1 Student Health Director Briefing Frequently Asked Questions HIPAA May 23, 2012.


Disclaimers

• This training session is for educational purposes only and does not constitute legal advice. If as a result of this training session you have questions about your HIPAA status or your organization's privacy or security compliance, please contact your SUNY Counsel.

• This training session is not intended to cover all of the privacy and security laws/regulations training requirements. Slides are provided for informational purposes only.


• Frequently Asked Questions:
  – Do electronic health record transactions make me HIPAA covered?
  – What type of billing activities make me HIPAA covered?
  – Do transactions between my campus and my student health insurance company make me HIPAA covered?
  – My campus would like to engage in new revenue producing enterprises related to our Student Health Centers, are there any issues that I need to address prior to implementing?

To answer these questions

Administrative Simplification

• “ADMINISTRATIVE SIMPLIFICATION” (HIPAA Rules)
  – Title 42 The Public Health and Welfare U.S. Code 1320d-1 et seq.
    • Subtitle F of Title II of HIPAA, Part C (HIPAA Provisions)
    • National standards to protect the confidentiality of patient health information via regulations in three areas:
      – Privacy (Privacy Rule)
        » Applies to information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral, known as Protected Health Information (PHI)
      – Electronic Exchange (Transaction and Code Set Regulations)
      – Security measures (Security Rule)

Privacy Rule

• Excludes from protected health information
  – Employment records
  – Education records and other records as defined in the Family Educational Rights and Privacy Act, 20 U.S.C. section 1232g

• Goal: to assure individuals that their health information with covered entities will be properly protected while allowing the flow of health information needed to provide and promote high quality health care.

Student Health Information - Exclusion

• Employment Records: Are excluded from the definition of PHI, and therefore not subject to the protections of HIPAA. Other laws and regulations that cover uses and disclosures of information in such records may apply -- such as OSHA, Family and Medical Leave Act (FMLA), workers' compensation, and alcohol and drug free workplace laws.

• Education records covered by FERPA; records of students held by colleges and universities used exclusively for health care treatment and which have not been disclosed to anyone other than a health care provider at the student’s request. (These are specifically excluded from the definition of “education records.”) 45 CFR 164.501

• HHS expressly determined that it was not going to preempt FERPA, because FERPA provided a privacy framework for student records. So, if the records fit within the “HIPAA FERPA” exception, must apply FERPA.

*HIPAA Basics: 2002 Washington and Lee University

Determination

• Remember: only individuals/offices that deal in PHI are required to comply with HIPAA privacy regulations. If your office only deals with student or employment records, and does not handle PHI, it may not be necessary to designate it as a covered care component of SUNY as a hybrid HIPAA covered entity.

*HIPAA Basics: 2002 Washington and Lee University

Covered Entities

1. Health Plans

2. Health Care Providers

3. Health Care Clearinghouses

Covered Entities – 1. Health Plan

• Health Plans – provide or pay the cost of medical care (42 U.S.C. 1320d, 45 CFR 160.103)
  – Include: health, dental, vision, prescription drug insurers, HMOs, Medicare, Medicaid…
  – Excludes: (reference 42 U.S.C. 300gg-91(c)(1))
    • Group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains the plan
    • Two types of governmental funded programs
      – Those whose principal purpose is not providing or paying the cost of health care, such as food stamps program
      – Those whose principal activity is directly providing health care, such as community health center
    • Certain other entities providing: workers' compensation, automobile insurance, and property and casualty insurance, coverage for on-site medical clinics

Examples of Covered Health Plans in the College or University Setting*

• Employee group health plan (fully/self-insured)
• Employee group dental plan (fully/self-insured)
• Employee group vision plan (fully/self-insured)
• Employee flexible spending account
• Employee Assistance Plan (for other than on-site clinic)
• Retiree health plan (fully/self-insured)
• Student health (fully/self-insured) (for other than on-campus clinic)

*HIPAA Basics: 2002 Washington and Lee University

Examples of Non-Covered Plans in a College or University Setting*

• NCAA intercollegiate accident policy
• Employee long-term disability policy
• Employee life insurance policy
• Employee workers’ compensation coverage
• Student health fee for on-site student health and counseling services

*HIPAA Basics: 2002 Washington and Lee University

Evaluate Activity – An Example

• University has a private psychiatrist on retainer, to evaluate students on a one-time referral from University physician/counselors when behavioral concerns arise. University pays psychiatrist directly for these sessions out of student health and counseling budget. Is this practice a “health plan” under HIPAA?

• This is not a covered health plan, but a contractual extension of the excluded on-site clinic exemption as an excepted benefit excluded from the HIPAA privacy and security rules.

*HIPAA Basics: 2002 Washington and Lee University

Endorsed vs. Sponsored Plans

• Question: A university endorses one student health insurance policy and allows that insurer to market the policy as the College Sponsored Student Health Plan. There is no contractual relationship between the college and the insurer and the students apply, pay premiums, and file claims on their own. Is the college a Plan Sponsor for HIPAA?

• No. First, the concept of a plan sponsor as defined appears to apply only to ERISA plans. Second, the college has not undertaken any responsibility to pay any premiums or subject itself to any other liability under the policy. It is acting only as endorser and liaison between insurer and student. Under these circumstances, the college is not a HIPAA plan sponsor of this plan. (Presenter’s opinion)

*HIPAA Basics: 2002 Washington and Lee University

Who is the Covered Entity – Student Health Insurance

• Best practice – in case of an issue with HIPAA and Student Health Insurance - Know which entity is covered (many colleges and universities utilize group health insurance companies such as Aetna for their student health insurance; these entities are the HIPAA covered entity and comply with regulations).

• Why does it matter? Most campuses exchange information as it relates to students and their health insurance. This information should be verified as not PHI and that only summary/participation/enrollment is being transacted. You can verify this with your student health insurance carrier.

Covered Entities – 2. Health Care Providers

Evaluate Activity – An Example

• If a health care provider transmits any of these transactions electronically, that health care provider is a covered entity. E.g., if your student health center bills student insurance electronically, or bills summer campers’ insurance electronically, or sends referral authorizations to insurers electronically, it has become a covered entity.

• It appears from HHS comments that “in connection with” means as a part of the covered transaction itself, not merely in communications in any way related to a covered transaction (e.g., electronically submitting a claim as opposed to emailing with a question about how to transmit a claim).

*HIPAA Basics: 2002 Washington and Lee University

Evaluate Activity - Examples

• Student health centers that only bill student accounts, not third-party payers. This is direct billing of the patient under an excluded plan covering on-site clinic services, not a “claim” to a covered health plan. Thus, this sort of account billing is not a HIPAA transaction.

• An email from one doctor to another doctor regarding a patient’s treatment is not a HIPAA transaction to trigger coverage as a “covered entity” or require standard formatting.

• A flexible spending account plan does not involve claims from health providers to the plan, but merely direct reimbursement of the employee, so though the plan is a covered plan, it conducts no HIPAA “claims” required to be standardized.

*HIPAA Basics: 2002 Washington and Lee University

Health Care Providers Double Check

• Student Health Centers – physicians, nurses, and other providers

• Counseling Center staff – psychiatrists, clinical psychologists

• Athletic Trainers

ONLY IF THEY TRANSMIT HEALTH INFO. ELECTRONICALLY IN ONE OF THE DEFINED HIPAA TRANSACTIONS

*HIPAA Basics: 2002 Washington and Lee University

Covered Entity – 3. Health Care Clearinghouses

• Entities that process nonstandard information they receive from another entity into a standard format

• They include: billing services, re-pricing companies, community health management information systems, and value-added networks and switches if the entity performs clearinghouse functions.

Evaluate Activity – An Example

• Universities or Colleges may act as clearinghouses by billing third-party payers on behalf of other entities, such as clinics or practice groups, which makes the university/college a HIPAA covered entity.

*HIPAA Basics: 2002 Washington and Lee University

Evaluate Activity – Electronic Health Record

• In and of itself, an electronic health record does not make an institution HIPAA covered; an evaluation of the activities processed through the electronic health record determines whether the entity is HIPAA covered (refer to covered electronic transactions).

• Note: Even where not HIPAA covered, institutions should apply the highest privacy and security safeguards with respect to access, use and transmission of electronic health records.

Business Associates

SUNY and Business Associate Agreements

• SUNY has a standard template for Business Associate Agreements. Please contact SUNY Counsel should you be asked about entering into a Business Associate Agreement.

• Business Associates must use appropriate privacy and security safeguards.

Still have questions….

• Contact your SUNY counsel and they will work with designated campus and System Administration personnel to help you determine which privacy and security regulations apply.

Helpful Training

• Contact your human resources representative to see about GOER training and your access.

• If you have an ability to access the GOER training, please make sure to check out the learning module titled “Privacy and Security of Health Information in New York State”.

SUNY Resources

• Policy 4200 HIPAA

• Policy 6608 Information Security Guidelines

• Privacy and Safety on Campus – A legal framework

HIPAA Resources

• Presentation Source Material
  – U.S. Department of Health and Human Services Office of Civil Rights
    • www.hhs.gov/ocr/privacy
  – HIPAACOW.org
  – HIPAA Basics: Washington and Lee University