All posts tagged HIPAA

When it comes to Employee Assistance Programs, confidentiality is a concern for both employers and employees. As an employer, it is helpful to understand the terms and processes your EAP uses to keep information confidential and ensure that your employees and your workplace are safe.

The Health Insurance Portability and Accountability Act (HIPAA) rules apply to EAPs and their affiliate providers. All information that is obtained during an EAP session is maintained in confidential files. The information remains confidential except in the following circumstances:

  1. An employee/client provides written permission/consent for the release of specific information. This can be done using a Consent to Inform or Release of Information form.
  2. The life or safety of the client or others is seriously threatened.
  3. Child abuse has occurred.
  4. EAP records are the subject of a court order (subpoena).
  5. Other disclosures required by applicable law.

Depending on the situation, an employee may use EAP services through a self-referral, guided-referral or mandated-referral.

Voluntary or self-referrals are the most common. When an employee seeks EAP services voluntarily, all of the employee’s information, including whether he or she contacted the EAP or not, is confidential and cannot be released without written permission.

Guided referrals are an opportunity for the employer to encourage the employee to use EAP services when the employer senses there is a problem that needs to be addressed. This may occur when the employer identifies an employee who may be having personal or work-related difficulties but it is not to the point of mandating that the employee use an EAP. In the case of guided referrals, information disclosed by the employee is still kept confidential.

Mandatory or formal referrals usually occur when substance abuse or other behaviors are impacting productivity or safety. An employer’s policy may allow for putting the employee on a performance improvement plan and may even include a “last chance” agreement that states what an employee must do in order to keep their job. In these cases, employees are mandated by the employer to contact the EAP and a Release of Information is signed so the EAP can exchange information with the employer about employee attendance, compliance and recommendations.

In some cases, it may be advised to send the employee for a Fitness for Duty Evaluation or similar assessment to determine the employee’s ability to physically or mentally perform essential job duties, or assess for a potential threat of violence. These evaluations are performed by specially trained professionals and will come with an additional cost. If the employee has provided written consent, limited information may be released to the employer regarding the results of these evaluations.

By Kathryn Schneider
Originally Published By United Benefit Advisors

Court Orders the EEOC to Reconsider Its Wellness Program Rules | Ohio Benefit Advisors


On August 22, 2017, in AARP v EEOC, a federal court found that regulations allowing employers to offer large incentives under workplace wellness programs were arbitrary. The court did not vacate (nullify) the rules due to concerns about disrupting employers’ existing programs. Instead the court has ordered the responsible agency, the Equal Employment Opportunity Commission (EEOC), to review and reconsider its regulations.

Background

The EEOC regulates and enforces provisions of the Americans with Disabilities Act (ADA) and the Genetic Information Nondiscrimination Act (GINA) that affect workplace wellness programs. Employers with 15 or more workers generally are prohibited from requiring employees to undergo medical exams or answer disability-related questions (unless needed for certain job-related health/safety exams). An exception is allowed for wellness programs that are “voluntary,” but the meaning of voluntary has long been debated.

For many years, the EEOC failed to issue regulations defining voluntary while at the same time unofficially asserting that programs were not voluntary if the employee was required to provide private health information to earn a reward or avoid a penalty. In 2015, the EEOC finally proposed rules on the matter, which were finalized in 2016 and took effect January 1, 2017. In an about-face from its prior assertions, the EEOC rules allow employers to offer wellness program incentives of up to 30% of the health plan’s cost. The AARP, on behalf of its membership, sued in federal court alleging that the 30% threshold was too high to be considered a voluntary program.

(The Health Insurance Portability and Accountability Act (HIPAA), a separate federal law primarily regulated by the Department of Labor (DOL), not the EEOC, permits group health plans, including wellness programs, to offer incentives of up to 30% of plan cost. AARP did not challenge the HIPAA rules. HIPAA’s incentive cap applies only to health-contingent programs, however, while the EEOC’s ADA and GINA rules are broader and include both participatory-only and health-contingent wellness programs.)

In AARP v EEOC, the U.S. District Court for the District of Columbia found that the EEOC failed to justify how it had determined its new definition of a voluntary program. The court ordered the EEOC to reconsider its regulations and to file a status report by September 21, 2017 that includes a proposed schedule for the review.

Employer Considerations

Last week’s court ruling did not vacate the EEOC’s wellness program rules. They remain in force and employers may use them as guidance in designing and administering their workplace programs. At the same time, however, employers will want to be mindful that the current rules are under review and may be revised in the future. Also, employers whose wellness programs offer large incentives for providing individual health information need to consider whether their program may be challenged through private litigation. Employers are encouraged to work with their benefit advisors and legal counsel to ensure their wellness programs are consistent with rules under HIPAA, and, if applicable, under the ADA and GINA.

Originally Published By ThinkHR.com

Congress approved the Health Insurance Portability and Accountability Act (HIPAA) to guard the privacy of personal medical information, and to give individuals the right to keep their health insurance coverage for pre-existing conditions in place even if they change jobs. The law has done this, providing important safeguards for patients. But it has also increased the red tape involved in medical care.

History

Congress passed HIPAA in August 1996, and the U.S. Department of Health and Human Services finalized standards for the electronic exchange, privacy and security of health information in 2002. The rules apply to health plans, health care clearinghouses, and to any health care provider, such as a doctor, who transmits health information in electronic form.

Significance

Congress intended HIPAA to protect individually identifiable health information. Any entity, including a physician’s office, a hospital or other health care facility, or an insurer, that deals with personal health information must follow strict rules about how to handle that information to avoid disclosing it to someone not authorized to see it. For example, Health and Human Services allows physicians and insurance companies to exchange individually identifiable health information to pay a health claim, but would not allow them to release it publicly. Penalties for violating the regulations include civil fines of up to $50,000 per violation, according to Health and Human Services.

Minimum Necessary

According to Health and Human Services, the privacy rule also requires physicians, hospitals, insurers, and other health care entities to use and disclose only the minimum amount of information needed to complete the transaction or fulfill the request. As a practical matter, for example, that means a physician should not send a patient’s entire medical file to an insurer if just one page from the record will suffice to answer the insurer’s query.

Portability

In addition to protecting patients’ privacy, HIPAA also limits the ability of a new employer plan to exclude coverage for pre-existing conditions. This means a person who has health insurance coverage can change jobs — and therefore health plans — without worrying that a condition they already have, such as diabetes or asthma, would not be covered under the new health plan. This was not always the case, according to the U.S. Department of Labor. “In the past, some employers’ group health plans limited, or even denied, coverage if a new employee had such a condition before enrolling in the plan. Under HIPAA, that is not allowed,” the Department of Labor says. HIPAA also prohibits discrimination against employees and their family members based on health histories, previous claims, and genetic information, according to the Department of Labor.

Pros of HIPAA

HIPAA, for the first time, allowed patients the legal right to see, copy, and correct their personal medical information. It also prevented employers from accessing and using personal health information to make employment decisions. And, it enabled patients with pre-existing conditions to change jobs without worrying that their conditions would not be covered under a new employer’s health plan.

Cons of HIPAA

However, HIPAA’s effects have not all been positive. The regulations increased the paperwork burden for doctors considerably, according to the American Medical Association. HIPAA has spawned a mini-industry of companies and consultants who help medical professionals comply with the law’s lengthy provisions. In addition, some professionals who deal with medical paperwork have become overcautious about releasing protected information. For example, some physician’s offices now refuse to mail test results, saying patients need to pick them up in person. And some hospitals require physicians to submit written requests on their own letterhead for information on a patient’s condition, when the law allows this information to be provided by phone.

Originally published by www.livestrong.com

The Health Insurance Portability and Accountability Act (HIPAA) established national standards to secure and protect the privacy of health information. The Health Information Technology for Economic and Clinical Health Act (HITECH) requires the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) to conduct audits of covered entities and business associates in order to ensure compliance with the HIPAA Privacy, Security, and Breach Notification Rules.

OCR initiated a pilot program in 2012 to assess the processes implemented by 115 covered entities to comply with HIPAA’s requirements. The pilot program was a three-step process: (1) initial protocol development, (2) test of these protocols by conducting 20 audits, and (3) full audit execution using revised protocol materials, which were completed by the end of December 2012.

OCR selected a pool of covered entities for audits that broadly represented a wide range of healthcare providers, health plans, and healthcare clearinghouses. Criteria to select entities to be audited included whether the entity was public or private, size of the entity, affiliation with other healthcare organizations, the type of entity and relationship to patient care, past and present interaction with OCR concerning HIPAA enforcement and breach notification, as well as geographic factors.

A wide range of covered entities were audited in Phase 1. The audit process began when selected entities received a notification letter from OCR notifying them of their selection and asking them to provide documentation of their privacy and security compliance efforts. Every audit included a site visit during which auditors interviewed key personnel and observed processes to determine compliance. Following the site visit, auditors developed a draft audit report which described how the audit was conducted, what the findings were, and what actions the covered entity took in response to those findings. The covered entity had the opportunity to remedy any compliance issues. The final report included the steps the entity took to resolve any compliance issues identified by the audit and it also described best practices.

OCR used the final audit to understand HIPAA compliance efforts and to determine the types of technical assistance that should be developed and the types of corrective action that are most effective. The technical assistance and best practices that OCR generated assisted covered entities and business associates in improving their efforts to keep health records safe and secure.

Originally published by United Benefit Advisors

Significant Changes for Health Care Providers, Health Plans, and Their Business Associates and Subcontractors in Final HIPAA Privacy Regulations

Covered entities and business associates are required to comply by September 23, 2013.