This document provides a comprehensive overview of HIPAA privacy terms related to fully-insured and self-funded group health plans (GHPs). It explores the four "buckets" that categorize employer-specific uses of protected health information (PHI) and summary information, distinguishing the roles an employer may hold and the responsibilities attached to each under HIPAA. It covers essential aspects including plan administration, compliance with privacy regulations, and the notice of privacy practices, guiding employers in understanding their obligations and ensuring proper management of health plan information.
Part II - Employers: “4 Buckets” [Diagram: Employer; Self-Funded GHP; Fully-Insured GHP (Summary Info); Fully-Insured GHP (receives PHI)]
Employer-specific HIPAA Privacy Terms • “Summary Information” • “Plan Administration”
Summary Information • Summarizes claims history, claims expenses, or claim type of participants in a GHP • Essentially is a category of information somewhere between de-identified data and PHI • “Step above” De-identified information because it has some identifiers • Uses/Disclosures are limited to 3 purposes
Plan Administration • GHP “Operations” and “Payment” • Plan Administration functions performed by Plan Sponsor/Employer (or its TPA) • excludes functions performed in connection with any other plan of the Employer • unless OHCA with other GHPs
BUCKET # 1 Employer as “Employer” (HR Manager)
Bucket #1: Employer • Employer as HR Manager • Hiring, Firing • FMLA Leave • Disability Leave • Workers’ Compensation Claims • Medical Absences • Drug and Alcohol Screening • Fitness for Duty Tests • HIPAA does not regulate Employer in this Bucket!
BUCKET # 2 Self-Funded GHP (Receives PHI)
BUCKET # 2 - Self-Funded GHP • Health benefits funded by employer • Claims administered internally • Creates PHI • MUST provide Notice of Privacy Practices • MUST comply with all of Privacy Rule’s Administrative Requirements • MUST amend Plan Document, provide Certification Statement, and make organizational changes
BUCKET # 3 Employer Insured GHP (Summary Info)
BUCKET # 3 - Insured GHP • Health benefits insured by employer • Insurer does not provide PHI back to GHP or Sponsor • DOES NOT need to provide Notice and comply with most of the Privacy Rule’s Administrative Requirements (except for non-waiver and non-retaliation) • Assumption: Sponsor does not receive PHI beyond summary information for the 3 allowed uses • EXCEPTED from Plan Amendment and Certification requirements
BUCKET # 4 Fully-Insured GHP (Full PHI)
BUCKET # 4 - Fully-Insured GHP • GHP provides health benefits solely through a health insurance issuer or HMO • If Sponsor receives more than summary information: • Unique Notice obligations • Must do Plan Amendment & Certification • Issue: Comply with all Administrative Requirements? • Gray area: e.g., where Plan Sponsor does not receive PHI from insurer but may assist employees with claims issues (advocacy)
Privacy Rule Requirements For Self-funded GHP • Notice Requirements • Amend Plan Documents • Certification Statement • Individual Rights • Administrative Requirements
Content of the Notice of Privacy Practices • Plain Language • Uniform Header • Description and at least one example each of the types of uses and disclosures made for treatment, payment, and health care operations • Description of each of the other purposes for which a use or disclosure is permitted or required without authorization
Content of the Notice of Privacy Practices (cont.) • Each purpose must have “sufficient detail” to put individual on notice • Statement that all other uses or disclosures will only be made with the individual’s authorization • If applicable, a statement that the GHP, or a health insurance issuer or HMO providing benefits for GHP, will disclose PHI to Plan Sponsor
Provision of Notice • No later than the Compliance Date for existing participants • At time of enrollment for all new enrollees • Within 60 days of a material change to the notice • Notification of availability of the notice every 3 years (or less) • Requirement satisfied if provided only to named insured and not dependents
Health Plan Notice Issues • Notice is from Group Health Plan if there is no group insurance contract • Notice is from the HMO or health insurance issuer in the insured context • Notice maintained by the GHP if it receives PHI • Notice to the named insured is sufficient
Other Notice Requirements • Specify GHP/Plan Sponsor duties • Name Contact Person • Establish Complaint Process • Optional ability to impose limitations on allowable uses and disclosures
Plan Amendment & Certification • Required elements for Plan amendments • Required elements similar to elements of a BA contract • Certification by GHP to Plan Sponsor
Required Amendments • Establish the permitted and required uses and disclosures of PHI by the Plan Sponsor • Not use or disclose PHI other than as permitted or required by the GHP or as required by law • Ensure that agents and subcontractors of the Plan Sponsor agree to abide by the Privacy Rule requirements
Required Amendments • Provide an accounting of disclosures of PHI • Make internal practices, books and records pertaining to the use and disclosure of PHI received from the Plan available to DHHS for determining compliance • Return or destroy all PHI when no longer needed
Required Amendments • Ensure adequate separation between the GHP and Plan Sponsor • Describe employees or classes of employees under the control of the Plan Sponsor to be given access to PHI, including individuals who receive PHI in the ordinary course of business • Provide a mechanism for resolving noncompliance
Required Amendments • Plan Sponsor cannot use or disclose PHI for employment-related actions, or in connection with any other benefit or employee benefit plan of the Sponsor • Report to the GHP any inconsistent use or disclosure of which it becomes aware • Make PHI available to individuals and allow individuals to amend their PHI
Individual Rights • Receive notice of privacy practices • Access: inspect or copy PHI • Amend • Accounting
Individual Rights (cont.) • Authorization • Complaints to Secretary and/or GHP • Permissive right to request restriction and confidential communication
Administrative Requirements • Appoint privacy official and contact person • Establish privacy policies and procedures and implementing forms (e.g., request for access form) • Reconfigure technical, administrative and physical safeguards (e.g., firewalls)
Administrative Requirements • Develop authorizations and notices • Develop grievance/complaint procedures • Develop sanction, mitigation, non-retaliation, and non-waiver of rights policies
Administrative Requirements • Communicate privacy policy • Training • Written or electronic record of the actions, policies, procedures, and other forms required to be documented by the Privacy Rule (document communications required to be in writing)