PBA HIPAA Privacy & Security Forms: Overview
Overview
The enclosed Guide and other HIPAA Privacy and Security Rule Forms are being provided by PBA. The Guide will provide you with an overview of how to use the forms. The forms were created by Quarles & Brady LLP, a law firm.
What is the HIPAA Privacy and Security Rule?
In 1996 Congress passed the Health Insurance Portability and Accountability Act ("HIPAA"), under which the Department of Health and Human Services issued regulations requiring Group Health Plans to identify their "protected health information" ("PHI") and keep that PHI private (the Privacy Rule) and secure (the Security Rule). The Privacy Rule generally prohibits a Group Health Plan from using or disclosing PHI except for certain permitted purposes. The Security Rule requires that PHI held in electronic form ("electronic PHI") be protected by administrative, physical and technical safeguards while it is stored and while it is transmitted. For example, electronic PHI generally must be protected by firewalls, access controls and other mechanisms that guard its confidentiality, integrity and availability.
What is a "Group Health Plan"?
A "Group Health Plan" is generally a plan which provides or pays for medical care for an employer's employees. Common examples include major medical, dental, vision, health reimbursement arrangement ("HRA") and health flexible spending account ("Health FSA") coverage. Plans which are not "Group Health Plans" (such as life insurance or disability insurance) are not subject to HIPAA's Privacy and Security Rule.
How Do We Adopt These Policies, Procedures and Forms?
Generally, the Privacy Official would review the Privacy Rule Policies and Procedures Guide and the relevant forms noted below under "How Do I Use the Forms?". The Security Official would review the Security Rule Policies and Procedures Guide and the relevant forms noted below. The documents must be customized -- for example, the name of the employer's health plan (e.g., the "Sample Co. Group Health Plan") usually must be included in each document. Also, sometimes the Privacy Official and Security Official will need to make other determinations (e.g., the "contact office" to which plan enrollees direct complaints about possible HIPAA issues).
Once the documents have been completed and approved by the Privacy Official, Security Official and others within your organization, the documents should be formally "adopted" by your organization. Usually a high-level entity (e.g., board of directors) or person (e.g., president) would adopt the documents by signing them. For example, the cover page for the Privacy Rule Policies and Procedures Guide has a signature line so that they can be adopted.
You should retain your prior HIPAA forms for at least six years after you adopt these new Forms.
How Do I Use the Forms?
The Forms serve as a "guide" to the HIPAA Privacy and Security Rule. You -- or someone else in your organization -- should identify the employees within your organization who work with the group health plan and who could receive PHI. The person within your organization who handles HIPAA Privacy issues is called the "Privacy Official". The person within your organization who handles HIPAA Security is called the "Security Official". In some organizations, the Privacy Official and Security Official are the same individual. The documents describe the typical situations faced by a Group Health Plan under HIPAA.
The Privacy Official would be in charge of reviewing and completing the following:
- Privacy Rule Policies and Procedures Guide - These are legally-required policies and procedures that the plan must adopt and follow.
- Privacy Rule Forms - Forms 1 through 9 are forms which are all mentioned in the Privacy Rule Policies and Procedures Guide. The Policies and Procedures Guide will tell you when the forms will be used. For example, Form 7 is a Privacy Practices Notice. This Notice is usually distributed to Group Health Plan enrollees to inform them of their HIPAA rights.
- Breach Forms - Forms 10 through 14 are forms which (like Forms 1 through 9) are all mentioned in the Privacy Rule Policies and Procedures Guide. These forms help guide you if there is a "breach" of PHI (e.g., if a former employee unlawfully accesses your system and misuses PHI in a harmful way). If you never experience a breach or possible breach, you would not ever use Forms 10 through 14 -- they are there just in case you need them.
The Security Official would be in charge of reviewing and completing the following:
- Security Rule Policies and Procedures Guide (Required) - These are policies and procedures that the Group Health Plan must adopt if the plan has any electronic PHI. They require that the Security Official, on behalf of the plan, take certain actions (e.g., conduct a risk assessment to identify the risks to electronic PHI and the safeguards that address them).
- Security Rule Policies and Procedures Guide (Addressable) - These are policies and procedures that the Group Health Plan must consider -- and document this consideration. An addressable safeguard must be implemented if it is reasonable and appropriate for the plan; if it is not, the plan must document why and, where reasonable and appropriate, implement an equivalent alternative measure. For example, it may not be appropriate for the plan to encrypt emails it sends which contain PHI. If so, the Security Official would consider alternatives to that proposed action. The Security Official would document his or her consideration, and any alternative adopted, using Form 15.
- Breach Forms - Forms 10 through 14 are used both for breaches involving electronic PHI (which would usually involve the Security Official) and for non-electronic (e.g., paper-based) PHI, which would usually involve the Privacy Official.
When do We Have to Adopt These Forms?
Under the 2013 HIPAA Omnibus Final Rule, which implements the HITECH Act, the updated documents must be completed and adopted by September 23, 2013. All Business Associate Agreements also should be updated by that date.