ERISA Group Health Plans: Complying With Complex HHS Regulations - PowerPoint PPT Presentation

Presenting a live 90-minute webinar with interactive Q&A ERISA Group Health Plans: Complying With Complex HHS Regulations and Leveraging New Guidance Structuring Privacy Policies, Security Breach Notifications, Business Associate Agreements, and More TUES DAY, MAY 6, 2014 1pm East ern | 12pm Cent ral | 11am Mount ain | 10am Pacific Today’s faculty features: Ryan P . Blaney, Partner, Cozen O’Connor , Washington, D.C. Tiffany D. Downs, Partner, FordHarrison , Atlanta The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10 .

Tips for Optimal Quality FOR LIVE EVENT ONLY S ound Qualit y If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection. If the sound quality is not satisfactory, you may listen via the phone: dial 1-866-258-2056 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail sound@ straffordpub.com immediately so we can address the problem. If you dialed in and have any difficulties during the call, press *0 for assistance. Viewing Qualit y To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

Continuing Education Credits FOR LIVE EVENT ONLY For CLE purposes, please let us know how many people are listening at your location by completing each of the following steps: • In the chat box, type (1) your company name and (2) the number of attendees at your location • Click the S END button beside the box If you have purchased S trafford CLE processing services, you must confirm your participation by completing and submitting an Official Record of Attendance (CLE Form). Y ou may obtain your CLE form by going to the program page and selecting the appropriate form in the PROGRAM MATERIALS box at the top right corner. If you'd like to purchase CLE credit processing, it is available for a fee. For additional information about CLE credit processing, go to our website or call us at 1-800-926-7926 ext. 35.

Program Materials FOR LIVE EVENT ONLY If you have not printed the conference materials for this program, please complete the following steps: • Click on the ^ symbol next to “ Conference Materials” in the middle of the left - hand column on your screen. • Click on the tab labeled “ Handouts” that appears, and there you will see a PDF of the slides for today's program. • Double click on the PDF and a separate page will open. • Print the slides by clicking on the printer icon.

ERISA Group Health Plans: Complying with Complex HHS Regulations and Leveraging New Guidance May 6, 2014 Sponsored by Legal Publishing Group of Ryan P. Blaney, Esq. Strafford Publications rblaney@cozen.com (202) 463-2528 Tiffany D. Downs, Esq. tdowns@fordharrison.com (404) 888-3961

OVERVIEW OF PRESENTATION FINAL PRIVACY • Privacy Requirements and Policies • Notice of Privacy Practices and Health Plans RULE • Supplemental Guidance FINAL SECURITY • Security Requirements and Policies AND BREACH • Breach Requirements and Notifications • Supplemental Guidance RULES HEALTH PLANS • Expanded Rules and Requirements and New Business Associates AND BUSINESS • Drafting and Negotiating Business Associate Agreements on ASSOCIATES Behalf of Health Plans ERISA GROUP • Distinctions between Employers, Plans Sponsors and Health Plans HEALTH PLANS 6

Part I. Final Privacy Rule A. Privacy requirements and polices B. Notice of privacy practices C. Supplemental guidance 7

“Somehow your medical records got faxed to a complete stranger. He has not idea what’s wrong with you either.” YESTERDAY: FAXING and PAPER Medical Records 8

Today: Big Data, Texts, Twitter, Email, Personalized Medicine, Health Shopping $3.1 Trillion 30% Waste 20% GDP in 2009 61% U.S. 94% self insured FitBit, Nike+, Employees rely plans for Health tracking, on self insured employers with sleep and food health plans more than 5000 monitoring 9

1 YEAR LATER: THE “OMNIBUS RULE” January 25, • HIPAA Privacy, Security, and Enforcement Rules 2013 HHS • Interim breach notification guidance implements • Certain changes to HIPAA Privacy changes to: Rule required by GINA • September 23, 2013 deadline for new and non-compliant health plans Compliance • One year extension (September 2014) Date to update business associate agreements that are in compliance with the prior regulations. 10

The Definitions Matter !!! What is PHI? • Protected Health Information (PHI) is individually identifiable health information that is in all forms – paper, oral, or electronic. • PHI excludes employment records held by an employer in its role as an employer ( e.g., physician ’ s note submitted by employee documenting reason for absence from office) 11

What is Health Information? • Health information includes any information created by a health care provider, health plan, employer, school, or university – and that relates to past, present, or future physical or mental health or condition of the individual, – the provision of health care to the individual, or – the past, present or future payment for health care to the individual. 12

What Makes Health Information “ Individually Identifiable ” ? • Name • Geographic unit (certain zip code information excepted) • Dates: birth, admission to hospital, discharge from hospital, • Ages over 89 death • Email and other addresses • Telephone and fax numbers • Medical record numbers and health • Social Security Number plan numbers • Account number • Certificate or license number • Vehicle identifiers including • Device identifiers and serial license plates numbers • Web URLs and IP address • Biometric identifiers, including numbers finger and voice prints and full face and other identifying photographic • Genetic Information images 13

HIPAA Definitions: Health Plans • • COVERED by HIPAA NOT COVERED by HIPAA – Workers ’ compensation – Medical plans – Dental plans – Disability plans – Vision plans – Accident plans – Prescription drug plans – Non-ERISA Employee Assistance Plans and – Retiree medical plans Long Term Care Plans – ERISA-Covered – Life Insurance employee assistance plans – Health care spending accounts 14

A Balancing Act … Employee Privacy Employee participation Employers’ rising health care expenditures Available health data on cost and quality 15

Privacy challenges for health plans • “The tensions between having employers manage health care coverage and employees wanting to have some private space are crashing into each other … it’s probably going to get worse.” – Matthew T. Bodie, Law Professor at St. Louis University School of Law, quote from New York Times September 14, 2013 article, “On Campus, a Faculty Uprising Over Personal Data” 16

Update - Notice of Privacy Practices • Health plans cannot “substantially” change their HIPAA policies and procedures before updating their Notice of Privacy Practices to reflect those revisions. HHS considers the Omnibus Rule changes to be “substantial.” – Notices can be delivered by e-mail, if a participant agrees to electronic notice. – Notices must be distributed upon enrollment to all new participants – Participants are entitled to paper copies – At least once every 3 years, health plans must remind participants of the availability of the privacy notice. 17

HIPAA Requires Mandatory Training • A health plan or its business associate must train its workforce which has access to PHI (HIPAA Personnel) regarding the HIPAA privacy practices and procedures. – Must be trained within a reasonable time period after his/her hire date. 18

General Privacy Rule • A Covered Entity and its workforce may not use or disclose PHI, except as permitted by the Privacy Rule • Permitted uses of PHI under the Privacy Rule include: – treatment, payment, or health care operations – under a specific authorization from the subject of the PHI, – as required by law – in response to a court order – in response to a subpoena but only with “ adequate assurances ” of efforts to secure a protective order or notify the subject of the request 19

Uses and Disclosures Pursuant to a Valid Authorization • A w ritten authorization is needed for disclosures that are not for treatment, payment, and healthcare operations. • To be valid, an authorization must contain very specific information. • Use or disclosure of PHI must be consistent w ith the terms of the authorization. • An authorization can be revoked by w ritten notice. • An authorization is not required if you must use or disclose PHI to avert a serious threat to health or safety. 20