TRANSCRIPT
ERISA Group Health Plans: Complying With Complex HHS Regulations and Leveraging New Guidance
Structuring Privacy Policies, Security Breach Notifications, Business Associate Agreements, and More
Presenting a live 90-minute webinar with interactive Q&A
TUESDAY, MAY 6, 2014
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
Today’s faculty features:
Ryan P. Blaney, Partner, Cozen O’Connor, Washington, D.C.
Tiffany D. Downs, Partner, FordHarrison, Atlanta
ERISA Group Health Plans: Complying with Complex HHS Regulations and Leveraging New Guidance
May 6, 2014
Sponsored by Legal Publishing Group of Strafford Publications
Ryan P. Blaney, Esq. [email protected] (202) 463-2528
Tiffany D. Downs, Esq. [email protected] (404) 888-3961
OVERVIEW OF PRESENTATION
FINAL PRIVACY RULE
• Privacy Requirements and Policies
• Notice of Privacy Practices and Health Plans
• Supplemental Guidance
FINAL SECURITY AND BREACH RULES
• Security Requirements and Policies
• Breach Requirements and Notifications
• Supplemental Guidance
HEALTH PLANS AND BUSINESS ASSOCIATES
• Expanded Rules and Requirements and New Business Associates
• Drafting and Negotiating Business Associate Agreements on Behalf of Health Plans
ERISA GROUP HEALTH PLANS
• Distinctions between Employers, Plan Sponsors and Health Plans
Part I. Final Privacy Rule
A. Privacy requirements and policies
B. Notice of privacy practices
C. Supplemental guidance
YESTERDAY: FAXING and PAPER Medical Records
“Somehow your medical records got faxed to a complete stranger. He has no idea what’s wrong with you either.”
Today: Big Data, Texts, Twitter, Email, Personalized Medicine, Health Shopping
• $3.1 Trillion
• 20% GDP
• 61% U.S. Employees rely on self insured health plans
• 94% self insured plans for employers with more than 5000
• 30% Waste in 2009
• FitBit, Nike+, Health tracking, sleep and food monitoring
1 YEAR LATER: THE “OMNIBUS RULE”
January 25, 2013: HHS implements changes to:
• HIPAA Privacy, Security, and Enforcement Rules
• Interim breach notification guidance
• Certain changes to HIPAA Privacy Rule required by GINA
Compliance Date
• September 23, 2013 deadline for new and non-compliant health plans
• One year extension (September 2014) to update business associate agreements that are in compliance with the prior regulations.
The Definitions Matter!!! What is PHI?
• Protected Health Information (PHI) is individually identifiable health information in all forms – paper, oral, or electronic.
• PHI excludes employment records held by an employer in its role as an employer (e.g., a physician’s note submitted by an employee documenting the reason for an absence from the office).
What is Health Information?
• Health information includes any information created by a health care provider, health plan, employer, school, or university
– that relates to the past, present, or future physical or mental health or condition of the individual,
– the provision of health care to the individual, or
– the past, present or future payment for health care to the individual.
What Makes Health Information “Individually Identifiable”?
• Name
• Dates: birth, admission to hospital, discharge from hospital, death
• Telephone and fax numbers
• Social Security Number
• Account number
• Vehicle identifiers including license plates
• Web URLs and IP address numbers
• Genetic Information
• Geographic unit (certain zip code information excepted)
• Ages over 89
• Email and other addresses
• Medical record numbers and health plan numbers
• Certificate or license number
• Device identifiers and serial numbers
• Biometric identifiers, including finger and voice prints and full face and other identifying photographic images
HIPAA Definitions: Health Plans
• COVERED by HIPAA
– Medical plans
– Dental plans
– Vision plans
– Prescription drug plans
– Retiree medical plans
– ERISA-Covered employee assistance plans
– Health care spending accounts
• NOT COVERED by HIPAA
– Workers’ compensation
– Disability plans
– Accident plans
– Non-ERISA Employee Assistance Plans and Long Term Care Plans
– Life Insurance
A Balancing Act …
• Employee Privacy
• Employee participation
• Employers’ rising health care expenditures
• Available health data on cost and quality
Privacy challenges for health plans
• “The tensions between having employers manage health care coverage and employees wanting to have some private space are crashing into each other … it’s probably going to get worse.”
– Matthew T. Bodie, Law Professor at St. Louis University School of Law, quote from New York Times September 14, 2013 article, “On Campus, a Faculty Uprising Over Personal Data”
Update - Notice of Privacy Practices
• Health plans cannot “substantially” change their HIPAA policies and procedures before updating their Notice of Privacy Practices to reflect those revisions. HHS considers the Omnibus Rule changes to be “substantial.”
– Notices can be delivered by e-mail, if a participant agrees to electronic notice.
– Notices must be distributed upon enrollment to all new participants.
– Participants are entitled to paper copies.
– At least once every 3 years, health plans must remind participants of the availability of the privacy notice.
HIPAA Requires Mandatory Training
• A health plan or its business associate must train the members of its workforce who have access to PHI (HIPAA Personnel) regarding the HIPAA privacy practices and procedures.
– Each must be trained within a reasonable time period after his/her hire date.
General Privacy Rule
• A Covered Entity and its workforce may not use or disclose PHI, except as permitted by the Privacy Rule
• Permitted uses of PHI under the Privacy Rule include:
– treatment, payment, or health care operations
– under a specific authorization from the subject of the PHI,
– as required by law
– in response to a court order
– in response to a subpoena, but only with “adequate assurances” of efforts to secure a protective order or notify the subject of the request
Uses and Disclosures Pursuant to a Valid Authorization
• A written authorization is needed for disclosures that are not for treatment, payment, and healthcare operations.
• To be valid, an authorization must contain very specific information.
• Use or disclosure of PHI must be consistent with the terms of the authorization.
• An authorization can be revoked by written notice.
• An authorization is not required if you must use or disclose PHI to avert a serious threat to health or safety.
“Treatment, Payment, and Health Care Operations”
• Treatment: Providing, coordinating, or managing health care and related services by health care providers
• Payment: Activities to obtain premiums, obtain or provide reimbursement for the provision of health care, or determine the Plan’s responsibility for coverage
• Health Care Operations: General Plan administration, business planning, quality assessments, evaluation of coverage, and case management

• Disclosing PHI to a FMLA administrator so he/she can determine if the Participant is eligible for FMLA leave
• Giving a manager PHI about a Participant’s medical condition so he/she can make employment-related decisions
Minimum Necessary Standard
• Whenever a covered entity uses or discloses PHI or requests PHI from another plan or a physician, it “must make reasonable efforts to limit [PHI] to the minimum necessary to accomplish the intended purpose of the use, disclosure or request”
– Exceptions to Minimum Necessary Standard:
• Disclosure is to the individual who is the subject of the PHI
• Disclosure is to a health care provider for treatment purposes
• Disclosure is pursuant to the individual’s authorization
• Disclosure is for certain legal purposes
De-identified Health Information – Health Plans Need More Clarity
• Limitations on use and disclosure of PHI do not apply to “de-identified health information”
• Redacting names and other identifying information does not render information “de-identified” under HIPAA.
• De-identification requires:
– determination by a person with “appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable” that there is a small risk that information could be used alone or with other information to identify the subject, or
– removal of 18 types of information
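As an added example (not from the presenters' slides), the "removal of 18 types of information" route applied to a constructed plan record, using the identifier types listed on the earlier "Individually Identifiable" slide: listed identifier fields are dropped, dates keep only the year, ZIP codes keep a three-digit prefix (or become 000 for sparsely populated areas), and ages over 89 collapse to "90+" together with the birth year that would reveal them. A second function then scans the free text that survives, which is exactly where redacting structured fields alone falls short. Field names, the sample record and the short ZIP-prefix list are assumptions made for this example.

```python
import re
from datetime import date

# Field names used for the constructed record (assumed for this example).
# They map onto the slide's identifier types: names, contact numbers and
# addresses, SSN, record/plan/account numbers, licences, vehicle and
# device identifiers, URLs/IP addresses, biometrics and photographs.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "street_address", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}

# Three-digit ZIP prefixes reported as "000" because the area they cover
# holds 20,000 or fewer people. Illustrative subset only; a real
# implementation takes the list from current Census data.
SMALL_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821"}

# Patterns that show an identifier survived inside free text.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}


def generalize_zip(zip_code):
    """Keep the first three digits unless the prefix is on the small-area list."""
    prefix = zip_code[:3]
    return "000" if prefix in SMALL_ZIP3 else prefix


def deidentify(record):
    """Return a copy of `record` with the listed identifiers removed or generalised."""
    over_89 = record.get("age", 0) > 89
    out = {}
    for field_name, value in record.items():
        if field_name in DIRECT_IDENTIFIERS:
            continue                                   # dropped outright
        if field_name == "zip":
            out[field_name] = generalize_zip(value)
        elif isinstance(value, date):
            # Dates tied to the person keep only the year; the birth date of
            # someone over 89 would reveal that age, so it goes entirely.
            if field_name == "dob" and over_89:
                continue
            out[field_name] = str(value.year)
        elif field_name == "age":
            out[field_name] = "90+" if over_89 else value
        else:
            out[field_name] = value
    return out


def residual_identifiers(record):
    """List (field, kind) pairs where free text still looks like an identifier."""
    found = []
    for field_name, value in record.items():
        if not isinstance(value, str):
            continue
        for kind, pattern in RESIDUAL_PATTERNS.items():
            if pattern.search(value):
                found.append((field_name, kind))
    return found


# Constructed sample record; no real person is described.
SAMPLE_RECORD = {
    "name": "Jane Roe",
    "ssn": "123-45-6789",
    "email": "jane.roe@example.com",
    "zip": "02139",
    "dob": date(1919, 11, 30),
    "age": 94,
    "admitted": date(2014, 3, 2),
    "diagnosis": "E11.9",
    "notes": "Member called from 617-555-0100 on 05/06/2014 about a refill.",
}

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_RECORD)
    print(cleaned)
    print("still identifying:", residual_identifiers(cleaned))
```

Run as a script, the cleaned record contains no name, SSN, e-mail or birth date, but `residual_identifiers` still flags the phone number and full date inside `notes`: structured-field redaction alone does not meet the slide's standard, which is why the free-text pass (or the expert-determination route) is needed before the data leaves the plan.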
Individual Rights Under HIPAA
• Access to PHI – the right to access and copy most PHI that is part of the records maintained by or for the health plan
• Amendment of PHI – the right to amend most PHI that is created by or on behalf of the health plan
• Accounting of disclosures of PHI – the right to a list of certain disclosures of PHI made by the Plan for the previous 6 years (generally does not include permitted or required disclosures)
• Confidential Communications of PHI – the right to receive communications of PHI by other means or at a different location if the normal method could endanger the participant.
• Restrictions on the Use and Disclosure of PHI – the right to request restrictions on the use and disclosure of the participant’s PHI.
Individual Rights: Anti-Retaliation
• Anti-Retaliation Policy: Health plans are prohibited from intimidating, threatening, coercing, discriminating against or taking any retaliatory action against a participant for exercising his or her rights under HIPAA
• Waiver Policy: Participants may not be required to waive their rights under HIPAA in order to receive Plan benefits or treatment.
Part II. Final Security and Breach Rules
A. Security Requirements and Policies
B. Breach Requirements and Notifications
C. Supplemental Guidance
HIPAA Security Rule
• Addresses the security of electronic Protected Health Information (PHI):
– Which is Individually Identifiable Health Information that is transmitted or maintained in electronic, written, or oral form.
HIPAA Security Rule
• Security Rule standards include the following safeguards:
– Administrative – policies and procedures
– Technical – devices and equipment
– Physical – facilities, workstations, etc.
• Implementation specifications:
– Required (R)
– Addressable (A)
Administrative Safeguards
• Security Management Process
– Risk analysis (A)
– Risk management (R)
– Sanctions (R)
– Information System Activity Review (sign-on/sign-off activity; unsuccessful log on attempts) (R)
• Security Officer (R)
Administrative Safeguards
• Workforce Security
– Authorization and/or supervision (A)
– Workforce clearance procedures (background checks) (A)
– Termination procedures (disable user ID and password) (A)
• Information Access Management
– Access authorization (controlled by user ID and password) (A)
– Access establishment and modification (A)
Security Rule Safeguards
• Security Awareness and Training
– Security reminders (training) (A)
– Protection from malicious software (anti-viral software/firewall) (A)
– Log-in monitoring (report suspicious activity) (A)
– Password management (change periodically) (A)
• Security Incident Procedures (response and reporting) (R)
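To show what the "Information System Activity Review (sign-on/sign-off activity; unsuccessful log on attempts)" and "Log-in monitoring (report suspicious activity)" items look like when actually carried out, here is an added example (not from the presenters' slides) that reviews a constructed authentication log and reports three things a plan's security officer would want surfaced: a burst of failed logons on one account, a successful sign-on outside business hours, and a success that immediately follows a failed burst. The log format, account names, threshold, window and business hours are all assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 5              # failed logons per account within WINDOW (assumed)
WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = range(7, 20)      # 07:00-19:59 treated as normal hours (assumed)

# Constructed log lines in an assumed "<date> <time> <event> key=value ..." format.
SAMPLE_LOG = """\
2014-05-06 08:02:11 LOGON_SUCCESS user=tdowns src=10.1.4.22
2014-05-06 08:15:40 LOGON_FAILURE user=rblaney src=10.1.4.31
2014-05-06 08:15:52 LOGON_SUCCESS user=rblaney src=10.1.4.31
2014-05-06 23:41:05 LOGON_FAILURE user=claims_admin src=203.0.113.9
2014-05-06 23:41:09 LOGON_FAILURE user=claims_admin src=203.0.113.9
2014-05-06 23:41:14 LOGON_FAILURE user=claims_admin src=203.0.113.9
2014-05-06 23:41:20 LOGON_FAILURE user=claims_admin src=203.0.113.9
2014-05-06 23:41:27 LOGON_FAILURE user=claims_admin src=203.0.113.9
2014-05-06 23:42:01 LOGON_SUCCESS user=claims_admin src=203.0.113.9
2014-05-06 23:50:10 LOGOFF user=claims_admin src=203.0.113.9
"""


def parse(line):
    """Split one log line into a dict with a real timestamp."""
    parts = line.split()
    stamp = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    fields = dict(p.split("=", 1) for p in parts[3:])
    return {"time": stamp, "event": parts[2], "user": fields["user"], "src": fields.get("src")}


def review(log_text):
    """Return (finding, user, time) tuples in the order they are detected."""
    findings = []
    recent_failures = defaultdict(list)   # user -> failure times still inside WINDOW
    last_burst = {}                       # user -> time the failure threshold was crossed
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        user, when = ev["user"], ev["time"]
        if ev["event"] == "LOGON_FAILURE":
            window = [t for t in recent_failures[user] if when - t <= WINDOW]
            window.append(when)
            recent_failures[user] = window
            if len(window) == FAILURE_THRESHOLD:       # report once, at the crossing
                findings.append(("failed_logon_burst", user, when))
                last_burst[user] = when
        elif ev["event"] == "LOGON_SUCCESS":
            if when.hour not in BUSINESS_HOURS:
                findings.append(("after_hours_logon", user, when))
            if user in last_burst and when - last_burst[user] <= WINDOW:
                findings.append(("success_after_failed_burst", user, when))
            recent_failures[user] = []                 # a successful sign-on resets the count
    return findings


def report(findings):
    """Render findings as one line each, ready for the security officer's review."""
    return ["%s %s %s" % (when.isoformat(sep=" "), kind, user) for kind, user, when in findings]


if __name__ == "__main__":
    for line in report(review(SAMPLE_LOG)):
        print(line)
```

On the sample log the single failed attempt by rblaney followed by a success at 08:15 produces nothing, while claims_admin generates all three findings at 23:41-23:42. A periodic run of this kind, with its output retained, is the documented "activity review" the Required specification asks for; the thresholds belong in the plan's written procedure, not in code alone.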
Security Rule Safeguards
• Contingency Plans
– Data backup (nightly? weekly?) (R)
– Disaster recovery (R)
– Emergency mode operation (R)
– Testing and revision procedures (A)
– Applications and data criticality analysis (A)
• Evaluation
Physical Safeguards
• Facility Access
– Contingency operations (A)
– Facility security plan (badge readers, alarm system) (A)
– Access control and validation procedures (escort visitors) (A)
– Maintenance records (A)
• Workstation Use (automatic screensavers)
Physical Safeguards
• Workstation Security (shut down procedures)
• Device and Media Controls
– Disposal (delete or purge PHI first) (R)
– Media Re-use (delete or purge PHI first) (R)
– Accountability (A)
– Data Backup and Storage (A)
Technical Safeguards
• Access Controls
– Unique User Identification (do not share user ID or passwords) (R)
– Emergency Access Procedure (R)
– Automatic Logoff (mandatory screen savers and shut down procedures) (A)
– Encryption and decryption (alternative: passwords for smart phones and laptops) (A)
• Audit Controls
Technical Safeguards
• Data Integrity
• Person or Entity Authentication
• Transmission Security
– Integrity Controls (A)
– Encryption and decryption (for emails or file transfers containing PHI) (A)
Summary of PHI Safeguards
• Printed Documents
• Faxes
• Electronic Information
• Verbal Communications
• Storage and Destruction
• Secure Facilities and Equipment
Breach Rules: New Definition of Breach
• What is considered a “Breach”?
• Presumption of breach unless a 4 factor risk assessment demonstrates a low probability that PHI has been compromised
• Burden shifted to CE or BA to show notice not required
What is a Breach?
• Applies to “Unsecured” PHI
– PHI is unsecured if HHS-approved methodology has not been used to render the PHI unusable, unreadable, or indecipherable to unauthorized individuals; AND
– PHI is “accessed, acquired, or disclosed” by or to an unauthorized individual as a result of a breach.
– HHS-approved methodology includes only:
• Encryption (for electronic PHI)
• Destruction (for electronic and paper PHI)
Exceptions to Breach
• Disclosure of PHI to an unauthorized person believed unable to retain the information (because it is encrypted or password protected);
• Any unintentional acquisition, access or use of PHI by a workforce member or person acting under the authority of a plan sponsor, if made in good faith and within the scope of their authority and it does not result in further use or disclosure in violation of the Privacy Regulations;
• Any inadvertent disclosure by a person who is authorized to access PHI at the plan sponsor to another person authorized to access PHI, where the information is not further used or disclosed in a manner not permitted under the Privacy Regulations.
Breach Risk Assessment
– Breach is presumed unless the plan sponsor demonstrates that there is a low probability that the PHI has been compromised, relying on at least the following factors:
• Nature and Extent: The nature and extent of the PHI involved, including the types of identifiers and likelihood of re-identification;
• Identity: The unauthorized person who used the PHI or to whom the disclosure of PHI was made;
• Whether the PHI was actually viewed or acquired or, alternatively, whether only the opportunity existed for the information to be viewed or acquired; and
• Mitigation: The extent to which the risk to the PHI has been mitigated.
What to do if a Breach Occurs?
• Notify the HIPAA Privacy and Security Officer.
• Determine notice obligations and mitigation strategies.
• Improper disclosure of PHI or failure to follow privacy and security procedures could result in disciplinary action.
Breach Notifications
• Individual Notice: Covered Entities must notify affected individuals following the discovery of a breach of unsecured protected health information in written form by first-class mail, or by e-mail if the affected individual has agreed to receive such notices electronically.
• Media Notice: Covered Entities that experience a breach affecting more than 500 residents of a State or jurisdiction are also required to provide notice to prominent media outlets serving the State or jurisdiction.
• Notice to the Secretary: In addition to notifying affected individuals and the media (where appropriate), covered entities must also notify the Secretary of Health and Human Services of all breaches of unsecured protected health information. If a breach affects 500 or more individuals, Covered Entities must notify the Secretary without unreasonable delay and no later than 60 days following a breach; if a breach affects fewer than 500 individuals, Covered Entities must notify the Secretary on an annual basis, no later than 60 days after the year in which the breach occurred.
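The decision sequence of the last four slides (is the PHI unsecured, does one of the three exceptions apply, did the four-factor assessment document a low probability of compromise, and if not, which notices follow from the 500-individual thresholds) carried through in code, as an added example that is not part of the presenters' material. It returns who must be notified and by when, and makes the threshold boundary visible: a breach affecting exactly 500 residents of one State requires notice to the Secretary without delay but no media notice, because the media rule needs more than 500. The data structure, the exception labels, the sample incidents, and the choice to count the 60 days from the date of discovery (the regulation's trigger; the slide says "following a breach") are assumptions made for this example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Optional

NOTICE_DAYS = 60   # outer limit stated on the slide for notice to the Secretary

# The three exceptions from the "Exceptions to Breach" slide (labels assumed).
EXCEPTIONS = {
    "recipient_cannot_retain",               # encrypted / password protected, recipient cannot use it
    "good_faith_workforce",                  # unintentional, in scope, no further disclosure
    "inadvertent_authorized_to_authorized",  # authorized person to authorized person
}


@dataclass
class Incident:
    discovered: date
    secured: bool                      # HHS-approved encryption or destruction applied?
    exception: Optional[str] = None    # one of EXCEPTIONS, or None
    low_probability: bool = False      # documented conclusion of the four-factor assessment
    affected_by_state: Dict[str, int] = field(default_factory=dict)   # State -> residents affected


def is_reportable_breach(inc):
    """Walk the slides' sequence: secured? exception? low probability? else presumed breach."""
    if inc.secured:
        return False, "PHI was secured by an HHS-approved method, so it is not unsecured PHI"
    if inc.exception in EXCEPTIONS:
        return False, "exception applies: " + inc.exception
    if inc.low_probability:
        return False, "four-factor assessment documented a low probability of compromise"
    return True, "breach presumed; the burden is on the plan to show otherwise"


def notification_obligations(inc):
    """Return the notices owed as (recipient, how, deadline) tuples."""
    reportable, reason = is_reportable_breach(inc)
    result = {"breach": reportable, "reason": reason, "notices": []}
    if not reportable:
        return result
    deadline = inc.discovered + timedelta(days=NOTICE_DAYS)
    result["notices"].append(("individuals",
                              "written notice by first-class mail, or e-mail if the individual agreed",
                              deadline))
    for state, count in inc.affected_by_state.items():
        if count > 500:            # media notice needs MORE than 500 residents of one State
            result["notices"].append(("media:" + state,
                                      "prominent media outlets serving the State", deadline))
    total = sum(inc.affected_by_state.values())
    if total >= 500:               # Secretary: 500 or more, without unreasonable delay
        result["notices"].append(("secretary", "without unreasonable delay", deadline))
    else:                          # fewer than 500: annual submission, 60 days after year end
        year_end = date(inc.discovered.year, 12, 31)
        result["notices"].append(("secretary", "annual submission",
                                  year_end + timedelta(days=NOTICE_DAYS)))
    return result


# Constructed sample incidents (no real events described).
SAMPLE_ENCRYPTED_LAPTOP = Incident(discovered=date(2014, 5, 6), secured=True,
                                   affected_by_state={"DC": 1200})
SAMPLE_MISDIRECTED_MAILING = Incident(discovered=date(2014, 5, 6), secured=False,
                                      affected_by_state={"GA": 500})
SAMPLE_SINGLE_FAX = Incident(discovered=date(2014, 5, 6), secured=False,
                             affected_by_state={"GA": 1})

if __name__ == "__main__":
    for name, inc in [("encrypted laptop", SAMPLE_ENCRYPTED_LAPTOP),
                      ("misdirected mailing", SAMPLE_MISDIRECTED_MAILING),
                      ("single fax", SAMPLE_SINGLE_FAX)]:
        r = notification_obligations(inc)
        print(name, "->", r["reason"])
        for recipient, how, when in r["notices"]:
            print("   ", recipient, "by", when.isoformat(), "(", how, ")")
```

The lost encrypted laptop yields no notices at all, since encryption is one of the two HHS-approved methods; the 500-person mailing error owes individual and Secretary notices by 5 July 2014 but no media notice; the single misdirected fax still owes individual notice and goes on the annual log due 1 March 2015. The `reason` string is worth keeping with the incident record, because the slides put the burden of showing that notice was not required on the plan.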
Supplemental Guidance
• Disclosures for Emergency Preparedness
• Refill Reminders and Other Communications
• Health Information of Deceased Individuals
• Others …
Part III. Business Associate Requirements
A. Expanded Rules and Requirements and New Business Associates
B. Drafting Requirements for Business Associate Agreements
What is a Business Associate (“BA”)?
• Definition:
– A person who (i) performs for or on behalf of a covered entity, or assists a covered entity, in performing an activity or function involving use or disclosure of health information (e.g., claims processing, utilization review, billing), or (ii) provides legal, actuarial, accounting, management, administrative, accreditation or financial services where the provision of such services involves the disclosure of health information from the entity or another business associate of the entity
• Includes anyone with health information from your health plans (could include attorneys, consultants, third party administrators, auditors, computer software service companies)
• Includes: Benefits Brokers and others
January 25, 2013 Omnibus Rule Changes to BA
• HHS published a Final Omnibus Rule on January 25, 2013 that expanded the definition of Business Associates to include Health Information Organizations, E-prescribing Gateways, entities that provide data transmission services for PHI and who require routine access to such PHI, and personal health record vendors.
What are the Business Associate Rules?
• General Rules
– Need specific HIPAA-dictated language in a contract with all business associates
– Business Associate Agreement must be written.
– Must include language that specifically says that the BA will ensure that individual’s HIPAA rights are followed.
Continued …
• Under HITECH all of the HIPAA rules apply directly to business associates, including penalties
– Previously, HIPAA applied only to “covered entities” – health plans, health care providers, and clearinghouses
– HIPAA applied indirectly to business associates – through business associate agreements
Tips for Drafting & Negotiating BAAs
• Reporting requirements and timing (the parties can and should agree on shorter periods)
• Review the underlying services agreement and modify the services agreement and BAA to be consistent
• Agency and subcontractor provisions
• Indemnification clauses
• Breach notification costs and responsibilities
• Termination and destruction of PHI
Part IV. Distinctions between Employer, Plan Sponsor, and Group Health Plans
Who is Subject to HIPAA?
• Employer
• Plan Sponsor
• Group Health Plan
HIPAA COVERED ENTITIES
• Health Care Clearinghouses
• Health Care Providers - who transmit any health information in electronic form
• Health Plans - whether insured or self-funded which have:
– 50 or more participants; OR
– are administered by an entity other than the employer
Covered Health Plans
Examples of benefits subject to HIPAA:
• Health (Medical)
• Dental
• Vision
• Health Care Flexible Spending Account
• Long Term Care
• Employee Assistance Program (in some cases)
Entities Not Subject to HIPAA
• Employers performing employer functions (e.g. FMLA, drug testing, sick leave, ADA, OSHA, fitness for duty, and return to work physicals) – But, may need authorization to obtain records
• Life, Disability, and Workers’ Compensation Insurers
• On-site Medical Clinics
Employment Records Exception
HIPAA excludes employment records from the definition of protected health information. A covered entity must use a functional test in determining whether a record is an employment record.
Employment Records Test
• Functional Test: How was this information created or received? Was it created and received in health plan capacity or employer capacity?
• NOTE: Employment records are subject to protection under the ADA, FMLA and GINA
Discussion Scenarios
• Requests for Leave
• Pre-employment physicals
• Requests for Accommodations
HINT: Not Subject to HIPAA
Disclosures to Employers
• Summary health information (for renewal purposes)
• Enrollment information (for payroll deduction)
• To disclose any other PHI to employer, plan documents must contain specific privacy protections (firewall)
• Employer may not use PHI to make employment related decisions or for other benefit plans
Self Insured vs. Fully Insured
• Self Insured plans – All privacy rule requirements apply
• Insured plans – “Hands on” – plan sponsor receives PHI in addition to summary health information and participation information
• Must maintain privacy notice and provide upon request
Self Insured vs. Fully Insured
• Insured plans
– “Hands off” – plan sponsor does not receive PHI other than summary health information and participation information
• No privacy notice required
• No administrative requirements except retaliation and waiver
– No exemption from Security Rule requirements
Questions?
Ryan P. Blaney, Esq., Cozen O’Connor, Washington, DC, [email protected], (202) 463-2528
Tiffany D. Downs, Esq., FordHarrison, Atlanta, GA, [email protected], (404) 888-3961