
HIPAA Refresher; Updates in the Mental Health Parity Act

Tzvia Feiertag
Associate, Proskauer Rose LLP
973.274.3281
[email protected]

HIPAA Overview

• HIPAA is a federal law that was enacted in 1996.
• The first final version of the rules was issued by HHS in late 2000 and amended in 2002.
• Compliance with the 2000 HIPAA privacy rules was required by April 14, 2003 for most plans.
• Changes to HIPAA were made in the federal stimulus law (Feb. 17, 2009), the American Recovery and Reinvestment Act of 2009 (known as “ARRA”); the section dealing with privacy, security and health information technology is referred to as the HITECH Act.

12341966_1, © 2008 1

To Whom Do the Privacy Rules Apply?

• The HIPAA Privacy Rules apply (although sometimes in different ways) to all “covered entities”: (i) health plans; (ii) health care clearinghouses; and (iii) health care providers who transmit any health information in electronic form in connection with one of the transactions covered by HIPAA.
• Under the 2009 ARRA law, all of the HIPAA rules apply directly to business associates (which we will discuss later), including penalties.

Covered Entities: Health Plans

• What is a Health Plan under HIPAA?
  — Employer-sponsored health plans with more than 50 participants (includes flexible spending accounts)
  — HMOs and health insurers are also health plans under HIPAA. Those fully-insured plans are responsible for HIPAA compliance, and employers are also responsible.
• What is NOT a health plan under HIPAA?
  — Pension and disability insurers or benefits are NOT covered by HIPAA
  — Life, property or casualty insurers or benefits are NOT covered by HIPAA
  — Workers’ compensation insurers or benefits are NOT covered by HIPAA

What Type of Health Benefits Are Covered?

• Medical (physicians, hospitals)
• Vision
• Dental
• Hearing
• Behavioral Health
• Substance Abuse
• Prescription Drug Coverage

HIPAA Penalties – New Rules under ARRA

• ARRA increased the penalties for violations of HIPAA.
• In determining the amount of the penalty, the Secretary of HHS must base it upon the nature and extent of the violation and the extent of harm from the violation. The violator’s mental state, and whether the violation has been corrected, will be factors.
• 4 Tiers:
  — Tier A: Offender didn’t know and by exercising reasonable diligence would not have known he/she violated the law: $100 per violation, up to a maximum of $25,000 per year for all violations of an identical requirement
  — Does not sound severe but could really add up; also, a single HIPAA non-compliant action is likely to violate multiple provisions of the rules

HIPAA Penalties – New Rules under ARRA (cont.)

  — Tier B: Violation due to reasonable cause and not willful neglect: $1,000 for each violation, up to a maximum of $100,000 per year for all violations of an identical requirement in a calendar year
  — Tier C: Violation due to willful neglect but corrected: $10,000 for each violation, up to a maximum of $250,000 per year for all violations of an identical requirement in a calendar year
  — Tier D: Violation due to willful neglect, and not corrected: $50,000 for each violation, up to a maximum of $1,500,000 per year for all violations of an identical requirement in a calendar year

Key Definition: Protected Health Information (PHI)

• The HIPAA Privacy Rules apply to Protected Health Information (PHI).
• PHI is individually identifiable health information that is in all forms: paper, oral, electronic.
• PHI excludes employment records held by a plan sponsor in its role as an employer (e.g., a physician’s note submitted by an employee documenting the reason for absence from the office).

What is Health Information?

• Health information includes any information created by a health care provider, health plan, employer, school, or university and that relates to:
  — the past, present, or future physical or mental health or condition of the individual, or
  — the provision of health care to the individual, or
  — the past, present or future payment for health care to the individual

Examples of Protected Health Information

• John Jones is eligible for ABC Co.’s health benefit plans’ prescription drug benefits (it relates to present or future payment for health care)
• Mary Smith had an X-ray taken on March 12 (it relates to past provision of health care to her)

What Makes Health Information Individually Identifiable?

• Name
• Dates: birth, admission to hospital, discharge from hospital, death
• Telephone and fax numbers
• Social Security Number
• Account number
• Vehicle identifiers including license plates
• Web URLs and IP address numbers
• Geographic unit (certain zip code information excepted)
• Ages over 89
• E-mail and other addresses
• Medical record numbers and health plan numbers
• Certificate or license number
• Device identifiers and serial numbers
• Biometric identifiers, including finger and voice prints and full face and other identifying photographic images

What is De-Identified Information?

• If a health plan removes all the identifiers listed on the previous page, the information is no longer protected by HIPAA.
• If a company’s HR Department seeks to disclose health and welfare plan information, or other financial information relating to the health plans, to those not part of the “HIPAA workforce”, then the HR Department must de-identify the health plan information before making the disclosures.

HIPAA Privacy: The Basic Rules


• Health plans can use and disclose PHI for most routine uses and disclosures for payment, treatment and health care operations.
• Most other uses or disclosures of PHI require a signed, written authorization.
• Health plans have to give certain rights to individuals. For example, the right of access by a participant to his or her records, the right to propose a change to the record, and an accounting of unusual disclosures. The handling of these rights can be delegated to the third-party administrators.
• Administrative Requirements: training, privacy officer, privacy notice, many policies, procedures and sanctions for violations

Typical Allowable Uses and Disclosures Without Any Written Permission

• Enrollment
  — use internally, or
  — disclose to health plans’ vendors
• Eligibility
  — use internally, or
  — disclose to health plans’ vendors, or
  — disclose to health care providers
• Claims adjudication and payment
• Pre-certification and referral
• Coordination of benefits
• Utilization review
• Review of status of claims payment
• Use of de-identified information

Other Selected Issues in HIPAA Privacy

• Training
• Privacy Officer
• Privacy Notice
• Authorization
• Minimum Necessary
• Safeguards
• Participants’ Rights as Individuals
• Vendors: Business Associates
• Handling Complaints
• Employee Sanctions

Mandatory Training Under Privacy Rule: Why are We Listening to This?

• Health plans must train all members of their workforce with access to PHI (“HIPAA Personnel”) regarding HIPAA privacy policies and procedures, as necessary and appropriate for the members of the workforce to carry out their job duties.
  — Each new member of the workforce must be trained within a reasonable period of time after their hire date.
• All training must be documented.

Privacy Officer

• Under HIPAA, all health plans must have a privacy officer.
• The privacy officer is responsible for developing and implementing the policies and procedures necessary to comply with the HIPAA privacy rules, including training.
• Companies should also designate a HIPAA contact person to answer questions and receive complaints about HIPAA’s privacy rules, and to obtain the forms necessary for a participant to exercise any of his or her rights under HIPAA.
• You should ask who is serving as your company’s privacy officer and HIPAA contact person.

Privacy Notice

• A privacy notice is required
  — Fully insured: insurers typically send
  — Self insured: employer must send (or third party)
• Notices can be delivered by email, if a participant agrees to electronic notice
• A company’s intranet should also include a copy of the privacy notice
• Participants are entitled to paper copies upon request
• Health plans cannot substantially change their information policies and procedures before updating their notice to reflect those revisions
• At least once every 3 years, health plans must remind participants of the availability of the privacy notice

Authorizations

• Written authorization is not required if PHI is being used by a health plan for treatment, payment or health care operations purposes (or for other disclosures permitted by the privacy rules)

Authorizations (cont.)

• You should seek a written authorization from the individual before releasing the individual’s PHI to most third parties
• You should seek authorization from individuals before using PHI for reasons other than payment or health care operations
  — For example, if you want to use your company’s own health plan records to see if a participant is entitled to disability benefits, the participant must sign an authorization


Examples of Authorizations

• Tom Jones wants ABC Co. to discuss his claims with his girlfriend Susie, who handles Tom’s paperwork. ABC Co. needs Tom’s signed authorization, giving the health plan permission to speak with Susie, before disclosing Tom’s information to Susie.
• John Smith files a claim for disability benefits. ABC Co. must obtain an individual authorization before using health plan claims records and information to decide John’s claim for disability benefits.

Interaction with Participants and Family

• Individuals may approach you for assistance with your company’s health plan benefits.
• If (1) the disclosure is to a family member involved in the individual’s care or payment for that care, (2) the disclosure is limited to that family member’s involvement in the care or payment, and (3) the individual has not objected to the disclosure to the family member, then it’s okay to disclose, but preferable to refer to your outside administrators.
• With a complete authorization, or another legal document such as a general power of attorney, you could disclose anything to the family member.

What Can I Discuss?

• HR employees can always pass on information from a spouse to your health plans or, if for purposes of payment or operations, to the health plans’ vendors.
• You can discuss the medical claims of a child (under 18) with either parent (subject to limited exceptions, e.g., records protected under federal laws on family planning), unless your company is notified that it is not appropriate to so share the information (e.g., domestic abuse).

“Minimum Necessary” Rule

• Whenever the health plans use or disclose PHI, or request PHI from another plan or a physician, they “must make reasonable efforts to limit [PHI] to the minimum necessary to accomplish the intended purpose of the use, disclosure or request”
• Thus, the minimum necessary rule covers:
  — The HR Department’s use of information
  — Disclosure
  — Requests for disclosure
• Under ARRA, within 18 months, HHS must issue guidance clarifying the minimum necessary rules

“Minimum Necessary” Rule (cont’d)

• The minimum necessary rule does not apply to:
  — Disclosures to or requests by a health care provider for treatment
  — Disclosures to the individual or pursuant to an authorization
  — Disclosures to government for enforcement of the privacy rules
  — Other uses or disclosures required by law

Minimum Necessary - Limiting Employee Access to PHI

• The HR Department should identify those persons or classes of persons in its “HIPAA workforce” (should be referred to as “HIPAA Personnel” in the HIPAA Privacy Policy) who need access to PHI to carry out their duties:
  — Privacy Officer
  — Other members of the HR Staff to the extent that they handle benefits, including HR Operations staff and HR business partners
  — Members of the IT Department may have access to PHI, upon specific request of other HIPAA workforce, for the sole purpose of assisting in servicing the electronic versions of PHI on the company network servers.

Limiting Employee Access to PHI

• On a limited basis, any of your company’s personnel involved in audit or legal issues may, on a case-by-case basis, be designated as HIPAA workforce solely for purposes of their handling audit and legal issues relating to administration of the Plan.
• Only those HIPAA Personnel may have electronic and physical access to PHI maintained in your HR Department.
• Your HIPAA Personnel may use and disclose the Plan’s protected health information only for plan administrative functions. The amount of PHI disclosed must be limited to the minimum amount necessary to perform the relevant plan administrative functions.
• Generally, HIPAA Personnel may not disclose protected health information to company employees other than other members of HIPAA Personnel.

Safeguards to Protect Privacy

• PHI may be filed in the same files as any other employee benefits information or any other human resources information, including personnel records, and electronic access must be restricted to only HIPAA Personnel.
• Some companies have created access control lists on the domain side to control all access to HR data. This list allows only HIPAA Personnel to access electronic files containing Plan information.
• Some companies have mandated that HIPAA Personnel have their own computer passwords and user domain account passwords accessible only to HIPAA Personnel, and they may not share passwords.
• Locked cabinets and doors to the offices that contain health plan records.

Individual Rights

• Right to Inspect and Copy PHI in your company’s health plans’ records
• Right to Propose an Amendment to Correct PHI in the health plans’ records
• Right to an Accounting of Disclosures
• Right to Request Restrictions on PHI Use & Disclosure
• Has handling of these rights been delegated to vendors?

Individual Rights: Copying and Proposing Amendments

• Participants and dependents have the following rights under HIPAA:
  — To access, inspect and copy their health information records in the health plans’ records
  — To copy any enrollment, payment, claims adjudication, and case or medical management records system that includes PHI and that is maintained by or for the health plans or used in whole or in part by the health plans to make decisions about individuals
  — Right to propose an amendment to the PHI or a record about the participant (or dependent) in the health plans’ record sets
• Under ARRA, individuals may ask a covered entity to transmit information to designated entities, and may request restrictions on disclosure of PHI to the plan for purposes of payment or health care operations if the PHI relates to an item or service for which the individual paid a doctor out-of-pocket in full

Individual Rights: Accounting of Disclosures

• Participants have a right to request from the health plans an accounting of the disclosures of their PHI
  — Health plans must keep a log of disclosures of PHI made within 6 years prior to the request (as long as the 6 years starts after April 2003), and be able to give that log to a participant upon request
  — The log excludes disclosures: (i) for treatment, payment and health care operations (e.g., you don’t have to account for disclosures to physicians, or to health plans’ vendors); (ii) to participants (or dependents) who request their own records; (iii) to persons involved in the participant’s care (e.g., spouse); or (iv) made as requested by the participant in accordance with the participant’s signed written authorization
  — The log DOES include disclosures to the IRS or DOL if you disclose the participant’s name and PHI
• Your company may require health plan employees to keep track of additional disclosures
• Under ARRA, there is a new notification requirement for breach of “unsecured” PHI

Individual Rights: Confidential Communications

• HIPAA grants adult dependents (e.g., spouse, adult children) the right to REQUEST that the health plans send them communications (including any EOB that the health plans may mail out) by alternative means or at alternate locations from the mailing address of the named insured
• The privacy notice advises participants of this right
• The health plans only need to accommodate the request (e.g., by sending the spouse’s EOB to her office) IF the request is reasonable and the individual specifies that the disclosure of all or part of the health information would endanger the individual (e.g., domestic abuse)

What is a Business Associate?

• Definition:
  — A person who (i) performs for or on behalf of a covered entity, or assists a covered entity in performing, an activity or function involving use or disclosure of health information (e.g., claims processing, utilization review, billing), or (ii) provides legal, actuarial, accounting, management, administrative, accreditation or financial services where the provision of such services involves the disclosure of health information from the entity or another business associate of the entity
• Includes anyone with health information from your health plans (could include attorneys, consultants, TPAs, auditors, computer software service companies)

What are the Business Associate Rules?

• General Rules
  — Need specific HIPAA-dictated language in a contract with all business associates
  — Language includes privacy protections as well as the extension to service providers of individuals’ HIPAA rights
  — Under ARRA, all of the HIPAA rules apply directly to business associates
• So, when entering into a new agreement with a third party administrator or a benefits consultant to audit your vendors, the Privacy Officer must arrange to have this language in your agreement

Handling Complaints

• The Privacy Notice advises everyone that they have a right to complain about violations of their HIPAA rights
• If an employee (or covered dependent) complains that his or her health plan privacy rights have been violated, the person complaining should be directed to the Privacy Officer; if any employee wants to complain about a health plan privacy violation by someone else (including by your vendors), all those receiving such a complaint should make a written report to the Privacy Officer
• The HIPAA Policies must include forms for making privacy complaints
• All complaints should be investigated by the Privacy Officer
• Retaliation for making privacy complaints is prohibited

Employee Sanctions for Violations

• Your company is required by HIPAA to have and apply appropriate sanctions against members of the health plans’ workforce who fail to comply with the health plans’ privacy policies and procedures or the privacy requirements of HIPAA
• In other words, if the members of the HR Department do not follow the HIPAA privacy policies they should be disciplined, up to and including termination

Mental Health Parity and Addiction Equity Act of 2008 (MHPAEA)

• MHPAEA was part of the Emergency Economic Stabilization Act
  — The MHPAEA amends ERISA and the Public Health Service Act; it prohibits group health plans covering 50 or more employees from imposing more burdensome financial requirements for mental health or substance use disorder benefits than required for substantially all medical or surgical benefits covered by the plan
  — Prohibits separate cost sharing requirements that are applicable only to mental health or substance use disorder benefits

Mental Health Parity and Addiction Equity Act of 2008 (MHPAEA)

• Effective Date
  — The Act applies to plans beginning in the first plan coverage year beginning after October 3, 2009; this means an effective date of January 1, 2010 for calendar year plans
  — Plans maintained under collective bargaining agreements ratified before the enactment date are not subject to the Act until they terminate (or until January 1, 2010, if this is a later date)
  — The current 1996 Mental Health Parity Act requirements for annual and lifetime dollar limits remain in effect for all plans, while the annual sunset in the 1996 parity act is eliminated, effective January 1, 2009
• Mental health or substance use disorder benefit coverage is not mandated. However, if a plan offers such coverage, it must be provided at parity in accordance with this Act

Mental Health Parity and Addiction Equity Act of 2008 (MHPAEA)

• Treatment Restrictions. Prohibits plans from imposing greater treatment limitations on mental health or substance use disorder benefits than those applicable to substantially all medical or surgical benefits, and prohibits plans from imposing treatment limitations only on mental health or substance use disorder benefits
• Financial Restrictions. Parity required for all financial requirements, including deductibles, co-payments, coinsurance, and out-of-pocket expenses, and for frequency of treatment, number of visits, days of coverage, or other similar limits
• Out-of-Network Benefits. A group health plan that provides out-of-network coverage for medical/surgical benefits must also provide out-of-network coverage, at parity, for mental health/substance use disorder benefits

Mental Health Parity and Addiction Equity Act of 2008 (MHPAEA)

• Benefits Management and Transparency. As under the 1996 Mental Health Parity Act, a group health plan will manage benefits under the terms and conditions of the plan
  — A plan must make mental health/substance use disorder medical necessity criteria available to current or potential participants, beneficiaries or providers upon request
  — A plan must also make reasons for payment denials available to participants or beneficiaries on request or as otherwise required
• Cost Exemption. There’s an exemption if a group health plan will experience an increase in actual total costs with respect to medical/surgical and mental health/substance use benefits of 1% (2% in the first plan year that this Act is applicable)
• Action Item: Review all plan designs and amend as necessary to comply prior to the effective date

Proskauer Rose

Presented by: Tzvia Feiertag, Esq.
[email protected]
973.274.3281