If your business provides health benefits, you handle Protected Health Information. Last year, the HHS stepped up its HIPAA privacy audits, expanding the scope beyond health care providers to any business that handles PHI – that means you.
Audits aren’t slowing down, so get the one-hour guide to:
- Proper handling of protected information
- Permitted disclosures of PHI
- Current EDI standards and compliance strategies
- Best practices before and during a HIPAA audit
HIPAA Lockdown: One-Hour Guide to PHI Best Practice
Copyright 2016 – Not to be reproduced without express permission of Benefit Express Services, LLC
3. About Larry
Larry Grudzien, ERISA Attorney
Lawrence (Larry) Grudzien, JD, LLM is an attorney practicing exclusively in the field of employee benefits. He has experience in dealing with qualified plans, health and welfare, fringe benefits and executive compensation areas. He has more than 35 years’ experience in employee benefit law.
Mr. Grudzien was also an adjunct faculty member of John Marshall Law School’s LL.M. program in Employee Benefits and at Valparaiso University’s School of Law. Mr. Grudzien has a B.A. degree in history and political science from Indiana University, a J.D. degree from Valparaiso University School of Law and an LL.M. degree in tax from Boston University School of Law. He is a member of the Indiana and Illinois Bars.
4. General Requirements
• “Health plans are required to protect and safeguard a participant’s or covered dependent’s personal health information (PHI) from impermissible use or disclosure, and they must obtain a patient’s consent for certain uses and disclosures.”
• What is required to protect information?
• What information is protected?
• What steps must a health plan and the employer take to comply?
5. What is Required?
Health plans must:
• Establish written policies and procedures to protect PHI.
• Protect and safeguard a participant’s or covered dependent’s personal health information (PHI).
• Obtain the participant’s or covered dependent’s written permission for certain uses of PHI.
• Notify a participant and/or covered dependent of its policies on disclosure and use of PHI.
• Report impermissible use or disclosure of PHI.
• Allow a participant and/or covered dependent to inspect or copy his or her PHI.
• Use and disclose only the “minimum necessary” health information.
• Enter into Business Associate Agreements.
6. What is “Protected Health Information” (PHI)?
• All medical records and other individually identifiable health information held or disclosed by a health plan in any form, whether communicated electronically, on paper or orally.
• Health plans may release PHI to employers without authorization in very limited circumstances.
• Three conditions must be met:
  - The provider must provide the service at the request of the employer or as an employee.
  - The service provided must relate to medical surveillance of the workplace or to an evaluation to determine whether the individual has a workplace injury or illness.
  - The employer must have a legal requirement under state or federal law to keep records.
7. What are the Plan Sponsor’s obligations?
• Group health plans do not need to obtain a participant’s or a covered dependent’s consent to release information for the administration of the plan.
• The plan sponsor’s obligations depend on whether it receives protected health information, summary health information or no health information.
• Obligations if it receives only summary health information
• Required plan amendments
• Obligations if it receives protected health information
8. What documents are needed to comply?
• HIPAA Privacy Policy
• HIPAA Privacy Use and Disclosures
• Notice of Privacy Practices
• Business Associate Contracts
• Authorization for Release of Information
• Amendment to Health Plan Document
• Amendment to Health Plan SPD
• Plan Sponsor Certification to Health Plan
9. What documents are needed to comply?
Documents for implementing individual rights:
• Request to inspect or copy PHI
• Request to amend or correct PHI
• Request for accounting of disclosures of PHI
• Request for restrictions on use or disclosure of PHI
10. Consent Issues
Health plans are allowed to use or disclose PHI in the following circumstances:
• as required in accordance with an individual’s right to access PHI
• for covered functions (i.e., treatment, payment, or health care operations)
• with respect to specific types of information, after the individual has had the opportunity to agree or object
• pursuant to an individual’s authorization
• as required or permitted under HIPAA’s public policy exceptions; a limited data set may also be disclosed when certain requirements are met
11. For treatment, payment, and health care operations
A health plan may use and disclose PHI without authorization:
• For its own treatment, payment, and health care operations
• For the treatment activities of another health care provider
• To another covered entity for the payment activities of the entity receiving the information
• To another covered entity for certain health care operations activities of the entity that receives the information, if each entity has (or had) a relationship with the individual who is the subject of the PHI, the PHI pertains to that relationship, and the purpose of the disclosure is one of those listed in the regulations
12. Authorizations
The health plan may use and disclose PHI if the individual has had the opportunity to prohibit the disclosure in advance, with respect to:
• Disclosures of limited types of information to family members or close personal friends of the individual for care, payment for care, notification, and disaster relief purposes
• Uses and disclosures of limited types of information for facility directory purposes (generally not applicable to health plans)
• Exceptions
Individual authorizations are required whenever the use or disclosure is not otherwise permitted under the privacy rules. A health plan may request an authorization for another entity for:
• Any purpose
• Especially before sending any marketing material
13. Without Individual Authorization
Health plans may disclose PHI without authorization:
• If required by law
• To certain designated public agencies, individuals and the employer
• Regarding an individual who is a victim of designated abuse, if certain other conditions are met
• To a health oversight agency
• In response to certain court proceedings
• To law enforcement officials, if certain conditions are met
• To a coroner or medical examiner for identification purposes
• To organ procurement organizations for transplant purposes
• To prevent a health threat
• For certain specified government purposes
• For workers’ compensation purposes
14. Permitted Uses
For health plan underwriting:
• Underwriting and placement of health coverage are permitted health care operations
• Sharing PHI with other covered entities for other purposes is limited
• Authorizations may be necessary in some situations
Personal representatives, minors, and spouses:
• Covered entities must recognize a personal representative’s authority and provide information within that authority
• But certain exceptions do apply
• Parent’s authority
• Spouse’s authority
15. Privacy Policy and Procedures
What is Required?
Health plans must establish policies and procedures with respect to PHI that comply with:
• HIPAA standards
• Implementation specifications
• Other requirements
16. Privacy Notices
• Who is required to provide notices?
  - Covered entities (the health plan)
• What must the notices describe?
  - Uses and disclosures of PHI that may be made by the covered entity
  - The individual’s rights
  - The health plan’s legal duties with respect to PHI
• What are a health plan’s duties?
  - It must provide its own privacy notice if it has access to PHI
  - A health plan may arrange to have another entity provide the notice, but it remains responsible if no notice is provided
17. Privacy Official and Contact Person
• A health plan must designate a privacy official.
• The privacy official is responsible for the development and implementation of policies and procedures.
• A privacy officer must be designated for each subsidiary that is a covered entity.
  - A single corporate officer could be designated for multiple subsidiaries.
• Covered entities must designate a contact person or office for receiving complaints.
  - Such designation must be documented.
  - The contact person must be able to provide additional information about matters covered in the privacy notice.
18. Health care security requirements
• The security requirements apply to the electronic storage and transmission of PHI
• General effective date: April 21, 2006
• Covered entities must implement appropriate administrative, technical and physical safeguards for PHI
• The privacy rules require “appropriate safeguards” for protecting PHI
• There are no guidelines for PHI in oral, written or non-electronic form
• What information must be protected?
  - Any information transmitted by electronic media, maintained in electronic media or maintained in any other form or medium
  - What is electronic media?
• Certain transmissions are not covered
19. Health care security requirements
What are the four general security requirements?
• Ensure the confidentiality, integrity and availability of all electronic PHI that the covered entity creates, receives, maintains or transmits
• Protect against any reasonably anticipated threats or hazards to the security or integrity of such information
• Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required
• Ensure compliance by the workforce
20. Health Care Security Requirements
What are the security standards?
• Administrative safeguards
• Physical safeguards
• Technical safeguards
Covered entities must:
• Use reasonable and appropriate measures to accomplish the requirements
• Engage in risk analysis to determine how to comply
21. Electronic Transaction Requirements
• All covered entities must standardize the format and content of all electronic transactions when engaging in “covered transactions.”
• These are called the EDI Standards.
• What are the EDI Standards requirements?
• Covered entities conducting covered transactions must use standardized formats and content, as well as uniform codes, in communicating with other entities.
• Only those entities that conduct “standard transactions” electronically, or engage others to do so, are subject to the EDI Standards.
• Health plans are considered covered entities and must comply with the EDI Standards, along with the additional requirements.
22. Electronic Transaction Requirements
What are “covered transactions”?
• Health claims and equivalent encounter information
• Health care payment and remittance advice
• Coordination of benefits
• Health claim status
• Enrollment and disenrollment in a health plan
• Eligibility for a health plan
• Health plan premium payments
• Referral certification and authorization
• First report of injury
• Health claims attachments
23. Electronic Transaction Requirements
• What transactions and transmissions are covered?
  - Is the entity conducting the transaction a covered entity (or its business associate)?
  - Does the transaction fall within the definition of one of the covered transactions?
• Covered entities must comply with the EDI Standards in certain stated transactions.
• Transactions within a covered entity are subject to the EDI Standards.
24. Electronic Transaction Requirements
EDI Requirements:
• Apply to transactions transmitted using electronic media
• Do not apply to any transactions conducted on paper or over the telephone
• Do not apply to noncovered entities
• Do not apply to group health plans with under 50 participants
• Do not apply to health plan sponsors because they are not covered entities
25. Final Thoughts: Sharing PHI with Plan Sponsor
A group health plan may not share PHI with the plan sponsor except for disclosure of:
• De-identified information
• Group health plan enrollment and disenrollment information
• Limited summary health information for insurance placement and settlor functions
• PHI to plan sponsor personnel involved in plan administration when certain requirements are met
• PHI disclosed pursuant to an authorization
26. Certain Employer Functions Require Authorization
• Health plans cannot provide access to PHI to plan sponsors without certain plan provisions and safeguards.
• Disclosure must be for “plan administrative functions.”
• Health care providers and health plans may use and disclose PHI with an individual’s “authorization” for any purpose provided in the authorization.
• These functions include:
  - Plan must not condition treatment or payment on receipt of an authorization
  - In some circumstances, an employer may condition employment on receipt of an authorization
  - An authorization may be required to obtain PHI for purposes of the FMLA or ADA
  - An authorization may be required for an employer to assist an employee with a claim
  - An authorization may be required for an employer to receive reports from an EAP
27. Exceptions for some common employer practices
HIPAA includes numerous exceptions to its broad use and disclosure rules.
Common employer practices that fall under these exceptions:
• State/federal disclosure requirements
• Workers’ compensation
• Health information contained in the employment record
28. Special Concerns
• Change office behavior:
  - Shred pertinent documents; do not simply discard them.
  - Prohibit staff from accessing a participant’s medical records to learn a neighbor’s birthday or to satisfy a similar form of curiosity.
  - Do not leave messages about a participant’s health on an answering machine or with someone other than the patient or doctor.
  - Avoid discussions about a participant’s claims in elevators, cafeterias or other public places.
  - Avoid paging participants using identifiable information.
  - Do not fax information without knowing that the person to whom the fax is addressed is ready to receive it.
  - Do not allow faxes to sit on an office machine where unauthorized people may see them.
30. Overview
The American Recovery and Reinvestment Act of 2009 (ARRA) modified HIPAA:
• Security and privacy rules apply to Business Associates (BAs)
• Created new notification rules for a privacy breach:
  - Notice to affected individuals
  - Notice to the media
  - Notice to the Department of Health and Human Services (HHS)
• Penalties for non-compliance increased
31. Security and Privacy Rules Applied to Business Associates
• Most security rules now apply to BAs
• Some privacy rules now apply to BAs
• Generally effective February 1, 2010:
  - Some provisions, such as the breach rules and penalties, can apply earlier
  - BAs must comply with the electronic protected health information (PHI) and breach rules as of September 1, 2009, but do not need security policies and procedures until February 2010
32. Breach Defined
• A breach is:
  - “The acquisition, access, use or disclosure” of PHI
  - In a manner not otherwise permitted under the HIPAA privacy rule
  - “Which compromises the security or privacy” of the PHI
• The regulations do not incorporate the statute’s use of “accesses, maintains, retains, modifies, records, stores, destroys or otherwise holds, uses or discloses” unsecured PHI.
• “Compromises” the PHI is defined as a breach that poses “a significant risk of financial, reputational, or other harm.”
  - BAs can make a judgment call about how significant a threat is.
• If not significant, there is no breach and reporting is not required.
  - A risk assessment should be done and documented so it can be demonstrated why a breach notice was not needed.
33. Breach Defined
During an evaluation consider:
• Who impermissibly used the PHI, or to whom the information was impermissibly disclosed
• The nature of the PHI that was disclosed. For example:
  - If the name of an individual and plan participation are disclosed, there could be a privacy breach, but there may be no harm.
  - If the types of treatment or other sensitive information (social security number, account number, etc.) are revealed, then there is a higher likelihood of harm.
  - Many types of health details are sensitive these days given the risk of employment discrimination.
34. Breach Defined
• Effective for breaches occurring on or after the date 30 days after publication in the Federal Register.
• HHS will use its enforcement discretion and not impose penalties until February 22, 2010.
  - No guidance on whether penalties could relate to actions taken between September 23, 2009 and February 21, 2010.
• HHS does not have the authority to penalize BAs until February 18, 2010.
  - This will not negate any potential exposure from breach of contract or negligence.
35. Exceptions to Breach
• Secured PHI
• Unintentional acquisition, access or use by an individual acting under the authority of a BA
• Inadvertent disclosure from one covered entity to another covered entity
• Unauthorized disclosure where the unauthorized individual would not reasonably have been able to retain the information
36. Exceptions to Breach - #1. Secured PHI
Secured PHI
• PHI that is held in a manner deemed to be “secure.”
  - Electronic data protected by specified encryption technology
  - Paper or film records shredded or destroyed
  - Electronic media purged in accordance with specific standards
Unsecured PHI
• PHI that is not rendered unusable, unreadable or indecipherable to unauthorized individuals through technology or methodology approved by HHS.
  - PHI in any form is covered (oral and written, both paper and electronic).
  - Access controls, firewalls, etc. do not make data secured.
  - Redaction of paper documents does not make them secured.
37. Exceptions to Breach - #1. Secured PHI
Safe harbor
• For data:
  - In motion (moving through a network)
  - At rest (in a database or on a flash drive)
  - In use (in the process of being created, retrieved, updated or deleted)
  - Disposed (both discarded paper records and recycled electronic media)
38. Exceptions to Breach - #2. Unintentional Acquisition
The unintentional acquisition, access or use of PHI by a workforce member or person acting under the authority of the plan or BA, if the acquisition, access or use is in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the HIPAA privacy rule.
• Workforce member – includes employees, volunteers and others under the control of the plan
• A BA can be acting under the authority of the plan
• Example:
  - An employee who is responsible for billing receives an email from another employee which contains PHI about a plan participant. The email was accidentally sent. The billing employee opens the email, notices she is not the intended recipient, alerts the employee who sent the email and then deletes the email.
39. Exceptions to Breach - #3. Disclosure to Another Covered Entity
Inadvertent disclosure by a person who is authorized to access PHI at a plan or BA to another person authorized to access PHI at the same plan or BA, if the PHI received is not further used or disclosed in a manner violating 45 CFR Part 164, Subpart E.
Example:
• A member of an appeals committee shares a participant’s PHI with another committee member. Member 1 thought the participant had appealed a claim; however, it was actually a different participant’s appeal. Member 2 does not disclose or use the PHI.
40. Exceptions to Breach - #4. Unauthorized Disclosure, Not Retained
• Disclosure of PHI where a plan or BA has a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain the PHI.
• Appears to apply to both physical (e.g., an actual paper record) retention and mental retention.
• Example:
  - A plan mails a number of EOBs to the wrong individual. The EOBs are returned by the post office as undeliverable. They are unopened.
41. Identification of Breach
The plan and BA must determine:
• whether there was an impermissible use or disclosure of PHI under Subpart E
• whether the impermissible use or disclosure compromises the security or privacy of the PHI, and document such findings
• whether an exception applies
42. Notification Rules
When a breach is discovered:
• The BA should report the breach to the plan within the timeframe allowed by their agreement
  - The BA does not need to report the breach to the affected individuals, unless the contract specifies otherwise
• The plan must notify each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used or disclosed as a result of the breach
• The plan may need to notify the media
• The plan must notify HHS
43. Notification Rules
Discovery of a breach
• The first day on which the breach is known, or should reasonably have been known, by a covered entity or BA had they exercised reasonable diligence
• The plan and BA are deemed to have the knowledge of their workforce members and any agents
  - Agent status is determined using federal common law agency rules
• A BA is often an agent of the plan
• Broad reach
• If the breaching employee never tells anyone of a breach, the breach occurred but cannot be discovered, and therefore there is no reporting obligation
44. Notification Rules
Business Associate notification to plan
• Must notify the plan after it discovers a breach of unsecured PHI
  - Same rules as for covered entities in determining when a breach is discovered
• The BA must provide notice to the plan without unreasonable delay, but in no event later than 60 days after the breach is discovered
• The BA must provide a list of each individual whose PHI was breached and any other information the plan would need to send out notice to individuals
45. Notification Rules
Notice to individuals
• The plan must notify each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired or disclosed as a result of the breach.
  - If the BA discovers the breach, it must notify the plan and should identify each individual who is affected.
• Notification must be made without unreasonable delay and no later than 60 calendar days after discovery of the breach.
  - 60 days from the date the breach was first known is the outside limit and may be unreasonable in some circumstances.
• The 60 days begins even if it is initially unclear whether there was a breach.
  - The burden of proof is on the covered entity/BA to show timeliness.
46. Notification Rules
Notice to individuals
• When direct notice is not possible because the plan has insufficient or out-of-date contact information, it may notify by a substitute form:
  - For fewer than 10 individuals, it may be written notice, telephone notice or other means
  - For more than 10 individuals, it should be a conspicuous posting on the covered entity’s web site for 90 days or more, or a conspicuous notice in major print or broadcast media
• A toll-free phone number must be included so individuals can learn if their unsecured PHI was breached
• Must be on the home page of the web site or be a prominent hyperlink
• What constitutes major print or broadcast media is a facts-and-circumstances test, which considers the geography of the individuals
47. Notification Rules
Notice to individuals
• Notice must include:
  - A plain-language, brief description of what happened, including the date of the breach and the date of its discovery
  - The type of unsecured PHI involved (e.g., social security number, full name, address, etc.)
  - Steps an individual should take to protect himself/herself from potential harm
  - A brief description of what is being done to remedy and mitigate the effects of the breach
  - Contact procedures for individuals to ask questions or get additional information
• Must include a toll-free phone number, email address, web site or mailing address
48. Notification Rules
Media Notice
• Notice must be provided to prominent media outlets in the state or jurisdiction if unsecured PHI of more than 500 residents of the state or jurisdiction is, or is reasonably believed to have been, accessed, acquired or disclosed during a breach
  - Assumption that major media is similar to prominent media
  - A jurisdiction is smaller than a state (e.g., a county or city)
  - Must affect 500 residents of the state or jurisdiction: if the total breach is larger, but there are not 500 in any one state or jurisdiction, this notice is not required
• This notice is in addition to the individual notice
49. Notification Rules
HHS Notice
• Notice must be provided to HHS if there is a breach of 500 or more individuals
  - Notice must be submitted within the same timeframe as notice to the affected individuals
  - The count of individuals is the total discovered during the investigation
  - If there was an initial discovery of 400 individuals, but upon investigation another 150 are discovered, HHS must be notified
• A log must be maintained and submitted annually to HHS for breaches of fewer than 500 individuals
  - Must be submitted within 60 days of the end of the calendar year
  - The HHS website will provide details on how to submit
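The breach-determination and notification rules above (exceptions, the 60-day clock, the per-jurisdiction media threshold, the HHS immediate-versus-annual-log split, and substitute notice) encoded as an added Python decision helper; this is example code, not from the deck or from Benefit Express, and the incident fields, exception labels and sample counts are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Optional

# Thresholds and deadlines as stated in the deck (notification rules, slides 42-49).
INDIVIDUAL_NOTICE_DAYS = 60        # outside limit: 60 calendar days after discovery
MEDIA_RESIDENT_THRESHOLD = 500     # "more than 500 residents" of one state/jurisdiction
HHS_IMMEDIATE_THRESHOLD = 500      # "500 or more individuals" in total: notify HHS now
SUBSTITUTE_POSTING_THRESHOLD = 10  # fewer than 10 unreachable: written/phone; else posting
ANNUAL_LOG_DAYS = 60               # log of smaller breaches due 60 days after year end

# Exception categories from slides 35 and 38-40 (labels are constructed).
BREACH_EXCEPTIONS = {"unintentional_workforce", "inadvertent_internal", "not_retained"}


@dataclass
class Incident:
    """Facts gathered during the investigation (constructed field names)."""
    discovered: date                       # first day known, or should have been known
    affected: Dict[str, int] = field(default_factory=dict)  # jurisdiction -> people
    secured: bool = False                  # encrypted/destroyed per HHS guidance
    exception: Optional[str] = None        # one of BREACH_EXCEPTIONS, or None
    unreachable: int = 0                   # people with insufficient contact info


def is_reportable_breach(inc: Incident) -> bool:
    """Secured PHI, or an acquisition that fits an exception, is not a breach."""
    if inc.secured or inc.exception in BREACH_EXCEPTIONS:
        return False
    return sum(inc.affected.values()) > 0


def notice_plan(inc: Incident) -> dict:
    """Which notices are owed and by when; dates are returned as ISO strings."""
    if not is_reportable_breach(inc):
        return {"reportable": False, "action": "document the risk assessment"}
    total = sum(inc.affected.values())     # count everyone found during investigation
    deadline = inc.discovered + timedelta(days=INDIVIDUAL_NOTICE_DAYS)
    # Media notice is judged per state/jurisdiction, never on the overall total.
    media = sorted(j for j, n in inc.affected.items() if n > MEDIA_RESIDENT_THRESHOLD)
    if total >= HHS_IMMEDIATE_THRESHOLD:
        hhs = {"when": "with individual notices", "deadline": deadline.isoformat()}
    else:
        year_end = date(inc.discovered.year, 12, 31)
        hhs = {"when": "annual log",
               "deadline": (year_end + timedelta(days=ANNUAL_LOG_DAYS)).isoformat()}
    if inc.unreachable == 0:
        substitute = None
    elif inc.unreachable < SUBSTITUTE_POSTING_THRESHOLD:
        substitute = "written, telephone or other means"
    else:
        substitute = "web posting for 90+ days or major media, with toll-free number"
    return {"reportable": True, "individual_deadline": deadline.isoformat(),
            "media": media, "hhs": hhs, "substitute_notice": substitute}


def assess(discovered_iso: str, affected: Dict[str, int], **facts) -> dict:
    """Convenience wrapper so the rules can be run from plain strings and counts."""
    return notice_plan(Incident(date.fromisoformat(discovered_iso), affected, **facts))


if __name__ == "__main__":
    # The deck's own scenario: 400 found at first, another 150 during investigation.
    print(assess("2016-03-01", {"IL": 400, "CA": 150}, unreachable=12))
```

Note that in the deck's 400 + 150 scenario the HHS notice is due immediately because the total reaches 500, while no media notice is owed because neither state alone exceeds 500 residents.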
50. Penalties/Enforcement
• State notification laws are not preempted unless they stand “as an obstacle.”
• Law enforcement delay of notification: verbal notice must be documented and is for a maximum of 30 days; written notice is for the time period specified
• Must train the workforce on the requirements
• Complaint processes must provide for the ability to include complaints regarding these processes
• Retaliation/waiver/intimidating acts are prohibited
• There are sanctions for failure to comply
51. Penalties/Enforcement
HHS audits now required
Penalty amounts:
• Minimum $100 if the entity did not know of the violation and would not have known even with reasonable diligence – maximum $50K per violation, $1.5M total
• Minimum $1,000 if reasonable cause and not willful neglect – maximum $50K per violation, $1.5M total
• Minimum $10,000 if willful neglect but corrected – maximum $50K per violation, $1.5M total
• Minimum $50,000 if willful neglect and not corrected – maximum $1.5M
53. Compliance Audits
• OCR announced the launch of phase 2 of the audit program in March 2016.
• Here are some things to expect:
• Who may be audited?
  - OCR intends to audit a wide range of covered entities, and business associates will be added to the list of audit targets, now that OCR has direct enforcement authority over business associates.
  - OCR’s stated goal is to have a broad sample of audited entities, including each type of covered entity (plans, providers, and clearinghouses), different types of business associates, entities of different sizes, and entities located in various regions throughout the country.
54. Compliance Audits
What is the structure of the audit program?
Phase 2 will be conducted in three rounds:
• Round 1: The first round will be remote desk audits of covered entities, based on documents and other information received in response to an information request.
• Round 2: The second round will be remote desk audits of business associates, based on documents and other information received in response to an information request. Rounds 1 and 2 are expected to be completed by December 2016.
• Round 3: The third set of audits will be on-site and will examine a broader scope of HIPAA requirements than the desk audits. Both covered entities and business associates, including those that already underwent a desk audit, may be subject to an on-site audit.
55. Compliance Audits
How will the audit program work?
• The audit process will employ common audit techniques.
• Entities selected for an audit will be sent an email notification of their selection and will be asked to provide documents and other data in response to a document request letter.
• Audited entities will submit documents online via a new secure audit portal on OCR’s website, within 10 business days after they receive OCR’s request.
• After reviewing relevant documentation and other information, auditors will develop and share draft findings with the audited entity.
• Audited entities will have the opportunity to respond to the draft findings, and their written responses will be included in the final audit report. Audit reports generally describe how the audit was conducted, discuss any findings, and contain entity responses to the draft findings.
56. Compliance Audits
What is the audit timeline?
• The timeline for desk audits is quite compressed.
• Once the auditor sends draft findings to the audited entity, the audited entity will have just 10 business days to review the findings and return written comments to the auditor.
• The auditor will complete a final report within 30 business days after receiving the audited entity’s comments.
• On-site audits will be conducted over a period of 3–5 days, depending on the size of the entity.
• As with desk audits, the audited entity will have just 10 business days to review and submit written comments on the auditor’s draft findings.
• The final audit report will be completed and furnished to the audited entity within 30 days after the audited entity’s response.
57. Compliance Audits
What is the likely scope of an audit?
• OCR has indicated that desk audits will be more limited than on-site audits, but it is unclear how much more limited they will be.
• OCR also has released an updated audit protocol. Previously, OCR had suggested that the updated protocol would identify the areas that OCR would focus on during phase 2 audits, but the actual protocol does not really carry through on this suggestion: it lists all of the security rule’s requirements for administrative, physical, and technical safeguards and all of the breach notification rule’s requirements.
58. Compliance Audits
What is the likely scope of an audit?
• The protocol is a little narrower with respect to the privacy rule, covering:
  - the Notice of Privacy Practices
  - the right to request privacy protection for PHI
  - access of individuals to PHI
  - administrative requirements (such as training, policies and procedures, sanctions, and document retention)
  - uses and disclosures of PHI
  - individuals’ rights to request amendment of PHI and accountings of disclosures
59. Compliance Audits
• How do you prepare for a possible audit?
  - Be alert to OCR communications
  - Don’t ignore OCR
  - Round up all the OCR inquiries
  - Have an audit response plan in place
  - Conduct a pre-audit review
  - Time is of the essence
  - Know your business associates
  - Develop or update compliance documents
61. Company Background - Services
• Eligibility
• Enrollment
• Integration
• Self Service
• Communications
• EE Call Center
• Decision Support
• Retiree H&W Admin.
• COBRA
• Direct Billing
• Total Rewards
• Reimbursements (HSA / FSA)
• Commuter Benefits
• Dependent Verifications
• ACA & Other Compliance Svc.
We help participants understand and use their benefits wisely so that they can be accountable for their healthcare.
We enable you, as the plan sponsor, to enable and deliver your benefits strategy.
benefit wise. relationship driven.
62. Company Background – Book of Business
Clients & Services Supported
• Mid/Large Administration clients: 226
• Administration Participants: 1,500,000+
• Technology Clients: 3,952
• Reimbursement / COBRA clients: 187
• Average client size (participants): 4,100
• ACA 1095 Forms Generated: 250,000
250 employees serving our clients from two service centers: Schaumburg, IL and Rancho Cordova, CA.
63. Some of Our Partners
65. Contact Information
Larry Grudzien
Attorney at Law
(708) 717-9638
larry@larrygrudzien.com
www.larrygrudzien.com