Netzealous -MentorHealth, Online Event
Training Options Duration: 90 Minutes
Thursday, September 28, 2017 | 10:00 AM PDT | 01:00 PM EDT
Overview: Now that the HIPAA rules have been in place for more than a dozen years, the days of advice and counseling have been replaced by a hard-nosed enforcement attitude, where HHS OCR is ready to make health care organizations that violate the rules feel some pain for their actions, and employer-based health plans are no exception. In order to determine their HIPAA compliance obligations, employers need to go through an analysis of their health insurance offerings for their employees. Employers need to examine whether the plan is insured or self-insured, whether it is one plan or several, whether they rely on an insurer for all the functions or use a third party administrator, and much more. Much of the determination of how to comply depends on how involved the employer is with the operation of the plan and the kinds of information the employer receives about the health plan.
One of the keys to compliance for health plans is recognizing that the health plan is a separate entity from the employer, and the appropriate controls and limitations must be in place to protect PHI from inappropriate use or disclosure. In most cases, the disclosure of "summary health information" to the employer is permitted under HIPAA; this session will explore what "summary health information" is and how the exclusion works. Employer health plans must also be careful what information they ask for from employees, as genetic information is prohibited from consideration in the setting of rates or determination of eligibility for coverage. The definition of "genetic information" under HIPAA and the Genetic Information Nondiscrimination Act includes a wide variety of information about family history and more, which must be avoided by the health plan.
And finally, at those times when a health plan sponsor needs access to an employee's health information, the appropriate processes for management of HIPAA Authorizations must be followed to prevent a disclosure that may trigger a response under the HIPAA Breach Notification rules. And even if the health plan holds only limited information, that information must be protected according to the Privacy and Security rules. If you don't take the proper steps to ensure your employees' rights and health information are being protected according to the HIPAA Privacy, Security, and Breach Notification Rules, you can be hit with significant fines and penalties. With the increased HIPAA fines beginning at $10,000 in cases of willful neglect, following the privacy requirements, providing good information security, and being in compliance are more important than ever.
Why should you Attend: The HIPAA Privacy Rule governs the use and disclosure of Protected Health Information (PHI) by "covered entities." Covered entities are defined as health plans, health care clearinghouses and health care providers who transmit health information electronically using certain transactions. While the Privacy Rule does not directly regulate employers, the requirements apply to "group health plans" that are sponsored by many employers. Covered plans include those providing medical, dental, vision, pharmacy and other medical benefits. Flexible spending accounts also fall within the definition. The Privacy Rule specifically excludes from coverage disability plans, workers' compensation plans and life insurance, despite their potential coverage of medical services.
For plans providing benefits solely through insurers and HMOs, the impact of the Privacy Rule is fairly minimal, provided the plan and the plan sponsor do not create or receive any PHI other than "Summary Health Information" received for the purposes described above (e.g., the new standard experience report is considered "Summary Health Information") or enrollment information. But for self-insured plan sponsors, there are numerous requirements for Business Associate Agreements, Privacy Notices, handling of disclosures from the Group Health Plan to the Plan Sponsor, and much more. Penalties for non-compliance can reach into the millions of dollars depending on the circumstances, and HHS has been announcing violation settlements at an increasing rate. Now is the time to make sure your group health plan is properly following the rules so you can avoid penalties for violations.
Areas Covered in the Session:
The various kinds of health plans under HIPAA will be explored and defined
The differences between self-insured and fully-insured health plans and their HIPAA obligations will be explained
The kinds of information that must be protected by the health plan and the health plan sponsor will be discussed
Requirements for HIPAA Business Associate Agreements will be explored, including an explanation of the circumstances under which establishing BAAs is required
Limitations on the use of PHI held by the health plan will be explained, and requirements for obtaining HIPAA Authorizations will be discussed
Plan sponsor obligations will be explained in detail
The importance of a good compliance process in helping you stay compliant more easily will be discussed
Who Will Benefit:
Information Systems Manager
Chief Information Officer
Health Information Manager
Jim Sheldon-Dean is the founder and director of compliance services at Lewis Creek Systems, LLC, a Vermont-based consulting firm founded in 1982, providing information privacy and security regulatory compliance services to a wide variety of health care entities.
Sheldon-Dean serves on the HIMSS Information Systems Security Workgroup, has co-chaired the Workgroup for Electronic Data Interchange Privacy and Security Workgroup, and is a recipient of the WEDI 2011 Award of Merit. He is a frequent speaker regarding HIPAA and information privacy and security compliance issues at seminars and conferences, including speaking engagements at numerous regional and national healthcare association conferences and conventions and the annual NIST/OCR HIPAA Security Conference in Washington, D.C.
Sheldon-Dean has more than 30 years of experience in policy analysis and implementation, business process analysis, information systems and software development. His experience includes leading the development of health care related Web sites; award-winning, best-selling commercial utility software; and mission-critical, fault-tolerant communications satellite control systems. In addition, he has eight years of experience doing hands-on medical work as a Vermont certified volunteer emergency medical technician. Sheldon-Dean received his B.S. degree, summa cum laude, from the University of Vermont and his master’s degree from the Massachusetts Institute of Technology.
Phone No: 1-800-385-1607