TRANSCRIPT
May 2, 2002 (updated 11/02/02)
HIPAA Basics: 2002 Washington and Lee University
HIPAA: Understanding the Basics
Presenters
Leanne Shank, Esquire, University Counsel
Jennifer Kirkland, Esquire, Office of University Counsel
Washington and Lee University, Lexington, Virginia
HIPAA: The Basics
What is it? Why should you care? How might it affect your institution? What steps should you take to determine your institution’s exposure and to comply?
NOTE: This presentation is geared toward institutions without academic medical centers.
Health Insurance Portability and Accountability Act of 1996
Kennedy-Kassebaum Bill -- amended the Social Security Act to allow for portability of health insurance (immediate qualification for comparable coverage upon change of employment).
Congress desired to promote Electronic Data Interchange to facilitate this portable health insurance and to reduce administrative costs of health care.
A Little Congressional Humor: “ADMINISTRATIVE SIMPLIFICATION” 42 U.S.C. 1320d-1 et seq.
Title II, Subtitle F, Part C of HIPAA
• Gives HHS (Department of Health and Human Services) authority to mandate (1) transaction standards and code sets for electronic exchange of health care data, as well as (2) privacy and (3) security measures for personally identifiable health information.
• Also provides for required use of national identifiers for providers, employers/sponsors, payers/plans, and patients (patient identifier shelved).
• Substantial penalties for non-compliance.
Transaction Regulations
Designed to ensure format and content standardization in certain specific financial and administrative health care transactions conducted electronically.
NOTE: it is important that you familiarize yourself with what types of transactions are governed by the transaction regulations – not every health care transaction is covered – only those defined in the regulations.
45 CFR Part 162, Subparts K through R.
Privacy Regulations
Designed to establish a federal regulatory framework to promote the privacy of health information among entities covered by HIPAA, and those acting on their behalf.
Regulations restrict the use and disclosure of protected identifiable health information, provide for patient access to such information, and mandate administrative safeguards to promote privacy of protected health information.
Security Regulations
Not yet finalized! (Rumored for Dec. ’02)
Designed to establish a federal standard for the protection of health information maintained or transmitted electronically.
Require administrative, technical and physical safeguards for storage, transmission, and access.
Is Your Institution, or any part of it, Covered by HIPAA? By any or all of the Transaction, Privacy and/or Security Regs?
DON’T ASSUME HIPAA OR THE SEPARATE SETS OF REGULATIONS APPLY TO THE COLLEGE OR UNIVERSITY AS A WHOLE!
Campus Entities That Are NOT “Covered Entities” Per Se without further analysis:
• Colleges
• Universities
• Employers
• Supervisors and Administrators
• All University Insurance Plans
• Health Care Providers (physicians, nurses, counselors, athletic trainers)
What is a “Covered Entity” under HIPAA?
• Health Plan
• Health Care Provider who transmits any health information in electronic form in connection with a HIPAA transaction [May be broader under proposed security regulations]
• Health Care Clearinghouse (converts non-standard transactions to or from standard format)
42 U.S.C. 1320d-1, 45 CFR 160.103
Use the CMS Covered Entity Decision Tools to Help Determine Your Campus Coverage
http://www.cms.hhs.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp
This site will walk you through a series of questions with respect to your health care providers and health plans to assist you in determining if your campus will be covered under HIPAA.
Health Plan
“An individual or group plan that provides, or pays the cost of, medical care. . .”
INCLUDES (singly, or in combination):
• Group health plans (ERISA plans), insured AND self-insured, providing medical care for employees or dependents
Plans with fewer than 50 participants that are administered in-house by the employer are excluded from this definition.
• Health insurance issuers and HMOs
Health Plan (cont’d.)
• Medicare, Medicaid, Veterans, CHAMPUS, and other federal and state health plans outlined in regulations
• Issuers of long-term care policies, excluding nursing home fixed-indemnity policies
• Any other individual or group plan providing or paying for the cost of medical care.
• 42 U.S.C. 1320d, 45 CFR 160.103
Plans Not Covered By HIPAA
Plans, policies, or programs to the extent they pay for excepted benefits:
• Coverage only for accident
• Disability income insurance
• Coverage supplementing liability insurance
• Liability insurance, including general and auto
• Workers’ compensation insurance
• Automobile medical payment insurance
• Coverage for on-site medical clinics
• 42 U.S.C. 300gg-91(c)(1)
Examples of Covered Health Plans in the College or University Setting
• Employee group health plan (fully/self-insured)
• Employee group dental plan (fully/self-insured)
• Employee group vision plan (fully/self-insured)
• Employee flexible spending account
• Employee Assistance Plan (for other than on-site clinic)
• Retiree health plan (fully/self-insured)
• Student health (fully/self-insured) (for other than on-campus clinic)
Examples of Non-Covered Plans in a College or University Setting
• NCAA intercollegiate accident policy
• Employee long-term disability policy
• Employee life insurance policy
• Employee workers’ compensation coverage
• Student health fee for on-site student health and counseling services
Is This Example a Health Plan?
University has a private psychiatrist on retainer, to evaluate students on a one-time referral from University physician/counselors when behavioral concerns arise. University pays psychiatrist directly for these sessions out of student health and counseling budget. Is this practice a “health plan” under HIPAA?
Presenter takes the position that this is not a covered health plan, but a contractual extension of the excluded on-site clinic exemption under HIPAA. (Note: this is the presenter’s opinion, not an official HHS response.)
“Plan Sponsor”
Defined only under the privacy regulations, as the employer or other entity that establishes and maintains a group health plan. (ERISA only? 45 CFR 164.501)
Employers and other Plan Sponsors are NOT covered entities under HIPAA, per se. However, Plan Sponsors do have certain specific obligations under the Privacy Regulations.
As a practical matter, employer-sponsored health plans have no employees and exist only as plan documents. So the employer/plan sponsor/plan administrator may need to ensure compliance, particularly with self-insured plans.
Endorsed vs. Sponsored Plans
Question: A university endorses one student health insurance policy and allows that insurer to market the policy as the College Sponsored Student Health Plan. There is no contractual relationship between the college and the insurer, and the students apply, pay premiums, and file claims on their own. Is the college a Plan Sponsor for HIPAA?
No. First, the concept of a plan sponsor as defined appears to apply only to ERISA plans. Second, the college has not undertaken any responsibility to pay any premiums or subject itself to any other liability under the policy. It is acting only as endorser and liaison between insurer and student. Under these circumstances, the college is not a HIPAA plan sponsor of this plan. (Presenter’s opinion)
“Health Care Providers”
Health care providers are only covered under HIPAA IF they electronically transmit any health information in connection with one of the specifically defined HIPAA transactions. [May be broader under proposed security regulations]
42 U.S.C. 1320d-1, 45 CFR 160.103
According to HHS FAQs, paper-to-paper faxing (NOT sent via/to computer, but by telephone fax) is NOT electronic transmission under HIPAA, nor are phone mail/voice faxback systems.
Size of health care provider is irrelevant to coverage – there is no small provider exception.
HIPAA Transactions
The following administrative and financial health care transactions are the HIPAA transactions required to be processed as “standard transactions” by covered entities (see definitions at 45 CFR Part 162, Subparts K-R):
• Health care claims and encounters
• Enrollment and disenrollment in a health plan
• Eligibility for a health plan
• Health care payment and remittance advice
• Health plan premium payments
• Health claim status
• Referral certification and authorization
• Coordination of benefits
• First report of injury (to be adopted later)
• Claims attachments (to be adopted later)
HIPAA Transactions (cont’d.)
If a health care provider transmits any of these transactions electronically, that health care provider is a covered entity. E.g., if your student health center bills student insurance electronically, or bills summer campers’ insurance electronically, or sends referral authorizations to insurers electronically, it has become a covered entity.
It appears from HHS comments that “in connection with” means as a part of the covered transaction itself, not merely in communications in any way related to a covered transaction (e.g., electronically submitting a claim as opposed to emailing with a question about how to transmit a claim).
Look Closely at the Definitions of HIPAA Transactions
Do not assume that you know what the listed transactions include. They are specifically defined, and most specifically pertain only to transactions to/from health providers from/to health plans.
E.g., student health centers that only bill student accounts, not third-party payers. This is direct billing of the patient under an excluded plan covering on-site clinic services, not a “claim” to a covered health plan. Thus, this sort of account billing is not a HIPAA transaction.
More Examples of non-HIPAA Triggering Transactions
E.g., an email from one doctor to another doctor regarding a patient’s treatment is not a HIPAA transaction to trigger coverage as a “covered entity” or require standard formatting.
E.g., a flexible spending account plan does not involve claims from health providers to the plan, but merely direct reimbursement of the employee, so though the plan is a covered plan, it conducts no HIPAA “claims” required to be standardized.
Health Care Providers that May Be Covered in a College or University Setting
• Student Health Centers – physicians, nurses, and other providers
• Counseling Center staff – psychiatrists, clinical psychologists
• Athletic Trainers
ONLY IF THEY TRANSMIT HEALTH INFO. ELECTRONICALLY IN ONE OF THE DEFINED HIPAA TRANSACTIONS [May be broader under proposed security regulations]
Health Care Clearinghouse
An entity that takes non-standard health care transactions and converts them into standard form.
Some college and university health care providers or plans may use these entities in administering their health services or plans. Others may act as clearinghouses by billing third-party payers on behalf of other entities, such as clinics or practice groups.
Business Associates
Persons or entities that perform functions or activities on behalf of a covered entity, but that are not part of the covered entity’s workforce. 45 CFR 160.103
Business Associates do not thereby become covered entities, but may be in their own right.
E.g., Third-Party Administrators are business associates that perform claims administration functions for self-insured health plans.
E.g., External Billing Services are business associates that perform functions on behalf of covered health care providers, but are not themselves covered entities.
Threshold Question: Are You Covered under HIPAA?
• Determine whether your college or university maintains any covered health plans.
• Determine whether your college or university has any covered health care providers.
• Survey appropriate individuals in offices dealing with these areas: financial, personnel, business, student health, counseling, trainers, etc.
Survey the business associates of any health plans and health providers to determine whether they engage in HIPAA transactions and the extent to which they use/disclose health information.
HIPAA Transaction Regulations: Overview
Designed to bring about the standardization of electronic exchange of health care information between health plans, providers, and their business associates, in certain specific key financial and administrative transactions. BE SURE YOU DETERMINE WHETHER ANY COVERED ENTITY ENGAGES IN ANY OF THESE TRANSACTIONS.
Transaction Regulations
HHS has adopted national standards and code sets (medical and administrative) that must be used in the electronic exchange of health information in connection with the HIPAA Transactions. 45 CFR Part 160 and 45 CFR Part 162.
All health plans, and covered health care providers that conduct HIPAA Transactions electronically, must use the transaction standards.
All health plans must assure that their business associates (e.g., Third-Party Administrators) comply with the transaction standards.
Transaction Regulations (cont’d.)
Health plans MUST be able to conduct transactions as standard transactions upon request, though they may use a clearinghouse or other business associate (such as a Third-Party Administrator) to do so.
Plan Sponsors are NOT required to submit HIPAA transactions (e.g., enrollment and premium submissions) using the standards, because they are NOT covered entities.
Covered health care providers do NOT have to transmit any of the transactions electronically; but if they do so, they must use the standard transactions.
Transaction Regulations Compliance Deadline
Deadline for compliance with Transactions Regulations has been extended to October 16, 2003 for covered entities IF, by October 16, 2002, they filed a compliance extension plan. (HR 3323)
Small health plans (with annual receipts of $5 million dollars or less) need not file any extension – their original compliance deadline remains as October 16, 2003.
Information on correction/clarification of extension filings can be accessed at: http://www.cms.gov/hipaa.
What if You Failed to File an Extension?
First, be sure you are a covered entity and subject to the earlier deadline, not the extended deadline for small health plans.
Covered Health Plans should contact their insurers to determine if insurers filed for extensions on behalf of the covered plans.
For self-insured plans, Third-Party Administrators are not covered entities, and so were not obligated to file for extensions. However, some TPAs may have voluntarily filed for their self-insured plans, so check to see if this was done.
Privacy Regulations: Overview
Designed to protect patient rights by providing patient access to protected health information, restricting use of that information, and creating a nationwide framework for health privacy protection.
Status of Privacy Regulations
NOTE: Privacy Regulations became effective April 14, 2001, and amendments were finalized August 14, 2002.
For compliance deadlines, see slide #62.
Application of Privacy Regulations
Various parts of the privacy regulations will apply to the following entities with respect to protected health information:
• Health plans and health clearinghouses
• Health care providers who transmit health information electronically in a HIPAA transaction
• Plan sponsors of group health plans
Covered entities must ensure that their business associates who create or receive protected health information comply with the privacy regulations by written contract or agreement requiring specific assurances. 45 CFR 164.502, -504, -532.
“Protected Health Information”
Individually identifiable health information (diagnosis, condition, treatment, payment) transmitted or maintained in any medium, including oral or hardcopy, not limited to electronic media. 45 CFR 164.501
In other words, if you are a covered entity with protected health information, these regulations apply to all forms of such records and information.
IMPORTANT EXCLUSIONS: student health information and employment records.
Student Health Information Exclusion
• Education records covered by FERPA, and
• Records of students held by colleges and universities used exclusively for health care treatment and which have not been disclosed to anyone other than a health care provider at the student’s request. (These are specifically excluded from the definition of “education records.”) 45 CFR 164.501
HHS expressly determined that it was not going to preempt FERPA, because FERPA provided a privacy framework for student records. So, if the records fit within the “HIPAA FERPA” exception, must apply FERPA.
Employee Records Exclusion
Contained in the finalized amendments to the privacy regulations.
Excludes from protected health information employment records held by a covered entity in its role as employer. 45 CFR 164.501
E.g., covered university physician or benefits office maintaining employee records regarding requested disability accommodation, FMLA, or on the job drug testing. However, the records kept on employee health plan participation and claims, as well as medical treatment of employees by any college/university health care providers who are covered entities, are PHI.
Disclosure of PHI Restricted
Covered entities allowed to disclose without authorization for treatment, payment, and health care operations (see regulations for specific definition of these terms). 45 CFR 164.506
Amended regulations remove requirement for health care providers to get general consent, allow for acknowledgement of notice on privacy practices at time of first visit.
Covered entities allowed to disclose otherwise with written authorization of individual. 45 CFR 164.508
Disclosure of PHI Restricted (cont’d.)
Covered entities allowed to disclose certain types of information without individual authorization if opportunity to “agree or opt out” (like FERPA directory information). 45 CFR 164.510
Covered entities may disclose without authorization when required by HIPAA or law to do so (e.g., public health emergency, product recall) 45 CFR 164.512
In most disclosures, covered entities must disclose “minimum necessary” information. 45 CFR 164.514
How do Restrictions on PHI Disclosure Affect Research?
Research alone does not make a university a covered entity or a department a health care component, unless researchers are also treating and, as health care providers, are electronically transmitting health info in HIPAA transactions.
However, researchers will need to produce either a specific HIPAA authorization or an IRB/privacy board waiver, or meet a specific HIPAA research exception, in order to obtain PHI from covered health care providers or other covered entities who are data sources. 45 CFR 164.508 or 164.512(i)
Contact data sources now to see what they will require.
“Hybrid Entity”
Unique to privacy regulations – 45 CFR 164.504
A single legal entity that is a covered entity, that performs covered and non-covered functions, and that designates health care components. Most colleges/universities will be a hybrid.
E.g., university with a covered student health center and covered health plans. Under the hybrid status, the entire university does not become a covered entity – only the designated health care components are required to comply with HIPAA privacy regulations. 45 CFR 164.504
“Hybrid Entity” (cont’d.)
Hybrid entity MUST designate any component that would meet the definition of a covered entity if it were a separate legal entity.
Hybrid entity MAY include other components that perform covered functions and activities that would make the component a business associate if it were a separate legal entity (e.g., division of business office involved in billing, division of benefits office involved in covered plans, division of legal counsel’s office involved in health care issues.) Can be specific as to individuals – need not name an entire office.
Considerations for Selection of Optional Health Care Components
A hybrid covered entity must ensure privacy regulations compliance by its health care components. 45 CFR 164.504
Without a HIPAA authorization, a health care component can’t disclose PHI to another non-health care component of the university where disclosure would be prohibited if the components were separate legal entities.
Designation of Hybrid Entity Components
Must make this designation in writing (internal designation, not required to be filed, but must have a paper trail in case of OCR/HHS inquiry).
Document any additions or removals of individuals/offices as health care components as they occur.
Remember: only individuals/offices that deal in PHI are required to comply with privacy regs. If an office only deals with exempt student or employment records, it does not handle PHI and there may be no reason to designate it as a health care component if it would not meet the definition of a covered entity itself.
Considerations for Hybrid Entities (cont’d.)
If non-covered components are closely intertwined with covered components and have need for PHI, it may make sense to designate them as health care components.
But be careful of over designating! (E.g., if student health center not covered entity and not closely intertwined with covered health plans, designation could require unnecessary practices and conflicts with FERPA)
Other examples of potentially unnecessary designation: athletic trainers who do no electronic third-party billing or referrals with covered plans; researchers uninvolved with health care providers or health plans
Use/Disclosure by Business Associates
Covered entities need business associate contracts/agreements with all business associates who create or receive PHI in carrying out functions on behalf of the covered entity.
E.g., third-party administrators of university self-insured health plans, outside counsel handling matters involving PHI.
BA must not use or further disclose PHI other than as permitted or required by law.
BA must use appropriate privacy and security safeguards.
Use/Disclosure by Business Associates (cont’d.)
BA must report any improper use or disclosure of which it becomes aware to covered entity.
BA must ensure its agents agree to same restrictions.
Regulations provide transition timetable for contracts renewed at various points prior to compliance deadline.
45 CFR 164.502,-504,-532
Right of Individual Patient or Plan Participant
Individual has a right to request confidential communication of health information. 45 CFR 164.522
Individual has a right to access his/her health information. 45 CFR 164.524
Individual has a right to request amendment of incomplete or inaccurate health information. 45 CFR 164.526
Individual has a right to receive an accounting of certain disclosures of health information. 45 CFR 164.528
Required Privacy Notices by Covered Entities
Covered entities must provide notice of their privacy practices for protected health information. 45 CFR 164.520
For self-insured group health plans, the health plan itself must provide the notice. For an insured or HMO plan, the insurance issuer or HMO must provide the notice.
If an insured/HMO group health plan creates or receives PHI (beyond information on participation, enrollment, disenrollment, or summary information), it is required to develop and maintain such notice and provide it on request. Otherwise, not required.
Joint Consent and Notice Vehicles
Single Affiliated Covered Entity: designation of multiple covered entities under common ownership or control as a single Covered Entity (e.g., commonly owned health care facilities, different divisions of a single covered entity).
45 CFR 164.504(d)
Joint Consent and Notice Vehicles (cont’d.)
Organized Health Care Arrangement: joint venture between covered entities, which allows for joint notice of privacy practices and joint consent for covered health care providers. Also allows these entities to use their PHI without business associate agreement or authorization.
Available for clinically integrated settings, insurers and group health plans, group health plans with the same plan sponsor. Requires written designation and indication on notice of privacy practices.
45 CFR 164.501, -520(d). Ambiguity re: any shared liability.
Use of PHI by Plan Sponsors of Group Health Plans
Regulations restrict the disclosure of PHI by group health plans/insurance issuers/HMOs to employer plan sponsors. Designed to prevent use of PHI in making employment-related decisions.
Before a group health plan/insurance issuer/HMO can disclose PHI to a plan sponsor (other than summary/enrollment/disenrollment), the plan sponsor must have amended its plan documents to agree to:
• Establish permitted and required uses of PHI
• Ensure that agents will agree to same restrictions
• Not use information for employment-related actions
Plan Document Amendments (cont’d.)
• Report inconsistent use or disclosure of which it becomes aware
• Make available information required for health information amendment and accounting of disclosures
• Make internal practices and records available to HHS for determining compliance
• Return or destroy all PHI when no longer needed
• Ensure that adequate separation (“firewalls”) is established by identifying employees or classes of employees to be given access to PHI, restricting that use to plan administration functions, and providing a mechanism to resolve noncompliance issues.
• 45 CFR 164.504(f)
Should all Plan Sponsors Amend their Plan Documents?
Not necessarily, but there are several reasons why plan sponsors should carefully consider how to proceed.
• Insurers/HMOs may require plan document amendments for continued coverage or premium discounts, etc.
• The college/university may want to continue a practice of assisting employees with claims.
• Ultimately, if a PHI disclosure occurs, the group health plan could face HIPAA penalties for not ensuring that the amendments were made before the PHI was disclosed to the plan sponsor.
Ancillary Administrative Requirements of Privacy Regs
Note: Insured/HMO group health plans that neither create nor receive PHI except summary/participation/enrollment information are not subject to most of these requirements. Plan sponsors are not subject to these requirements as such. HOWEVER, self-insured health plans must comply with all of these requirements, as must insured/HMO plans that create or receive other PHI.
45 CFR 164.530(k)
Ancillary Administrative Requirements (cont’d.)
• Designate privacy official for policy development and receipt of complaints
• Train workforce of covered entity (covered health care components) on PHI
• Implement reasonable administrative, technical and physical safeguards to protect PHI
• Provide complaint process
• Establish and apply appropriate sanctions for covered entity workforce noncompliance
Ancillary Administrative Requirements (cont’d.)
• Mitigate any harmful effect of wrongful disclosures of PHI
• Take no retaliatory action against those exercising HIPAA rights or complainants
• Implement written policies and procedures re: PHI and maintain documentation required under the regulations for six years
45 CFR 164.530
Attn: Covered University Health Care Providers and Student Health Plans With No PHI
In comments to the privacy regulations, HHS has stated that the privacy rules only apply to a covered entity “to the extent” it possesses PHI. (P. 82488 Federal Register, December 28, 2000)
HHS has also commented that, in light of FERPA exclusion (removing student health records from PHI), only non-FERPA schools would be subject to the ancillary administrative requirements as regards their covered health care clinics. (P. 82595 Federal Register, December 28, 2000)
The $64,000 Question:
Does the FERPA exception to PHI act to exempt a covered college/university health care provider or self-insured student health plan with only student records from the ancillary administrative requirements?
No definitive regulatory answer, despite noted comments, FERPA exemption, and administrative requirements exemption for insured group health plans with no PHI.
Deadlines for Privacy Regulations Compliance
Covered entities must comply by April 14, 2003. Small health plans with annual receipts (essentially, total of employer and employee premiums) of $5 million or less have until April 24, 2004. For self-insured plans, calculate using total amount of claims paid.
First Steps to Take Toward Compliance with Privacy Regs
Inventory your campus for providers and plans that may be covered entities, as well as those departments that must/should be designated as health care components for a hybrid entity.
Determine current practices re: health information and analyze the “gaps” between current practice and HIPAA requirements. Do the same for business associates of your covered entities and health care components.
Develop compliant policies, documents, and training, working with insurers, TPAs, other business associates, and research data sources to promote consistency of practice.
Security Regulations (Proposed): Overview
Proposed regulations are designed to provide a standard level of protection for health information housed or transmitted electronically.
Administrative, technical and physical safeguards for storage, transmission, and access of electronic health information.
Security Regulations Coverage (Proposed)
Potentially broader scope of covered entities than transaction and privacy regulations. In addition to health plans, proposed regulations cover clearinghouses or health care providers that (1) process any electronic transmission between covered health care entities OR (2) electronically maintain any health information used in an electronic transmission between any combination of covered health care entities. 45 CFR 142.302
Security Standards (Proposed)
A covered entity must assess potential risks and vulnerabilities to the individual health data it possesses and develop, implement, and maintain appropriate security measures to protect individual health information in ELECTRONIC FORM, not hard copy or oral. 45 CFR 142.306
Specifics will vary according to system, environment, etc.
Security Standards (Proposed) (cont’d.)
Minimum features (45 CFR 142.308):
• Administrative procedures to guard data integrity, confidentiality, and availability
• Physical safeguards to guard data integrity, confidentiality, and availability
• Technical security services and mechanisms to guard data integrity, confidentiality, and availability
If covered entity elects to use electronic signatures in covered transactions, entity must apply proposed electronic signature standard. 45 CFR 142.310
Security Regulations Compliance Deadline
Proposed effective/compliance date is 24 months after publication of the final rule in Federal Register (not yet published – rumored for publication in December, 2002.) Small health plans have 36 months to comply. [Small health plans in proposed regs = fewer than 50 participants, but expect final to mirror transaction/privacy regs.] 45 CFR 142.312
General Penalty for Non-Compliance with HIPAA
$100 per violation. Cap on identical violations for one calendar year is $25,000.
Penalty may be waived if non-compliance was due to reasonable cause and not willful neglect.
42 U.S.C. 1320d-5
Penalty for Knowing Wrongful Disclosure of Individually Identifiable Health Information
• Fine of not more than $50,000 and imprisonment for one year, or both
• If committed under false pretenses, fine of not more than $100,000 and imprisonment for not more than five years, or both
• If committed with intent to sell, transfer or use such health information for gain or malicious harm, fine of not more than $250,000 and imprisonment of ten years, or both
42 U.S.C. 1320d-6
No Private Cause of Action
HIPAA does not provide a private cause of action by a patient or participant in a covered health plan against a covered entity or business associate.
However, the HIPAA regulations and standards may become the standard of care for health information and could be used against the entity in a separate cause of action.
Want to Know More about HIPAA?
We hope that this presentation has made you aware of HIPAA, its basic coverage, and areas where it might apply on your campus. To find out more, here are some resources:
A Few Online Resources on HIPAA
http://www.acha.org/info_resources/hipaa_links.cfm = HIPAA Resource site of American College Health Association
http://aspe.hhs.gov/admnsimp/ = United States Department of Health and Human Services/Administrative Simplification
http://www.hhs.gov/ocr/hipaa = Office for Civil Rights/HIPAA
http://snip.wedi.org = Strategic National Implementation Process of the Workgroup for Electronic Data Interchange