ERISA Group Health Plans: Complying With Complex HHS Regulations - - PowerPoint PPT Presentation



SLIDE 1

Presenting a live 90-minute webinar with interactive Q&A

ERISA Group Health Plans: Complying With Complex HHS Regulations and Leveraging New Guidance

Structuring Privacy Policies, Security Breach Notifications, Business Associate Agreements, and More

TUESDAY, MAY 6, 2014

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Today's faculty features:

  • Ryan P. Blaney, Partner, Cozen O'Connor, Washington, D.C.
  • Tiffany D. Downs, Partner, FordHarrison, Atlanta

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

SLIDE 2

Tips for Optimal Quality

Sound Quality

If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection. If the sound quality is not satisfactory, you may listen via the phone: dial 1-866-258-2056 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail sound@straffordpub.com immediately so we can address the problem. If you dialed in and have any difficulties during the call, press *0 for assistance.

Viewing Quality

To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

FOR LIVE EVENT ONLY

SLIDE 3

Continuing Education Credits

For CLE purposes, please let us know how many people are listening at your location by completing each of the following steps:

  • In the chat box, type (1) your company name and (2) the number of attendees at your location
  • Click the SEND button beside the box

If you have purchased Strafford CLE processing services, you must confirm your participation by completing and submitting an Official Record of Attendance (CLE Form).

  • You may obtain your CLE form by going to the program page and selecting the appropriate form in the PROGRAM MATERIALS box at the top right corner.
  • If you'd like to purchase CLE credit processing, it is available for a fee. For additional information about CLE credit processing, go to our website or call us at 1-800-926-7926 ext. 35.

FOR LIVE EVENT ONLY

SLIDE 4

Program Materials

If you have not printed the conference materials for this program, please complete the following steps:

  • Click on the ^ symbol next to "Conference Materials" in the middle of the left-hand column on your screen.
  • Click on the tab labeled "Handouts" that appears, and there you will see a PDF of the slides for today's program.
  • Double click on the PDF and a separate page will open.
  • Print the slides by clicking on the printer icon.

FOR LIVE EVENT ONLY

SLIDE 5

ERISA Group Health Plans: Complying with Complex HHS Regulations and Leveraging New Guidance

May 6, 2014

Sponsored by Legal Publishing Group of Strafford Publications

Ryan P. Blaney, Esq., rblaney@cozen.com, (202) 463-2528
Tiffany D. Downs, Esq., tdowns@fordharrison.com, (404) 888-3961

SLIDE 6

OVERVIEW OF PRESENTATION

FINAL PRIVACY RULE

  • Privacy Requirements and Policies
  • Notice of Privacy Practices and Health Plans
  • Supplemental Guidance

FINAL SECURITY AND BREACH RULES

  • Security Requirements and Policies
  • Breach Requirements and Notifications
  • Supplemental Guidance

HEALTH PLANS AND BUSINESS ASSOCIATES

  • Expanded Rules and Requirements and New Business Associates
  • Drafting and Negotiating Business Associate Agreements on Behalf of Health Plans

ERISA GROUP HEALTH PLANS

  • Distinctions between Employers, Plan Sponsors and Health Plans

SLIDE 7

Part I. Final Privacy Rule

  • A. Privacy requirements and policies
  • B. Notice of privacy practices
  • C. Supplemental guidance

SLIDE 8

YESTERDAY: FAXING and PAPER Medical Records

"Somehow your medical records got faxed to a complete stranger. He has no idea what's wrong with you either."

SLIDE 9

Today: Big Data, Texts, Twitter, Email, Personalized Medicine, Health Shopping

  • $3.1 Trillion
  • 20% GDP
  • 61% of U.S. employees rely on self-insured health plans
  • 94% self-insured plans for employers with more than 5000
  • 30% waste in 2009
  • FitBit, Nike+, health tracking, sleep and food monitoring

SLIDE 10

1 YEAR LATER: THE "OMNIBUS RULE"

January 25, 2013: HHS implements changes to:

  • HIPAA Privacy, Security, and Enforcement Rules
  • Interim breach notification guidance
  • Certain changes to HIPAA Privacy Rule required by GINA

Compliance Date

  • September 23, 2013 deadline for new and non-compliant health plans
  • One year extension (September 2014) to update business associate agreements that are in compliance with the prior regulations.

SLIDE 11

The Definitions Matter!!! What is PHI?

  • Protected Health Information (PHI) is individually identifiable health information in all forms: paper, oral, or electronic.
  • PHI excludes employment records held by an employer in its role as an employer (e.g., a physician's note submitted by an employee documenting the reason for absence from the office).

SLIDE 12

What is Health Information?

  • Health information includes any information created by a health care provider, health plan, employer, school, or university
    – that relates to the past, present, or future physical or mental health or condition of the individual,
    – the provision of health care to the individual, or
    – the past, present or future payment for health care to the individual.

SLIDE 13

What Makes Health Information "Individually Identifiable"?

  • Name
  • Dates: birth, admission to hospital, discharge from hospital, death
  • Telephone and fax numbers
  • Social Security Number
  • Account number
  • Vehicle identifiers including license plates
  • Web URLs and IP address numbers
  • Genetic Information
  • Geographic unit (certain zip code information excepted)
  • Ages over 89
  • Email and other addresses
  • Medical record numbers and health plan numbers
  • Certificate or license number
  • Device identifiers and serial numbers
  • Biometric identifiers, including finger and voice prints and full face and other identifying photographic images

SLIDE 14

HIPAA Definitions: Health Plans

  • COVERED by HIPAA
    – Medical plans
    – Dental plans
    – Vision plans
    – Prescription drug plans
    – Retiree medical plans
    – ERISA-covered employee assistance plans
    – Health care spending accounts
  • NOT COVERED by HIPAA
    – Workers' compensation
    – Disability plans
    – Accident plans
    – Non-ERISA employee assistance plans and long term care plans
    – Life insurance

SLIDE 15

A Balancing Act …

  • Employee privacy
  • Employee participation
  • Employers' rising health care expenditures
  • Available health data on cost and quality

SLIDE 16

Privacy challenges for health plans

  • "The tensions between having employers manage health care coverage and employees wanting to have some private space are crashing into each other … it's probably going to get worse."

– Matthew T. Bodie, Law Professor at St. Louis University School of Law, quoted in the New York Times September 14, 2013 article, "On Campus, a Faculty Uprising Over Personal Data"

SLIDE 17

Update - Notice of Privacy Practices

  • Health plans cannot "substantially" change their HIPAA policies and procedures before updating their Notice of Privacy Practices to reflect those revisions. HHS considers the Omnibus Rule changes to be "substantial."
    – Notices can be delivered by e-mail, if a participant agrees to electronic notice.
    – Notices must be distributed upon enrollment to all new participants.
    – Participants are entitled to paper copies.
    – At least once every 3 years, health plans must remind participants of the availability of the privacy notice.

SLIDE 18

HIPAA Requires Mandatory Training

  • A health plan or its business associate must train its workforce that has access to PHI (HIPAA Personnel) regarding the HIPAA privacy practices and procedures.
    – Each such person must be trained within a reasonable time period after his/her hire date.

SLIDE 19

General Privacy Rule

  • A Covered Entity and its workforce may not use or disclose PHI, except as permitted by the Privacy Rule
  • Permitted uses of PHI under the Privacy Rule include:
    – treatment, payment, or health care operations
    – under a specific authorization from the subject of the PHI
    – as required by law
    – in response to a court order
    – in response to a subpoena, but only with "adequate assurances" of efforts to secure a protective order or notify the subject of the request

SLIDE 20

Uses and Disclosures Pursuant to a Valid Authorization

  • A written authorization is needed for disclosures that are not for treatment, payment, and health care operations.
  • To be valid, an authorization must contain very specific information.
  • Use or disclosure of PHI must be consistent with the terms of the authorization.
  • An authorization can be revoked by written notice.
  • An authorization is not required if you must use or disclose PHI to avert a serious threat to health or safety.

SLIDE 21

"Treatment, Payment, and Health Care Operations"

  • Treatment: Providing, coordinating, or managing health care and related services by health care providers
  • Payment: Activities to obtain premiums, obtain or provide reimbursement for the provision of health care, or determine the Plan's responsibility for coverage
  • Health Care Operations: General Plan administration, business planning, quality assessments, evaluation of coverage, and case management
  • Disclosing PHI to a FMLA administrator so he/she can determine if the Participant is eligible for FMLA leave
  • Giving a manager PHI about a Participant's medical condition so he/she can make employment-related decisions

SLIDE 22

Minimum Necessary Standard

  • Whenever a covered entity uses or discloses PHI, or requests PHI from another plan or a physician, it "must make reasonable efforts to limit [PHI] to the minimum necessary to accomplish the intended purpose of the use, disclosure or request"
    – Exceptions to the Minimum Necessary Standard:
      • Disclosure is to the individual who is the subject of the PHI
      • Disclosure is to a health care provider for treatment purposes
      • Disclosure is pursuant to the individual's authorization
      • Disclosure is for certain legal purposes

SLIDE 23

De-identified Health Information – Health Plans Need More Clarity

  • Limitations on use and disclosure of PHI do not apply to "de-identified health information"
  • Redacting names and other identifying information does not render information "de-identified" under HIPAA.
  • De-identification requires:
    – a determination by a person with "appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable" that there is a small risk that the information could be used alone or with other information to identify the subject, or
    – removal of 18 types of information

SLIDE 24

Individual Rights Under HIPAA

  • Access to PHI – the right to access and copy most PHI that is part of the records maintained by or for the health plan
  • Amendment of PHI – the right to amend most PHI that is created by or on behalf of the health plan
  • Accounting of disclosures of PHI – the right to a list of certain disclosures of PHI made by the Plan for the previous 6 years (generally does not include permitted or required disclosures)
  • Confidential Communications of PHI – the right to receive communications of PHI by other means or at a different location if the normal method could endanger the participant.
  • Restrictions on the Use and Disclosure of PHI – the right to request restrictions on the use and disclosure of the participant's PHI.

SLIDE 25

Individual Rights: Anti-Retaliation

  • Anti-Retaliation Policy: Health plans are prohibited from intimidating, threatening, coercing, discriminating against or taking any retaliatory action against a participant for exercising his or her rights under HIPAA
  • Waiver Policy: Participants may not be required to waive their rights under HIPAA in order to receive Plan benefits or treatment.

SLIDE 26

Part II. Final Security and Breach Rules

  • A. Security Requirements and Policies
  • B. Breach Requirements and Notifications
  • C. Supplemental Guidance


SLIDE 27

HIPAA Security Rule

  • Addresses the security of electronic Protected Health Information (PHI):
    – which is Individually Identifiable Health Information that is transmitted or maintained in electronic, written, or oral form.

SLIDE 28

HIPAA Security Rule

  • Security Rule standards include the following safeguards:
    – Administrative – policies and procedures
    – Technical – devices and equipment
    – Physical – facilities, workstations, etc.
  • Implementation specifications:
    – Required (R)
    – Addressable (A)

SLIDE 29

Administrative Safeguards

  • Security Management Process
    – Risk analysis (A)
    – Risk management (R)
    – Sanctions (R)
    – Information System Activity Review (sign-on/sign-off activity; unsuccessful log-on attempts) (R)
  • Security Officer (R)

SLIDE 30

Administrative Safeguards

  • Workforce Security
    – Authorization and/or supervision (A)
    – Workforce clearance procedures (background checks) (A)
    – Termination procedures (disable user ID and password) (A)
  • Information Access Management
    – Access authorization (controlled by user ID and password) (A)
    – Access establishment and modification (A)

SLIDE 31

Security Rule Safeguards

  • Security Awareness and Training
    – Security reminders (training) (A)
    – Protection from malicious software (anti-viral software/firewall) (A)
    – Log-in monitoring (report suspicious activity) (A)
    – Password management (change periodically) (A)
  • Security Incident Procedures (response and reporting) (R)

SLIDE 32

Security Rule Safeguards

  • Contingency Plans
    – Data backup (nightly? weekly?) (R)
    – Disaster recovery (R)
    – Emergency mode operation (R)
    – Testing and revision procedures (A)
    – Applications and data criticality analysis (A)
  • Evaluation

SLIDE 33

Physical Safeguards

  • Facility Access
    – Contingency operations (A)
    – Facility security plan (badge readers, alarm system) (A)
    – Access control and validation procedures (escort visitors) (A)
    – Maintenance records (A)
  • Workstation Use (automatic screensavers)

SLIDE 34

Physical Safeguards

  • Workstation Security (shut down procedures)
  • Device and Media Controls
    – Disposal (delete or purge PHI first) (R)
    – Media Re-use (delete or purge PHI first) (R)
    – Accountability (A)
    – Data Backup and Storage (A)

SLIDE 35

Technical Safeguards

  • Access Controls
    – Unique User Identification (do not share user IDs or passwords) (R)
    – Emergency Access Procedure (R)
    – Automatic Logoff (mandatory screen savers and shut down procedures) (A)
    – Encryption and decryption (alternative: passwords for smart phones and laptops) (A)
  • Audit Controls

SLIDE 36

Technical Safeguards

  • Data Integrity
  • Person or Entity Authentication
  • Transmission Security
    – Integrity Controls (A)
    – Encryption and decryption (for emails or file transfers containing PHI) (A)

SLIDE 37

Summary of PHI Safeguards

  • Printed Documents
  • Faxes
  • Electronic Information
  • Verbal Communications
  • Storage and Destruction
  • Secure Facilities and Equipment


SLIDE 38

Breach Rules: New Definition of Breach

  • What is considered a "Breach"?
  • Presumption of breach unless a 4-factor risk assessment demonstrates a low probability that PHI has been compromised
  • Burden shifted to the CE or BA to show that notice is not required

SLIDE 39

What is a Breach?

  • Applies to "Unsecured" PHI
  • PHI is unsecured if an HHS-approved methodology has not been used to render the PHI unusable, unreadable, or indecipherable to unauthorized individuals; AND
  • PHI is "accessed, acquired, or disclosed" by or to an unauthorized individual as a result of a breach.
  • HHS-approved methodology includes only:
    – Encryption (for electronic PHI)
    – Destruction (for electronic and paper PHI)

SLIDE 40

Exceptions to Breach

  • Disclosure of PHI to an unauthorized person believed unable to retain the information (because it is encrypted or password protected);
  • Any unintentional acquisition, access or use of PHI by a workforce member or person acting under the authority of a plan sponsor, if made in good faith and within the scope of their authority and it does not result in further use or disclosure in violation of the Privacy Regulations;
  • Any inadvertent disclosure by a person who is authorized to access PHI at the plan sponsor to another person authorized to access PHI, where the information is not further used or disclosed in a manner not permitted under the Privacy Regulations.

SLIDE 41

Breach Risk Assessment

– Breach is presumed unless the plan sponsor demonstrates that there is a low probability that the PHI has been compromised, by relying on at least the following factors:

  • Nature and Extent: The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  • Identity: The unauthorized person who used the PHI or to whom the disclosure of PHI was made;
  • Whether the PHI was actually viewed or acquired or, alternatively, if only the opportunity existed for the information to be viewed or acquired; and
  • Mitigation: The extent to which the risk to the PHI has been mitigated.

SLIDE 42

What to do if a Breach Occurs?

  • Notify the HIPAA Privacy and Security Officer.
  • Determine notice obligations and mitigation strategies.
  • Improper disclosure of PHI or failure to follow privacy and security procedures could result in disciplinary action.

SLIDE 43

Breach Notifications

  • Individual Notice: Covered Entities must notify affected individuals following the discovery of a breach of unsecured protected health information in written form by first-class mail, or by e-mail if the affected individual has agreed to receive such notices electronically.
  • Media Notice: Covered Entities that experience a breach affecting more than 500 residents of a State or jurisdiction are also required to provide notice to prominent media outlets serving the State or jurisdiction.
  • Notice to the Secretary: In addition to notifying affected individuals and the media (where appropriate), covered entities must also notify the Secretary of Health and Human Services of all breaches of unsecured protected health information. If a breach affects 500 or more individuals, Covered Entities must notify the Secretary without unreasonable delay and no later than 60 days following a breach; if a breach affects fewer than 500 individuals, Covered Entities must notify the Secretary on an annual basis, no later than 60 days after the year in which the breach occurred.
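The thresholds on slides 39 and 43 can be turned into a repeatable triage step for an incident responder. The following is an added example, not the presenters' material: it gates on whether the PHI was "unsecured" and then lists the individual, media and Secretary notices owed, keeping the distinction between "more than 500 residents of a State" (media) and "500 or more individuals" (prompt Secretary notice). Field names, the per-State count layout and the choice to run the 60-day clock from the discovery date are assumptions.

```python
# Added example: breach notification triage per slides 39 and 43.
# Input layout (residents affected per State or jurisdiction) and the
# 60-day clock starting at discovery are assumptions for illustration.
from datetime import date, timedelta

SECRETARY_PROMPT_THRESHOLD = 500   # "500 or more individuals" -> prompt notice
MEDIA_THRESHOLD = 500              # "more than 500 residents" of one State
NOTICE_WINDOW = timedelta(days=60)


def is_unsecured(encrypted: bool, destroyed: bool) -> bool:
    """Slide 39: PHI is unsecured unless an HHS-approved method (encryption for
    electronic PHI, destruction for electronic or paper PHI) was applied."""
    return not (encrypted or destroyed)


def notification_obligations(discovered, affected_by_state,
                             encrypted=False, destroyed=False):
    """Return the notices a covered entity owes for a breach discovered on
    `discovered` (a date or ISO string) with `affected_by_state` giving the
    number of affected residents per State/jurisdiction, e.g. {"GA": 320}."""
    if isinstance(discovered, str):
        discovered = date.fromisoformat(discovered)
    total = sum(affected_by_state.values())
    result = {"unsecured": is_unsecured(encrypted, destroyed),
              "affected": total, "notices": []}
    if not result["unsecured"] or total == 0:
        return result  # not a breach of unsecured PHI: no notice obligation

    # Individual notice always follows discovery (first-class mail, or e-mail
    # only where the individual agreed to electronic notice).
    result["notices"].append({
        "to": "individuals", "count": total,
        "method": "first-class mail, or e-mail with the individual's consent",
    })

    # Media notice is per State/jurisdiction and strictly "more than 500".
    for state, count in sorted(affected_by_state.items()):
        if count > MEDIA_THRESHOLD:
            result["notices"].append(
                {"to": "media", "jurisdiction": state, "count": count})

    # Secretary notice: prompt when 500 or more in total, otherwise in the
    # annual report due 60 days after the end of the year of the breach.
    if total >= SECRETARY_PROMPT_THRESHOLD:
        deadline = discovered + NOTICE_WINDOW
        timing = "without unreasonable delay"
    else:
        deadline = date(discovered.year, 12, 31) + NOTICE_WINDOW
        timing = "annual report"
    result["notices"].append({"to": "HHS Secretary", "timing": timing,
                              "deadline": deadline.isoformat()})
    return result


def recipients(result):
    """Convenience view: who must be notified, in order."""
    return [n["to"] for n in result["notices"]]


if __name__ == "__main__":
    # Constructed scenario: 501 Georgia residents, discovered 6 May 2014.
    for notice in notification_obligations("2014-05-06", {"GA": 501})["notices"]:
        print(notice)
```

The exactly-500 single-State case is the one worth checking by hand: it triggers prompt Secretary notice but not media notice.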

SLIDE 44

Supplemental Guidance

  • Disclosures for Emergency Preparedness
  • Refill Reminders and Other Communications
  • Health Information of Deceased Individuals
  • Others …

SLIDE 45

Part III. Business Associate Requirements

  • A. Expanded Rules and Requirements and New Business Associates
  • B. Drafting Requirements for Business Associate Agreements

SLIDE 46

What is a Business Associate ("BA")?

  • Definition:
    – A person who (i) performs for or on behalf of a covered entity, or assists a covered entity, in performing an activity or function involving use or disclosure of health information (e.g., claims processing, utilization review, billing), or (ii) provides legal, actuarial, accounting, management, administrative, accreditation or financial services where the provision of such services involves the disclosure of health information from the entity or another business associate of the entity
  • Includes anyone with health information from your health plans (could include attorneys, consultants, third party administrators, auditors, computer software service companies)
  • Includes: Benefits Brokers and others

SLIDE 47

January 25, 2013 Omnibus Rule Changes to BA

  • HHS published a Final Omnibus Rule on January 25, 2013 that expanded the definition of Business Associates to include Health Information Organizations, E-prescribing Gateways, entities that provide data transmission services for PHI and who require routine access to such PHI, and personal health record vendors.

SLIDE 48

What are the Business Associate Rules?

  • General Rules
    – Need specific HIPAA-dictated language in a contract with all business associates
    – Business Associate Agreement must be written.
    – Must include language that specifically says that the BA will ensure that individuals' HIPAA rights are followed.

SLIDE 49

Continued …

  • Under HITECH all of the HIPAA rules apply directly to business associates, including penalties
    – Previously, HIPAA applied only to "covered entities" – health plans, health care providers, and clearinghouses
    – HIPAA applied indirectly to business associates – through business associate agreements

SLIDE 50

Tips for Drafting & Negotiating BAAs

  • Reporting requirements and timing (the parties can and should agree on shorter periods)
  • Review the underlying services agreement and modify the services agreement and BAA to be consistent
  • Agency and subcontractor provisions
  • Indemnification clauses
  • Breach notification costs and responsibilities
  • Termination and destruction of PHI

SLIDE 51

Part IV. Distinctions between Employer, Plan Sponsor, and Group Health Plans


SLIDE 52

Who is Subject to HIPAA?

  • Employer
  • Plan Sponsor
  • Group Health Plan

SLIDE 53

HIPAA COVERED ENTITIES

  • Health Care Clearinghouses
  • Health Care Providers - who transmit any health information in electronic form
  • Health Plans - whether insured or self-funded, which have:
    – 50 or more participants; OR
    – are administered by an entity other than the employer

SLIDE 54

Covered Health Plans

Examples of benefits subject to HIPAA:

  • Health (Medical)
  • Dental
  • Vision
  • Health Care Flexible Spending Account
  • Long Term Care
  • Employee Assistance Program (in some cases)

SLIDE 55

Entities Not Subject to HIPAA

  • Employers performing employer functions (e.g. FMLA, drug testing, sick leave, ADA, OSHA, fitness for duty, and return to work physicals)
    – But, may need authorization to obtain records
  • Life, Disability, and Workers' Compensation Insurers
  • On-site Medical Clinics

SLIDE 56

Employment Records Exception

  • HIPAA excludes employment records from the definition of protected health information. A covered entity must use a functional test in determining whether a record is an employment record.

SLIDE 57

Employment Records Test

  • Functional Test: How was this information created or received? Was it created and received in a health plan capacity or an employer capacity?
  • NOTE: Employment records are subject to protection under the ADA, FMLA and GINA

SLIDE 58

Discussion Scenarios

  • Requests for Leave
  • Pre-employment physicals
  • Requests for Accommodations

HINT: Not Subject to HIPAA

SLIDE 59

Disclosures to Employers

  • Summary health information (for renewal purposes)
  • Enrollment information (for payroll deduction)
  • To disclose any other PHI to the employer, plan documents must contain specific privacy protections (firewall)
  • Employer may not use PHI to make employment related decisions or for other benefit plans

SLIDE 60

Self Insured vs. Fully Insured

  • Self Insured plans
    – All privacy rule requirements apply
  • Insured plans
    – "Hands on" – plan sponsor receives PHI in addition to summary health information and participation information
      • Must maintain privacy notice and provide upon request

SLIDE 61

Self Insured vs. Fully Insured

  • Insured plans
    – "Hands off" – plan sponsor does not receive PHI other than summary health information and participation information
      • No privacy notice required
      • No administrative requirements except retaliation and waiver
    – No exemption from Security Rule requirements

SLIDE 62

Questions?

Ryan P. Blaney, Esq.
Cozen O'Connor, Washington, DC
rblaney@cozen.com
(202) 463-2528

Tiffany D. Downs, Esq.
FordHarrison, Atlanta, GA
tdowns@fordharrison.com
(404) 888-3961