What Health Information is Protected by the HIPAA Privacy Rule (“PHI”)?

All Medical Records AND

Other “Individually Identifiable Health Information” created or received by a Covered Entity or an employer

In ANY form or medium:

electronic

paper

oral

An Important Distinction

Employment records held by a covered entity in its role as employer are not protected by the Privacy Rule

Information an employer receives from a health plan it sponsors or obtains from an employee’s medical record is protected by the Privacy Rule

New Rules on Privacy

HIPAA Changes

Stricter Requirements for “Covered Entities” under HIPAA

Health Plans (including employer-sponsored)

Health Care Providers

Health Data Clearinghouses

Direct Regulation of “Business Associates”

Person or entity who performs functions on behalf of a covered entity involving use or disclosure of PHI

Accountants, lawyers, software vendors, TPAs, utilization reviewers, transcriptionists, interpreters, collection agencies and more

Tougher Rules for Covered Entities

Stricter rules re: honoring requests about use/disclosure of PHI

Self-pay

Contraction of “minimum necessary” concept governing use/disclosure for payment and operations

Limited Data Set “safe harbor”

Expanded requirement to account for disclosures

All disclosures made via EHR must be tracked, reported

Tougher Rules for Covered Entities (cont’d)

Prohibition on any remuneration for PHI without authorization (some exceptions, like research, public health, sale of entity)

Access requirement includes production in electronic form

New restrictions on marketing communications require conspicuous notice about opting out

New Data Breach Notification Rules

“Breach” is unauthorized acquisition, access, use or disclosure of PHI that compromises the security or privacy of the information

Applies to “unsecured PHI”

Duty to notify each individual whose PHI “has been, or is reasonably believed by the covered entity to have been,” accessed, acquired, or disclosed due to the breach

Notification (cont’d)

Notification requirement also applies to BAs

BAs to provide notice to the covered entity

“Safe Harbor” for secured PHI based on guidance issued by HHS

HHS Guidance issued April 27, 2009 says, in effect, encrypt or destroy. Encrypted data is secure only if the key has not been breached

Notification (cont’d)

A breach is considered “discovered” on the first day it is known to the BA or covered entity, including any employee, officer or other agent of such entity or associate

All notifications must be made “without unreasonable delay”

no later than 60 calendar days after discovery

burden on notifying entity to demonstrate that all required notifications were made and explain any details

If the entity lacks sufficient contact information for 10+ individuals, notification must be made on the entity’s home page, or in major print or broadcast media

Notification (cont’d)

Notice must be

in writing

by first class mail

sent to the last known address of individual or next of kin

if individual specified preference for e-mail notification, that method shall be used

one or more mailings (as more information becomes available)

Notification (cont’d)

If more than 500 residents of a state or jurisdiction are affected

notices as described above AND

notification to “prominent media outlets” in such state or jurisdiction

Exception: if notice will “impede a criminal investigation or cause damage to national security,” then notice may be delayed

Notification (cont’d)

Notice to Secretary

if more than 500 individuals affected

HHS to publicize breaching entities on its website

If breach impacts more than 500, notice to HHS must occur immediately

Entities are permitted to keep a log of breaches affecting fewer than 500 individuals and submit to HHS annually

Notification (cont’d)

All notices, to the extent possible, must include

Description of breach

Description of the types of information involved

Steps individuals should take to protect themselves from potential harm resulting from the breach

Description of covered entity’s actions to investigate the breach, mitigate losses, and protect against any further breaches.

Contact information

New Regime for Business Associates

HIPAA is not just a contractual responsibility now

Regulatory requirements to

Notify covered entities of a data breach

Directly comply with administrative, physical, and technical safeguards and documentation requirements under the HIPAA security rule, just like covered entities

New Regime for Business Associates (cont’d)

Use or disclose PHI only if such use or disclosure is in compliance with the privacy provisions of their business associate contracts

Take action if covered entity has pattern or practice of violating HIPAA

New Regime for Business Associates (cont’d)

Practical Effects

Security officer or task force

Multi-department risk assessment of how information is received, accessed and used, stored and disclosed to others

Adopt and implement written policies and procedures

Increased Enforcement and Penalties

Historically, HIPAA enforcement has been complaint-driven

ARRA appropriated $24.3 billion to the privacy and security goals. Of this amount, $9.5 million is set aside to fund proactive HIPAA compliance audits by the Office for Civil Rights and CMS

The GAO is directed to prepare a report within 18 months of HITECH’s enactment establishing a method for allowing affected individuals to share in civil monetary penalties imposed under HIPAA

Old: $100/violation, max of $25,000/year - no intent was factored in

Increased Enforcement and Penalties (cont’d).

Under HITECH, potential penalties are increased significantly, and are tiered to take into account the intent of the violator. The tiers are as follows:

Tier A – if the violator did not know (and by exercising reasonable diligence would not have known) that its actions violated the HIPAA laws or regulations, a penalty of at least $100 per violation but not more than $25,000 per violation for multiple violations of the same requirement in a calendar year; and up to $50,000 per violation not to exceed $1.5 million for same requirement

Tier B – if the violation was due to reasonable cause and not willful neglect, a penalty of at least $1,000 per violation but not more than $50,000 per violation of the same requirement in a calendar year; and up to $50,000 per violation not to exceed $1.5 million for same requirement

Increased Enforcement and Penalties (cont’d).

Tier C – if the violation was due to willful neglect and is corrected, a penalty of at least $10,000 per violation but not more than $250,000 for multiple violations of the same requirement in a calendar year; and up to $50,000 per violation but not more than $1.5 million for multiple violations of the same requirement in a calendar year

Tier D – if the violation was due to willful neglect and is not corrected, a fine of $50,000 per violation but not more than $1.5 million for multiple violations of the same requirement in a calendar year

Increased Enforcement and Penalties (cont’d).

State Attorneys General may now file a civil action against HIPAA violators on behalf of residents of their state.

$100 per violation, not to exceed $25,000 per calendar year.

Criminal penalties:

Up to $50,000 and up to one year in prison, or both, if a person knowingly obtains individually identifiable health information relating to an individual or discloses the information to another person in a manner that violates HIPAA.

Up to $100,000 and up to five years in prison or both if the information was obtained under false pretenses.

Up to $250,000 and up to ten years in prison or both if the violation involves commercial advantage, personal gain, or malicious harm.

STEP 1: IDENTIFY THE GROUP HEALTH PLANS THAT THE EMPLOYER SPONSORS

major medical plans

dental plans

vision plans

health care flexible spending accounts

health reimbursement arrangements

high-deductible health plans

health savings accounts

cancer insurance and other employee-pay-all plans

employee assistance plans providing counseling

retiree health plans

long-term care plans

wellness programs

STEP 2: IDENTIFY FULLY-INSURED PLANS AND SELF-INSURED PLANS

Fully-insured: If no access to PHI (except for summary and enrollment/disenrollment information), then group health plan has minimal HIPAA privacy compliance issues

Self-insured (or fully insured with access to PHI): HIPAA Privacy Rule will apply and sponsor will have to implement

STEP 3: IDENTIFY WHAT PHI YOU RECEIVE AND WHAT PHI YOU REALLY NEED

Employer can receive summary health information - to obtain premium bids, or to modify, amend or terminate plan, and information on enrollment and disenrollment

Employer can receive de-identified information

Employer can receive PHI the employee authorizes it to receive

What other information does the employer receive from the health plan that it doesn’t need?

LESS IS MORE

The less PHI an employer receives from a plan, the better off it is . . .

An employer cannot use or disclose PHI received from the plan for employment-related decisions unless authorized by the employee

If an employer receives health information about an employee from someone other than the health plan (including the employee or a co-worker), it’s not PHI

STEP 4 – IMPLEMENT A HIPAA PRIVACY AND SECURITY COMPLIANCE PLAN(S) FOR YOUR GROUP HEALTH PLANS

Because a fully-insured plan that is “hands off” PHI will have minimal HIPAA privacy requirements, an employer might want to have a separate privacy compliance policy for that plan

SCHIP/KCHIP

SCHIP

Created in 1997, Title XXI of the Social Security Act

State and federal combination funded children’s health insurance

Families earning too much for Medicaid, with uninsured children

Within federal guidelines – each state determines design of its SCHIP program.

KY = KCHIP

SCHIP

Children’s Health Insurance Program Reauthorization Act (“CHIPRA”)

Signed into law February 4, 2009

Renews and expands SCHIP from 7 million to projected 11 million children

$33 billion expansion

Funded primarily by boosting the federal cigarette tax from 61 cents to $1.00 per pack

In addition to 30 million of nation’s poorest children covered under Medicaid

CHIPRA Impacts Employer Health Plans

Premium Assistance Subsidy

CHIPRA allows a state to provide health plan premium assistance subsidies for certain low‑income children

To be eligible a child must be eligible for SCHIP and eligible for coverage under a “qualified employer‑sponsored health plan” – or employer‑sponsored health plan under which the employer contributes at least 40% toward the employee’s premium

Does not include health flexible spending arrangements or high‑deductible health plans

In general, the premium assistance subsidy under SCHIP is the difference between the employee contribution for employee‑only coverage and the employee contribution for coverage of the employee and the child

CHIPRA Impacts Employer Health Plans (cont’d)

Special Enrollment Rights

Became effective April 1, 2009

CHIPRA requires group health plans to permit an employee (or a dependent) who is eligible for plan coverage to enroll in the plan without waiting for an open enrollment period if:

The employee or dependent loses SCHIP (or Medicaid) coverage because of a loss of eligibility (rather than non-payment), and the employee requests coverage under the group health plan within 60 days after the termination; or

The employee or dependent becomes eligible for an SCHIP (or Medicaid) premium assistance subsidy and the employee requests coverage under the group health plan within 60 days after the eligibility determination

KyHealth Choices

CHIPRA Impacts Employer Health Plans (cont’d)

Notices to Employees of State Assistance

CHIPRA requires employers in states that provide Medicaid or SCHIP premium assistance subsidies to notify their employees in writing of the premium assistance and their enrollment rights under CHIPRA

Model notices will be available no later than February 4, 2010

Employers will be required to provide this notice starting with the first plan year after the model notice is issued

The notice may be provided as part of: the annual open enrollment materials; the initial offering of coverage to new eligible employees; or when providing the summary plan description

CHIPRA Impacts Employer Health Plans (cont’d)

Disclosure of Plan Information to States

CHIPRA requires group health plan administrators to disclose certain plan information (e.g., benefits information) to a state that requests the information

Intended to help a state determine the cost‑effectiveness of providing premium assistance

State governments may not request this information until a model coverage coordination disclosure form has been developed and regulations have been issued in connection with it

CHIPRA Impacts Employer Health Plans (cont’d)

Penalties

CHIPRA will subject employers to penalties of up to $100 a day for each failure to timely provide the required notices and disclosures

Some CHIPRA Action Items

Begin offering special enrollment

Prepare a summary of material modifications (SMM) or restate your summary plan descriptions (SPD) to include new special enrollment rights

Update special enrollment rights notice provided prior to or at time of enrollment

Wait to comply with notice requirements until model notice is issued

Disclose plan information when requested by state

Decide whether to opt out of direct payment from the state and require employee to pay entire premium and seek state reimbursement

KCHIP

Children under the age of 19

Family income must not exceed 200% of federal poverty level (before taxes)

Family of 2: $29,140

Family of 3: $36,620

Family of 4: $44,100

A “family” is considered as a child or children and the natural or adoptive parents residing together in a household

KCHIP Contact Information

Contact Information

KCHIP Toll-Free Hotline: (877) KCHIP-18 (877-524-4718)

HITECH

Questions?

Steven D. Gossman

Wyatt, Tarrant & Combs, LLP

500 West Jefferson St., Suite 2800 Louisville, KY 40202

(502) [email protected]

www.wyattfirm.com

Copyright reserved.©
