AGENDA

HIPAA Privacy and Security for Group Health Plans: The Changing Landscape Under HITECH
Sponsored By: HR Benefit Advisors
Presenter: Catherine (Katy) Stowers, Senior Attorney, Krieg DeVault LLP

Welcome/Introduction

Overview of HIPAA Privacy and Security Rules; HITECH Act
• What types of plans must comply?
• How are fully-insured plans different?
• What is “protected health information”?
• What employment records are included/excluded?
• Why adopt HIPAA privacy and security policies and procedures for your group health plan?
• How do HIPAA’s requirements apply to plan business associates?
• Who is a business associate?
• What has changed under HITECH?
  o Breach notification obligations
  o Increased penalties and enforcement by HHS
  o Direct application to business associates

Practical Application in Plan Administration for Human Resources and Benefits Professionals
• How do you protect paper PHI at your workplace?
• How do you protect electronic PHI at your workplace?
  o Review of Security Rule “safeguards”
  o Encryption, password protection, and other IT issues
  o Handling mobile technology
• How do you conduct a breach “risk assessment”?
• What steps are required for breach notification?
• How can your business associates help you comply?
  o Compliance measures implemented by Blue Water Benefits

Addressing Common HIPAA Issues Arising in the HR/Benefits Department

Discussion/Questions
I. HIPAA Privacy and Security Rules – Overview

A. Original Legislation. “HIPAA” and “HIPAA compliance” are common terms in the health benefits industry. The legislation known as HIPAA was enacted by Congress as the Health Insurance Portability and Accountability Act of 1996. Since that time, this legislation has had far-reaching consequences in many areas related to health benefit plan administration. It was this legislation that limited a health plan’s ability to exclude preexisting conditions from coverage, and introduced the idea of creditable coverage for new employees previously covered by another plan. It was also this legislation that refined the concept of “nondiscrimination” in providing benefits. However, in addition to its provisions related to preexisting condition exclusions, creditable coverage, and nondiscrimination in benefits, HIPAA also contained a section called the “administrative simplification provisions.” These provisions allowed the Department of Labor to enact regulations related to issues such as the electronic exchange of claims information, also known as EDI, and the privacy and security of a patient’s individually identifiable health information, known as the Privacy Rule and the Security Rule. The Privacy Rule and Security Rule are the subjects of this training course. The terms will be used separately in these materials where necessary; collective references will often be made just to the Privacy Rule, as this is the most common terminology.

B. Recent Amendments – the “HITECH” Act. Amendments to the Privacy and Security Rules were included in the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), which was part of the American Recovery and Reinvestment Act of 2009, commonly known as the Stimulus Act. Except to the extent that regulations related to various HITECH Act requirements have yet to be implemented, or were implemented with alternative effective dates, the HITECH Act is effective February 17, 2010.
The HITECH Act introduced the following key changes to the Privacy Rule and Security Rule:
• Expanded the obligations of plan “business associates”, making business associates directly required to comply with the Security Rule, and making Privacy Rule obligations in business associate agreements enforceable with civil and criminal penalties under HIPAA;
• Created affirmative breach notification obligations, more specifically described in “Breach Notification” regulations effective on September 23, 2009;
• Increased enforcement and penalties for violations of any aspect of HIPAA’s privacy and security requirements;
• Included additional guidance to define the “minimum necessary” standard;
• Included additional restrictions on marketing as a part of “health care operations”, and additional prohibitions on the sale of PHI;
• Applied specific requirements with respect to Electronic Health Records, which are created by EHR vendors, clinicians and health care providers (limited applicability to group health plans).
C. Deadline for Compliance.
• The original deadline to begin compliance with the Privacy Rule was April 14, 2003 for plans with 5 million dollars or more in annual receipts (“large health plans”), and April 14, 2004 for plans with less than 5 million dollars in annual receipts (“small health plans”). The original deadline for compliance with the Security Rule was April 20, 2005 for large health plans and April 20, 2006 for small health plans. All Covered Entities should be compliant with both the Privacy Rule and Security Rule at this stage, and should be taking action to update Privacy and Security Rule compliance to comply with the HITECH Act and its implementing regulations beginning February 17, 2010.
• Compliance is NOT voluntary; all covered entities were required to comply with these Rules on or before the deadlines mandated by the regulations.
D. The Privacy Rule and Protected Health Information. The Privacy Rule is the common name for a set of requirements and guidelines that directly impact how a health plan is able to receive, use and release the individually identifiable health information that it receives. Specifically, the health information protected by the Privacy Rule is called “protected health information,” or PHI. If this information is in electronic format, it is called ePHI, and the Security Rule is also applicable. The definition of PHI is very specific in the regulations: PHI is any information about a participant’s past, present, or future physical or mental health condition, or payment for medical care and treatment, if that information identifies or could be used to identify the participant, and that is transmitted or maintained in electronic or any other medium. This definition can be broken down into the following elements. You know you are handling PHI if you have:
1) Information in electronic or any other form;
2) About a plan participant’s past, present or future physical or mental health condition; or
3) About payment for medical care and treatment;
4) Which identifies (or could reasonably identify) the participant.

• How does this relate to enrollment and disenrollment information obtained by an employer? Basic information about enrollment and disenrollment in a group health plan is not PHI unless it contains substantial clinical data about a participant and/or his dependents.

• What about employment records, FMLA records, disability insurance records, sick leave requests and justifications, ADA information, drug screening results, and fitness for duty tests, maintained by the employer outside of its role as Plan Sponsor? These are specifically excluded from the definition of PHI.
II. Impact on Health Plans.

A. Overview. The Privacy Rule, Security Rule, and HITECH Act amendments apply to all group health plans that provide or pay the cost of medical care. Employee welfare benefit plans, as defined by ERISA, whether insured or self-funded, are covered. There is just one narrow exception for small, self-administered group health plans: if a group health plan has fewer than 50 participants and is self-administered, it is exempt from HIPAA Privacy and Security Rule compliance. The HITECH Act did not modify this exemption.

A Plan Sponsor may avoid most of the Privacy and Security Rule requirements if its group health plan is fully-insured and if the Plan Sponsor does not create, receive or maintain participants’ PHI. For fully-insured plans (those that solely provide health benefits through a contract with a health insurance issuer or an HMO), the health insurance issuer or HMO has the responsibility to comply with the Privacy Rule and most of the Security Rule requirements, as long as the Plan Sponsor limits its access to PHI to enrollment and disenrollment information, and to summary health information for purposes of obtaining premium bids. However, fully-insured group health plans are not completely exempt from HIPAA compliance. A fully-insured group health plan must comply with the Breach Notification regulations, must comply with the Security Rule, and must take steps to ensure that its vendors and service providers handling PHI comply with the Privacy Rule, the Security Rule, and the HITECH Act with respect to the plan’s PHI.

A Plan Sponsor of a self-funded plan is required to fully comply with the Privacy and Security Rules, and with all aspects of the HITECH Act and its implementing regulations. A self-funded plan is one in which the employer, acting as Plan Sponsor, designs the benefits that its employees and dependents receive, and provides the funding for payment of claims for those benefits.
Practically speaking, this process is completed through certain individuals that work for the employer, who complete “plan administration” functions, as well as through a third party administrator appointed by the plan sponsor, and often with the assistance of a consultant or agency representing the Plan Sponsor. The Security Rule requires health plans to implement certain security safeguards with regard to ePHI, but gives them significant latitude in determining how to achieve an appropriate level of security. As a practical matter, compliance with the Security Rule is generally handled at the level that ePHI is most frequently exchanged, which would be by the claims administrator. However, each Plan Sponsor (whether fully-insured or self-funded) must complete an assessment of its compliance (and necessity to comply) with the administrative, technical, and physical safeguards required to be addressed under the Security Rule.
B. Use and Disclosure of PHI Expressly Permitted by the Privacy Rule. PHI may be disclosed by a health plan without violation of the Privacy Rule under certain specified circumstances enumerated below.

1) PHI may always be shared between “covered entities.” Covered entities include:
• health care providers (e.g. doctors, hospitals, clinics, etc.)
• health care clearinghouses (e.g. repricing entities, billing services)
• health plans (e.g. fully-insured health plans, HMOs, self-funded health plans, health FSAs, HRAs)

2) PHI may also be disclosed without violation of the Privacy Rule for the following reasons:
• Treatment – including the provision, coordination, and management of health care.
• Payment – including premium payments, contributions, benefits, and cost sharing amounts, determinations of eligibility and coverage, utilization review, coordination of benefits, subrogation, and activities related to reimbursement through reinsurance.
• Health care operations – including quality assessments, underwriting or premium rating for contract renewals, performance or arrangement of audits and legal services, various business planning and management activities, aggregating and analyzing PHI, resolution of initial grievances, and due diligence in corporate transactions. Under the HITECH Act, regulations further defining “health care operations” are expected; marketing communications are excluded unless the communication describes a product included in the plan’s benefit provisions, is for treatment, or is for individual case management purposes.
3) PHI may be disclosed to and used by Business Associates of the health plan who have entered into a valid Business Associate agreement with the health plan (or one of its Business Associates). Business Associate Agreements should be modified to incorporate the HITECH Act provisions, most importantly with regard to notification to the group health plan regarding a breach of unsecured PHI.

4) PHI may be disclosed if the health plan has a valid authorization form containing all elements required by the regulations, signed by the participant, authorizing the disclosure at issue. Elements of a valid authorization include:
• A statement informing the participant that the health plan will not condition enrollment in the health plan on signing an authorization;
• A clear and specific description of the information to be used and disclosed;
• The specific person(s) or class of persons authorized to make the requested use or disclosure;
• The specific person(s) or class of persons authorized to receive or use the PHI that is the subject of the disclosure;
• A description of each purpose of the requested use or disclosure (unless the use or disclosure is requested by the participant himself);
• A statement informing the participant of his right to revoke the authorization;
• A statement that the information to be used or disclosed may no longer be protected once it is used and disclosed in accordance with the authorization;
• An expiration date OR a description of the expiration event;
• The signature of the participant and the date;
• If the authorization is signed by a personal representative, a description of his/her authority to sign on behalf of the participant.
Covered entities can release information regarding minor dependents to the Member and his/her spouse without a specific authorization, because a parent is considered a personal representative under the Privacy Rule. Under the payment exception, covered entities may also release to the participant basic claim payment information about all of a participant’s dependents, including a spouse and a non-minor dependent, without a separate authorization. Spousal and non-minor dependent disclosures are handled differently by different administrators; most should require specific authorizations. Plan administrators should be required to verify caller identities prior to releasing PHI to callers over the telephone.

C. Minimum Necessary Standard. A covered entity (or its business associate) must make reasonable efforts to limit the PHI used, disclosed, or requested to the minimum amount necessary to achieve the purpose of the use, disclosure, or request (the “minimum necessary standard”). Under the HITECH Act, uses and disclosures of PHI must be limited to a “Limited Data Set” – with 16 regulatory identifiers removed – unless impracticable. Further regulation is anticipated under the HITECH Act requirements.

1) Minimum Necessary Uses of PHI. The minimum necessary standard requires that all individuals who perform health plan functions use the minimum amount of PHI necessary to perform their duties. To effectuate this, the covered entity must:
• identify all individuals who need access to PHI according to their function in plan administration, payment or health care operations;
• determine the circumstances under which individuals who perform plan functions may use PHI;
• ensure that all individuals who use PHI follow this determination of the circumstances in which use of PHI is permitted; and
• ensure that all individuals use only a Limited Data Set, and if impracticable, only the minimum amount of PHI necessary to effectively administer the health plan. Reasons for the use of more than a Limited Data Set should be documented.

2) Minimum Necessary Disclosures of PHI. The minimum necessary standard also requires that all individuals performing health plan functions disclose only the minimum PHI necessary to achieve the purpose of the disclosure. To effectuate this, the covered entity must:
• identify all disclosures of PHI made on a routine and recurring basis, determine that only the minimum amount of PHI needed to effectuate its purpose is included in those disclosures, and document if more than a Limited Data Set is needed;
• submit non-routine disclosures to the privacy officer on a case-by-case basis to determine if the request is limited to the minimum necessary PHI, and seek clarification or modification of the request if needed.
3) Minimum Necessary Requests for PHI. Covered entities must limit requests for PHI (such as requests for medical records of a participant) to the minimum amount necessary to achieve the purpose of the request. Accordingly, requests for medical records should be only those related to the claims at issue. Requests for an entire file should be rare, and the requesting party should provide specific justification for the request.

D. Responsibility to Protect Participants’ PHI: Nondisclosure. Except for those specific exceptions to the nondisclosure rule which are included in this presentation, PHI may not be disclosed without violation of the Privacy Rule. In addition, covered entities (and their business associates) have a responsibility to protect participants’ PHI from inadvertent disclosure. In order to do so, covered entities are required by the Privacy and Security Rules to take the following steps:

a) Create “firewalls.” This means that the Plan Sponsor must erect barriers between PHI and all other information maintained by the health plan and/or the employer. This should be done through a process called “adequate separation,” which is effectuated by implementing the following elements:
• Keeping PHI separate from all other records maintained by the health plan and/or the employer, including employment records;
• Keeping the separately maintained PHI in a locked filing cabinet, locked office, or other secure location that requires key or password access;
• Allowing access to the secure location where PHI is maintained only by individuals specifically designated by the health plan/plan sponsor;
• Ensuring that all individuals with access to secured PHI are trained in the health plan’s privacy and security policies and procedures.
b) Maintain secure communications. Make certain that if PHI is received by mail, facsimile, or e-mail, those methods of communication are as secure as reasonably possible. This means that the facsimile machine on which you receive communications regarding claims issues, communications from your TPA, or communications from providers should be separate from other fax machines, in a secure location, and monitored by someone who is allowed to access PHI and has been trained on how to handle it. E-mail should be encrypted if possible, or at a minimum password protected, and mail containing PHI should not be opened in a general area.

c) Complete assessment of Security Rule safeguards and document compliance. The Security Rule requires compliance with enumerated administrative, technical and physical safeguards for electronic PHI. Adoption of Security Policies is required, as well as the appointment of a Security Officer. Assessment of compliance with required and addressable security safeguards should be completed in conjunction with the Plan Sponsor’s IT department to ensure technical compliance.

E. Participant Rights. Participants have specific rights with regard to their PHI. Those rights should be enumerated in the Notice of Privacy Practices distributed by the group health plan, or by the health insurance issuer in the case of a fully-insured plan. Participant rights must be specifically addressed in the Privacy and Security Policies and Procedures of a self-funded group health plan. Those rights include:
• The right to request a paper copy of the health plan’s Notice of Privacy Rights (especially if originally available in electronic format);
• The right to request restrictions on the uses and disclosures of PHI;
• The right to receive confidential communications;
• The right of access to their PHI;
• The right to request amendment of inaccurate or incomplete PHI;
• The right to request an accounting of disclosures of PHI.
F. Additional Elements of Compliance. All covered entities must take several steps to comply with the Privacy and Security Rules and the HITECH Act. These steps include:

1) Development and Distribution of a Notice of Privacy Practices: Every participant in your group health plans should receive a Notice of Privacy Practices, either directly from the self-funded plan (or its TPA) or from the health insurance issuer. That Notice contains a specific listing of the rights of participants with respect to the individual’s own PHI, and of the health plan’s obligations. The Notice of Privacy Practices must be redistributed (or notice given to participants that they may request a copy) every three years.

2) Appointment of a Privacy and Security Officer: Each covered entity must appoint a Privacy Officer and a Security Officer. The Privacy Officer and Security Officer, who may be the same individual or different individuals, are the resources that plan participants should consult for all questions and issues related to uses and disclosures of PHI, the health plan’s procedures for maintaining PHI, implementation of the administrative, technical, and physical safeguards required by the Security Rule, and the privacy and security-related policies and procedures adopted by the health plan. Fully-insured plans are exempt from the requirement to appoint a Privacy Officer, although such plans may consider appointing a Privacy Officer to ensure that the HITECH Act obligations in the event of a breach of unsecured PHI are taken care of in a timely manner as required by the Breach Notification regulations. Both self-funded and fully-insured plans must appoint a Security Officer.

3) Development and Adoption of Policies and Procedures for Use and Disclosure of PHI: All health plans should have adopted policies and procedures related to the use and disclosure of PHI. Those policies and procedures are maintained by the health plan’s Privacy Officer. Fully-insured plans are technically exempt from this requirement, although such plans may consider adopting limited policies expressly delegating Privacy Rule obligations to the insurance company, and addressing the nonretaliation and Breach Notification requirements that remain applicable. Fully-insured plans should adopt security policies that demonstrate compliance with Security Rule safeguards, even if just to document review of those safeguards and delegation to the insurance company.

4) Authorization Forms. The Privacy Rule created new requirements for authorization forms, all of which must contain certain elements in order to be compliant with the Privacy Rule’s requirements. All group health plans should be using a HIPAA compliant authorization form when seeking to use or disclose PHI where authorization is required.

5) Creation of Contractual Business Associate Relationships. Your group health plan has likely already secured Business Associate agreements with its service providers. Once that has been done, all communication of PHI between the group health plan and those service providers, such as your consulting firm, your TPA, your accounting firm, and your legal counsel, will be permissible, as long as the appropriate safeguards are being used by each party. The existence of the Business Associate agreement is intended to ensure that each party receiving PHI is employing those appropriate safeguards, and is now also intended to ensure that service providers notify the covered entity in a timely manner if a breach of PHI for which notification is required occurs.

6) Adoption of Steps for Disclosure to Plan Sponsor. Self-funded plans must formally amend their group health plan document in order for the Plan Sponsor to access PHI, and must address the following steps:
• Plan Amendment
• Plan Sponsor Certification
• Identification and Training of Employees with Access to PHI
• Implementation of Firewalls and other Security Safeguards
Fully-insured plan sponsors should also amend the group health plan document to set forth the delegation of its HIPAA Privacy and Security Rule obligations to the insurer.

7) Adoption of a Complaint Procedure. In order to be compliant with the regulations, group health plans are required to provide a process for individuals to make complaints regarding privacy violations. Plans are also required to identify in the Notice a contact person or office responsible for receiving those complaints, and to document any complaints received and retain the documentation for a period of six (6) years from its date of creation. There is no timeframe required for resolving complaints; however, if a complaint is not resolved to an individual’s satisfaction, he or she has the option of filing the complaint with the Department of Health and Human Services.

8) Adoption of a Risk Assessment and Breach Notification Procedure. As part of the HITECH Act’s provisions, the group health plan’s privacy and security procedures must now contain a procedure for determining if a breach of unsecured PHI occurred for which notification to affected individuals is required. A breach of unsecured PHI occurs when PHI is used or disclosed in a manner not authorized by the Privacy Rule, and that use or disclosure creates a substantial risk of financial, reputational, or other harm to the individuals whose PHI was the subject of the breach. The risk assessment procedure should address the objective and subjective factors considered by the covered entity in determining the likelihood of financial, reputational or other harm to affected individuals resulting from the incident. The breach notification procedure should address how and when individuals will be notified if the risk assessment determines that a breach of unsecured PHI occurred, the contents of those notices, and the timing of those notices. It should also address the circumstances and timing of media notifications and notifications to the Secretary of HHS, when such notices are required under the Breach Notification regulations.
III. Sanctions for Violations of Privacy and Security Rules

A. Sanctions Against Workforce Members. The Privacy Rule requires that covered entities adopt written policies and procedures to sanction workforce members who violate the Privacy Rule. Specific sanctions are not included in the Privacy Rule, and the details of the sanction policy and procedure are left to the discretion of the health plan. This requirement applies to both fully-insured and self-funded plans. Determination of the appropriateness of sanctions should be based on the nature of the violation, and whether the violation was intentional or unintentional. These can follow a progressive discipline policy already in place, and can range from verbal warnings to termination of employment. All records of sanctions for violations of the Privacy Rule must be maintained for six (6) years.

B. Treatment of Whistleblowers. The Privacy Rule specifically protects “whistleblowers” – individuals who report privacy violations to a health care oversight committee or attorney investigating wrongdoing. The Rule prohibits any acts of intimidation, coercion, or retaliation against any individual who makes a complaint to the health plan or to DHHS, or who chooses to exercise any rights granted by the Privacy Rule. In addition, covered entities cannot sanction employees who refuse to follow a policy or procedure believed in good faith to be a violation of the Privacy Rule. This requirement applies to both fully-insured and self-funded plans.

C. Duty to Mitigate Harm. The Privacy Rule imposes a duty on covered entities to mitigate any harmful effects of a privacy violation. This means that if the covered entity becomes aware of any unlawful use or disclosure of PHI, either intentional or unintentional, it must take reasonable steps to minimize the harm caused, and protect against the recurrence of the problem. These steps might include, in the plan’s discretion, notification of the participants affected by the disclosure, modification of policies and procedures, and applying individual sanctions to the members of the workforce responsible for the unlawful disclosure.

D. Documentation Requirements. All policies, procedures, communications, actions, activities, or designations required to be documented by the Privacy Rule, the Security Rule, the HITECH Act, and any implementing regulations must be maintained in either written or electronic form for six (6) years. The six year period runs from the date that the documentation was created or the date the policy or procedure was last in effect, whichever is later.
E. Governmental Enforcement.

1) HHS Complaint Process. There is no private right of action afforded to an individual plan participant under the Privacy or Security Rule, or under the HITECH Act. This means that an aggrieved individual cannot sue a covered entity or a business associate for perceived violations of the Privacy Rule. However, privacy and security provisions that appear in a plan document may be enforceable by plan participants and beneficiaries under ERISA. A covered entity must also be mindful that an individual may try to bring a state law action, such as for negligence or invasion of privacy, and utilize the Privacy Rule as a basis for that action. Individuals may file formal complaints for alleged Privacy Rule violations with the Department of Health and Human Services (“HHS”). Violations may also be discovered by formal compliance audits conducted by HHS. Under the HITECH Act, penalties have been increased and HHS has indicated it will begin conducting compliance audits of group health plans. The previously implemented graduated enforcement system, beginning with an informal complaint resolution process, has been replaced by a requirement in the HITECH Act to formally investigate any complaint alleging willful neglect of privacy and security obligations by a covered entity or business associate. Prior to the HITECH Act, governmental enforcement for Privacy and Security Rule violations would be taken against covered entities only. However, under the HITECH Act, business associates are now directly required to comply with the Security Rule, and are subject to civil and criminal sanctions for any violation of the Security Rule, as well as any breach of the privacy obligations outlined in the business associate agreement.

2) Required Investigations, Audits, and Penalty Assessments.
Under the preamble to the original HIPAA enforcement regulations, the governmental agencies intended to refrain from levying civil monetary penalties until an informal resolution process failed. Under the provisions of the HITECH Act, the regulatory environment is much less friendly, especially since the HITECH Act requires formal investigation of any complaint, and an audit when a preliminary investigation indicates “willful neglect” by a covered entity or business associate. In addition, HHS is required to impose a penalty for any violation based on willful neglect. The required investigation, audit and penalty assessment process will be the subject of additional regulation to be issued by August of 2010, and will be effective in February of 2011.
3) Civil Penalty Assessments. Under the HITECH Act and new penalty regulations effective November 30, 2009 (and applicable to any violation after February 17, 2010), penalties have been substantially increased. Penalties now assessed under a 4 tiered structure as follows: a. Tier 1: If violation unknown (and would not have known with reasonable diligence), penalty is a minimum of $100, with perviolation max of $50,000, and an overall limit of $1,500,000 for identical violations during calendar year. b. Tier 2: If violation due to reasonable cause and not willful neglect, minimum is $1,000 per violation, with per-violation maximum of $50,000, an overall $1,500,000 limit for identical violations per calendar year. c. Tier 3: If violation resulted from willful neglect but is corrected within 30 days of discovery, minimum is $10,000 per violation, with per-violation max of $50,000, and an overall $1,500,000 limit for identical violations per calendar year. d. Tier 4: If violation is due to willful neglect and not corrected, minimum is $50,000 per violation, and an overall $1,500,000 limit for identical violations per calendar year. 4) Criminal Penalty Assessments. Criminal violations are reserved for the most severe cases of knowing violations of the Privacy Rule. These penalties (upon conviction) range from a fine of up to $50,000 up to one year imprisonment for knowing violations. Unlawful uses or disclosures made under “false pretenses” are punishable with a fine of up to $100,000 and up to five years imprisonment. Finally, unlawful uses or disclosures made with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm are punishable with a fine of up to $250,000 and up to ten years imprisonment. The United States Department of Justice has the authority to enforce HIPAA’s criminal penalties. 5) Other Enforcement Mechanisms. 
Under the HITECH Act, State Attorneys General are authorized to bring a civil action for HIPAA violations on behalf of state residents who were adversely impacted, and can seek both injunctive relief and civil damages. There is also a mechanism in the HITECH Act for individuals to recover a portion of a civil penalty or monetary settlement assessed by HHS for HIPAA violations.
HIPAA Security Requirements at a Glance

Administrative Safeguards
• Security Officer
• Adoption of Security Processes
• Workforce Training
• Risk/Access Management
• Security Incident Procedures
• Contingency Planning
• Sanction Policies
• Periodic Evaluation of Systems
• Execution of BA Agreements

Physical Safeguards
• Facility Access Controls
• Workstation Access and Use
• Workstation Security
• Device and Media Controls

Technical Safeguards
• Access Controls – Passwords/User IDs
• Audit Controls – Viruses/Spyware
• Person/Entity Authentication
• Encryption
• System Integrity
• Transmission Security

Organizational Requirements
• Business Associate Agreements
• Written Policies and Procedures
• Maintenance of Records
Top Ten HIPAA Workplace Questions: What do I do if….?

1. What if an employee brings me an adverse benefit determination from the plan and asks me to help her resolve the dispute?
The employee can share her own PHI with you, so to the extent the employee provides the PHI to resolve the question, you can assist in the resolution. If you have access to PHI through your role in Plan administration, you can access Plan PHI from the claims administrator or business associate to assist in the dispute. If you don’t have access to PHI, such as in the fully-insured plan context, you must seek a signed authorization from the employee.

2. What if the claims dispute involves the employee’s spouse or dependents?
If you have access to PHI, you can access it from the claims administrator or business associate to assist in the dispute; however, authorization from the spouse or adult dependent is required before communicating any PHI related to the dispute with the employee, except for disclosure of payment information. The employee can share minor dependents’ PHI in the same manner that the employee can share her own. If you don’t have access to PHI, such as in the fully-insured plan context, you must have a signed authorization from the spouse or adult dependent, or from the employee on behalf of a minor dependent.

3. What if the employee’s spouse calls and asks for assistance in resolving a claim issue for the employee?
If you have access to PHI, you can access it from the claims administrator or business associate to assist in the dispute; however, authorization from the employee is required before communicating any PHI related to the dispute with the employee. The spouse can share minor dependents’ PHI in the same manner that the spouse can share her own. If you don’t have access to PHI, such as in the fully-insured plan context, you must have a signed authorization from the employee before accessing the employee’s PHI.

4. Should I be concerned if my TPA’s claims website allows employees to access claims payment information for the employee and all of the employee’s dependents participating in the plan?
As long as the website is limited to claims payment information (similar to what is contained on an EOB), this is a permissible “payment” disclosure.

5. What do I do if an employee has a baby (is recovering well from surgery, is absent due to family illness, etc.) and I want to share information with other employees?
As long as the medical information is not received from the group health plan, but is instead received from the employee, a family member or another coworker, then the information is not PHI and is not governed by HIPAA. Employee privacy concerns should be addressed, but not due to HIPAA.

6. What if an employee asks for an ADA accommodation, or requests a leave of absence under FMLA?
As long as medical information from the group health plan is not utilized to address the ADA or FMLA request, HIPAA does not govern the employer’s use or disclosure of medical information. Medical information provided by the employee to the employer is not governed by HIPAA, but should be maintained separately from other personnel records per EEOC guidelines. The employer will need a written authorization to communicate directly with the medical provider due to the health care provider’s HIPAA obligations.

7. If my company requires employee testing for illegal drugs, can I receive the results of those tests from the health care provider?
The results are not Plan PHI unless obtained from the group health plan records, which would be an impermissible use of PHI for employment purposes. The health care provider is required to have a written authorization from the employee before releasing drug testing results to the employer; however, the employer may make signing the authorization a condition for continued employment.

8. What if my company conditions continued employment on participation in an employee assistance program for an employee with performance issues – can I obtain information about the employee’s compliance with treatment from the EAP provider?
The results are not Plan PHI unless obtained from the group health plan records, which would be an impermissible use of PHI for employment purposes. The health care provider is required to have a written authorization from the employee before releasing EAP participation information to the employer; however, the employer may make signing the authorization to obtain EAP treatment information a condition for continued employment.

9. What if my employee is involved in a lawsuit, and the Plan receives a request for claim payment records or other PHI from another party to the lawsuit?
The plan’s HIPAA policies should describe the circumstances in which PHI will be disclosed in litigation; the Privacy Rule permits disclosure in administrative and judicial proceedings if there is a valid court order, subpoena, or protective order in place. A procedure for evaluating and responding to requests for PHI in litigation should be established in conjunction with the claims administrator.

10. May my company obtain PHI from the group health plan to corroborate a medical excuse from an employee who has missed work?
The Privacy Rule, and the required health plan amendment, prohibit the use of PHI from the group health plan for employment purposes, so this would not be permitted. If corroboration is necessary, the employer should request an authorization from the employee to obtain medical treatment information directly from the physician.