From Discharge, to Charge, to Litigation: Tips for

Transcript

This UBA Employer Webinar Series
is brought to you by United Benefit Advisors
in conjunction with Jackson Lewis
For a copy of the following presentation, please visit our
website at www.UBAbenefits.com. Go to the Wisdom tab and
then to the HR webinar series page.
Represents management exclusively in every aspect of
employment, benefits, labor, and immigration law and
related litigation
Over 700 attorneys in 49 locations nationwide
Current caseload of over 5,000 litigations and
approximately 300 class actions
Founding member of L&E Global
This presentation provides general information regarding its subject and explicitly may not be construed as
providing any individualized advice concerning particular circumstances. Persons needing advice concerning
particular circumstances must consult counsel concerning those circumstances. Indeed, health care reform
law is highly complicated and it supplements and amends an existing expansive and interconnected body of
statutory and case law and regulations (e.g., ERISA, IRC, PHS, COBRA, HIPAA, etc.). The solutions to any
given business’s health care reform compliance and design issues depend on too many varied factors to list,
including but not limited to, the size of the employer (which depends on complex business ownership and
employee counting rules), whether the employer has a fully-insured or self-funded group health plan, whether
its employees work full time or part time, the importance of group health coverage to the employer’s
recruitment and retention goals, whether the employer has a collectively-bargained workforce, whether the
employer has leased employees, the cost of the current group health coverage and extent to which
employees must pay that cost, where the employer/employees are located, whether the employer is a
religious organization, what the current plan covers and whether that coverage meets minimum requirements,
and many other factors.
IRS Circular 230 disclosure: Any tax advice contained in this communication (including any attachments or
enclosures) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties
under the Internal Revenue Code or (ii) promoting, marketing or recommending to another party any
transaction or matter addressed in this communication. (The foregoing disclaimer has been affixed pursuant
to U.S. Treasury regulations governing tax practitioners.)
I.T.
- Smart phones, social media, email
- Passwords
- Data security
- Firewalls
- Technology
- Confidentiality, trade secrets, policies, agreements, whistleblowing
- E-commerce, vendors, customers, COPPA, data breach
H.R.
- Information about employees
  * Hiring
  * Testing
  * Monitoring
  * Record retention
- Ensuring compliance by employees
Legal / Compliance
- HIPAA
- FCRA
- GLBA
- State law
- Litigation
- International
What is the Health Insurance Portability and
Accountability Act (HIPAA)?
o Nondiscrimination
o Portability
o Fraud and Abuse
o Administrative Simplification
What are key aspects of “Administrative
Simplification”?
o Privacy and security standards
o Transaction code sets
How do the privacy and security standards interact
with state law?
o They provide a federal floor for health information protection that
supersedes any contrary provision of state law
o State laws are not preempted if they conflict with HIPAA and are
more “stringent” – more protective
What is the basic principle under HIPAA?
o Covered Entities that possess . . .
o individually identifiable information related to an individual’s health
care, or provision or payment for health care. . .
o cannot be used or disclosed except under specified circumstances,
and must be safeguarded.
Who/what is a covered entity under HIPAA?
o Most Healthcare Providers – those that transmit health
information in electronic form in connection with certain covered
transactions
o Health Plans
o Health Care Clearinghouses
o No Jurisdiction Over “Employers”
What health plans are covered?
o Medical, dental, vision, HRA, HFSA, EAP, many LTC plans
o Remember on-site health clinics, even though not “plans”
What plans are NOT covered?
o Disability, workers compensation, fixed indemnity LTC, stop-loss/reinsurance policies
o Self-administered health plans with fewer than 50 participants
What is protected health information?
o Information created or received by covered entity or employer
o Relating to individual’s past, present or future
• Physical or mental health or condition or
• Provision of health care or
• Payment for health care
o That does or reasonably could identify the individual
What is NOT Protected Health Information?
o Medical information collected or maintained in connection
with employer obligations under law (wearing your
“employer hat”)
• FMLA, ADA, Sick Leave Requests
• Occupational Injury
• Disability Insurance Eligibility
• Drug Screening Results
• Workplace Medical Surveillance
• Fitness-For-Duty Tests
o Focus on WHY employer acquired the information
What is a Use?
o The sharing, employment, application, utilization, examination, or
analysis of information within the entity maintaining the
information.
What is a disclosure?
o The release, transfer, provision of, access to, or divulging in any
other manner of information outside the entity holding the
information.
When can a plan use and disclose PHI?
o General rule – not unless permitted under HIPAA
o Key exceptions
• Individual, and pursuant to his/her authorization
• Plan sponsor and business associates
• Inadvertence
• Treatment, payment, health care operations
• Judicial and administrative proceedings
• Workers compensation
• HHS
• Whistleblowers
What if a situation does not fall into an exception?
o Authorization is needed
What are the required elements for an authorization?
o Specific and meaningful description of information
o Identify person or class of persons authorized to make the disclosure,
and that will use or receive it
o Purpose of the disclosure, and no compound authorizations
o Expiration date or specified event to terminate the authorization
o Notice of right to revoke and how to do so
o Notice of the potential for subsequent disclosure and loss of protection
o Date and signature of the individual
What do plans (plan sponsors) need to consider
when addressing compliance with HIPAA privacy
and security?
o Fully insured plan exception v. self-funded plans
o Privacy rules
o Security rules
Do fully insured plans have the same requirements
as self funded plans?
o It depends. Fully insured plans are exempt from many of HIPAA’s
administrative requirements if plan does not create or receive PHI,
except for:
• Performing administrative enrollment functions
• Receiving summary health information for limited purposes
– Bid submissions
– Plan amendment or termination
– Administering payroll deductions
o 2004 JCEB informal guidance suggests fully insured plans may avoid
triggering full application of rules by obtaining an authorization when
dealing with employees
We have a fully insured plan and only receive PHI as plan
sponsor for obtaining premium bids, modifying or
terminating the plan, and enrollment and disenrollment.
Do we need to amend our plan?
o No, virtually all of the compliance burden will fall on the insurer
• Privacy Notice
• Administrative Safeguards
o Required policies, actions:
• Anti-intimidation/retaliation
• Limitation on waiver of HIPAA rights
• Possible Business Associate Agreement – e.g., Insurance brokers who
handle claims questions
Same question as the previous slide, but we also have a
health flexible spending arrangement (HFSA)?
o While compliance would be the same for the fully insured plan,
the HFSA is considered a self-funded health plan to which the
administrative exception would not apply.
o Compliance would be similar to what is described for fully
insured plans that do not qualify for the administrative exception
(the plan has access to PHI beyond what is permitted for
exception to apply) and self-funded plans
o The answer is the same for health reimbursement arrangements.
What if we have a fully insured plan with a wellness program
component that we administer, and we also provide a participant
advocate service for covered employees and dependents?
o The administrative exception described above likely does not
apply, which means that the plan is subject to all of the
administrative requirements under the privacy rule and the
security rule.
o This is the case for self funded plans as well.
What are the key requirements under the HIPAA
privacy rule?
o Appoint Privacy Officer
o Amend the health plan for plan sponsor access, and obtain plan
sponsor certification
o Adopt written policies including:
• Safeguards to protect PHI
• Accommodating individuals’ rights including access, amendments,
accounting for disclosures, restrictions, etc.
• Record retention and documentation
• Complaints and sanctions
What are the key requirements under the HIPAA
privacy rule? (ctd.)
o Identify and contract with business associates (and their subcontractors—discussion ahead!)
o Distribute notice of privacy practices
o Train employees as reasonably necessary to ensure compliance
o Maintain plan for responding to breaches of unsecured PHI
o Periodically review and document compliance efforts
What are the key requirements under the HIPAA
security rule?
o Security rule applies to electronic PHI only
• PHI that is computer based, e.g., created, received, stored or
maintained, processed and/or transmitted in electronic media
• Electronic media includes computers, laptops, disks, memory stick,
PDAs, servers, networks, dial-modems, e-mail, web-sites, etc.
o Security - means to ensure the confidentiality, integrity, and
availability of PHI that the covered entity creates, receives,
maintains, or transmits through applicable administrative,
physical and technical standards.
What are the key requirements under the HIPAA
security rule? (ctd.)
Administrative Safeguards
o Security Management Process
• Risk analysis (R)
• Risk management (R)
• Sanction policy (R)
• Information system activity review (R)
o Assign Security Responsibility
What are the key requirements under the HIPAA
security rule? (ctd.)
o Workforce Security
• Authorization or supervision of workforce (A)
• Workforce clearance procedure (A)
• Termination procedures (A)
o Information Access Management
• Access authorization (A)
• Access establishment and modification (A)
What are the key requirements under the HIPAA
security rule? (ctd.)
o Security Awareness and Training
• Security reminders (A)
• Protection from malicious software (A)
• Log-in management (A)
• Password protection (A)
o Security Incident Procedures
• Response and reporting (R)
What are the key requirements under the HIPAA
security rule? (ctd.)
o Contingency Plan
• Data backup plan (R)
• Disaster recovery plan (R)
• Emergency mode operation plan (R)
• Testing and revision procedures (A)
• Application and data criticality analysis (A)
o Evaluation
o Business Associates
• Written agreement (R)
What are the key requirements under the HIPAA
security rule? (ctd.)
Physical Safeguards
o Facility Access Controls
• Contingency operations (A)
• Facility security plan (A)
• Access control and validation procedures (A)
• Maintenance records (A)
o Workstation Use
o Workstation Security
What are the key requirements under the HIPAA
security rule? (ctd.)
o Device and Media Controls
• Disposal (R)
• Media re-use (R)
• Accountability (A)
• Data back-up and storage (A)
What are the key requirements under the HIPAA
security rule? (ctd.)
Technical Safeguards
o Access Control
• Unique user identification (R)
• Emergency access procedure (R)
• Automatic log-off (A)
• Encryption and decryption (A)
o Audit Controls
o Integrity
• Authenticate ePHI (A)
What are the key requirements under the HIPAA
security rule? (ctd.)
o Person or Entity Authentication
o Transmission Security
• Integrity controls (A)
• Encryption (A)
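The "Encryption and decryption", "Authenticate ePHI" and "Integrity controls" items above are addressable specifications: the rule says what must be achieved, not how. As an added example that is not part of the webinar or Jackson Lewis's material, the Go program below shows one way a plan or business associate might implement all three for ePHI at rest with AES-256-GCM, an authenticated cipher: decryption fails if any bit of the stored record is altered, and binding the record identifier as additional authenticated data rejects a ciphertext that has been moved under another member's record. The function names, the blob layout (nonce, then ciphertext and tag) and the sample record are assumptions made for the example; a real deployment would draw the key from a KMS or HSM rather than generate it in the program. Encryption of this kind, with the key held apart from the data, is also the usual route to PHI that is "secured" for purposes of the breach notification rule discussed later.

```go
// Added example (not from the webinar): one primitive covering the
// "encryption and decryption", "authenticate ePHI" and "integrity controls"
// safeguards for ePHI at rest. AES-256-GCM is authenticated encryption, so
// Open fails on any modification, and the record identifier is supplied as
// additional authenticated data (AAD) so a ciphertext cannot be swapped
// between records without detection.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

const nonceSize = 12 // standard GCM nonce length

// newAEAD builds the AES-256-GCM cipher; the key length check is part of the
// safeguard, since a short key silently weakens everything downstream.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord encrypts one ePHI record. The returned blob is
// nonce || ciphertext || 16-byte GCM tag. recordID is authenticated but not
// encrypted, so it may be stored in the clear as the row key.
func SealRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { // fresh nonce per seal
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce slice, so the nonce travels with the blob.
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// OpenRecord decrypts a blob from SealRecord. Any change to nonce, ciphertext
// or tag, or a mismatched recordID, yields an error and no plaintext.
func OpenRecord(key []byte, recordID string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < nonceSize+aead.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:nonceSize], blob[nonceSize:]
	pt, err := aead.Open(nil, nonce, ct, []byte(recordID))
	if err != nil {
		return nil, fmt.Errorf("integrity check failed for %s: %w", recordID, err)
	}
	return pt, nil
}

func main() {
	// Constructed sample key and record; production keys come from a KMS/HSM.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	record := []byte("member 0001; claim 2013-03; diagnosis code redacted (constructed sample)")

	blob, err := SealRecord(key, "rec-0001", record)
	if err != nil {
		panic(err)
	}
	if pt, err := OpenRecord(key, "rec-0001", blob); err == nil {
		fmt.Printf("round trip ok: %q\n", pt)
	}

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit in the tag
	_, err = OpenRecord(key, "rec-0001", tampered)
	fmt.Println("tampered blob rejected:", err != nil)

	_, err = OpenRecord(key, "rec-0002", blob) // same ciphertext filed under another record
	fmt.Println("record swap rejected:", err != nil)
}
```

Transmission security can reuse the same construction when a record leaves the system, but in practice that is what TLS already provides; the value of the code above is for ePHI written to disks, backups and removable media, where the "disposal" and "media re-use" specifications become far less painful if every copy is ciphertext whose key can be destroyed.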
What changes were made by HITECH?
o Modifications to breach notification rule
o Application of HIPAA to business associates, subcontractors
o Attorney general enforcement
o Increased penalties and enforcement
o Updates to Notice of Privacy Practices
o Expanded right of electronic access to PHI
What changes were made by GINA?
o Confirmed PHI includes “genetic information”
What are the key features of the breach notification
rule under HIPAA?
o Applies to covered entities and business associates
• Final regulations confirm covered entities still have obligation to
provide notification
• Covered entities may delegate that responsibility to business
associates by contract
o Triggered for unsecured PHI
What are the key features of the breach notification
rule under HIPAA?
o The “risk of harm” standard is gone: an impermissible use or disclosure is
presumed to be a breach unless the CE or BA can show a low probability that
the PHI has been compromised, based on at least the following factors
• nature and extent PHI involved, including the types of identifiers and
the likelihood of re-identification;
• the unauthorized person who used the PHI or to whom the
disclosure was made;
• whether the PHI was actually acquired or viewed; and
• the extent to which the risk to the PHI has been mitigated.
What are the key features of the breach notification
rule under HIPAA?
o Generally follows the format of 46 state laws with some key
distinctions:
• Absent law enforcement delay, must provide notice without
unreasonable delay but not later than 60 days following discovery
• Notify Secretary of HHS via website
– Immediately for breaches affecting 500 or more individuals
– Within 60 days of end of calendar year in which breach occurred for
breaches affecting fewer than 500 individuals
• Conspicuously post notice on CE’s website or place notice in major
print or broadcast media for breaches involving 10 or more
individuals for whom there is insufficient contact information
How do the new changes affect business associate
relationships?
o BAs are subject to most of the privacy rules, and virtually all of
the security rules, directly
o Subcontractors of BAs are considered BAs
o An entity is a BA if it meets the regulatory definition, regardless
of whether a BAA is in place
o Final regulations make clear that entities that maintain PHI for
CEs (even if they do not access it) are likely BAs – e.g., cloud
service providers, records storage companies.
Are CEs responsible for BAs?
o CEs are responsible for their BAs when the BAs are
their agents under federal common law
• Look to terms of BAA and nature of relationship to determine
agency status
• Key factor – does CE have right to control conduct of BA?
When are BAs directly liable under HIPAA?
o Final regulations make clear that BAs are directly liable for:
• uses and disclosures of PHI not permitted under HIPAA;
• a failure to provide breach notification to the CE;
• a failure to provide access to a copy of electronic PHI to the CE, the
individual, or the individual’s designee;
• a failure to disclose PHI to the Secretary of Health and Human
Services to investigate or determine the BA’s compliance with the
HIPAA privacy and security rules;
• a failure to provide an accounting of disclosures; and
• a failure to comply with the HIPAA security rules.
o But not other portions of privacy rule, such as notice requirement
What key issues need to be addressed in our BAAs?
o OCR provides sample provisions:
• http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
o Caution:
• Address agency issue to minimize liability for acts/omissions of BA
• Give attention to state law protections for personal information as
BAs often also have access to this kind of information. See, e.g.,
CA, TX, MD, MA, and others
• Outline process for investigating/handling security
incidents/breaches
• Consider indemnification provisions
What should we know about State AG enforcement?
o Actions brought in federal court
o Actions may seek damages on behalf of State residents
o Attorneys’ fees can be recovered
o Damages are determined by
• Multiplying number of violations by $100,
• Subject to a calendar year cap for violations of identical
requirements or prohibitions equal to $25,000
o States like CT and MN have already invoked this authority
What are the new penalties under HITECH?
o “Did not know” penalty – amount not less than $100 or more than $50,000 per
violation when it is established the CE or BA did not know and, by exercising
reasonable diligence, would not have known of a violation;
o “Reasonable cause” penalty – amount not less than $1,000 or more than
$50,000 per violation when it is established the violation was due to reasonable
cause and not to willful neglect;
o “Willful neglect-corrected” penalty – amount not less than $10,000 or more
than $50,000 per violation when it is established the violation was due to willful
neglect and was timely corrected;
o “Willful neglect-not corrected” penalty – amount not less than $50,000 per
violation when it is established the violation was due to willful neglect and was
not timely corrected.
o A penalty for violations of the same requirement or prohibition under any of these
categories may not exceed $1,500,000 in a calendar year.
Are there new rules for HHS investigations,
compliance reviews?
o Yes, investigations of complaints (beyond preliminary review) and
compliance reviews are mandatory when willful neglect is possible.
o Willful neglect means the “conscious, intentional failure or reckless
indifference to the obligation to comply with the administrative
simplification provision violated.” Examples:
• CE disposes of several hard drives containing ePHI in an unsecured
dumpster, in violation of § 164.530(c) and 310(d)(2)(i). HHS’s investigation
reveals CE failed to implement any policies and procedures to reasonably
and appropriately safeguard PHI during the disposal process.
• CE’s employee loses unencrypted laptop containing unsecured PHI. HHS’
investigation reveals CE feared its reputation would be harmed if information
about the incident became public and, therefore, decided not to provide
notification as required by § 164.400 et seq.
What changes do we have to make to our Notices of
Privacy Practices (NPPs)?
o Describe certain uses and disclosure that require authorization,
including:
• psychotherapy notes (where appropriate),
• marketing purposes,
• disclosures that constitute a sale of protected health information, and
• mention that other uses and disclosures may require an authorization
o Inform individuals of the right of affected individuals to be notified
following a breach of unsecured PHI; simple statement sufficient
o Include a statement that PHI includes genetic information
Are these changes to the NPP “material”, and how
do we provide notice of the changes?
o Yes, these changes are material.
o If NPP is posted on website:
• prominently post material changes or revised NPP on its website by the
effective date of the material change – Sept. 23, 2013, and
• provide the revised NPP, or information about the changes and how to
obtain a revised NPP, in its next annual mailing to individuals then covered
by the plan, such as during the open enrollment period.
o If NPP is not posted on website:
• Provide a revised NPP (or information about the changes and how to get a
revised NPP) to individuals covered by the plan within 60 days of the
material revision to the NPP.
o Be sure to address ADA, other discrimination issues
What if we already updated our NPP?
o If the NPP has already been updated to reflect the HITECH Act
requirements and individuals have been informed of all material
revisions made to the NPP, no additional action is needed because of
the final rule.
o If you made the changes to the NPP consistent with the HITECH Act,
but did not inform individuals of the material changes, you should do so
within the time and manner described above.
Can we provide the NPP by email?
o Yes, so long as the individual has agreed (“opt-in” rule) to
receive an electronic copy. The agreement to receive electronic
notice can be obtained electronically.
Does HITECH enhance an individual’s right to their
electronic PHI?
o For PHI maintained in electronic records systems, covered plans must
provide the requested information:
• in the electronic form and format requested by the individual, if it is readily
producible, or
• if not, in readable electronic form and format as agreed to by the plan and
the requesting individual.
• To the extent possible, the information must be provided as a “machine
readable copy,” meaning in a standard digital format that can be processed
and analyzed by a computer (for example, in Microsoft Word or Excel, text,
HTML or text-based PDF).
o Plans must use reasonable safeguards in providing the individual with
the electronic copy of his or her PHI
Does HITECH enhance an individual’s right to their
electronic PHI (ctd.)?
o The timeline for providing access to requested PHI in a
designated record set, whether in paper or electronic form, is
shortened from 60 days to 30 days for records maintained at an
off-site location.
o A one-time 30-day extension (for a total of 60 days) is permitted
if the individual is timely notified of the need for an extension.
When do we have to comply with final rule?
o General rule: The final rule becomes effective on March 26,
2013, but covered plans and business associates have 180 days
to comply - September 23, 2013.
o Business associate agreements: For BAAs in place prior to
January 25, 2013, that comply with the HIPAA privacy and
security rules as they stood before the final rule:
• the parties need not update the BAA until the earlier of the date
the BAA is renewed or modified on or after September 23, 2013, or
September 22, 2014, and
• in the meantime the parties must operate as required under the
final rules in accordance with the applicable compliance dates.
What is the Genetic Information Nondiscrimination
Act (“GINA”) and why is it important?
o Applies to employers and group health plans
o Protects “genetic information” of current/former employees and
applicants
o Prohibits employers from collecting (request, require or purchase), using
and disclosing “genetic information,” subject to certain exceptions
o Makes it illegal to fire, demote, harass, or otherwise “retaliate” against
an applicant or employee for filing a charge of discrimination,
participating in a discrimination proceeding (such as a discrimination
investigation or lawsuit), or otherwise opposing discrimination
o Genetic information may not be used for underwriting purposes even
with the individual’s authorization
What does “genetic information” mean?
o Genetic tests of the individual or his/ her family members;
o Family medical history – manifestation of disease in a family
member, including an employee’s spouse;
o An individual’s request for, or receipt of, genetic services, or
participation in clinical research that includes genetic services; or
o GI of a fetus carried by an individual or by pregnant family
member.
What do we do now?
o Review basic HIPAA privacy and security rule compliance
• Plans should revisit plan design issues, risk assessment, policies
and procedures, plan document requirements, etc.
• BAs should ensure they are up to speed with the new HITECH
mandates (security rules, in particular) and the requirements in
BAAs, as well as state law data security requirements
o Modifications to breach notification rule
• Both plans and BAs should revisit their internal protocols so they
are prepared for an eventual breach.
• State laws also need to be considered, and coordination with other
parties
What do we do now? (ctd.)
o Business associates, subcontractors
• Plans should ensure BAAs are in place where needed and updated
timely (remember state law and personal information)
• BAs should ensure they have BAAs with their subcontractors and that
their policies and procedure reflect the provisions in those agreements.
• Watch for state law issues and additional protections – breach,
indemnity, audit, etc.
o Update to Notice of Privacy Practices
• Plans need to ensure NPPs are timely updated and disseminated
• BAs responsible for this function must update their NPPs accordingly
o Be audit ready
Thank you for your participation
in the UBA Employer Webinar Series
If your question was not answered during the webinar or
if you have a follow-up question, you can email the presenters today or
tomorrow at: [email protected]
www.UBAbenefits.com
www.jacksonlewis.com
To obtain a recording of this presentation, or to register for future
presentations, contact your local UBA Partner Firm.