Post on 13-Jun-2018
Davis Wright Tremaine LLP
Case Study: Small Group Health Plan HIPAA Privacy Compliance for Employers
September 15, 2003
Speakers: Jason Froggatt, Becky Williams
Davis Wright Tremaine
2600 Century Square
1501 Fourth Avenue
Seattle WA 98101
(206) 622-3150
Email: jasonfroggatt@dwt.com, beckywilliams@dwt.com
Fax: (206) 628-7699

Case Study: Happy PT
Happy Physical Therapy Associates
  Approximately 100 employees
  Operations in two states
  Self-insured medical/vision
  Insured dental; two insurers
  Health Flexible Spending Account
  EAP

Case Study: Happy PT
Happy PT Goals:
  HIPAA Compliance
  Limited Budget
  Employee-Friendly

Approach to HIPAA
1. Covered entity analysis: Employer and Plan
2. Information flow analysis: determination of contact with PHI
3. Identification of internal compliance tasks
4. Address Use and Disclosure: business associate and other contractors

Covered Entity Analysis: Employers
What about Employers?
Employers are not Covered Entities simply because of their status as employers
Employers have unique responsibilities
  As the fiduciary of a Group Health Plan
  As a Plan Sponsor under Privacy Rules

Covered Entity Analysis: Health Plan
Includes any individual or group plan, private or governmental, that provides or pays for medical care (including employer-sponsored group health plan)
Essentially, in employer context, employee welfare benefit plan under ERISA
Includes self-insured and insured plans
Except self-administered employee health plans with fewer than 50 participants
Except for some but not all “excepted benefits”

Covered Entity Analysis: Health Plan
Covered Plans
  Medical Benefit Plans
  Long-Term Care
  Dental Plans
  Vision Plans
  Prescription Drug Plans
  Most EAPs
  Health FSAs
Excluded
  Life Insurance
  AD&D
  STD and LTD
  Worker’s Compensation
  Auto Insurance
  Stop Loss/Reinsurance
  Other Property/Casualty

Covered Entity Analysis
[Diagram] Covered Entities: HMO/Insurer; Group Health Plan
[Diagram] Non-Covered Entities: Employer/Plan Sponsor; Employer HR/Management

Covered Entity Analysis: Small Health Plan
Small Health Plan
  Less Than $5,000,000 in receipts
    Insured Plan = Premiums
    Self-Insured Plan = Benefit Claims Paid Out
    Insured/Self Insured = Blend
    Prior Fiscal Year
  Compliance Date: April 14, 2004

Case Study: Covered Entity Determination
100 Employees
$900,000 in Receipts
Small Group Health Plan

Information Flow
Identify where protected health information goes, and why
Determine whether plan sponsor is hands-on or hands-off PHI
Fully Insured Plans that receive no PHI
  No Individual Rights
  No Administrative Procedure

Compliance Tasks: HIPAA Privacy Rule
Creates individual rights with respect to health information
Mandates administrative actions for covered entities
Imposes use, disclosure and receipt requirements for health information

Basic Compliance Tasks
Appoint Privacy Official
Amend Plan Documents (if necessary)
Prepare Notice of Privacy Practices
Business Associate Contracts
Reasonable Policies and Procedures
Varies depending on Information Flow

Individual Rights
Right to Adequate Notice of Privacy Practices
  How much detail?
  Readability
Right to Access Health Information
Right to Request Amendment of Health Information
Right to an Accounting of Disclosures
Right to Request Restriction of Uses and Disclosures
Right to Request Restrictions Communicating Health Information

Administrative Procedures
Covered Entities must have policies, procedures and systems in place to protect health information and individual rights.
  Designation of a privacy official
  Complaint mechanism/contact person
  Privacy training for employees
  Safeguards to prevent misuses of protected health information
  Sanctions for employee violations

Use and Disclosure: Plan Sponsor
Generally, plan sponsor may only receive PHI from group health plan to carry out plan administrative functions if:
  Amends plan documents
  Controls flow of PHI
  Issues a certification to the group health plan about protections for PHI
Amendments and certification must:
  Establish uses and disclosures of PHI by plan sponsor
  Ensure adequate separation between group health plan and plan sponsor
Permitted disclosures to plan sponsor must be described in plan’s privacy notice

Use and Disclosure: Plan Sponsor
If plan sponsor does not make required changes to plan document and practices or does not certify that it has done so
  Plan may only disclose “summary information” to plan sponsor to obtain premium bids for insurance coverage or to modify, amend or terminate the plan

Case Study: Amend Plan
One Plan Amendment
  Self-Insured Medical Plan
  Health FSA
  EAP
  Insured Dental Plans

Use and Disclosure: Business Associates
May disclose PHI to its business associates if it obtains satisfactory assurances, through written contract, that the business associate will appropriately safeguard the information.
Specific requirements for business associate contract

Use and Disclosure: Business Associates
[Diagram] Group Health Plan and its business associates: COBRA Administrators; Vendors; Consultants; Auditors; Lawyers; Actuaries; Accountants; FSA Administrators; TPAs; Others

Case Study: Business Associate Contracts
Medical Plan TPA
Health FSA TPA
EAP – Health Care Provider
Template for Attorneys, Accountants and Others
Broker?

Penalties
Civil penalties
  $100 per violation
  $25,000 annual cap for violations of “identical” requirement
Criminal penalties
  For profit/with malice: up to $250,000 and/or 10 yrs in jail
Other “penalties” or liability
  Standard of care
  Reputation
  ERISA
  Breach of fiduciary duties

Don’t Forget
Analyze implications of Standard Transactions and Code Set Rules
  Plans must be able to accommodate standard transactions if requested
  Get commitments from insurance carriers/TPAs
Security Regulations
  Beware mini-security rule in Privacy Regulations
State Law