Transcript of Client Advisory Seminar Series - Lockton Companies
Tuesday, April 15, 2014
Presented by:
Elizabeth E. Vollmar, J.D.
Compliance Services, Lockton Benefit Group
Client Advisory Seminar Series Spring Semester 2014 HIPAA Privacy and Security Refresher Training
PLEASE NOTE:
The audio portion of this presentation will be broadcast through your PC.
Please DO NOT attempt to dial-in to the webcast on your telephone.
Haven’t Received Your Handouts Yet?
Some spam filters intercept messages sent from our group mail server. If you have not yet received your handouts, please e-mail Shannon Hopfinger and we’ll send a copy of the handouts to you in an individual e-mail.
Questions?
You may submit questions using the Q&A box on your computer screen.
Please wait until we near the end of the presentation—or leave the topic to which your question pertains—before submitting your question.
CEUs?
This presentation has been pre-approved for 1.5 general recertification credit hours toward PHR, SPHR and GPHR recertification through the HR Certification Institute (HRCI).
Please contact [email protected] for the program ID number to use when requesting recertification credits through the HRCI website.
To be eligible to receive credit, you must log on individually so that your attendance may be verified.
Agenda
Why are we doing HIPAA training?
Overview of HIPAA requirements
Entities subject to HIPAA
Information HIPAA protects
Requirements for health plans
Enforcement environment
Compliance strategies
PPACA changes to EDI rules
Why HIPAA Training?
Federal regulations require periodic privacy and security training for staff who may have access to confidential medical information under the employer’s health plan
Training on HIPAA requirements
Training on the specific plan’s policies and procedures for HIPAA compliance
Stiff penalties can apply for non-compliance
No training required for staff who do not need to access confidential medical information under the health plan
But training may help them prevent problems arising from use or disclosure of confidential medical information under the health plan
HIPAA Training Overview
“Administrative Simplification”
HIPAA’s five components:
Portability*
Nondiscrimination (including wellness)*
Privacy (including breach notification)
Data security
EDI**
* We will not discuss
** We will briefly discuss
HIPAA Training Overview
HIPAA Privacy and Security Basics
Privacy
Covered entities may not access, use or disclose protected health information (PHI) except as required or permitted under HHS rules
For permissible purposes specified in regulations, subject to several limitations
As the individual to whom it relates specifically authorizes in writing
To the individual to whom it relates (mandatory, in some cases)
As HHS requests (mandatory)
Many administrative and documentation requirements, including policies and procedures, organizational documents, processes for exercise of individual rights
Violations of privacy rules may trigger breach notifications to those whose information was affected
HIPAA Privacy and Security Basics
Security
Covered entities must implement reasonable safeguards to protect the confidentiality, integrity and availability of electronic PHI (ePHI)
Security management process determines safeguards
Many administrative and documentation requirements, including policies and procedures and organizational documents
The Entities and Plans to Which HIPAA Applies
HIPAA privacy and security rules and regulations apply to “covered entities”
Healthcare providers*
Healthcare clearinghouses*
Healthcare plans
Includes insurance carriers issuing health insurance policies**
Includes plans established by employers that provide virtually any health benefits
For HIPAA purposes, employer plans are treated as separate entities from the sponsoring employer
NOT employers (unless the employer is a healthcare provider)
* We will not discuss
** We will discuss only as related to employer-sponsored health plans
Entities Subject to HIPAA
Entities Subject to HIPAA
Health plans include employer-sponsored –
Medical, dental, vision, EAPs, health FSAs, HRAs, long-term care, wellness, executive physical programs
Insured and self-insured healthcare plans
Contributory, non-contributory, voluntary, major medical, limited medical, ERISA, and non-ERISA healthcare plans
Plans exempt from HIPAA:
Narrow exception for small, self-insured, self-administered programs (fewer than 50 eligible employees or retirees)
On-site clinics are not health plans, but may be providers
STD/LTD, workers’ compensation, life insurance, and retirement plans
Although the health information they receive/use remains highly confidential (other confidentiality requirements apply)
Information that HIPAA Protects
Protected Health Information (PHI)
What information does HIPAA protect?
Health information
Past, present, or future physical or mental health (including genetic information)
Provision of health care
Past, present or future payment for health care
If the information can be tied back to an individual
And if the information is created or received by an employer or a covered entity
Almost all information a health plan uses is PHI
Includes claims payment information (e.g., EOBs and claim reports)
Includes enrollment and participation information (subject to an exception for employers’ use of enrollment information)
Protected Health Information (PHI)
Not ALL individualized health information gets protected—only the information that moves through the healthcare plans
FMLA leave requests
Sick leave requests
Pre-employment screens
Workers’ compensation claims
Return to work notes
STD or LTD applications or claims
Life insurance applications
Anecdotal information and gossip
BUT, when it comes to securing individualized health information, keep it all “top secret”
Does it really matter if confidential information is not PHI?
Plan participants cannot sue (yet) under HIPAA, and the HIPAA enforcement environment (via CMS) is rather benign vis-à-vis health plans
But ramping up…and
Under the law, state attorneys general may sue…
But participants CAN sue to enforce terms of employer-sponsored plan, which must include privacy and security protections if employer receives PHI or e-PHI
Protected Health Information (PHI)
Does it really matter?
So, when it comes to securing individualized health information, from whatever source, keep it all “top secret”
It is an easier approach to apply
May supply some protection against state law problems
But it is also helpful, or comforting, to know that HIPAA’s reach is limited, so we don’t need to sweat the many “HIPAA hassles” with respect to non-PHI
Protected Health Information (PHI)
HIPAA’s Requirements for Health Plans
Health Plan Requirements
Self-insured plans (e.g., HRAs, FSAs, but not HSAs) are subject to the full array of HIPAA requirements
Insured plans: whether the full array of rules applies to employer with fully insured plans depends on whether the sponsor can keep “hands off” the plan’s PHI
If “hands off,” can rely on insurer for most compliance duties
Exceptions –
Enrollment information
De-identified information and summary health information
Information disclosed under an authorization
However, it is not always easy to stay “hands off” . . .
Wellness programs
Internal payment process
Handling requests for claims assistance
Health Plan Requirements
HIPAA requirements for health plans
Privacy and security official(s)
Privacy and security policies and procedures
Security gap analysis and documentation
Firewalls
Training
Administrative procedures and forms
Document retention and recordkeeping requirements
Individuals’ rights with respect to their PHI
Business associate agreements
Privacy notice
Notification duties if breach results in unpermitted use or disclosure of unsecured PHI
Business Associates
Business Associates
A “business associate” is an entity that performs services for the health plan that involve the use of PHI
Examples include a TPA, wellness vendor, broker/consultant, etc.
Regulations require that health plans enter into written contracts with business associates
HHS regulations dictate content of agreement (BAA)
Plan sponsor (employer) and its staff are never a business associate with respect to the employer’s own health plan
But plan document must include provisions imposing similar standards
Business Associates
Rules relating to content of business associate agreements changed September 23, 2013
But, a special rule for BAAs in place on January 25, 2013
If not renewed or modified between March 26, 2013 and September 23, 2013, required amendments delayed until September 23, 2014
Or, if earlier, the date the agreement is renewed or modified on or after 09/23/2013
Privacy Notices
Privacy Notice
Requirements for privacy notice distribution
Distributed at enrollment
Reissued within 60 days of a material change
Electronic delivery OK if person consents
Privacy notice reminder required every three years
Best practice is to distribute annually with open enrollment materials
Breach Notification Requirements
HIPAA Breach Notification Requirements
Notification requirements for breaches of unsecured PHI
Definition of “breach”
Any impermissible acquisition, access, use, or disclosure of PHI is a breach unless the health plan demonstrates that there is a low probability that the PHI has been “compromised” (undefined)
Examples of breaches can include errant e-mails, EOBs, and theft of unencrypted laptops or storage devices, including thumb drives
Documented risk assessment for each potential breach that includes –
Nature and extent of PHI involved, including identifiers and chances of re-identification
Unauthorized person who used the PHI or to whom the disclosure was made
Whether PHI was acquired or viewed
The extent to which the risk to the PHI has been mitigated
HIPAA Breach Notification Requirements
General rule
Plan must provide notice without unreasonable delay and within 60 days of discovery
Notice requirements vary depending on the number affected and ability to find them
Exceptions
Secured = Encrypted or destroyed per HHS requirements
Encryption: Convert data to code requiring a password or key to decipher
Practical advice: encrypt, encrypt, encrypt!
Other exceptions to breach notification requirements may apply, but don’t rely on them
HIPAA Breach Notification Requirements
HIPAA breach notice overview and decision tree
Was there PHI involved?
Was it “unsecured”?
Was there a use or disclosure of the PHI in violation of the HIPAA privacy rules?
Is there a low probability that the protected health information has been compromised?
Is the breach otherwise forgiven (under the “incidental” exceptions)?
Common health plan issues
Wrongful disclosure of PHI
Mailing EOBs to wrong addresses
Theft of laptops, flash drives, PDAs or other hardware containing PHI
HIPAA: Enforcement Environment
Enforcement
Penalties for noncompliance
Civil and criminal actions may be brought by HHS to enforce privacy rules
If HHS fails to act, State AGs may bring civil suits
Health plans and business associates also subject to periodic audits by HHS
Enforcement
Penalties for noncompliance
$100 per violation if person does not know of the violation, up to $25,000 per year for identical violations
$1,000 per violation due to reasonable cause, up to $100,000 per year for identical violations
$10,000 per violation due to willful neglect, up to $250,000 per year for identical violations
$50,000 per violation due to willful neglect where the entity did not correct the problem, up to $1.5 million per year for identical violations
Enforcement
Factors HHS will weigh in determining penalty amounts:
The number of individuals affected
The time period during which the violation occurred
The nature and extent of the harm resulting from the violation, including whether the violation caused –
Physical harm
Financial harm
Reputational harm
Hindrance of an individual’s ability to obtain healthcare
History of prior compliance or noncompliance with the HIPAA rules
Whether financial difficulties affected the ability to comply
Whether the imposition of a civil money penalty would jeopardize the ability of the health plan or business associate to continue to provide, or to pay for, healthcare
Compliance Strategies
Keep it simple (that is, practical)
With respect to information received from or in connection with a health plan, assume it’s PHI, think “Top Secret”
Also assume it’s ePHI, unless spoken in person or hand-written
Use or disclose only as permitted by plan’s policies and procedures
Authorization = HIPAA magic
None of the restrictions apply so long as within the authorization terms
Consider using an authorization whenever an employee asks for assistance
Compliance Strategies
“TPO”
Under HIPAA, plans may use and disclose PHI for treatment, payment, and operations, without authorization
Only the “minimum necessary” PHI for the purpose may be used or disclosed
If disclosing, need to ensure that recipient is entitled to receive PHI for the stated purpose
Compliance Strategies
TPO = Plan purposes for use or disclosure of PHI
Employer (plan sponsor) may only use or disclose PHI as plan permits
Plan may only permit employer to use or disclose for plan administration functions
Only designated employees may access PHI for plan administration functions
Designated employees must be identified in plan document (plans typically do this by referring to job titles)
All other employees need to be walled off from accessing PHI
Compliance Strategies
Keep it simple (that is, practical)
What do the restrictions require?
For each use or disclosure of health plan information, can you cite a valid purpose?
Plans rarely have treatment purposes
Consider what information is needed for the purpose
Can any identifiers be omitted?
Does the identity of a participant matter?
Who are you providing PHI to?
Ensure there are reasonable barriers between the information in your custody, and those who do not have a need to see it—think “defensively”
Compliance Strategies
The practicalities
Acquiring information
Paper, electronic, telephonic, etc.
Where and how received?
What do you do with it when you receive it?
Compliance Strategies
The practicalities
Using information
Paper, electronic, telephonic, etc.
Where and how used?
Who do you share it with internally; how, when, where, and why?
How readily may someone view the information on your desk, computer screen, other location?
Compliance Strategies
The practicalities
Storing information
Paper, electronic, voice mail, etc.
Where and how stored?
Passwords and user IDs must be secure
Paper should be locked up
ePHI should be saved to secure file location
Laptops should be encrypted and tethered under lock and key; keep key separate; avoid maintaining ePHI (including in e-mails) on laptop’s hard drive unless absolutely necessary
Be VERY careful using other portable e-storage devices for storing PHI
Loss of a PDA means any information accessible through it is compromised; use phone locks, etc.
Delete unneeded voice mail, e-mails, etc.
Compliance Strategies
The practicalities
Transmitting information
Paper, electronic, voice mail, etc.
Know who you’re sending it to and know their authority to receive it
How best to transmit paper?
How best to transmit electronically?
Password protect files
Encrypt e-mails
What is being archived, and where?
From where do you place sensitive telephone calls?
Compliance Strategies
The practicalities
Disposing of information
Paper, electronic, voice mail, etc.
Shredding, trashing, deleting
Be careful of electronic storage devices (is the data really deleted?)
Compliance Strategies
The practicalities
When things go wrong
Notify plan’s privacy official, security official or both immediately
They will want to take immediate and aggressive remedial action
“Get the cows back in the barn” if possible
Compliance Strategies
HIPAA and Health Reform
Health Reform and HIPAA
PPACA expands requirements for electronic data interchange (EDI)
Unique health plan identifiers: Must obtain by November 5, 2014, with one year delay for small plans ($5M or less in annual receipts)
All plans must use the HPID in standard transactions beginning November 7, 2016 (no delay for small plans)
“Controlling health plans” are required to obtain an HPID
Appears to include employer-sponsored health plans
Certification of compliance for various electronic transactions required from controlling health plans by December 31, 2015
Questions?
Our Mission
To be the worldwide value and service leader in insurance brokerage, employee benefits, and risk management
Our Goal
To be the best place to do business and to work
www.lockton.com
© 2013 Lockton, Inc. All rights reserved.
Images © 2013 Thinkstock. All rights reserved.