HIPAA: Understanding the Basics



Presentation Transcript


  1. HIPAA: Understanding the Basics HIPAA Basics: 2002 Washington and Lee University

  2. Presenters
     Leanne Shank, Esquire, University Counsel
     Jennifer Kirkland, Esquire, Office of University Counsel
     Washington and Lee University, Lexington, Virginia

  3. HIPAA: The Basics
     • What is it?
     • Why should you care?
     • How might it affect your institution?
     • What steps should you take to determine your institution’s exposure and to comply?
     • NOTE: This presentation is geared toward institutions without academic medical centers.

  4. Health Insurance Portability and Accountability Act of 1996
     • Kennedy-Kassebaum Bill – amended the Social Security Act to allow for portability of health insurance (immediate qualification for comparable coverage upon change of employment).
     • Congress desired to promote Electronic Data Interchange to facilitate this portable health insurance and to reduce the administrative costs of health care.

  5. A Little Congressional Humor:
     • “ADMINISTRATIVE SIMPLIFICATION” – 42 U.S.C. 1320d et seq.
     • Title II, Subtitle F of HIPAA (codified as Part C of Title XI of the Social Security Act)
     • Gives HHS (Department of Health and Human Services) authority to mandate (1) transaction standards and code sets for electronic exchange of health care data, as well as (2) privacy and (3) security standards for individually identifiable health information.
     • Also provides for required use of national identifiers for providers, employers/sponsors, payers/plans, and patients (the patient identifier has been shelved).
     • Substantial civil and criminal penalties for non-compliance.

  6. Transaction Regulations
     • Designed to ensure format and content standardization in certain specific financial and administrative health care transactions conducted electronically.
     • NOTE: it is important that you familiarize yourself with what types of transactions are governed by the transaction regulations – not every health care transaction is covered, only those defined in the regulations.
     • 45 CFR Part 162, Subparts K through R.

  7. Privacy Regulations
     • Designed to establish a federal regulatory framework to promote the privacy of health information among entities covered by HIPAA, and those acting on their behalf.
     • Regulations restrict the use and disclosure of protected identifiable health information, provide for patient access to such information, and mandate administrative safeguards to promote privacy of protected health information.

  8. Security Regulations
     • Not yet finalized as of this presentation (rumored for Dec. ’02). [The final Security Rule was subsequently published on February 20, 2003, at 45 CFR Part 164, Subpart C.]
     • Designed to establish a federal standard for the protection of health information maintained or transmitted electronically.
     • Require administrative, technical and physical safeguards for storage, transmission, and access.

  9. Is Your Institution, or any part of it, Covered by HIPAA? By any or all of the Transaction, Privacy and/or Security Regs?
     • DON’T ASSUME HIPAA OR THE SEPARATE SETS OF REGULATIONS APPLY TO THE COLLEGE OR UNIVERSITY AS A WHOLE!

  10. Campus Entities That Are NOT “Covered Entities” Per Se without further analysis:
     • Colleges
     • Universities
     • Employers
     • Supervisors and Administrators
     • All University Insurance Plans
     • Health Care Providers (physicians, nurses, counselors, athletic trainers)

  11. What is a “Covered Entity” under HIPAA?
     • Health Plan
     • Health Care Provider who transmits any health information in electronic form in connection with a HIPAA transaction [May be broader under proposed security regulations]
     • Health Care Clearinghouse (converts non-standard transactions to or from standard format)
     • 42 U.S.C. 1320d-1, 45 CFR 160.103

  12. Use the CMS Covered Entity Decision Tools to Help Determine Your Campus Coverage
     • http://www.cms.hhs.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp
     • This site will walk you through a series of questions with respect to your health care providers and health plans to assist you in determining if your campus will be covered under HIPAA.

  13. Health Plan
     • “An individual or group plan that provides, or pays the cost of, medical care. . .”
     • INCLUDES (singly, or in combination):
        • Group health plans (ERISA plans), insured AND self-insured, providing medical care for employees or dependents
        • Plans with fewer than 50 participants that are administered in-house by the employer are excluded from this definition.
        • Health insurance issuers and HMOs

  14. Health Plan (cont’d.)
        • Medicare, Medicaid, Veterans, CHAMPUS, and other federal and state health plans outlined in the regulations
        • Issuers of long-term care policies, excluding nursing home fixed-indemnity policies
        • *Any other individual or group plan providing or paying for the cost of medical care.
     • 42 U.S.C. 1320d, 45 CFR 160.103

  15. Plans Not Covered By HIPAA
     • Plans, policies, or programs to the extent they pay for excepted benefits:
        • Coverage only for accident
        • Disability income insurance
        • Coverage supplementing liability insurance
        • Liability insurance, including general and auto
        • Workers’ compensation insurance
        • Automobile medical payment insurance
        • Coverage for on-site medical clinics
     • 42 U.S.C. 300gg-91(c)(1)

  16. Examples of Covered Health Plans in the College or University Setting
     • Employee group health plan (fully/self-insured)
     • Employee group dental plan (fully/self-insured)
     • Employee group vision plan (fully/self-insured)
     • Employee flexible spending account
     • Employee Assistance Plan (for other than on-site clinic)
     • Retiree health plan (fully/self-insured)
     • Student health (fully/self-insured) (for other than on-campus clinic)

  17. Examples of Non-Covered Plans in a College or University Setting
     • NCAA intercollegiate accident policy
     • Employee long-term disability policy
     • Employee life insurance policy
     • Employee workers’ compensation coverage
     • Student health fee for on-site student health and counseling services

  18. Is This Example a Health Plan?
     • University has a private psychiatrist on retainer, to evaluate students on a one-time referral from University physician/counselors when behavioral concerns arise. University pays the psychiatrist directly for these sessions out of the student health and counseling budget. Is this practice a “health plan” under HIPAA?
     • Presenter takes the position that this is not a covered health plan, but a contractual extension of the excluded on-site clinic exemption under HIPAA. (Note: this is the presenter’s opinion, not an official HHS response.)

  19. “Plan Sponsor”
     • Defined only under the privacy regulations, as the employer or other entity that establishes and maintains a group health plan. (ERISA only? 45 CFR 164.501)
     • Employers and other Plan Sponsors are NOT covered entities under HIPAA, per se. However, Plan Sponsors do have certain specific obligations under the Privacy Regulations.
     • As a practical matter, employer-sponsored health plans have no employees and exist only as plan documents. So the employer/plan sponsor/plan administrator may need to ensure compliance, particularly with self-insured plans.

  20. Endorsed vs. Sponsored Plans
     • Question: A university endorses one student health insurance policy and allows that insurer to market the policy as the College Sponsored Student Health Plan. There is no contractual relationship between the college and the insurer, and the students apply, pay premiums, and file claims on their own. Is the college a Plan Sponsor for HIPAA?
     • No. First, the concept of a plan sponsor as defined appears to apply only to ERISA plans. Second, the college has not undertaken any responsibility to pay any premiums or subject itself to any other liability under the policy. It is acting only as endorser and liaison between insurer and student. Under these circumstances, the college is not a HIPAA plan sponsor of this plan. (Presenter’s opinion)

  21. “Health Care Providers”
     • Health care providers are only covered under HIPAA IF they electronically transmit any health information in connection with one of the specifically defined HIPAA transactions. [May be broader under proposed security regulations] 42 U.S.C. 1320d-1, 45 CFR 160.103
     • According to HHS FAQs, paper-to-paper faxing (NOT sent via/to a computer, but by telephone fax) is NOT electronic transmission under HIPAA; neither are phone mail/voice faxback systems.
     • Size of the health care provider is irrelevant to coverage – there is no small provider exception.

  22. HIPAA Transactions
     • The following administrative and financial health care transactions are the HIPAA transactions required to be processed as “standard transactions” by covered entities (see definitions at 45 CFR Part 162, Subparts K-R):
        • Health care claims and encounters
        • Enrollment and disenrollment in a health plan
        • Eligibility for a health plan
        • Health care payment and remittance advice
        • Health plan premium payments
        • Health claim status
        • Referral certification and authorization
        • Coordination of benefits
        • First report of injury (to be adopted later)
        • Claims attachments (to be adopted later)

  23. HIPAA Transactions (cont’d.)
     • If a health care provider transmits any of these transactions electronically, that health care provider is a covered entity. E.g., if your student health center bills student insurance electronically, or bills summer campers’ insurance electronically, or sends referral authorizations to insurers electronically, it has become a covered entity.
     • It appears from HHS comments that “in connection with” means as a part of the covered transaction itself, not merely in communications in any way related to a covered transaction (e.g., electronically submitting a claim, as opposed to emailing with a question about how to transmit a claim).

  24. Look Closely at the Definitions of HIPAA Transactions
     • Do not assume that you know what the listed transactions include. They are specifically defined, and most specifically pertain only to transactions to/from health providers from/to health plans.
     • E.g., student health centers that only bill student accounts, not third-party payers. This is direct billing of the patient under an excluded plan covering on-site clinic services, not a “claim” to a covered health plan. Thus, this sort of account billing is not a HIPAA transaction.

  25. More Examples of non-HIPAA Triggering Transactions
     • E.g., an email from one doctor to another doctor regarding a patient’s treatment is not a HIPAA transaction that triggers coverage as a “covered entity” or requires standard formatting.
     • E.g., a flexible spending account plan does not involve claims from health providers to the plan, but merely direct reimbursement of the employee, so though the plan is a covered plan, it conducts no HIPAA “claims” required to be standardized.

  26. Health Care Providers that May Be Covered in a College or University Setting
     • Student Health Centers – physicians, nurses, and other providers
     • Counseling Center staff – psychiatrists, clinical psychologists
     • Athletic Trainers
     • ONLY IF THEY TRANSMIT HEALTH INFO. ELECTRONICALLY IN ONE OF THE DEFINED HIPAA TRANSACTIONS [May be broader under proposed security regulations]

  27. Health Care Clearinghouse
     • An entity that takes non-standard health care transactions and converts them into standard form.
     • Some college and university health care providers or plans may use these entities in administering their health services or plans. Others may act as clearinghouses by billing third-party payers on behalf of other entities, such as clinics or practice groups.

  28. Business Associates
     • Persons or entities that perform functions or activities on behalf of a covered entity, but that are not part of the covered entity’s workforce. 45 CFR 160.103
     • Business Associates do not thereby become covered entities, but may be in their own right.
     • E.g., Third-Party Administrators are business associates that perform claims administration functions for self-insured health plans.
     • E.g., External Billing Services are business associates that perform functions on behalf of covered health care providers, but are not themselves covered entities.

  29. Threshold Question: Are You Covered under HIPAA?
     • Determine whether your college or university maintains any covered health plans.
     • Determine whether your college or university has any covered health care providers.
     • Survey appropriate individuals in offices dealing with these areas: financial, personnel, business, student health, counseling, trainers, etc.
     • Survey the business associates of any health plans and health providers to determine whether they engage in HIPAA transactions and the extent to which they use/disclose health information.

  30. HIPAA Transaction Regulations: Overview
     • Designed to bring about the standardization of electronic exchange of health care information between health plans, providers, and their business associates, in certain specific key financial and administrative transactions.
     • BE SURE YOU DETERMINE WHETHER ANY COVERED ENTITY ENGAGES IN ANY OF THESE TRANSACTIONS.

  31. Transaction Regulations
     • HHS has adopted national standards and code sets (medical and administrative) that must be used in the electronic exchange of health information in connection with the HIPAA Transactions. 45 CFR Part 160 and 45 CFR Part 162.
     • All health plans, and covered health care providers that conduct HIPAA Transactions electronically, must use the transaction standards.
     • All health plans must assure that their business associates (e.g., Third-Party Administrators) comply with the transaction standards.

  32. Transaction Regulations (cont’d.)
     • Health plans MUST be able to conduct transactions as standard transactions upon request, though they may use a clearinghouse or other business associate (such as a Third-Party Administrator) to do so.
     • Plan Sponsors are NOT required to submit HIPAA transactions (e.g., enrollment and premium submissions) using the standards, because they are NOT covered entities.
     • Covered health care providers do NOT have to transmit any of the transactions electronically; but if they do so, they must use the standard transactions.

  33. Transaction Regulations Compliance Deadline
     • The deadline for compliance with the Transactions Regulations has been extended to October 16, 2003 for covered entities IF, by October 16, 2002, they filed a compliance extension plan. (H.R. 3323)
     • Small health plans (with annual receipts of $5 million or less) need not file any extension – their original compliance deadline remains October 16, 2003.
     • Information on correction/clarification of extension filings can be accessed at: http://www.cms.gov/hipaa.

  34. What if You Failed to File an Extension?
     • First, be sure you are a covered entity and subject to the earlier deadline, not the extended deadline for small health plans.
     • Covered Health Plans should contact their insurers to determine if the insurers filed for extensions on behalf of the covered plans.
     • For self-insured plans, Third-Party Administrators are not covered entities, and so were not obligated to file for extensions. However, some TPAs may have voluntarily filed for their self-insured plans, so check to see if this was done.

  35. Privacy Regulations: Overview
     • Designed to protect patient rights by providing patient access to protected health information, restricting use of that information, and creating a nationwide framework for health privacy protection.

  36. Status of Privacy Regulations
     • NOTE: Privacy Regulations became effective April 14, 2001, and amendments were finalized August 14, 2002.
     • For compliance deadlines, see slide #62.

  37. Application of Privacy Regulations
     • Various parts of the privacy regulations will apply to the following entities with respect to protected health information:
        • Health plans and health clearinghouses
        • Health care providers who transmit health information electronically in a HIPAA transaction
        • Plan sponsors of group health plans
     • Covered entities must ensure that their business associates who create or receive protected health information comply with the privacy regulations, by written contract or agreement requiring specific assurances. 45 CFR 164.502, -504, -532.

  38. “Protected Health Information”
     • Individually identifiable health information (diagnosis, condition, treatment, payment) transmitted or maintained in any medium, including oral or hardcopy, not limited to electronic media. 45 CFR 164.501
     • In other words, if you are a covered entity with protected health information, these regulations apply to all forms of such records and information.
     • IMPORTANT EXCLUSIONS: student health information and employment records.

  39. Student Health Information Exclusion
     • Education records covered by FERPA, and
     • Records of students held by colleges and universities used exclusively for health care treatment and which have not been disclosed to anyone other than a health care provider at the student’s request. (These are specifically excluded from the FERPA definition of “education records.”) 45 CFR 164.501
     • HHS expressly determined that it was not going to preempt FERPA, because FERPA already provided a privacy framework for student records. So, if the records fit within the “HIPAA FERPA” exception, FERPA applies rather than the privacy regulations.

  40. Employee Records Exclusion
     • Contained in the finalized amendments to the privacy regulations.
     • Excludes from protected health information employment records held by a covered entity in its role as employer. 45 CFR 164.501
     • E.g., a covered university physician or benefits office maintaining employee records regarding requested disability accommodation, FMLA, or on-the-job drug testing. However, the records kept on employee health plan participation and claims, as well as medical treatment of employees by any college/university health care providers who are covered entities, are PHI.

  41. Disclosure of PHI Restricted
     • Covered entities are allowed to disclose without authorization for treatment, payment, and health care operations (see the regulations for the specific definition of these terms). 45 CFR 164.506
     • Amended regulations remove the requirement for health care providers to get general consent, and allow for acknowledgement of the notice of privacy practices at the time of the first visit.
     • Covered entities are allowed to disclose otherwise with written authorization of the individual. 45 CFR 164.508

  42. Disclosure of PHI Restricted (cont’d.)
     • Covered entities are allowed to disclose certain types of information without individual authorization if the individual has the opportunity to “agree or opt out” (like FERPA directory information). 45 CFR 164.510
     • Covered entities may disclose without authorization when required by HIPAA or law to do so (e.g., public health emergency, product recall). 45 CFR 164.512
     • In most disclosures, covered entities must disclose only the “minimum necessary” information. 45 CFR 164.514

  43. How do Restrictions on PHI Disclosure Affect Research?
     • Research alone does not make a university a covered entity or a department a health care component, unless researchers are also treating and, as health care providers, are electronically transmitting health information in HIPAA transactions.
     • However, researchers will need to produce either a specific HIPAA authorization or an IRB/privacy board waiver, or meet a specific HIPAA research exception, in order to obtain PHI from covered health care providers or other covered entities who are data sources. 45 CFR 164.508 or 164.512(i)
     • Contact data sources now to see what they will require.

  44. “Hybrid Entity”
     • Unique to the privacy regulations – 45 CFR 164.504
     • A single legal entity that is a covered entity, that performs covered and non-covered functions, and that designates health care components. Most colleges/universities will be a hybrid.
     • E.g., a university with a covered student health center and covered health plans. Under the hybrid status, the entire university does not become a covered entity – only the designated health care components are required to comply with the HIPAA privacy regulations. 45 CFR 164.504

  45. “Hybrid Entity” (cont’d.)
     • A hybrid entity MUST designate any component that would meet the definition of a covered entity if it were a separate legal entity.
     • A hybrid entity MAY include other components that perform covered functions and activities that would make the component a business associate if it were a separate legal entity (e.g., the division of the business office involved in billing, the division of the benefits office involved in covered plans, the division of legal counsel’s office involved in health care issues). Can be specific as to individuals – need not name an entire office.

  46. Considerations for Selection of Optional Health Care Components
     • A hybrid covered entity must ensure privacy regulations compliance by its health care components. 45 CFR 164.504
     • Without a HIPAA authorization, a health care component can’t disclose PHI to another non-health care component of the university where disclosure would be prohibited if the components were separate legal entities.

  47. Designation of Hybrid Entity Components
     • Must make this designation in writing (internal designation, not required to be filed, but must have a paper trail in case of OCR/HHS inquiry).
     • Document any additions or removals of individuals/offices as health care components as they occur.
     • Remember: only individuals/offices that deal in PHI are required to comply with the privacy regs. If an office only deals with exempt student or employment records, it does not handle PHI and there may be no reason to designate it as a health care component if it would not meet the definition of a covered entity itself.

  48. Considerations for Hybrid Entities (cont’d.)
     • If non-covered components are closely intertwined with covered components and have need for PHI, it may make sense to designate them as health care components.
     • But be careful of over-designating! (E.g., if the student health center is not a covered entity and not closely intertwined with covered health plans, designation could require unnecessary practices and conflicts with FERPA.)
     • Other examples of potentially unnecessary designation: athletic trainers who do no electronic third-party billing or referrals with covered plans; researchers uninvolved with health care providers or health plans.

  49. Use/Disclosure by Business Associates
     • Covered entities need business associate contracts/agreements with all business associates who create or receive PHI in carrying out functions on behalf of the covered entity.
     • E.g., third-party administrators of university self-insured health plans, outside counsel handling matters involving PHI.
     • BA must not use or further disclose PHI other than as permitted or required by law.
     • BA must use appropriate privacy and security safeguards.

  50. Use/Disclosure by Business Associates (cont’d.)
     • BA must report any improper use or disclosure of which it becomes aware to the covered entity.
     • BA must ensure its agents agree to the same restrictions.
     • Regulations provide a transition timetable for contracts renewed at various points prior to the compliance deadline.
     • 45 CFR 164.502, -504, -532
