1 / 53

Privacy and Security Laws Beyond HIPAA: Protecting Consumer Information

Privacy and Security Laws Beyond HIPAA: Protecting Consumer Information. Webinar Presented by Laura Bird January 29, 2014. Module Contents. Introduction Privacy and Security of Personally Identifiable Information under the Affordable Care Act

persephone-beryl
Télécharger la présentation

Privacy and Security Laws Beyond HIPAA: Protecting Consumer Information

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Privacy and Security Laws Beyond HIPAA: Protecting Consumer Information Webinar Presented by Laura Bird January 29, 2014

  2. Module Contents • Introduction • Privacy and Security of Personally Identifiable Information under the Affordable Care Act • Privacy and Security of Federal Tax Information under the Tax Code • Other Requirements on Certified Application Counselors and Navigators under Agreements with the Centers for Medicare & Medicaid Services • Authorized Representative Designation & Privacy • Other Considerations & Guidance

  3. Introduction

  4. Acronyms

  5. Why is Protecting Consumer Information Important? • Besides the fact that it can harm a person personally and financially… • Purpose of Marketplace is to help people get insured. • Enrollment assisters have a key role in protecting information. • Disclosure can result in civil and criminal penalties.

  6. Enrollment Assisters • Types • Navigators • Non-Navigator Assister Personnel • Certified Application Counselors • Authorized Representatives • Outreach and Enrollment Workers • Agents and Brokers (not discussed here) • Enrollment Assisters will need to be familiar with applicable privacy and security laws beyond HIPAA in providing assistance to consumers.

  7. Enrollment Assisters & Privacy • Enrollment assisters who assist consumers apply for coverage will have access to a consumer’s personal information. • Enrollment assisters are bound by the ACA, as well as other privacy laws, to protect consumer information that the enrollment assister may be exposed to and have a duty to ensure that it’s not used or shared in a harmful way.

  8. Privacy and Security of PII Under The ACA

  9. Compliance with HIPAA is not Enough • I/T/Us are required to comply with the HIPAA Privacy, Security and Breach Notification Rules as to the PHI created, maintained, or transmitted. • The ACA privacy and security standards are broader than HIPAA. Complying with HIPAA is not enough to comply with ACA privacy and security standards.

  10. Eight ACA Privacy and Security Standards • Individual access • Correction • Openness and transparency • Individual choice • Collection, use and disclosure limitations • Data quality and integrity • Safeguards • Accountability

  11. Confidentiality of Consumer’s PII Under the ACA • A consumer is required to provide only the information strictly necessary to verify identity, determine eligibility for insurance, and determine the amount of the tax credit or cost sharing reduction. • Any person (including enrollment assisters) who receives information provided by an applicant or from a Federal agency shall use the information only for the purpose of ensuring efficient operation of the Marketplace and shall not disclose the information to any other person. See Section 1411(g) of the Affordable Care Act.

  12. What is the Penalty for Disclosing PII? • A “….person who knowingly and willfully uses or discloses information in violation of section 1411 (g) of the Affordable Care Act will be subject to a civil penalty of not more than $25,000 per person or entity, per use or disclosure, in addition to other penalties that may be prescribed by law.” 45 C.F.R. § 155.260(g).

  13. Examples of Information Considered PII Under the ACA *These are only examples, the CMS Agreements include a long list of the types of PII a Navigator or CAC may receive.

  14. Non-Exchange Entity • A Marketplace must require the same or more stringent privacy and security standards as a condition of an agreement with a Non-Exchange entity. • A Non-Exchange entity specifically includes Navigators, CACs and agents and brokers. • A Tribe or organization with Outreach and Enrollment Workers may be considered a Non-Exchange entity.

  15. Non-Exchange Entity (cont’d) • A Non-Exchange entity is not specifically defined in the regulations but refers to: “…Individuals or entities, such as Navigators, agents, and brokers, that: (1) Gain access to personally identifiable information submitted to the Exchange; or (2) Collect, use or disclose personally identifiable information gathered directly from applicants, qualified individuals, or enrollees while that individual or entity is performing the functions outlined in the agreement with the Exchange….”

  16. Applicable Laws and Requirements

  17. Oversight of ACA Privacy and Security Standards

  18. Section Summary: What You Need to Know • You must keep the consumer’s information confidential, never disclose information to others. • Under ACA, there are civil penalties for disclosure of confidential information. • Critical to maintain consumer’s trust!

  19. Questions ???

  20. Privacy and Security of FTI under The Tax Code

  21. Under the Tax Code • The ACA regulations incorporate reference to the Tax Code. • Under the Tax Code, if you have access to Federal Tax Information (FTI) from the IRS or a secondary source to carry out consumer eligibility requirements for premium tax credits or any cost sharing reduction, or eligibility in a State Medicaid Program, CHIP or basic health program, you are bound not to disclose FTI obtained in any manner in connection with the serviceprovided to the consumer. • FTI includes returns and return information and must be kept confidential.

  22. Federal Tax Information (FTI)

  23. FTI Available through Marketplaces Under the Tax Code • Taxpayer identity information • Filing status (single, married, etc.) • The number of individuals for whom a deduction is allowed • The taxpayer’s modified adjusted gross income (MAGI) • The taxable year of the information, or that such information is not available. • Other information that might indicate whether an individual is eligible for the premium tax credit, or cost sharing reductions, and the amount.

  24. Protecting FTI • Do not retain the FTI after the enrollment session is over. • Never access FTI if the information is not needed for the consumer’s enrollment. • If you have access to a consumer’s FTI, do not disclose the FTI. • Criminal penalties and civil liability can result from unauthorized access or disclosure of FTI.

  25. What is Considered Unauthorized Access? • Unauthorized access occurs when an entity or individual receives or has access to FTI without authority. • Criminal penalty: Misdemeanor punishable by a fine of up to $1,000, or imprisonment of not more than one year, or both, plus the costs of prosecution. • Civil liability: A taxpayer may sue the employee or assister for damages.

  26. What is Considered Unauthorized Disclosure? • Unauthorized disclosure occurs when an entity or individual with authorization to receive FTI discloses FTI to another entity or individual who does not have the authority and a need-to-know. • Criminal penalty: Felony punishable by a fine of up to $5,000, or imprisonment of not more than one year, or both, plus the costs of prosecution. • Civil liability: A taxpayer may sue the employee or assister for damages.

  27. Section Summary: What You Need to Know • FTI is only that information received directly from the IRS or through a secondary source. • Never retain FTI after the enrollment session ends. • Even if you receive the return or return information from a consumer directly to assist with an application, do not keep this information in your files and make sure to return it to the consumer.

  28. Questions ???

  29. Other Requirements on Navigators and CACs under CMS Agreement

  30. Additional Navigator and CAC Requirements • Navigators and CACs are subject to six categories of privacy and security standards that the Navigator or CAC organization agreed to with CMS, including any attachments and referenced documents. • Note: Links to the documents are provided in the next slide. • As a Navigator or CAC, you may be required to sign an agreement with your employer to perform your duties as a Navigator or CAC. • Recommendation: These standards should also be followed by I/T/Us not under a formal agreement with CMS or a Marketplace as minimal standards to ensure the protection of consumer information.

  31. Links to Referenced Documents • Model Navigator Assistance Consent Form in FFM, available at http://oci.wi.gov/navigator/navigator-consent.pdf • Model CAC Authorization Form in FFM, available at http://enrollmentloop.org/sites/default/files/helpimages/CAC%20Consent%20Form.pdf • Appendices to Model Agreement Between CAC and Organization in FFM, available athttp://revcycle.med.umich.edu/sites/default/files/Appendices%20to%20the%20CDO-CAC%20Model%20Agreement%20%282%29.pdf • MARS-E Suite of Documents, available at http://www.cms.gov/cciio/resources/regulations-and-guidance/#MinimumAcceptableRiskStandards

  32. 6 Categories of Privacy and Security Standards 1- Individual Access: • Organization must have policies and procedures in place to provide consumers with access to PII upon request. • Organization must respond to a request for access and grant or deny request within 30 days. 2- Openness & Transparency: • Organization must provide a Privacy Notice Statement that is prominently and conspicuous displayed on a public facing website (if applicable), or in electronic form and/or paper form that will be used to gather and/or request PII.

  33. 6 Categories of Privacy and Security Standards (cont’d) 3- Individual Choice: • Organization may only use PII for the functions and purposes listed in the Privacy Notice Statement and any agreements that were in effect when PII was collected unless the consumer’s informed consent is obtained. The consent must be appropriately secured and retained for 10 years. 4- Collection, use and disclosure limitations: • Organization should always try to collect PII directly from the consumer when information may result in an adverse determination about benefits.

  34. 6 Categories of Privacy and Security Standards (cont’d) 5- Data quality & integrity: • Organization must allow a consumer the right to amend, correct, substitute or delete PII. Such request must be granted or denied within 10 working days of request. • Organization must verify consumer’s identity. • Organization must maintain an accounting of any and all disclosures for at least 10 years after the disclosure, or the life of the record, whichever is longer.

  35. 6 Categories of Privacy and Security Standards (cont’d) 6- Accountability: • Organization must implement breach and incident handling procedures. • Organization shall incorporate privacy and security standards and implementation procedures in its standard operating procedures as to PII. • Organization shall develop training and awareness programs for members of its workforce involved with PII. • Organization shall adopt and implement Security Control Standards.

  36. Model Consent Form Templates Note: See slide #31 for links to these consent forms.

  37. Consent Form Modifications • Mailing Documents for Consumers • CMS Training: The best practice discourages mailing of applications by CAC. See Privacy and Security Standards, Course 13. • Best practice is to ask the consumer to mail the application him/herself. • However, where consumer may be unable to accomplish this task, you could have a separate consent formallowing the organization/assister to mail the application releasing the organization/assister from liability.

  38. Section Summary: What You Need to Know • Always provide a Privacy Notice Statement to consumer. • Always obtain a consent form before assisting a consumer. • Always obtain informed consent (separate form) for any use or disclosure of consumer’s information outside of the Privacy Notice Statement. Consents must be kept for 10 years. • Keep track of any disclosures made as to consumer’s information. Must be kept for 10 years. • Report any breaches of the consumer’s PII or FTI.

  39. Questions ???

  40. Authorized Representative Designation & Privacy

  41. What is an Authorized Representative? • An authorized representative is a person or organization authorized by a consumer to assist the consumer with his or her application and enrollment in insurance in the Marketplace. • An authorized representative should have authority to also work with the QHP, but a separate form could be required. • A consumer should select a person or organization that the consumer trusts to act as his or her representative since this person will have access to the consumer’s PII. • The FFM paper application allows a consumer to name an authorized representative, but it may be done through the electronic application. • A consumer may revoke a designation at any time.

  42. Duties of Authorized Representative • An authorized representative may be authorized to: • Sign the application on behalf of the consumer • Submit an update or respond to a redetermination for the consumer • Receive copies of the consumer’s notices and other communications from the Marketplace; and • Act on behalf of the consumer in other matters with the Marketplace. See 45 C.F.R. § 155.227(c).

  43. Requirements of Authorized Representative Designation • Must be in a written document signed by consumer, or through another legally binding format. • Marketplace must ensure that the “…authorized representative agrees to maintain, or be legally bound to maintain, the confidentiality of any information…” regarding the consumer. • Marketplace must ensure that the representative is responsible for fulfilling all required duties. • Marketplace must provide information to both the consumer and the authorized representative regarding representative’s powers and duties. See 45 C.F.R. § 155.227(a)(2)-(5).

  44. Timing of Designation • The Marketplace must permit a consumer to designate an authorized representative: • At the time of the application; or • At other times and methods, including: • Via an internet website • By telephone through a call center • By mail • In person See 45 C.F.R. 155.227(b), 155.405(c)(2).

  45. Language in FFM Paper Application • By signing an authorized representative designation, a consumer gives the representative: • Permission to talk about the consumer’s application with the Marketplace • See consumer’s information • Act on consumer’s behalf on matters related to the application, including obtaining information about consumer’s application • Sign the application on consumer’s behalf.

  46. Authorized Representative Designation in Selected State-based Marketplaces

  47. Authorized Representative v. CAC

  48. Can a CAC also be an Authorized Representative? • Yes. A CAC can also be designed as a consumer’s authorized representative.

  49. Section Summary: What You Need to Know • Authorized representatives must agree to maintain confidentiality of consumer information. • Best practice for authorized representatives within an I/T/U would be to follow the same or similar standards as Navigators and CACs under CMS Agreements.

  50. Other Considerations & Guidance

More Related