00:00:01.210 --> 00:00:10.380
Amber Posthauer: Good afternoon, everyone. Thank you for joining us today. We're going to get started in a minute or so to allow all registrants to get connected. We'll get started shortly.
00:00:38.450 --> 00:00:45.280
Amber Posthauer: Welcome, everyone, to the Introduction to HIPAA's Privacy and Security Rules. Thank you all so much for joining us.
00:00:45.580 --> 00:00:56.699
Amber Posthauer: The Benefits Compliance Team will be answering the questions you sent through the Q&A today. We'll try our best to answer all of your questions, but if for whatever reason we're unable to get to your question today, please follow up with your advisor for further assistance.
00:00:57.160 --> 00:01:11.760
Amber Posthauer: Today's presentation is being recorded. We will be sharing the recording in the follow-up email and on the NFP website. If there are any portions of this call that you missed, by Monday you'll receive an email with a link to the full recording. The PowerPoint slides used during this presentation will be shared in the same email.
00:01:11.990 --> 00:01:23.449
Amber Posthauer: At this time, I'd like to hand it over to Sharon Cohen, Vice President and Counsel of Benefits Compliance at NFP, and Mollie Sledd, Vice President of NFP Benefits Compliance. Mollie, the floor is yours.
00:01:24.780 --> 00:01:32.579
Mollie Sledd: Thank you, Amber, and good afternoon, everyone. Welcome to our Get Wise Wednesday webinar on HIPAA privacy and security.
00:01:32.800 --> 00:01:38.220
Mollie Sledd: As Amber said, my name is Mollie Sledd, and I am a member of NFP's Benefits Compliance Team.
00:01:38.450 --> 00:01:49.740
Mollie Sledd: Now, in the spirit of HIPAA, I'll disclose a little health information of my own. I do have a cold right now, so I apologize in advance for any coughing or sniffling you might hear.
00:01:51.220 --> 00:01:52.130
Mollie Sledd: Right?
00:01:55.630 --> 00:02:12.879
Mollie Sledd: So, my colleague Sharon Cohen and I will be presenting today. Here we are. The HIPAA privacy and security rules certainly are not new. We're revisiting them now as part of the launch of our new HIPAA employer guide, and because we're hearing about HIPAA breaches and enforcement actions more and more.
00:02:12.950 --> 00:02:23.670
Mollie Sledd: These are long-established requirements, but the risk of a breach and liability on the employer sponsoring a health plan continues to grow. So we're shining a spotlight on it today.
00:02:26.420 --> 00:02:44.549
Mollie Sledd: As a reminder, this information is intended to be used for general guidance only. We are not offering tax or legal advice, and we encourage you to speak to your tax or legal professional for specific advice to your company. The information contained herein is current as of yesterday's date.
00:02:47.770 --> 00:03:03.039
Mollie Sledd: Here is our agenda for today's training. Now, this webinar is not meant to be a full primer on HIPAA privacy and security. We'll offer an overview, but if you need to brush up on the HIPAA privacy and security rules background and requirements,
00:03:03.120 --> 00:03:08.400
Mollie Sledd: please do review our new publication, and you can reach out to your account team if you need a copy of that.
00:03:09.770 --> 00:03:26.689
Mollie Sledd: Instead, after some table setting of the law and its requirements, Sharon and I are going to spend the first part of the webinar hitting the salient parts of HIPAA privacy and security, and then talk about how it impacts employers who sponsor group health plans through practical scenarios that you may find yourselves in.
00:03:27.680 --> 00:03:46.090
Mollie Sledd: And just as a reminder, if you do want to submit questions, which we absolutely encourage, please do use the Q&A function on Zoom instead of the chat function. That way, we can be sure that we do address your question, and it's memorialized, and we can get to it properly.
00:03:48.290 --> 00:03:54.660
Mollie Sledd: Alright, so Sharon, could you please give us a brief introduction to the HIPAA privacy and security rules?
00:03:55.020 --> 00:04:11.009
Sharon Cohen: Mollie, I would love to do that. As Mollie mentioned, this is HIPAA Privacy and Security Month at NFP, so we're just using this opportunity today to give some awareness around these rules that have been in place
00:04:11.010 --> 00:04:16.579
Sharon Cohen: since 1996. So, HIPAA was enacted at that point.
00:04:18.350 --> 00:04:28.109
Sharon Cohen: So, health coverage and protect personal health information. HIPAA is a law that touches every part of the U.S. healthcare system, from
00:04:28.110 --> 00:04:39.779
Sharon Cohen: coverage continuity, like these special enrollments and the non-discrimination provisions that we know about for wellness programs, to how health data is managed and secured.
00:04:39.930 --> 00:05:02.440
Sharon Cohen: HIPAA is enforced by HHS, that's the Department of Health and Human Services, and the Office of Civil Rights. We call it, refer to it as OCR, that's the enforcement arm. So OCR is an entity that investigates complaints and conducts audits and partners with the Department of Justice
00:05:02.440 --> 00:05:26.830
Sharon Cohen: should there be any criminal violations of the HIPAA rules. OCR can also impose penalties for noncompliance, and common violations under the privacy provisions are things like unauthorized use or disclosure of PHI, a failure to secure and safeguard electronic PHI, or what we refer to as
00:05:26.830 --> 00:05:44.050
Sharon Cohen: ePHI, denying an individual access to their own PHI, violations of the minimum necessary standard. And these violations can result in civil and monetary penalties, sorry, of
00:05:44.580 --> 00:06:03.400
Sharon Cohen: hundreds of dollars to a couple million dollars. It depends on the severity. There are also criminal penalties of up to $250,000 and jail time for, up to 10 years for intentional misuse of
00:06:03.400 --> 00:06:06.499
Sharon Cohen: PHI, or protected health information. So.
00:06:06.500 --> 00:06:13.460
Sharon Cohen: we're not messing around here. To bring home the importance of today's discussion, I want to mention a case
00:06:13.460 --> 00:06:32.500
Sharon Cohen: that was settled in March of this year, and the situation involved a company called Health Fitness. It's a wellness plan provider and a business associate to employer-sponsored group health plans. So Health Fitness ultimately paid close to $230,000
00:06:32.500 --> 00:06:37.710
Sharon Cohen: to settle alleged violations of the HIPAA security rule.
00:06:37.710 --> 00:07:00.650
Sharon Cohen: after they failed to conduct a timely and thorough risk analysis. So, what was happening was they had multiple breaches that stemmed from a server misconfiguration within their system, and this exposed, ePHI, or electronic PHI, of over 4,000 individuals to internet search engines.
00:07:00.650 --> 00:07:11.819
Sharon Cohen: And as part of that settlement, Health Fitness agreed to a corrective action plan, and they also agreed to 2 years of monitoring, from OCR.
00:07:11.820 --> 00:07:24.749
Sharon Cohen: So today, we are going to focus on three specific sections of HIPAA's administrative simplification rules. That's the privacy rule, which governs how protected health information is used or disclosed.
00:07:24.750 --> 00:07:36.710
Sharon Cohen: The security rule, which sets the standard for safeguarding ePHI, and the breach notification rule, which outlines what must happen when unsecured PHI is compromised.
00:07:36.710 --> 00:07:59.560
Sharon Cohen: So let's first talk about the entities that are subject to HIPAA. So first of all, what is this a covered entity? Under HIPAA, a covered entity is an organization that handles protected health information, which I am now going to refer to as PHI, and we'll define that in a minute, but it's in connection with the delivery or payment of healthcare.
00:07:59.560 --> 00:08:08.349
Sharon Cohen: So, covered entities are health plans, healthcare providers, like doctors and hospitals, and healthcare clearinghouses.
00:08:08.350 --> 00:08:22.839
Sharon Cohen: And these are entities that check and clean up information that doctors have sent to them before sending it on to insurance companies so they can… so that claims can be properly
00:08:22.930 --> 00:08:23.950
Sharon Cohen: processed.
00:08:24.100 --> 00:08:47.100
Sharon Cohen: Let's dive a little bit deeper into health plans as covered entities, since that's where an employer's responsibility is going to lie. So, what is a health plan? Well, it's private insurers, it's government programs like Medicare and Medicaid, and it's also employer-sponsored group health plans. So, different types of employer-sponsored group health plans
00:08:47.100 --> 00:09:03.749
Sharon Cohen: are going to be covered entities, like the major medical coverage, dental, vision, prescription drug coverage, health FSAs, HRAs, and any other benefits that pay or reimburse medical care. So this might be a point solution, for example.
00:09:03.750 --> 00:09:06.700
Sharon Cohen: What isn't a covered entity, or isn't
00:09:07.140 --> 00:09:22.419
Sharon Cohen: considered under HIPAA's umbrella. Well, this would be benefits that don't provide medical care, but I like to call them medical-adjacent. So, things like disability insurance, life insurance, accidental death and dismemberment.
00:09:22.420 --> 00:09:27.719
Sharon Cohen: sick leave, medical leave, FMLA benefits. They all might use
00:09:27.720 --> 00:09:44.450
Sharon Cohen: medical information, but they would not be considered covered entities. And these plans, you know, involve sensitive information, and, but for the most part, they are considered employment records, not PHI under P… under HIPAA.
00:09:44.490 --> 00:10:03.559
Sharon Cohen: There is a special exception for small, self-administered plans under HIPAA. HIPAA does not apply to certain small group health plans that meet these three criteria that we've laid out here. So, number one, they have to be self-administered. You can't have a TPA or vendor involved.
00:10:03.560 --> 00:10:16.899
Sharon Cohen: They have to have fewer than 50 employees, and they don't transmit health information electronically. That means they would use paper forms. So this is a very narrow exception, and most days.
00:10:17.110 --> 00:10:38.600
Sharon Cohen: even small group health plans are not going to qualify for this exception. So the one takeaway here from this slide is that if an organization sponsors a group health plan that provides or reimburses medical care and transmits that health data electronically, it's a covered entity under the HIPAA
00:10:38.660 --> 00:10:44.500
Sharon Cohen: provisions and needs to comply with the privacy, security, and breach notification rules.
00:10:44.700 --> 00:11:04.589
Sharon Cohen: So, so far, we've talked about the fact that HIPAA covers, applies to covered entities like health plans, but HIPAA also applies to business associates. And these are individuals or companies that help the plan operate and handle and manage PHI on the plan's behalf.
00:11:04.600 --> 00:11:14.880
Sharon Cohen: So, a business associate is anyone outside of the employer's workforce who creates, receives, stores, or transmits PHI.
00:11:14.890 --> 00:11:23.809
Sharon Cohen: for the plan. And these would be things like claims processors and administrators, data analysts, billing vendors,
00:11:23.810 --> 00:11:40.409
Sharon Cohen: legal, actuarial, consulting, and broker services. So, in many cases, NFP is a business associate. It can also include these less obvious helpers, like IT support, or your document shredding vendor.
00:11:40.410 --> 00:11:46.639
Sharon Cohen: Or entity, or a storage vendor. So think about it this way. If a vendor touches
00:11:46.640 --> 00:12:01.280
Sharon Cohen: PHI in any way, they're a business associate under HIPAA. And HIPAA requires that the covered entity have a business associate agreement, or a BAA, with each of its vendors that handle PHI.
00:12:01.280 --> 00:12:18.460
Sharon Cohen: And a BAA is a written contract that says, you know, the vendor will protect PHI similarly to a covered entity, they'll only use it for permitted purposes, they'll report any breaches or security incidents.
00:12:18.590 --> 00:12:31.059
Sharon Cohen: So a group health plan can hire outside vendors to help with things like claims adjudication, or billing, or data storage. In essence, the covered entity is saying.
00:12:31.060 --> 00:12:42.449
Sharon Cohen: We're trusting you with sensitive data, and you're agreeing to protect it. That's how it works, and a group health plan cannot share PHI with a vendor without a BAA in place.
00:12:42.450 --> 00:12:50.579
Sharon Cohen: So business associates are directly responsible for complying with many of HIPAA's privacy and security requirements.
00:12:50.580 --> 00:13:12.760
Sharon Cohen: So, while the BAA is also on the hook for compliance, this doesn't mean that the plan is off the hook. So, a plan sponsor can hand off some of the work, but generally not the legal responsibility. And the nature of that responsibility will depend on the facts and circumstances, and Mollie, in a few slides, is going to get us
00:13:12.760 --> 00:13:16.030
Sharon Cohen: Into more detail on what that means.
00:13:16.130 --> 00:13:17.980
Sharon Cohen: For employer group health plans.
00:13:19.260 --> 00:13:20.230
Sharon Cohen: So…
00:13:20.230 --> 00:13:43.970
Sharon Cohen: What is protected health information? We've talked a bit around it, and now let's really break it down. So, PHI is individually identifiable health information that is created, received, or transmitted by a covered entity or its business associate in any form. This can be electronic, paper, or oral. Let's, like, break it down a little bit
00:13:44.350 --> 00:13:51.510
Sharon Cohen: more. So it's three things. It's health-related, and this could be about someone's
00:13:51.510 --> 00:14:07.450
Sharon Cohen: past, present, or future, physical or mental health. And it also includes information about the care they received and how they paid for it. It's identifiable, meaning that there are things like names, birthdates, social security numbers.
00:14:07.450 --> 00:14:18.950
Sharon Cohen: email addresses, and it's not just the obvious things. HIPAA actually, in the rules themselves, they list 18 specific identifiers that can make
00:14:18.970 --> 00:14:29.620
Sharon Cohen: health information individually identifiable. And these are things that include phone numbers and medical record numbers, IP addresses.
00:14:29.620 --> 00:14:53.430
Sharon Cohen: biometric data. If you've ever taken a picture at your doctor's office, that would also be one of these 18 identifiers. And if any of these are tied to health information, it's considered PHI. And the last one is that it's created or received by the plan. If the plan or one of its business associates creates, receives,
00:14:53.430 --> 00:14:59.189
Sharon Cohen: or transmits the information, it's considered PHI, so it checks all the boxes.
00:14:59.190 --> 00:15:10.870
Sharon Cohen: It's PHI, it's protected under HIPAA, subject to the provisions under HIPAA. So, PHI, again, is at the heart of the privacy and security rules.
00:15:10.870 --> 00:15:27.159
Sharon Cohen: And covered entities are permitted, allowed, to use and disclose PHI, but only for the specific purposes of treatment, payment, and healthcare operations. And in addition to those limited circumstances to use or disclose it,
00:15:27.160 --> 00:15:40.499
Sharon Cohen: HIPAA also imposes what's called a minimum necessary standard, meaning that the covered entity, while using PHI for one of these permitted purposes of a treatment, payment, or a healthcare operation,
00:15:40.500 --> 00:15:47.340
Sharon Cohen: should share or use the least amount of information needed to get the task done.
00:15:47.370 --> 00:15:59.299
Sharon Cohen: So, use of PHI beyond a treatment, payment, or healthcare operation requires special permission or an authorization from, the individual.
00:16:00.470 --> 00:16:08.050
Sharon Cohen: So, we've talked about… a lot about what, counts as PHI, and it's important to know
00:16:08.120 --> 00:16:23.399
Sharon Cohen: things that are, not PHI. And a lot of information can be sensitive, and for a variety of reasons, we wouldn't want it shared, but it may or may not be technically PHI.
00:16:23.470 --> 00:16:25.000
Sharon Cohen: So, HIPAA defines several of these items that we have up here. At first, enrollment or disenrollment information. This one can be tricky. Sometimes it is PHI, and sometimes it isn't. So, if it's enrollment or disenrollment information that comes from outside the plan, like payroll, it's not PHI. But if it comes
00:16:49.090 --> 00:16:51.719
Sharon Cohen: from within the group health plan
00:16:51.790 --> 00:16:56.640
Sharon Cohen: or a business associate, then it would be considered PHI.
00:16:56.790 --> 00:17:04.090
Sharon Cohen: Summary health information and de-identified health information, which is listed below it, are…
00:17:04.599 --> 00:17:20.899
Sharon Cohen: defined terms within HIPAA, within the HIPAA, provisions, and to some degree, they're subsets of PHI. So, summary health information, is stripped of many identifiers, but it can include
00:17:20.900 --> 00:17:38.889
Sharon Cohen: zip codes and dates, and summary health information can be shared with a plan sponsor, but only for obtaining premium bids and modifying or amending a plan. So it's used for healthcare operation, but it's still subject to HIPAA's minimum necessary standard.
00:17:38.890 --> 00:18:02.619
Sharon Cohen: And de-identified information, we have at the bottom of this list here, this is information that's defined within the privacy rules, but all 18 HIPAA identifiers, which we defined on the… or which we discussed on the previous slide, they're removed. And so this information is not considered PHI, and it can be used
00:18:02.620 --> 00:18:06.450
Sharon Cohen: for research and analytics or marketing purposes.
00:18:06.450 --> 00:18:10.310
Sharon Cohen: But there is a process to de-identifying
00:18:10.740 --> 00:18:21.910
Sharon Cohen: PHI, and that process is set out in the privacy standards, in the privacy rules, and so there are strict standards for how information can become
00:18:22.440 --> 00:18:30.210
Sharon Cohen: de-identified, for example. And the last thing here is that, we do have some
00:18:30.320 --> 00:18:53.730
Sharon Cohen: things that contain health information, but are not necessarily PHI. So, if it's originated or part of an employment record, it's not protected by HIPAA. And these are things like FMLA certifications, or disability claims, or sick leave notes, or drug test results. These… this kind of information is protected under other laws.
00:18:53.730 --> 00:19:09.680
Sharon Cohen: like the ADA or the FMLA, but not under HIPAA, per se. So the bottom line is, if it comes from a covered entity, like a group health plan, but can't be used to identify a specific person, it's not PHI.
00:19:09.680 --> 00:19:25.630
Sharon Cohen: Now Mollie is going to walk us through how all of these terms that we've just gone through can be used, you know, out in the wild, in real life, and what the significance, what significance they have for fully insured employers and employers with self-funded
00:19:25.700 --> 00:19:26.640
Sharon Cohen: plans.
00:19:28.160 --> 00:19:47.580
Mollie Sledd: Yeah, so, thank you. So now that we have an idea of what is and isn't PHI protected by HIPAA, let's talk about how our group health plans, should be interacting with PHI. And most of that answer is going to come down to the plan's funding structure and whether the group is considered what's referred to as
00:19:47.580 --> 00:19:51.040
Mollie Sledd: hands-on or hands-off PHI.
00:19:53.240 --> 00:20:03.119
Mollie Sledd: Alright, so first let's talk about hands-off PHI. Now, this is a status that can only apply to fully insured group health plan sponsors.
00:20:03.400 --> 00:20:23.139
Mollie Sledd: Sponsors of fully insured group health plans can opt not to receive PHI from the carrier, any business associate, any service provider. And this is, what we refer to as being hands-off with respect to PHI. Now, this is not a defined term under HIPAA, but it is a largely used and recognized one.
00:20:23.220 --> 00:20:28.200
Mollie Sledd: You're not going to find it in the statute or any of the HHS regs or anything like that, though.
00:20:28.790 --> 00:20:36.250
Mollie Sledd: Now, fully insured hands-off plan sponsors are allowed to handle that summary health information
00:20:36.350 --> 00:20:49.109
Mollie Sledd: And enrollment… disenrollment information that does not come from the plan that Sharon just mentioned a couple of slides ago. They can… they can handle that information, and it will not jeopardize their hands-off status.
00:20:49.720 --> 00:21:07.890
Mollie Sledd: Alright, and why would they be interested in keeping a hands-off status? Well, fully insured, hands-off plan sponsors are exempt from most, but not all, of the privacy rule's administrative requirements. It gives you a little bit of compliance relief.
00:21:08.350 --> 00:21:19.189
Mollie Sledd: And, you know, in that case, the way I like to describe it is that the plan is really the carrier. The carrier is the plan. The employer is just kind of the conduit for offering the benefits.
00:21:19.760 --> 00:21:26.949
Mollie Sledd: The carrier for fully insured hands-off group health plans assumes the primary responsibility for HIPAA compliance.
00:21:28.060 --> 00:21:31.729
Mollie Sledd: If a plan sponsor that wants to have a hands-off
00:21:31.750 --> 00:21:49.230
Mollie Sledd: status for their fully insured plan wants to be able to access PHI for some reason, they would need to get a signed HIPAA authorization from the affected individuals in order to access or handle that PHI, such as for getting involved in employee claims advocacy.
00:21:49.770 --> 00:22:03.349
Mollie Sledd: Alright, and we have a great article on our NFP website on Compliance Corner Insights. We call it an NFP observation called Don't Cross the Line, Avoiding PHI Pitfalls in Fully Insured Group Health Plans.
00:22:03.350 --> 00:22:12.129
Mollie Sledd: We published it a few weeks ago, and it covers a lot of the issues that we are talking about right now, and we'll be talking about over the next couple of slides.
00:22:12.130 --> 00:22:20.589
Mollie Sledd: where that distinction is, where that line is for fully insured group health plan sponsors who want to maintain a hands-off approach to PHI.
00:22:24.120 --> 00:22:43.779
Mollie Sledd: On the other hand, no pun intended, we have hands-on PHI status. So, first of all, if you have a self-insured group health plan, you are automatically considered hands-on with respect to PHI. This isn't going to include, of course, your kind of classic self-insured approach, but also level-funded plans,
00:22:44.070 --> 00:22:49.980
Mollie Sledd: health FSAs, and health reimbursement arrangements.
00:22:50.370 --> 00:22:53.819
Mollie Sledd: You know, even if all of your benefits are fully insured.
00:22:54.020 --> 00:23:07.620
Mollie Sledd: and all you have is a health FSA or an HRA that will unfortunately make you, or put you in that hands-on category with respect to PHI, and we're going to talk about that a little bit later in one of our scenarios.
00:23:08.460 --> 00:23:19.480
Mollie Sledd: Fully insured group health plans can also opt into being hands-on, and that would be true if they decide to receive PHI from the carrier or business associate.
00:23:20.850 --> 00:23:27.970
Mollie Sledd: Now, sponsors of hands-on plans, they're, you know, there are upsides and downsides, right? There are benefits and
00:23:28.210 --> 00:23:38.819
Mollie Sledd: ramifications for doing one or the other. Sponsors of hands-on plans are allowed to handle and transmit PHI for plan administration purposes.
00:23:38.950 --> 00:23:46.069
Mollie Sledd: They can do the job of administering the plan. And that is, the three classic reasons are for treatment,
00:23:46.420 --> 00:24:02.490
Mollie Sledd: payment, and healthcare operations. You can do what you need to do in order to make sure that participants are getting the healthcare they need, and that the group health plan is paying and getting paid in the way in which it is supposed to in order to operate.
00:24:03.080 --> 00:24:07.080
Mollie Sledd: Now, if you are a hands-on group health plan sponsor,
00:24:07.320 --> 00:24:24.160
Mollie Sledd: you do not need an authorization to get involved in things like claims advocacy, for example, in order to facilitate treatment, payment, and healthcare operations. However, all of your activities, however you touch PHI, it needs to be in…
00:24:24.450 --> 00:24:39.319
Mollie Sledd: consistent with the minimum necessary standard that Sharon discussed earlier. You should only be touching the amount of health information that is necessary to do the task at hand before you at that time.
00:24:42.980 --> 00:25:00.609
Mollie Sledd: Alright, so here we have a chart that lays out the compliance responsibilities under the HIPAA privacy and security rules for hands-off versus hands-on group health plan sponsors. So you can really kind of visualize the difference here.
00:25:00.920 --> 00:25:15.469
Mollie Sledd: Alright, so first, with access to PHI, if you're hands-off, you should not be accessing PHI, you know, that's the long and the short of it. So take a look at your systems, take a look at your operations, and make sure, you truly are not
00:25:15.710 --> 00:25:32.529
Mollie Sledd: receiving PHI from the carrier, from the business associate, or, you know, service providers, and that you do not plan to try to access it on a regular basis. However, if you're hands-on, the assumption is that you are. So, first, you know, kind of get a lay of the land.
00:25:32.530 --> 00:25:41.449
Mollie Sledd: And, evaluate, put pen to paper, and figure out how exactly your organization is accessing, using, and disclosing PHI.
00:25:42.020 --> 00:25:52.299
Mollie Sledd: Second is, the obligation to perform a risk analysis. This applies across the board, for both hands-off and hands-on group health plan sponsors under the security rule.
00:25:52.700 --> 00:26:00.109
Mollie Sledd: So, HHS has put together a tool, they call it the Security Risk Assessment Tool, that
00:26:00.110 --> 00:26:19.799
Mollie Sledd: smaller, maybe more fully insured group health plan sponsors can use to conduct their risk analysis. And what this does is it takes a look at your systems and says, okay, what are the actual risks to, you know, to this organization with respect to PHI? Again, if you are hands-off.
00:26:19.800 --> 00:26:29.480
Mollie Sledd: and you truly do not have any, then there should be, you know, very, very little risk. But this is a way… this tool is a way to go through that step, memorialize it, you can download it and save it.
00:26:30.460 --> 00:26:40.150
Mollie Sledd: If you are self-insured, if you are hands-on, however, you will need to conduct that risk analysis in a more kind of robust way.
00:26:40.150 --> 00:26:51.029
Mollie Sledd: And we are, we're going to recommend that you engage a HIPAA privacy and security vendor who can assist you with this risk analysis step.
00:26:51.910 --> 00:27:04.089
Mollie Sledd: Next is the obligation to perform workforce training. So take a look at your organization and figure out who is working on the health plans, who's working in benefits, or maybe in finance or accounting.
00:27:04.090 --> 00:27:19.489
Mollie Sledd: If you are hands-off, then we want to make sure that you are educating those workforce members on the importance of remaining hands-off, where those boundaries are, and why it's so important not to touch or engage with PHI. Whereas if you're hands-on,
00:27:19.590 --> 00:27:34.519
Mollie Sledd: you need to engage in a robust workforce training that teaches your staff members how they should be handling PHI. And again, a HIPAA privacy and security vendor is going to be able to
00:27:34.630 --> 00:27:38.599
Mollie Sledd: provide that, that, you know, training resource for you.
00:27:39.740 --> 00:27:51.350
Mollie Sledd: Next is the obligation to have written policies and procedures. So for hands-off, we do recommend having a document that, memorializes your limited
00:27:51.390 --> 00:28:07.440
Mollie Sledd: kind of access or limited obligations under the HIPAA privacy and security rules. Again, you need to make it clear that you are not accessing or handling PHI. Whereas, if you are hands-on, you're going to need to draft and adopt
00:28:08.010 --> 00:28:20.020
Mollie Sledd: full written policies and procedures for both a privacy and security rule, and a vendor is going to be able to provide either templates or assistance in customizing those written documents for you.
00:28:21.190 --> 00:28:35.450
Mollie Sledd: Now, HIPAA enshrines certain rights to individuals with respect to their own PHI. If you are hands-off, then you have to, basically promise that you will not seek a waiver of participants' rights. You will not
00:28:35.510 --> 00:28:51.609
Mollie Sledd: ask participants to say, oh, you know what, we don't have a right to our own PHI, we don't have a right to ask for accountings of it. You cannot ask for that waiver, and you cannot engage in any sort of retaliation against participants who try to exercise their rights.
00:28:52.230 --> 00:28:57.109
Mollie Sledd: Now, if you're hands-on, you have a much more, kind of,
00:28:57.260 --> 00:29:11.400
Mollie Sledd: a much wider obligation with respect to ensuring that your participants' rights under HIPAA are protected, and again, a vendor is going to be the entity that can help create that
00:29:11.910 --> 00:29:14.119
Mollie Sledd: kind of program for you.
00:29:15.400 --> 00:29:19.580
Mollie Sledd: So, business associate agreements. For hands-off
00:29:20.240 --> 00:29:37.249
Mollie Sledd: group health plan sponsors, you'll want to consider whether or not you need to sign BAAs with service providers. It's kind of a facts and circumstances approach, you know, discuss with your counsel or with your consultants whether or not you think that that is something that is necessary. But hands-on plan sponsors absolutely need to be
00:29:37.250 --> 00:29:42.549
Mollie Sledd: entering into BAAs with their service providers who do access, create, or store PHI.
00:29:43.430 --> 00:29:53.629
Mollie Sledd: And then finally is the obligation to provide a notice of privacy practices. If you are hands-off, that is the carrier's responsibility. They will send that notice directly to participants.
00:29:53.650 --> 00:30:09.879
Mollie Sledd: Your obligation as the plan sponsor is simply to remind them, to advise them of the availability of that Notice of Privacy Practices, which you have to do at least every 3 years. You can do that, for example, annually through your benefit guide, if you would like.
00:30:10.070 --> 00:30:23.660
Mollie Sledd: Hands-on plan sponsors have to provide that notice directly. They have to maintain it, provide it, post it online, make sure it's distributed to enrollees, and there is a model notice available from HHS.
00:30:24.590 --> 00:30:25.370
Mollie Sledd: Right?
00:30:28.250 --> 00:30:30.470
Mollie Sledd: So, hands-on,
00:30:30.570 --> 00:30:41.520
Mollie Sledd: group health plan sponsors do have additional responsibilities with respect to HIPAA. It is, you know, you do get to have that involvement with plan administration, but like I said, it is… it's more work.
00:30:41.550 --> 00:30:59.880
Mollie Sledd: So, some additional tasks for those hands-on plans. You have to designate a privacy and security official. It could be the same individual, it could be two different ones, but this is the individual that is responsible for making sure all those steps, like training and…
00:30:59.920 --> 00:31:08.720
Mollie Sledd: written policies and procedures, logging participant complaints, tracking breaches, things like that, are being… are being actually done.
00:31:09.050 --> 00:31:23.340
Mollie Sledd: Also, hands-on plan sponsors need to amend their plan documents to specifically allow for the access to PHI, and inside a certification form that says that they agree to protect and safeguard that information.
00:31:24.320 --> 00:31:39.959
Mollie Sledd: They need to also develop a breach and security incident procedure. So what happens if PHI is used or disclosed in a way that it shouldn't be? If it gets out there, then what are your procedures that you're going to follow? And we're going to discuss that, some more in a scenario later on.
00:31:40.580 --> 00:31:56.019
Mollie Sledd: Next, consider state privacy laws. So, HIPAA is not the last word in privacy or security. It's the biggest word, but not the last word. There are states that have their own laws. California, for example, has its own, set of protections that would need to be followed.
00:31:56.020 --> 00:32:13.039
Mollie Sledd: And then finally, it is imperative that you regularly review and update your HIPAA compliance. Take stock, you know, maybe annually, take stock of your organization, how it's handling PHI, what your security protocols are, and make sure that you are up-to-date in your compliance.
00:32:14.320 --> 00:32:15.140
Mollie Sledd: Alright.
00:32:16.420 --> 00:32:26.889
Mollie Sledd: So, on that note, let's go ahead and dive into some common scenarios, some things that we see going on with clients and organizations everywhere. So first.
00:32:27.140 --> 00:32:34.510
Mollie Sledd: Sharon, we have an employer who maintains a fully insured health plan, and they want to remain hands-off PHI.
00:32:35.130 --> 00:32:41.780
Mollie Sledd: Now, an employee comes to HR and informs them of her pregnancy, and she requests confidentiality.
00:32:42.310 --> 00:32:46.980
Mollie Sledd: What is HR's obligation under HIPAA with respect to this information?
00:32:47.400 --> 00:32:52.349
Sharon Cohen: Yeah, sorry, I got a little trigger-happy with the slides there for a second.
00:32:52.490 --> 00:32:57.740
Sharon Cohen: Thank you, Molly, for asking that question, but this is not,
00:32:57.970 --> 00:33:14.359
Sharon Cohen: PHI. This is not considered, PHI. While it is certainly, you know, sensitive information, and the individual has asked that it not be shared, it's not considered PHI because it came from
00:33:14.360 --> 00:33:29.010
Sharon Cohen: the individual herself, and it did not… it was not created or part of, a covered entity, so it didn't come from the group health plan or a business associate. So the source of this information
00:33:29.010 --> 00:33:48.620
Sharon Cohen: was not the covered entity, so HIPAA would not apply to that. So, as we've been talking, HIPAA applies when the group health plan or a vendor creates, receives, or transmits health information. But that doesn't mean that, you know, a company-wide email blast is,
00:33:48.800 --> 00:33:51.149
Sharon Cohen: Of this information is, you know.
00:33:51.810 --> 00:33:58.950
Sharon Cohen: necessary, or is okay to do. So even though it's not PHI, you know, HR has
00:33:58.950 --> 00:34:22.650
Sharon Cohen: a responsibility to treat this information as confidential. They would have that responsibility even if the person had not asked for it, because there are laws that would apply to her, like the ADA and the Pregnancy Discrimination Act, which actually requires that confidentiality, and FMLA, she might be asking for FMLA.
00:34:22.650 --> 00:34:36.369
Sharon Cohen: So, HR should only share the information with those who have a legitimate business need, for example, maybe her manager in giving her some accommodations, to,
00:34:36.719 --> 00:34:38.670
Sharon Cohen: To have that information.
00:34:40.510 --> 00:34:50.270
Sharon Cohen: So, again, just because something isn't PHI doesn't mean, you know, it's fair game, but… We also see…
00:34:50.409 --> 00:35:01.059
Sharon Cohen: quite often, information that is mis, I don't want to use the word diagnosed, but misconstrued to be PHI, when it's not.
00:35:05.690 --> 00:35:06.899
Mollie Sledd: All right, thank you.
00:35:06.900 --> 00:35:08.140
Sharon Cohen: Nope. Okay.
00:35:10.190 --> 00:35:13.800
Sharon Cohen: So, I have a question for you, Molly.
00:35:13.800 --> 00:35:18.010
Mollie Sledd: An employer maintains a fully insured health plan.
00:35:18.010 --> 00:35:37.069
Sharon Cohen: And avoids handling PHI. They don't want… they don't want to be hands-on. But they occasionally want to help with some claims, and the employer finds it burdensome to collect HIPAA authorizations each time an employee needs help with a claim.
00:35:37.120 --> 00:35:57.039
Sharon Cohen: Can an employer collect a blanket authorization at enrollment? You know, like, on the open enrollment, you know, screen, can they collect some sort of blanket authorization and then keep it on file in the future, should they have need to, help an employee with a claim?
00:35:58.270 --> 00:36:07.600
Mollie Sledd: Yeah, so, unfortunately, I don't think this would work. Authorizations really do need to be customized and completed and signed.
00:36:07.710 --> 00:36:09.820
Mollie Sledd: For each individual request.
00:36:09.950 --> 00:36:16.300
Mollie Sledd: In order to share or access PHI. So a blanket authorization would not really complete this organization's goals.
00:36:16.830 --> 00:36:31.940
Mollie Sledd: Now, authorizations have to contain certain core elements of content, including a description of the information that's being disclosed, the name of the entity that's disclosing it, the name of the recipient, who's going to be receiving it, the purpose of the disclosure,
00:36:32.020 --> 00:36:41.190
Mollie Sledd: An expiration date or event, and a statement of the individual's right to revoke the authorization, along with their signature and the date.
00:36:41.340 --> 00:36:47.039
Mollie Sledd: Now, if we have a situation where a plan sponsor wishes to regularly access and share
00:36:47.190 --> 00:36:55.479
Mollie Sledd: PHI, for example, they really want to be able to assist with claims advocacy, and they… they envision themselves getting involved quite often.
00:36:55.880 --> 00:37:02.450
Mollie Sledd: Then they should really consider adopting a hands-on PHI status instead of repeatedly using authorizations.
00:37:03.310 --> 00:37:09.489
Sharon Cohen: So, so what do you recommend for an employer that wants to remain hands-off, but
00:37:10.000 --> 00:37:13.840
Sharon Cohen: occasionally wants to help with claim issues. Like, you know, they…
00:37:14.120 --> 00:37:22.289
Sharon Cohen: If they get called, they want to try to refer people to the insurer, but if they get called, they want to be seen as
00:37:22.490 --> 00:37:25.070
Sharon Cohen: Helpful, and not a hindrance.
00:37:25.070 --> 00:37:40.320
Mollie Sledd: Yeah, absolutely, and I totally understand HR wanting to do that, right? That's… that's great. So, the idea is that authorizations are absolutely there to be used for their purpose, right? Which is to allow a user or disclosure of PHI.
00:37:40.320 --> 00:37:50.710
Mollie Sledd: But in this case, really, if they want to remain hands-off and not have to go through all of the HIPAA privacy and security compliance obligations that we discussed a few slides ago.
00:37:50.710 --> 00:37:51.080
Sharon Cohen: Yep.
00:37:51.080 --> 00:37:59.230
Mollie Sledd: And use of those authorizations should really be sporadic. It should not be something that's happening regularly or systematically.
00:37:59.330 --> 00:38:14.470
Mollie Sledd: So, you know, we recommend that there be a process in place for getting individual authorizations. You know, you can find, a lot of the carriers do have sample authorizations that they'll ask, employers to use when requesting PHI.
00:38:16.020 --> 00:38:23.320
Mollie Sledd: But, does that make sense that, you know, it's something that can happen every now and then, but shouldn't really regularly be happening?
00:38:23.320 --> 00:38:32.529
Sharon Cohen: Yes, and what do you think about whoever picks up the phone? For example, so some… you get, you know, there's a call to HR that someone's, you know.
00:38:32.530 --> 00:38:46.779
Sharon Cohen: At the dentist's office, or, you know, at a doctor's office, or they've just received… they're upset, they've just received something in the mail that is denying their claim, and they just blanket
00:38:46.840 --> 00:38:54.049
Sharon Cohen: we're using the word blanket again, but they just make a call to HR, and someone picks up the phone there.
00:38:54.060 --> 00:38:58.529
Mollie Sledd: Right, so… so HR can, you know, they can offer,
00:38:58.640 --> 00:39:07.069
Mollie Sledd: general information about the plan, like, oh, you know, here's the deductible, or… but really, we encourage,
00:39:07.410 --> 00:39:21.020
Mollie Sledd: We want to encourage participants to reach out to the service providers, to the carriers, to the organizations that are really in a much better position to be able to help them with that information in those situations.
00:39:21.020 --> 00:39:35.820
Sharon Cohen: Yeah, so even though this is a hands-off employer, it behooves them to have some training within their HR department to understand what they should do when they get these kinds of calls.
00:39:35.820 --> 00:39:37.409
Mollie Sledd: Definitely, yeah.
00:39:37.410 --> 00:39:52.950
Sharon Cohen: And even if they do have this sort of sporadic system of, you know, helping and getting an authorization from the individual, everyone in HR should be aware of, you know, the protocols around that.
00:39:52.950 --> 00:39:54.949
Mollie Sledd: Yes, yeah, agreed.
00:39:55.280 --> 00:39:55.980
Sharon Cohen: Okay.
00:39:56.790 --> 00:39:57.780
Mollie Sledd: Alright.
00:39:58.270 --> 00:40:00.140
Mollie Sledd: So, Sharon.
00:40:00.330 --> 00:40:07.139
Mollie Sledd: Next, we have an employer who's fully insured. However, they have decided to be hands-on with respect to PHI.
00:40:08.080 --> 00:40:21.000
Mollie Sledd: They have an employee who's hospitalized and unconscious after an accident. A family member of that employee calls HR, and they need to get some plan information to ensure that hospital services are covered.
00:40:22.050 --> 00:40:26.930
Mollie Sledd: Can HR share any information at all with that family member?
00:40:26.930 --> 00:40:46.439
Sharon Cohen: Yeah, so there is a provision within HIPAA that in an emergency, you know, HIPAA would allow HR to share limited plan info information, with someone involved in the employee's care. So, like, if a spouse or a parent were to call,
00:40:46.570 --> 00:41:04.140
Sharon Cohen: and if it helps with their treatment or coverage, then that sort of limited plan information can be, shared with them. If the employee can't speak for themselves, HR, you know, is… is… it's necessary for HR to use common sense.
00:41:04.140 --> 00:41:09.300
Sharon Cohen: To decide if the employee would be okay with sharing that sort of basic
00:41:09.300 --> 00:41:12.509
Sharon Cohen: Information, like whether they're enrolled in the plan.
00:41:12.510 --> 00:41:32.219
Sharon Cohen: But, you know, keep it simple, so it's just the basics, the minimum necessary. Confirming coverage is fine, but, like, sharing history of claims or any kind of medical history would not be okay, right? And then, if the caller wants more than basic information, like details about claims or bills.
00:41:32.390 --> 00:41:45.949
Sharon Cohen: for this scenario, HR should, direct them to the insurer, the TPA, because that's where the information is going to be best distributed, as you mentioned before. And that keeps
00:41:45.950 --> 00:41:54.790
Sharon Cohen: HR out of the PHI zone, because this… this employer wants to be out of the PHI zone and keep them in this sort of hands-off role.
00:41:55.670 --> 00:41:56.570
Mollie Sledd: Great.
00:41:57.050 --> 00:42:07.549
Mollie Sledd: So, I wonder if it would be useful for employers to, to maybe, ahead of time, get kind of a, like, an emergency contact information from their employees for this.
00:42:07.550 --> 00:42:09.340
Sharon Cohen: For this very reason. Yeah.
00:42:09.340 --> 00:42:11.459
Mollie Sledd: In case they do get a call.
00:42:11.670 --> 00:42:18.630
Mollie Sledd: Good to know that there are… there are, kind of, provisions and exceptions in HIPAA for emergencies.
00:42:18.630 --> 00:42:19.170
Sharon Cohen: Right.
00:42:19.170 --> 00:42:23.850
Mollie Sledd: You know, it sounds like it's meant to be, Pragmatic and practical, right?
00:42:23.850 --> 00:42:43.389
Sharon Cohen: It is, yes. So, even if it was a hand-on, hands-on, you know, employer, they could provide some information, but they still may want to direct them in this sort of emergent situation to, to the insurer.
00:42:44.210 --> 00:42:44.640
Mollie Sledd: Alright.
00:42:44.640 --> 00:42:45.170
Sharon Cohen: Right.
00:42:47.840 --> 00:42:53.790
Mollie Sledd: Alright, so… Let's see… Next.
00:42:54.600 --> 00:42:56.339
Mollie Sledd: We have an employer.
00:42:56.650 --> 00:43:00.299
Mollie Sledd: Who currently sponsors a fully insured, hands-off group health plan.
00:43:01.430 --> 00:43:09.830
Mollie Sledd: But, renewals being what they are this year, they're looking at their options, and they want to transition to a self-insured arrangement for the next plan year.
00:43:10.190 --> 00:43:14.379
Mollie Sledd: What HIPAA privacy and security responsibilities now apply?
00:43:14.880 --> 00:43:26.450
Sharon Cohen: Yeah, so I think this is, happens quite often with our employers, and, you know, when employers are looking to, try to save
00:43:26.450 --> 00:43:35.109
Sharon Cohen: Money for a variety of reasons why they might want to switch from a fully insured plan to a self-insured plan.
00:43:35.110 --> 00:43:49.300
Sharon Cohen: this is one of the items that, is… should be on their list in thinking about when they're making this transition. You know, a lot of times, employers get kind of lost in the… in the financials.
00:43:49.300 --> 00:44:06.560
Sharon Cohen: For example, and maybe even plan documentation, and then these other things, and then what they're not realizing is they're really going from this fully insured hands-off to self-insured, which means they're hands-on, right? It's a hands-on employer.
00:44:06.560 --> 00:44:21.889
Sharon Cohen: So, for this employer, what they're going to need to think about is, who within the employer is going to be a privacy officer or security officer. You know, they're going to need to have… to train staff.
00:44:21.890 --> 00:44:28.940
Sharon Cohen: Who's going to handle the PHI within the plan. A lot of times, we have HR departments that
00:44:28.940 --> 00:44:47.120
Sharon Cohen: are large, and they can have certain individuals designated as those who are part of the group health plan. I'm using air quotes for that. And other times, we have a very small staff within, an employer, and somebody I…
00:44:47.340 --> 00:45:01.010
Sharon Cohen: always refer to it as wearing a hat. So, somebody may have a dual purpose, right? They might be working with employment records, and they're wearing their employer hat, and then they need to take that hat off and put their,
00:45:01.010 --> 00:45:12.259
Sharon Cohen: health plan hat on, so their group health plan hat on, when they deal with what's PHI, and they need to make sure that the two don't cross, and that the two are
00:45:12.260 --> 00:45:37.240
Sharon Cohen: physically separated as well. They're going to need to distribute a notice of privacy practices to the participants, they're going to need to amend their plan document to allow PHI disclosures to the employer for plan administrations, and very importantly, they're going to need to assess and sign business associate agreements with any of the vendors
00:45:37.240 --> 00:45:45.659
Sharon Cohen: who, touch PHI on their plan beha- on the plan's behalf. So, NFP, your,
00:45:46.010 --> 00:46:02.770
Sharon Cohen: You know, if we sort of relate this to how can we help, we can help in supporting and guiding our clients through this transition, but it's, it's important for an employer to, access and involve,
00:46:03.210 --> 00:46:08.220
Sharon Cohen: HIPAA privacy and security experts to get that help.
00:46:08.220 --> 00:46:32.059
Sharon Cohen: And so, some of this is very, you know, fact-specific and training-specific, especially around these security experts, and our teams, our account teams are really knowledgeable in experts and vendors that we can recommend to assist employers with this. But there is a bigger role that the employer and HR is going to
00:46:32.060 --> 00:46:33.859
Sharon Cohen: need to,
00:46:33.860 --> 00:46:52.740
Sharon Cohen: Put in place, in terms of policy and procedures that aren't just sort of these documents that they hold onto, but actually contain the information as a guide to their own, employees on how to handle this information and what their protocols are.
00:46:52.770 --> 00:47:00.629
Sharon Cohen: And then to implement, you know, breach protocol… breach notification protocols to have all of that in place.
00:47:01.420 --> 00:47:03.379
Sharon Cohen: Did I miss anything, Molly?
00:47:04.250 --> 00:47:15.419
Mollie Sledd: I don't think so. I think you got it. So, definitely they should look back at the slides, you know, further up, that list the responsibilities, because that's what they're going to need to do.
00:47:15.420 --> 00:47:31.860
Sharon Cohen: Yes, and we also have some written materials that, you know, are accessible to our account teams that can help around, you know, providing employers with general education about the HIPAA privacy and security requirements.
00:47:33.670 --> 00:47:34.600
Mollie Sledd: All right.
00:47:34.780 --> 00:47:35.810
Sharon Cohen: Alrighty.
00:47:36.550 --> 00:47:43.580
Sharon Cohen: So, we have an employer, with… with a small group,
00:47:44.890 --> 00:48:03.919
Sharon Cohen: fewer than 50 lives. Medical, dental, and vision are fully insured, and they are a hands-off PHI employer, so they don't… they try not to touch it. The employer is implementing a health FSA, to their plan, with their upcoming renewal.
00:48:03.920 --> 00:48:19.859
Sharon Cohen: A Health FSA vendor is going to handle all the claims and substantiation, and participants are going to be reimbursed directly, so the employer's kind of out of the picture here, right? What are the employer's HIPAA obligations?
00:48:20.540 --> 00:48:37.739
Mollie Sledd: Yeah, so this one is kind of a similar… similar as the last one that we went through, in that that health FSA is a self-insured group health plan, even if all the other health benefits are fully insured and the employer is completely hands-off.
00:48:38.150 --> 00:48:51.630
Mollie Sledd: Even if they, you know, promise that they're gonna have nothing to do with that health FSA, that the vendor's gonna handle everything. Unfortunately, under HIPAA, under the law, under the privacy and security rules.
00:48:51.630 --> 00:48:59.460
Mollie Sledd: They are now viewed as a self-insured group health plan sponsor, because of that Health FSA, and they are hands-on.
00:49:00.650 --> 00:49:08.519
Mollie Sledd: And that means that they are going to be subject to those additional privacy and security rule responsibilities that apply to hands-on group health plan sponsors.
00:49:08.670 --> 00:49:13.310
Mollie Sledd: So, they're gonna wanna definitely sign a BAA with their flex vendor.
00:49:13.380 --> 00:49:29.210
Mollie Sledd: You know, their FSA vendor is a business associate, and they're gonna need to implement HIPAA-compliant privacy and security policies and procedures, as well as all of those other things that we just discussed on the last page. With respect to
00:49:29.210 --> 00:49:34.370
Mollie Sledd: their Health FSA, and any employees, any staff members who work with the Health FSA.
00:49:34.640 --> 00:49:39.069
Mollie Sledd: Also consider that even if you think the vendor is doing everything, a lot of times.
00:49:39.160 --> 00:49:47.960
Mollie Sledd: FSA plan sponsors do receive transaction reports from their Flex vendors that include PHI. Some vendors may even require
00:49:47.960 --> 00:49:59.580
Mollie Sledd: plan sponsors to look at, you know, end-of-year balances, or approve specific claims, like unsubstantiated claims. So they could certainly be handling PHI.
00:49:59.580 --> 00:50:07.950
Mollie Sledd: So, you know, it's definitely something to take into account when they do their, kind of, assessment, their risk analysis, all of that.
00:50:08.270 --> 00:50:20.469
Sharon Cohen: Yeah, so even though they feel disassociated from the Health FSA because they've employed this vendor, right, it will automatically push them into a hands-on, situation.
00:50:20.470 --> 00:50:21.300
Mollie Sledd: Right, right.
00:50:21.530 --> 00:50:25.309
Sharon Cohen: And what about this small employer plan exception?
00:50:25.310 --> 00:50:33.810
Mollie Sledd: Right, yeah, you did… you did mention there was that exception. Unfortunately, as you pointed out before, it is an extremely narrow exception, because it…
00:50:34.000 --> 00:50:53.760
Mollie Sledd: It would only be available if there's no vendor, no TPA, helping administer, which in this case there is, and if there's no electronic transactions going on with PHI, which, this day and age, I don't know how you would do that without, you know, email and saving records on computers and things like that, so…
00:50:53.880 --> 00:50:55.499
Mollie Sledd: That does not get them out of it.
00:50:55.830 --> 00:50:56.780
Sharon Cohen: Okay.
00:50:58.930 --> 00:51:15.150
Sharon Cohen: Now, here we have an employer that is self-insured, their medical plan, and it's implemented technical, physical, and administrative safeguards, per the security rule, with the guidance.
00:51:15.540 --> 00:51:30.010
Sharon Cohen: Using a HIPAA vendor. And a member of the HR team sends an email containing PHI to several authorized coworkers, and later he discovers that an unauthorized colleague
00:51:30.010 --> 00:51:35.689
Sharon Cohen: was accidentally copied. So you know how we… sometimes we might have, like, a group.
00:51:35.690 --> 00:51:46.470
Sharon Cohen: That we email, and we don't realize that maybe someone within that group shouldn't have been… shouldn't have gotten that email. So what does he need to do?
00:51:47.320 --> 00:52:02.209
Mollie Sledd: Yeah, so this is definitely something that happens, right? Accidentally copying, too many people, typing in, right, the wrong name, or, you know, how Outlook, like, auto-fills the rest of a name for you sometimes. So this happens!
00:52:02.210 --> 00:52:11.019
Mollie Sledd: So the first step, whenever you have any incident where you think, "Oh, did I send PHI somewhere, or do something with it I shouldn't have?"
00:52:11.020 --> 00:52:17.679
Mollie Sledd: First step is to immediately notify the privacy official. They're going to be the person who is in the role of kind of triaging here.
00:52:17.820 --> 00:52:32.900
Mollie Sledd: They're gonna take a look and determine whether or not this constitutes a breach, which under HIPAA is the acquisition, use, or disclosure of PHI in a way not permitted by HIPAA, and in a way that compromises the security and privacy of that information.
00:52:33.220 --> 00:52:44.050
Mollie Sledd: So, if they determine that this is a breach, the next step is to perform a risk assessment, which they should do with their legal counsel, or other, you know, other vendor, other…
00:52:44.420 --> 00:52:45.440
Mollie Sledd: Consultant.
00:52:45.590 --> 00:52:57.060
Mollie Sledd: that considers four factors. What PHI is involved here? You know, how sensitive is it? What are the types of identifiers? You know, are these social security numbers? Things like that.
00:52:57.400 --> 00:53:14.509
Mollie Sledd: Who it was sent to, the unauthorized person who's receiving the PHI. Whether it was actually acquired or viewed, and the extent to which, that breach has been mitigated. You know, is there any way to kind of try to, like, contain it or fix it?
00:53:14.870 --> 00:53:30.730
Mollie Sledd: If a breach has been confirmed, then there are notification procedures under the HIPAA breach notification rule. So, notifications are going to be required in three instances. First, to the affected individuals as soon as possible, but no later than 60 days.
00:53:31.130 --> 00:53:33.920
Mollie Sledd: Second to HHS, either
00:53:34.140 --> 00:53:43.319
Mollie Sledd: As soon as possible, no later than 60 days, if it's a breach involving 500 or more individuals, or you can wait and log it, at the end of the year.
00:53:43.990 --> 00:53:54.950
Mollie Sledd: If it's… if it affects fewer than 500 individuals. And then, you may have to… to notify local media as well, if it is large enough, and you would do that with… with a press release, so…
00:53:55.060 --> 00:53:58.770
Mollie Sledd: Breaches do, unfortunately, involve some follow-up action.
00:53:58.770 --> 00:54:10.870
Sharon Cohen: Yeah, so again, with the minimum necessary rule, this also sort of lends itself to that, right? I know you and I have both been privy to emails where we're receiving
00:54:10.870 --> 00:54:30.230
Sharon Cohen: information from a group health plan, maybe it's a self-insured employer, and it's really not necessary for us to know that level of detail. Like, we could answer the question or help them and not have all of that information. So that sort of minimum necessary when you are drafting these emails
00:54:30.230 --> 00:54:46.350
Sharon Cohen: in addition to confirming that everybody who's receiving it should be receiving it. So we have one last quick example. An employer is self-insured, an employee requests a leave of absence due to a serious medical condition.
00:54:46.350 --> 00:54:52.459
Sharon Cohen: Does HR need to follow HIPAA's rules when collecting the FMLA medical form?
00:54:52.950 --> 00:55:09.940
Mollie Sledd: Yeah, so as you mentioned before, FMLA is subject… it's a type of employment record, it's an employment issue. It's not subject to the HIPAA privacy and security rules. And FMLA does specifically permit employers to require medical certification in order to approve that leave.
00:55:10.300 --> 00:55:14.669
Mollie Sledd: However, employers should not be contacting the employee's
00:55:14.720 --> 00:55:24.410
Mollie Sledd: doctor or provider directly without a HIPAA authorization. The provider is a covered entity, right? They're gonna need the authorization in order to provide that, so that
00:55:24.410 --> 00:55:41.449
Mollie Sledd: The easiest thing to do, the best thing to do, is the provider fills that form out, right? The employee brings it to their appointment, the provider fills it out, gives the certification to the employee, who then submits it to the employer or, you know, to the carrier, if they have someone administering.
00:55:41.510 --> 00:55:42.530
Mollie Sledd: FMLA.
00:55:42.750 --> 00:55:48.680
Mollie Sledd: HIPAA privacy and security rules do not apply to employers in FMLA situations.
00:55:48.800 --> 00:56:03.880
Mollie Sledd: However, FMLA has its own confidentiality and record-keeping requirements, you know, you gotta keep them separate from other employment records, all of that, and if it's a serious health condition, the ADA's, requirements may also apply, right?
00:56:04.110 --> 00:56:04.880
Sharon Cohen: Yes.
00:56:05.280 --> 00:56:10.420
Sharon Cohen: So, same rules and issues would apply for disability claims. That's what I was just gonna ask you, Molly.
00:56:10.420 --> 00:56:11.110
Mollie Sledd: Yep.
00:56:12.300 --> 00:56:14.410
Sharon Cohen: Okay, so a similar analysis.
00:56:14.740 --> 00:56:18.830
Mollie Sledd: Yes, definitely. Anything that's not true, group health plan related.
00:56:19.050 --> 00:56:20.060
Sharon Cohen: Okay, good.
00:56:20.170 --> 00:56:24.079
Sharon Cohen: Alright, so let's bring it home.
00:56:24.300 --> 00:56:30.719
Sharon Cohen: For you all. The, the heart of HIPAA, again, I think Molly and I have sort of
00:56:31.130 --> 00:56:50.530
Sharon Cohen: if anything, hopefully we've driven this home, that the heart of HIPAA is really protected health information, right? And not everything counts as that. So information like employment records or information from non-health… non-health plans, is not PHI.
00:56:50.530 --> 00:57:02.459
Sharon Cohen: And remember that PHI is individually identifiable information that is created or received by a covered entity, by a health plan or a provider.
00:57:02.540 --> 00:57:09.050
Sharon Cohen: Or healthcare clearinghouse, and it relates to a person's health condition, care, or payment for care.
00:57:09.190 --> 00:57:14.620
Sharon Cohen: HIPAA applies to all employer-sponsored health plans, but
00:57:14.730 --> 00:57:30.179
Sharon Cohen: how much the privacy and security responsibilities lie on the plan sponsor really depends on the… on whether and to the degree in which the plan actually handles PHI. So, if it's a
00:57:30.290 --> 00:57:53.719
Sharon Cohen: self-insured plan, including FSAs and HRAs, it's automatically a hands-on situation. This means that full HIPAA compliance is required. If the plan is fully insured and it can stay hands-off, it will have minimal responsibilities. But again, only if the employer avoids accessing PHI.
00:57:54.070 --> 00:58:02.799
Sharon Cohen: To be sure, every plan should go through a security risk analysis to check whether PHI is being handled.
00:58:02.800 --> 00:58:19.859
Sharon Cohen: Hands-on plans should use a HIPAA compliance vendor to help with policies and procedures, training, breach protocols, and more, and account teams can help connect employers or clients with reputable vendors.
00:58:20.780 --> 00:58:40.080
Sharon Cohen: We offer, just a quick reminder that we offer several resources on HIPAA privacy and security. We note here recent podcasts. There's a recent podcast that was done on HIPAA settlements and NFP observation, which,
00:58:40.080 --> 00:58:58.039
Sharon Cohen: which Molly worked on, which is fabulous. It, it, you know, discusses the differences between hands-on and hands-off employers, and how to maintain that hands-off, fully insured employer, to keep away from these,
00:58:58.380 --> 00:59:13.639
Sharon Cohen: many of these responsibilities. I want to thank everyone for hanging in there with us today. It was, absolutely, our pleasure, Molly and my pleasure, to speak with you today, and I hope that you have a great rest of the day.
00:59:14.710 --> 00:59:15.960
Mollie Sledd: Thank you.
00:59:17.100 --> 00:59:22.160
Amber Posthauer: Alright. Well, thank you, Sharon and Molly, for sharing your valuable time and expertise with us today.
00:59:22.260 --> 00:59:37.459
Amber Posthauer: To reiterate, today's presentation was recorded. We will be sharing the recording in the follow-up email and on the NFP website. If there are any portions of this call that you missed, by Monday, you'll receive an email with a link to the full recording. The PowerPoint slides used during this presentation will be shared in the same email.
00:59:37.800 --> 00:59:48.619
Amber Posthauer: At the end of this call, a survey will populate in a new window. Please take a brief moment to complete the survey, as it lets us know what topics are important to our listeners, and helps make our education program as current and relevant as possible.
00:59:48.730 --> 00:59:53.399
Amber Posthauer: That concludes our webinar for today. Thank you, everyone, for joining us, and have a great day!
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a sweeping federal law that touches nearly every part of the U.S. healthcare system. HIPAA’s Privacy and Security Rules set national standards for conducting electronic healthcare transactions and safeguarding personal health information.
Our Benefits Compliance team recently discussed the impact of HIPAA’s Privacy and Security Rules on employer sponsors of group health plans. We covered topics such as identifying protected health information (PHI), explaining the different requirements that apply to self-insured and fully insured plans, and outlining the administrative obligations that organizations must undertake to remain compliant. Whether you are new to the industry or an experienced benefits professional, you will gain a better understanding of the HIPAA Privacy and Security Rules and how they impact your role in servicing our clients.
Agenda
- HIPAA Overview
- Hands-Off (Fully Insured Only) vs. Hands-On PHI
- Common Scenarios
- Key Takeaways and NFP Resources
Key Takeaways: Employer Considerations
What are the key takeaways for employers?
- Focus of HIPAA Privacy and Security Rules is PHI.
- PHI does not include employment records or information from non-health plans.
- HIPAA Privacy and Security Rules apply to all employer-sponsored group health plans, but scope of compliance obligations depends on whether the plan handles PHI (hands-on vs. fully insured hands-off).
- All self-insured group health plans are hands-on, including health FSAs and HRAs.
- Fully insured group health plans can take hands-off approach but must avoid PHI.
- All plans should undergo a security risk analysis to check whether PHI is handled.
- Hands-on plans should use a vendor to assist with HIPAA compliance.
NFP Benefits Compliance Resources
For further information on the topics discussed during the presentation, please ask your broker or consultant for a copy of the NFP publication HIPAA Privacy and Security for Group Health Plans: A Guide for Employers and corresponding toolkit HIPAA Privacy and Security Toolkit.
Toolkit includes:
- List of HIPAA Privacy and Security compliance vendors
- PowerPoint Slides
- Publication
- Sample templates for fully insured hands-off plans
- Talking Points
Additional resources available:
- NFP Observation article, published in the 9/23/2025 edition of Compliance Corner – Don’t Cross the Line: Avoiding PHI Pitfalls in Fully Insured Group Health Plans
- Benefits Compliance podcast, published in the 9/23/2025 edition of Compliance Corner – EP 160: Lessons from Recent HHS HIPAA Settlement Cases