Presented by
Patrick C. Haynes, Jr., Esq., LL.M.
Consulting | Brokerage | Compliance | Communication | Administration
HIPAA and GINA Review
Patrick C. Haynes, Jr.
As Crawford Advisors’ GC and Vice President – Compliance, Mr. Haynes advises employers and plan sponsors in a variety of health and welfare benefit plan compliance matters, including, but not limited to, tax qualification and other Internal Revenue Code issues, PPACA, ERISA, COBRA and HIPAA portability and privacy issues. Mr. Haynes lectures frequently and has published many articles on health and welfare benefit plan compliance topics.
Today’s speaker
Practice Areas: Employee Benefits, PPACA, ERISA, COBRA, HIPAA, §125, and §§ 105, 106, 129, 132
Education: Temple University School of Law, LL.M.; Rutgers University School of Law, J.D.; Rutgers University School of Business, M.B.A.; Rutgers University College of Arts & Sciences, B.A.
Admitted to Practice: U.S. Supreme Court; Federal and State Courts of New Jersey, Pennsylvania, Connecticut and the District of Columbia
Before we begin
A brief interactive poll…
Kindly respond online via the pop-up window on the right
Roadmap
• HIPAA • Always with two A’s, never with two P’s
• Security Rule
• GINA
• Scenarios
• Poll Questions
• Takeaways
HIPAA
What is HIPAA?
Health Insurance Portability and Accountability Act
Passed by Congress in 1996
• Portability – Transfer of Health Insurance Coverage
• Accountability – Prevent Healthcare Fraud and Abuse
• Administrative Simplification – Decrease Costs and Administrative Burdens
– Privacy
– Transactions & Code Sets
– Security
HIPAA - Portability
HIPAA is a federal law that:
• Limits the ability of a new employer’s (ER’s) plan to exclude coverage for preexisting conditions;
– Change/update – due to the Affordable Care Act.
• Provides additional opportunities to enroll in a group health plan if you lose other coverage or experience certain life events;
– Special Enrollment Rights
• Prohibits discrimination against employees (EEs) and their dependent family members based on any health factors they may have, including prior medical conditions, previous claims experience, and genetic information; and
• Guarantees that certain individuals will have access to, and can renew, individual health insurance policies.
HIPAA – Portability
Although HIPAA adds protections and makes it easier to switch jobs without fear of losing health coverage for a preexisting condition, the law has limitations.
For instance, HIPAA:
• Does not require that ERs offer health coverage;
• Does not guarantee that any conditions you now have (or have had in the past) are covered by your new ER’s health plan; and
• Does not prohibit an ER from imposing a preexisting condition exclusion period if you have been treated for a condition during the past 6 months.
– Change/update – due to the Affordable Care Act. Preexisting condition exclusions are no longer an option for plans as of the first plan year beginning on or after 01-01-2014.
HIPAA – Portability (the way things worked pre-PPACA)
Can I reduce or eliminate the max preexisting condition exclusion period?
• Yes, if you can show prior “Creditable Coverage”.
– This includes prior ER’s coverage, group health plans, COBRA continuation coverage, Medicare, Medicaid and individual policies.
– If break in coverage is shorter than 63 days, your prior creditable coverage will offset your new plan’s pre-ex.
» Example: New ER’s plan has a 12 month pre-ex. You have a coverage gap of 30 days. Prior to that you had 4 years of creditable medical coverage. Your new ER’s plan will impose no pre-ex upon you.
– If break in coverage is greater than 63 days, your prior creditable coverage will not help you & your new plan’s pre-ex will control what can be paid & what can be denied.
HIPAA – Portability (the way things worked pre-PPACA)
What happens if I don't enroll in my ER’s health plan at the first chance?
• An EE declines, as a new hire, coverage under his ER’s health plan. EE enrolls 2 years later during an open enrollment period. At the time the EE wishes to enroll, there is no special enrollment opportunity (the right to enroll regardless of regular enrollment dates).
• When this EE elects coverage, he is a late enrollee.
• Being a late enrollee will not cause him to lose HIPAA’s protections. But, the maximum pre-ex exclusion period is 18 months, rather than the 12 months for those who enroll at the first chance.
HIPAA – Portability
When do I get a HIPAA cert?
• When your coverage ends (active, COBRA, etc.)
• When your ER changes claims payers (such as a move from Blue Cross to CIGNA; you’d get a HIPAA cert reflecting that your Blue Cross coverage ended).
• Upon request
Gone too! This requirement sunset at the end of 2014. There’s no longer a requirement (nor a need) for these certificates, because plans can no longer impose preexisting condition exclusions.
When can I exercise a HIPAA Special Enrollment Right?
• If you previously declined coverage under your ER’s health plan because you HAD other coverage, then, within 30 days of losing that other coverage, you may elect coverage under your ER’s health plan.
• All HIPAA Special Enrollment Rights are also IRS-approved status changes (so you can change your pre-tax salary deferrals as a result of a HIPAA Special Enrollment Right).
Administrative Simplification – Decrease Costs and Administrative Burdens
• Privacy
• Transactions & Code Sets
• Security
HIPAA - Privacy
HIPAA Privacy Rule
• Increased Risks for Invasion of Privacy
• Public and Congressional Concern about Healthcare Privacy
• Support for Provider-Patient Relationship
• National Standards to Protect PHI (Protected Health Information)
• National Boundaries on Use and Release of Health Records
• Appropriate Safeguards for Protection of PHI
• Disclosure for Public Health Purpose
• Civil and Criminal Penalties
HIPAA - Privacy
Who and What is Covered
• Healthcare Providers
• Government & Private Health Plans
• Healthcare Clearinghouses
• Business Associates
– Carriers, Claims Payers
– Brokers & Consultants
– Other vendors?
Top Health Care Breaches of 2014
– Information Compromised: Names, addresses, birthdates, telephone numbers, and Social Security numbers
– 4.5 million Patients Affected
– Forensic experts believe the threat originated from a group in China (these hackers used some advanced malware to attack the hospital chain’s systems)
– Information Compromised: Names, birthdates, Medicaid numbers, medical & billing records, diagnosis codes, reports, and photographs.
– 2 million Patients Affected
– Legal dispute between the state and a former contractor, Xerox. When the state ended its contract with Xerox, the vendor allegedly failed to turn over to the state paper records & computer equipment they possessed
• County of Los Angeles Public Health
– Information Compromised: Names, birthdates, Medicaid numbers, medical & billing records, diagnosis codes, reports, and photographs.
– 342,000 Patients Affected
– Unencrypted computers stolen from its offices
Top Health Care Breaches of 2014 cont’d…
• Compromised information presents the following potential risks to patients
– Identity Theft
– Insurance Fraud
– Dangerous Hoaxes
– Stolen Prescriptions
– Tampering of Medical Records
Health Information & Protected Health Information (PHI)
Health Information is Oral or Recorded Information that:
• Is Created/Received by a Healthcare Provider, Health Plan, Public Health Authority, Employer, Life Insurer, School or University or Healthcare Clearinghouse
• Relates to the Past, Present and/or Future Physical or Mental Health or Other Health Condition
• Concerns the Provision of Healthcare
• Relates to Past, Present or Future Payment
PHI is Defined as Health Information that is
• Individually identifiable
• Transmitted or Maintained in any Form or Medium
The Importance of PHI Security
• Required by Law
• Earns Patient Trust
• Privacy & Security of Information
• Sets Federal Minimum Standards & Safeguards to Protect PHI
• Preempts Weaker State Laws
• Does Not Supersede Federal Laws or Privacy Act
HIPAA – Privacy
When disclosing PHI, what must a covered entity do?
• First, is the disclosure authorized? Or not?
• Next, the Plan must always release only as much information as is necessary to address the need of the entity requesting the information.
– This is the "minimum necessary" standard.
For additional information, consider reviewing several chapters of HHS’ Guide to Privacy and Security of Health Information, such as: http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide-chapter-4.pdf
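The "minimum necessary" standard is a data-minimization rule, and the way it is most often broken in practice is by defaulting to full release when nobody has written down what a given requester actually needs. The Python below is an added example written for this page; it is not code from the presentation, from Crawford Advisors or from HHS. The disclosure purposes, field names and allowlists are hypothetical, and the sample record is constructed. It shows a default-deny filter: each documented purpose has a permitted-field set, an undocumented purpose is refused rather than answered with the whole record, and a requester who asks for more than the policy allows receives only the intersection.

```python
# Added illustration of a "minimum necessary" disclosure filter for plan records.
# Example code for this page, not the presenter's or HHS's; purposes, field names
# and allowlists are hypothetical policy choices a Plan would have to document.
from __future__ import annotations

from typing import Mapping

# Policy: for each documented disclosure purpose, the fields the Plan has decided
# are the minimum necessary. These sets are constructed for illustration only.
PURPOSE_ALLOWLISTS: dict[str, frozenset[str]] = {
    "payment": frozenset({"member_id", "claim_id", "service_date",
                          "procedure_code", "billed_amount"}),
    "workers_comp": frozenset({"name", "date_of_birth", "claim_id",
                               "injury_description", "service_date"}),
    "eligibility": frozenset({"member_id", "coverage_start", "coverage_end"}),
}


class DisclosureNotAuthorized(Exception):
    """Raised when no documented policy covers the requested purpose."""


def is_documented_purpose(purpose: str) -> bool:
    """True only if the Plan has written a minimum-necessary policy for this purpose."""
    return purpose in PURPOSE_ALLOWLISTS


def minimum_necessary(record: Mapping[str, object], purpose: str,
                      requested: set[str] | None = None) -> dict[str, object]:
    """Return the subset of `record` permitted for `purpose`.

    - Unknown purposes are refused (default deny), never answered with the
      full record.
    - If the requester names specific fields, the result is the intersection
      of what they asked for and what the policy permits: never more than
      requested, never more than permitted.
    - Fields absent from the record are simply not returned.
    """
    allowed = PURPOSE_ALLOWLISTS.get(purpose)
    if allowed is None:
        raise DisclosureNotAuthorized(
            f"no documented minimum-necessary policy for purpose {purpose!r}")
    permitted = allowed if requested is None else allowed & set(requested)
    return {k: v for k, v in record.items() if k in permitted}


def withheld_fields(record: Mapping[str, object], purpose: str,
                    requested: set[str] | None = None) -> list[str]:
    """Names of the record's fields the disclosure will NOT include.

    Useful for the Plan's own record of what was released, to whom, and why.
    """
    released = minimum_necessary(record, purpose, requested)
    return sorted(set(record) - set(released))


# Constructed sample record with fictitious values, not real data.
SAMPLE_RECORD: dict[str, object] = {
    "name": "Jane Q. Sample",
    "ssn": "000-00-0000",
    "date_of_birth": "1980-01-01",
    "member_id": "M-12345",
    "claim_id": "C-98765",
    "service_date": "2014-06-02",
    "procedure_code": "99213",
    "diagnosis_code": "M54.5",
    "billed_amount": 185.00,
    "coverage_start": "2013-01-01",
    "coverage_end": "2014-12-31",
    "injury_description": "lower back strain",
}

if __name__ == "__main__":
    # A claims payer asking for payment purposes gets no SSN, name or diagnosis.
    print(minimum_necessary(SAMPLE_RECORD, "payment"))
    print("withheld:", withheld_fields(SAMPLE_RECORD, "payment"))
    # A requester asking for more than the policy allows is trimmed, not refused.
    print(minimum_necessary(SAMPLE_RECORD, "eligibility", {"member_id", "ssn"}))
    # A purpose nobody has written a policy for is refused outright.
    try:
        minimum_necessary(SAMPLE_RECORD, "marketing")
    except DisclosureNotAuthorized as exc:
        print("refused:", exc)
```

The design choice worth noting is that the allowlist is keyed by purpose, not by requester: the same carrier may be entitled to different fields when it is paying a claim than when it is confirming eligibility, and a request with no documented purpose fails closed instead of becoming an accidental full disclosure.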
HIPAA – Privacy
What kind of fines/penalties could there be for violations?
• Civil penalties (original HIPAA figures): $100 per violation
– Can be “stacked” for multiple violations with respect to a single individual
– Max civil penalties $25,000 per year, per person, per standard
– (if 2 standards were violated for 1 person, the penalties could be $50,000)
– Update: the HITECH Act (2009) and the 2013 Omnibus Rule replaced these figures with culpability tiers ranging from $100 to $50,000 per violation, capped at $1.5 million per year for identical violations (before later inflation adjustments)
• Criminal penalties (42 U.S.C. § 1320d-6) for knowingly obtaining or disclosing PHI in violation of HIPAA: up to $50,000 and 1 year in prison
– Obtaining information under false pretenses: up to $100,000 and 5 years
– With intent to sell, or for commercial advantage, personal gain or malicious harm: up to $250,000 and 10 years
– Plus, state-level causes of action could apply: everyday torts like invasion of privacy or intentional infliction of emotional distress
Administrative Simplification
• Privacy – April 14, 2003 – implemented
– Review your plan’s Privacy Policy (Notice of Privacy Practices)
– Send out reminders, at least every 3 years, about where participants can get the Privacy Policy
» ABC Company has a reminder in its annual open enrollment benefit guide every year, so there’s no need to send out a separate reminder every 3rd year
» Now that you’ve sent out your reminder – do you have an actual policy to provide anyone that asks for one?
• Transaction Standards and Code Sets – October 16, 2003 – implemented
• Security – April 20, 2005 (April 20, 2006 for small health plans, i.e., those with annual receipts of $5 million or less) – these rules have been with us for some time – what steps have you taken to ensure your organization’s compliance?
Security Rule
Important Security Facts
• Only applies to e-PHI (electronic PHI)
• Requires a documented Risk Assessment
• Requires administrative, physical and technical safeguards, so the solution is more technical than the Privacy Rule’s
• Effective April 20, 2005*
*(April 20, 2006 for small health plans, those with annual receipts of $5 million or less).
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html
What does the Security Rule Protect?
• Electronic Protected Health Information (e-PHI) is health information that:
– Is created or received by a covered entity (health care provider, health plan or clearinghouse); AND
– Relates to a past, present or future physical or mental health condition, the provision of health care, or payment for such care; AND
– Identifies the individual (or could reasonably be used to do so); AND
– Is transmitted by or maintained in ELECTRONIC MEDIA
• Focuses on protecting e-PHI from:
– Unauthorized Disclosure
– Modification
– Destruction
Security Rule Core Requirements
• Covered Entities must:
– Ensure the confidentiality, integrity, and availability (CIA) of e-PHI they create, receive, maintain, or transmit.
– Protect against any reasonably anticipated threat or hazard to the security or integrity of e-PHI.
– Protect against any anticipated uses or disclosures of e-PHI that are not permitted under the law.
– Ensure compliance with the Security rule by all its workforce members.
GINA
GINA - Summary
G.I.N.A. = Genetic Information Nondiscrimination Act
• Law Bans GHPs / Insurers from
– Requesting, requiring or purchasing the results of genetic tests
– And from disclosing genetic information.
• Effective Dates:
– GINA/Health Coverage, 1st Plan Year beginning after 05/21/2009
– GINA/Title II, Employ. Discrimination, 11/21/2009
• Examples that already spawned litigation:
1. The EEOC filed suit and settled with the Burlington Northern Santa Fe (BNSF) Railroad for secretly testing its EEs for rare genetic condition (that predisposed EEs to CTS - carpal tunnel syndrome), & secret screenings for diabetes & alcoholism. One EE who refused testing was threatened with possible termination.
2. Lisa’s young son was having difficulty in school. Suspecting a learning disability, she consults her doctor. Genetic tests reveal her son has “Fragile X Syndrome” an inherited form of mental retardation, and the insurance carrier dropped the family’s coverage citing the child’s preexisting condition. Lisa cannot find another carrier and ultimately quits her job so that she can qualify for Medicaid.
3. Social worker attends staff workshop: “Caring for People with Chronic Illnesses”. During workshop she shares experience w/ caring for her mother who died of Huntington’s disease. Reveals she has 50% chance of developing it. Despite outstanding performance reviews in the months prior to her firing, she was let go a week after the workshop.
GINA – Regulations
• Part 1. GINA, Title I, expansion of ERISA
– The DOL may impose fines of $100/day on noncompliant plans.
– Min penalty is $2,500 unless the violation was corrected prior to receiving a notice of noncompliance.
– Min penalty is $15,000 in cases in which the violations are more than de minimis.
– The DOL is also empowered to seek equitable relief.
– DOL’s FAQs: http://www.dol.gov/ebsa/faqs/faq-GINA.html
• Part 2. GINA’s Title I enforcement for privacy violations / HHS (Health and Human Services)
– HHS may impose civil monetary penalties of $100/violation; criminal penalties run up to $250,000 and 10 years in prison for violations committed for malicious harm, personal gain or commercial advantage.
• Part 3. GINA’s Title II (borrowed from Title VII of the Civil Rights Act of 1964) prohibits ERs from using genetic information to discriminate against an individual through hiring, firing, compensation or other employment decisions.
– The EEOC (the Equal Employment Opportunity Commission) is empowered to investigate and advise whether or not the employee can bring litigation. http://www.eeoc.gov/laws/types/genetic.cfm
GINA – Regulations, EEOC
• EEOC clarifies terms
– “EE” covers current EEs, applicants & former EEs
– “genetic information” includes the genetic tests of family members, family medical history & the genetic information of a fetus or embryo
• Drug & alcohol testing is specifically excluded from the definition of “genetic tests”
• 6 exceptions to the statutory prohibition on acquiring Genetic Information (GI)
1. ER inadvertently obtains GI – the “water cooler” exception
2. ER offers qualifying health or genetic services, including services offered as part of a voluntary wellness program
3. ER requests family medical history to comply with FMLA certification requirements (or state/local family medical leave laws)
4. ER acquires GI from documents that are commercially/publicly available (print, internet) – except ER may NOT go looking for an individual’s GI in medical databases or court records
5. ER acquires GI for use in the genetic monitoring of the biological effects of toxic substances in the workplace (subject to restrictions)
6. Where an ER that conducts DNA analysis for law enforcement purposes requires GI of its EEs, apprentices, or trainees for quality control purposes to detect sample contamination.
HIPAA/HITECH Act Omnibus Final Rule
On Friday, January 25, 2013, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) published the long-awaited final rule, entitled “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules” (Omnibus Rule), 78 Fed. Reg. 5566 (Jan. 25, 2013). The Omnibus Rule:
• finalizes modifications to the Privacy, Security, and Enforcement Rules to implement the Health Information Technology for Economic and Clinical Health (HITECH) Act, proposed in July 2010;
• finalizes modifications to the Privacy Rule, proposed in July 2010, to increase the workability of the Privacy Rule;
• modifies the Breach Notification Rule, adopted by interim final rule in August 2009; and
• finalizes modifications to the Privacy Rule to implement the Genetic Information Nondiscrimination Act of 2008 (GINA), proposed in October 2009.
Action Items:
• Did you update your BAAs?
• Did you adopt/implement/revise your plans to comply with GINA?
Finally Final! HIPAA Privacy and Security Regulations Released
http://www.crawfordadvisors.com/2013/01/24/final-hipaa-privacy-and-security-regulations-released/
Scenarios
Privacy Complaint – Now what?
• Best Practice: Develop – that is, write, maintain and follow – a procedure for resolving privacy complaints.
– When a Plan Participant complains about a Privacy Violation, how is that investigated, documented, detailed and ultimately explained, corrected or both?
– This will help a great deal if the Participant complains to HHS’ Office for Civil Rights
– HHS will not assess a penalty if a Privacy Rule violation was due to reasonable cause and not willful neglect and is corrected within 30 days from when the Plan knew (or should have known) about the violation
Is this PHI?
• Doctor’s note – John can work, but must not lift more than 10 lbs for the next 14 days
• Worker’s Compensation Claim (next page)
• Short Term Disability (STD) Claim / Long Term Disability (LTD) Claim
– Not health plans under HIPAA, so not PHI
• EOI, Evidence of Insurability form for life insurance
– Again not a health plan, so HIPAA does not apply, but the privacy provisions of the Gramm-Leach-Bliley Act (GLBA) may apply to the insurer
• FMLA leave request – info about a “serious health condition”
– The Health Plan is not acting; the ER is
– The ER must still act prudently, comply with state privacy laws, and avoid any possible EEOC or ADA claims or lawsuits
Workers Comp
– Disclosures w/o the EE's consent
• Required by workers' comp laws
• Required by OSHA
• Required in order to obtain payment
– Disclosures with the EE's consent
• (EE designates a personal representative: spouse, parent, lawyer, etc.)
• Subject to any limitations the EE provides
– Minimum Necessary
• The Plan must still reasonably limit the information it discloses
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/workerscomp.html
How much did you learn?
Poll Questions
Need more?
Have you thoroughly explored this topic? Are there other areas within your organization that require your attention and/or compliance with HIPAA and GINA? Consider reviewing one of our prior webinars…. http://www.crawfordadvisors.com/webinars/
Question 1
True or false: The Security Rule does NOT protect e-PHI
A) True
B) False
Question 2
The EEOC states all of these are examples of genetic information EXCEPT
A) Family medical histories
B) Genetic information of a fetus
C) Drug and alcohol testing
D) Genetic tests of family members
Takeaways
• HIPAA Prohibits discrimination against EEs and their dependent family members based on any health factors they may have, including prior medical conditions, previous claims experience, and genetic information.
• Health Information is Oral or Recorded Information that is Created/Received by a Healthcare Provider, Health Plan, Public Health Authority, Employer, Life Insurer, School or University or Healthcare Clearinghouse.
• HIPAA Guarantees that certain individuals will have access to, and can renew, individual health insurance policies.
• Now is the time to review your Privacy Practice Notices, update your BAAs, take an inventory of all the PHI you have, save, keep and exchange
If you have any further questions about any of the information discussed in this Webinar, please feel free to contact us at…
Crawford Advisors, LLC
200 International Circle, Suite 4500, Hunt Valley, MD 21031
Devon Square Two, 744 West Lancaster Avenue, Suite 215
Wayne, PA 19087
800.451.8519 • www.CrawfordAdvisors.com
Via E-mail to: [email protected]
To Download These Slides: http://www.crawfordwebinars.com
Questions & Requests: [email protected]
Questions