September 17, 2002 © Michael Best & Friedrich LLC 1 Iowa State Association of Counties HIPAA Training September 17-18, 2002 Legal Issues presented by: Ryan Meade & Brian Annulis Michael Best & Friedrich LLC Chicago, IL (312) 222-0800


Iowa State Association of Counties

HIPAA Training

September 17-18, 2002

Legal Issues

presented by:

Ryan Meade & Brian Annulis

Michael Best & Friedrich LLC

Chicago, IL

(312) 222-0800


Overview

1. Hybrid Entity Analysis

2. Affiliated Covered Entities

3. Organized Health Care Arrangements

4. Government Agency as Health Plan

5. Iowa State Law Preemption Issues


6. Government Entities as Business Associates of other Government Entities

7. Workers Compensation & Employee Health Records

8. A note on the modified Privacy Rules: To consent or not to consent?

9. Employee Health Plans


1. Hybrid Entity Analysis


Hybrid Entity Analysis

The first question in any HIPAA analysis is:

What is my organization?

– Health care provider?

– Health plan?

– Health care clearinghouse?

– Business Associate?

– Hybrid?

– A combination of any or all of the above?

Definitions (42 CFR 164.504)

• Covered Functions: functions which make an entity a health care provider, health plan or health care clearinghouse.

• Hybrid: a single legal entity that is a covered entity whose business activities include both covered and non-covered functions and that designates health care components.

• Health Care Component: a component or combination of components of a hybrid entity designated by a hybrid entity.


Hybrid Rules

• A covered entity can limit “HIPAA creep” by recognizing itself as a hybrid entity and designating health care components.

• The entity must then wall-off its health care components from non-health care components with respect to use or disclosure of Protected Health Information (PHI). The entity must establish safeguards to avoid disclosure of PHI from the health care components to non-health care components.

• The divisions within the entity must be treated as separate entities for HIPAA privacy purposes.

Hybrid Rules

• The hybrid entity operates for HIPAA purposes as 2 separate entities and must treat each use or disclosure of PHI with this idea of a dual world in mind.

• If a disclosure of PHI from the health care component divisions would need an authorization if the PHI were disclosed outside of the entity, then the health care component division must obtain authorization before disclosing PHI to a non-health care component division.

• Benefits of a hybrid entity:

– Limits the effects of HIPAA to the health care divisions.

– Eases administrative burdens.

– Minimizes undue confusion for divisions which have no interaction with health information but might otherwise need to be trained in HIPAA or adopt HIPAA privacy rules.

What divisions may be health care components?

• MUST be designated a health care component:

– any division that would qualify as a covered entity (health plan, health care clearinghouse or health care provider that engages in standard transactions).

• MAY be designated a health care component:

– any division that engages in health care provider activities but does not use standard transactions.

– any division that would qualify as a business associate to the county’s covered entity functions if that division were a separate legal entity.


Your Hybrid Status is a Strategic Decision

• A hybrid entity must choose how to draw its “hybrid entity” line.

• Do you want non-covered entity covered functions designated as a health care component?

• Do you want business associate-oriented divisions designated as a health care component?

• Strategic questions:

– How much interaction will divisions have with PHI held by a covered entity division?

– What is the burden of making non-covered entity divisions covered by HIPAA?

County Hybrid Issues

• Counties are often single legal entities with a variety of covered functions and non-covered functions.

• Analysis: Who interacts with PHI within the county? Who performs covered functions?

• Consider the status of: (not an exhaustive list)

• county hospitals

• health clinics

• social services

• child welfare

• correctional facilities

• police/sheriff

• county controller

• county attorneys

What Must Be Done?

• To determine a county’s hybrid status and “draw” the hybrid line:

– Identify divisions within county

– Identify whether a division engages in a covered function

– Identify whether a covered function division qualifies as a covered entity division

– Identify whether a division provides services to a covered entity division and interacts with PHI (serving in a business associate role)

– Identify divisions that use PHI from a covered function division

– Identify which divisions must be designated health care components

– Identify which divisions may be designated health care components

– Analyze burdens/benefits in designating each optional health care component

– Strategically designate a county’s health care components to “wall-off” HIPAA and avoid “HIPAA creep”


2. Affiliated Entities

Affiliated Covered Entities

• The Privacy Rule generally requires separate Covered Entities to individually adhere to the Privacy Rule's implementation rules and standards.

• Thus, as a general matter, for separate Covered Entities that do not participate in an organized health care arrangement, joint consents and joint privacy notices are not permitted.

• EXCEPTION: Affiliated Covered Entities (upon designation)


Affiliated Covered Entities

– Legally separate, but affiliated covered entities that designate themselves as a single covered entity can engage in "joint" compliance. 42 CFR 164.504

– "Affiliated" means 5% or more ownership, or power to influence significantly policies or actions.

Affiliated Covered Entities

• To act as an affiliated covered entity:

– the designation must be documented

– the affiliated entities must act as a "multiple function covered entity" under the Privacy Rules

Affiliated Covered Entities

• Affiliated Covered Entities may undertake a joint compliance initiative.

• Separate consents and privacy notices need not be maintained, provided use or disclosure of PHI is within the same covered function (e.g., a separate consent would need to be obtained if PHI was collected for treatment purposes but the Affiliated Covered Entities wanted to use the PHI for health plan purposes).

Affiliated Covered Entities

– Important questions for counties:

• What entities does the county control?

• Does the county have management agreements with other covered entities?

• Are any county health care components managed (or controlled) by other covered entities?


3. Organized Health Care Arrangements


Organized Health Care Arrangements

• Integrated health care or health benefits arrangement

– Clinically-integrated care setting (e.g., hospital and medical staff)

– Organized system held out as joint arrangement and conducting utilization management or risk sharing (e.g., IPA, PHO)

– Group health plan and health insurer or HMO that underwrites benefits


Organized Health Care Arrangements

• Participants may share protected health information for arrangements’ health care operations

– Subject to minimum necessary limitation


Organized Health Care Arrangements

• Advantages:

– Allows participants to rely upon joint notices and joint consents

– Avoids need for execution of multiple consents by patients and receipt of multiple privacy notices

Organized Health Care Arrangements

• Disadvantages:

– Revocation process

– Apparent agency/apparent authority issues

– Complexity of joint consent and joint notice if some independent medical staff refuse to use joint consent and joint notice

Organized Health Care Arrangements

• In determining whether an Organized Health Care Arrangement is applicable or suitable for a county, consider:

– Does the county have relationships with independent providers who do not act on behalf of the county (and are not paid by the county) but provide health care at a county site?

– What is the county’s relationship with independent…

• physicians

• dentists

• nurses

• therapists

• social workers


4. Government Entity as a Health Plan


Government Entity as a Health Plan

• Can government entities be considered health plans under HIPAA?

• HIPAA does not exempt government entities from being considered a health plan.

• Determining whether a county engages in health plan activities involves examining county activities against the definition of a health plan.

Government Entity as a Health Plan

• A government entity can be considered a health plan according to the definition of “health plan” (42 CFR 160.103). Most relevant:

– if a government program is specifically named within the definition of health plan

– any individual plan that provides or pays for the cost of medical care

• Definition of health plan excludes a government funded program:

– whose principal purpose is not paying for health care; or

– that makes grants to fund direct provision of health care


5. Iowa State Law Preemption Issues


Iowa State Law Preemption Issues

• HIPAA provides a federal floor for privacy protection and generally preempts state privacy law.

• BUT, the HIPAA Privacy Rule does not preempt state law which is contrary to the Privacy Rule and is more stringent than the Privacy Rule.

Iowa State Law Preemption Issues

• More stringent means:

– the state law imposes greater privacy protections

– the state law imposes greater privacy administrative obligations

– grants the individual who is the subject of PHI greater rights

• Questions to be asked:

– Does the state law allow an individual greater control or access to his or her PHI?

– Does the state law require the county to do more than HIPAA requires to protect the individual’s privacy?

– If YES, then the state law survives

Iowa State Law Preemption Issues

• State law means ANY government directive that has the force and effect of law:

– Iowa Constitution

– Iowa Code (statutes)

– Iowa Administrative Code (regulations)

– Certain Executive Orders

– County ordinances and rules

– City ordinances and rules

– Any other government body’s rules

– Case Law


Iowa State Law Preemption Issues

• An example of HIPAA preemption in Iowa: Iowa AIDS confidentiality

• Iowa AIDS Confidentiality Law (IA ADC 141A.9)

– Basic rule: “Any information, including reports and records, obtained, submitted, and maintained pursuant to this chapter is strictly confidential medical information. The information shall not be released, shared with an agency or institution, or made public upon subpoena, search warrant, discovery proceedings, or by any other means except as provided in this chapter... Information shall be made available for release to the following individuals or under the following circumstances….”

Iowa State Law Preemption Issues

• Provision: AIDS information may be released “to any person who secures a written release of test results executed by the subject of the test or the subject's legal guardian.”

• Impact: Iowa allows only the individual or his/her legal guardian to sign written permission to disclose AIDS information. HIPAA allows anyone who qualifies as an individual’s personal representative to sign an authorization to disclose PHI. Personal representatives include legal guardians as well as anyone who has health care treatment decision making authority for the individual. Iowa is more stringent in limiting the types of personal representatives who may sign authorizations for disclosure of AIDS PHI.

Iowa State Law Preemption Issues

• Provision: AIDS information may be released “to an authorized agent or employee of a health facility or health care provider... and the agent or employee has a medical need to know such information.”

• Impact: Iowa law only allows AIDS information to be used without written permission within a health care provider by individuals who need to know for medical reasons. HIPAA allows PHI to be used without an authorization within a health care provider by individuals who need to use the information for treatment, payment or health care operations. Iowa is more stringent and health care providers must continue to obtain written permission from the individual before using AIDS PHI for payment or health care operations.

6. Government Entities as Business Associates of other Government Entities

Government Entities as Business Associates of other Government Entities

• Government entities that serve as business associates of other government entities may enter into a “Memorandum of Understanding” which sets out the basic requirements of a business associate contract.

• HIPAA Memoranda of Understanding are needed when counties serve as business associates of other counties or the state (or the reverse).

• If a county or other government entity is required by law to serve as a business associate, then the Memorandum of Understanding does not need termination provisions.

• (Note: reports to HHS may be more frequent in government-to-government business associate relationships.)

7. Workers Compensation & Employee Health Records

Workers Compensation & Employee Health Records

• Workers compensation plans are excluded from the definition of “health plan.”

• Workers compensation plan activities by the county are exempted from HIPAA providing the division that deals with workers compensation is not designated a health care component.

• “Employment records held by the covered entity in its role as employer” are excluded from the definition of PHI and are not covered by the Privacy Rules. 42 CFR 164.501


8. To Consent or Not to Consent?

A note on the modified Privacy Rule: To consent or not to consent?

• The modifications to the Privacy Rule from August 14, 2002 eliminated a health care provider’s obligation to obtain consent before using or disclosing PHI for treatment, payment or health care operations purposes.

• Obtaining a HIPAA consent is now OPTIONAL.

• Should a county’s health care provider division elect to use a HIPAA consent?

– a business decision for the county

– risks should be weighed: how likely will errors occur?

– why take on risks and liabilities that a county does not need to?


9. Employee Health Plans


Employee Health Plans

• Employee group health plans (GHP) are health plans under HIPAA and are covered entities covered by the Privacy Rule.

• A GHP operates as a separate entity. HIPAA requires the employer to respect the “privacy walls” around the employee GHP.

• Understanding HIPAA’s impact on employee GHPs is a matter of understanding relationships.


Group Health Plans

• Basic Terminology

• Group Health Plan

• Plan Sponsor

• Employer Administration

• Fully Funded GHP (Insured GHP)

• Self-Funded GHP

• Important questions: What type of GHP does the employer have? What is the employer’s interaction with the GHP’s PHI?

Insured Group

[Diagram. Labels: “Plan Sponsor” = Employer; Employees; “Group Health Plan” = Employees and Dependents; HR Dept; Insurer (underwriting risk for premiums); PHI (shown twice).]

Self-Funded Group: ASO

[Diagram. Labels: “Plan Sponsor” = Employer; Employees; “Group Health Plan” = Employees and Dependents; HR Dept; ASO (Business Associate); PHI (shown twice); Business Associate Contract.]

Employer Administration

[Diagram. Labels: “Plan Sponsor” = Employer; Employees; “Group Health Plan” = Employees and Dependents; HR Dept; Plan Document Amendment; PHI Use Certification; ASO (Business Associate); Insurer (OHCA); PHI (shown three times).]