the hipaa privacy rule and its impact on agents and employers l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
The HIPAA Privacy Rule And Its Impact On Agents And Employers PowerPoint Presentation
Download Presentation
The HIPAA Privacy Rule And Its Impact On Agents And Employers

Loading in 2 Seconds...

play fullscreen
1 / 27

The HIPAA Privacy Rule And Its Impact On Agents And Employers - PowerPoint PPT Presentation


  • 168 Views
  • Uploaded on

The HIPAA Privacy Rule And Its Impact On Agents And Employers. National Association of Health Underwriters Capitol Conference March 23, 2003 Joseph T. Holahan, JD Morris, Manning & Martin, LLP Washington, DC 202.408.0705 jholahan@mmmlaw.com. Road Map. Overview of the HIPAA Privacy Rule

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'The HIPAA Privacy Rule And Its Impact On Agents And Employers' - Faraday


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
the hipaa privacy rule and its impact on agents and employers

The HIPAA Privacy RuleAnd Its Impact On Agents And Employers

National Association of Health Underwriters

Capitol Conference

March 23, 2003

Joseph T. Holahan, JD

Morris, Manning & Martin, LLP

Washington, DC

202.408.0705

jholahan@mmmlaw.com

road map
Road Map
  • Overview of the HIPAA Privacy Rule
    • Covered entities and products
    • Compliance deadlines
    • General requirements
  • Impact on agents
    • Business associate contract
    • Disclosures to agents by insurers
  • Impact on employers
covered entities

Covered Entities

Health plans

Health care providers engaging standard electronic transactions

Health care clearinghouses

health plans provide or pay cost of medical care
Health Plans—Provide or Pay Cost of Medical Care
  • Health insurance issuers and HMOs
  • Issuers of Medicare supplemental policies
  • Issuers of long-term care policies (except nursing home fixed-indemnity policies)
  • Group health plans (except self-administered with fewer than 50 participants)
  • MEWAs
  • State high risk pools
  • Medicare, Medicare+Choice, CHAMPUS and certain other programs
  • Any other individual or group health plan that provides or pays for the cost of medical care
covered products
Covered Products
  • Major medical
  • HMO
  • Dental and vision
  • Most long-term care
  • Medicare supplemental
  • Medicare+Choice
excluded products
Excluded Products
  • Life
  • Accident only
  • Disability income
  • Coverage issued as supplement to liability insurance
  • Liability insurance, including general liability and auto liability insurance
  • Auto medical payment
  • Credit-only
  • Coverage for on-site medical clinics
gray area
Gray Area
  • Specified disease
  • Hospital indemnity
compliance deadlines
Compliance Deadlines
  • Most health insurance issuers and HMOs and any group health plans—April 14, 2003
  • Small health plans (annual receipts of $5 million or less)—April 14, 2004
general requirements
General Requirements
  • Restricts use and disclosure of “protected health information” (PHI) without written authorization
  • Minimum necessary standard
  • Individual Rights
    • Restrictions on use and disclosure
    • Access
    • Accounting of disclosures
    • Amendment
  • Business associate contracts
  • Amend group health plan documents in some cases to impose requirements on sponsor
general requirements con t
General Requirements, Con’t.
  • Notice of privacy practices
  • Administrative requirements, including:
    • Privacy officer
    • Privacy contact office
    • Privacy policies and procedures
    • Training—workforce only
permitted uses and disclosures
Permitted Uses and Disclosures
  • Pursuant to written authorization compliant with HIPAA
  • For treatment, payment or health care operations
  • To individual or personal representative
  • Friend, family member or other person identified by individual with written or oral agreement
  • Required by law
    • Regulators
    • Judicial and administrative proceedings
    • Law enforcement
  • To “health oversight agency” as authorized by law
permitted uses and disclosures health care operations
Permitted Uses and Disclosures—Health Care Operations

“Health care operations” include:

  • Activities by or on behalf of health plan relating to the creation, renewal or replacement of a contract for health insurance or health benefits
  • Customer service by or on behalf of health plan
permitted uses and disclosures payment
Permitted Uses and Disclosures—“Payment”

“Payment” includes:

  • Activities by or on behalf of health plan to determine eligibility or coverage
  • Claims management by on behalf of health plan
disclosure by health plan to agent
Disclosure By Health Plan To Agent
  • Payment or health care operations
  • Friend, family member or other person identified by individual:
    • PHI directly relevant to person’s involvement in individual’s health care
    • Written or oral “agreement”, opportunity to object and no objection or reasonable inference of no objection based on professional judgment
  • Written authorization
required uses and disclosures
Required Uses and Disclosures
  • Individual access to PHI
  • Secretary of DHHS for investigating covered entity’s compliance
required elements of the business associate agreement part i
Required Elements of the Business Associate Agreement—Part I
  • Establish permitted and required uses and disclosures of PHI by business associate
  • May not authorize the business associate to use or disclose information in a way that would violate the Privacy Rule if done by covered entity, with exceptions where necessary for business associate’s management and administration and for data aggregation services
required elements of the business associate agreement part ii
Required Elements of the Business Associate Agreement—Part II

Provide that the business associate will:

  • Not further use or disclose PHI other than as permitted or required by law
  • Use appropriate safeguards to prevent use or disclosure other than as provided by the agreement
  • If aware of any use or disclosure not provided by the agreement, report it to covered entity
  • Ensure that any agents, including subcontractors, to whom it provides PHI agree to same restrictions
required elements of the business associate agreement part iii
Required Elements of the Business Associate Agreement—Part III
  • Provide that the business associate will:
    • Make PHI available for access by the individual
    • Make PHI available for amendment and incorporate any amendments
    • Make PHI available to provide an accounting of disclosures
    • Make its internal practices, books, and records available to DHHS for investigating covered entity’s compliance
required elements of the business associate agreement part iv
Required Elements of the Business Associate Agreement—Part IV
  • At termination of contract, if feasible, return or destroy all PHI received from covered entity or created or received on behalf of covered entity and retain no copies.
  • If return or destruction not feasible, extend protections of contract to information retained and limit use and disclosure to purposes for which information must be retained.
permitted elements of the business associate agreement
Permitted Elements of the Business Associate Agreement
  • May permit the business associate to use and disclose PHI as necessary for:
    • Management and administration of its business; and
    • To carry out its legal responsibilities
  • But unless disclosure required by law, business associate must obtain “reasonable assurances” from person to whom PHI is disclosed that:
    • PHI will be held confidentially;
    • PHI will be further disclosed only as required by law or for purpose for which it was disclosed to the person; and
    • Person will notify business associate of any known breach of confidentiality
breach of business associate contract required action by covered entity
Breach of Business Associate Contract—Required Action By Covered Entity
  • Take reasonable steps to cure the breach
  • If unsuccessful, terminate contract if feasible
  • If termination not feasible, report problem to DHHS
  • To extent practicable, mitigate any known harm from violation
group health plans
Group Health Plans
  • Self-insured plans—all of the Privacy Rule’s provisions apply, including:
    • Provide privacy notice
    • Implement policies and procedures
    • Train workforce
  • Plans offering flexible savings accounts—may need to treat as a self-insured plan
  • Insured plans—depends on how much PHI created or received from issuer or HMO
insured group health plans
Insured Group Health Plans
  • If group health plan creates or receives only “summary PHI” and information about whether individual has enrolled or disenrolled, duties greatly reduced—for example:
    • No notice required
    • No need for written policies and procedures
    • No training required
  • If group health plan creates or receive other PHI, then:
    • Must maintain notice and provide on request
    • All other requirements of Privacy Rule apply
plan sponsor
Plan Sponsor
  • No requirements, if plan sponsor only receives:
    • “Summary PHI” for purpose of obtaining premium bids or modifying, amending or terminating plan;
    • Information on whether individual has enrolled or disenrolled; or
    • PHI disclosed pursuant to a written authorization
  • If sponsor receives other PHI, must amend plan documents and group health plan must receive written certification of amendment and give notice
amendment of group health plan documents
Amendment of Group Health Plan Documents
  • Much like business associate contract, with added provisions
  • Not use or disclose PHI for employment-related actions and decisions
  • Not use or disclose PHI in connection with any other benefit or employee benefit plan of sponsor
  • Ensure “adequate separation” between group health plan and sponsor
adequate separation
“Adequate Separation”
  • Describe employees or classes of employees and other persons under control of plan sponsor with access to PHI
  • Restrict access to and use of PHI by employees and other persons to plan administration functions
  • Provide effective mechanism for resolving issues of noncompliance by employees and persons with access to PHI
the hipaa privacy rule and its impact on agents and employers27

The HIPAA Privacy RuleAnd Its Impact On Agents And Employers

National Association of Health Underwriters

Capitol Conference

March 23, 2003

Joseph T. Holahan, JD

Morris, Manning & Martin, LLP

Washington, DC

202.408.0705

jholahan@mmmlaw.com