the PowerPoint! - Self

Report
Privacy and Security Laws Beyond
HIPAA: Protecting Consumer
Information
Webinar Presented by Laura Bird
January 29, 2014
1
Module Contents
• Introduction
• Privacy and Security of Personally Identifiable
Information under the Affordable Care Act
• Privacy and Security of Federal Tax Information under
the Tax Code
• Other Requirements on Certified Application
Counselors and Navigators under Agreements with the
Centers for Medicare & Medicaid Services
• Authorized Representative Designation & Privacy
• Other Considerations & Guidance
2
Introduction
3
Acronyms
Acronym
ACA
Meaning
Affordable Care Act
CAC
Certified Application Counselor
CDO
Certified Designated Organization
CMS
Centers for Medicare & Medicaid Services
FFM
Federally Facilitated Marketplace
FTI
Federal Tax Information
HIPAA
Health Insurance Portability and Accountability Act
IRS
Internal Revenue Service
PHI
Protected Health Information
PII
Personally Identifiable Information
QHP
Qualified Health Plan
4
Why is Protecting Consumer
Information Important?
• Besides the fact that it can harm a person
personally and financially…
• Purpose of Marketplace is to help people get
insured.
• Enrollment assisters have a key role in
protecting information.
• Disclosure can result in civil and criminal
penalties.
5
Enrollment Assisters
• Types
–
–
–
–
–
–
Navigators
Non-Navigator Assister Personnel
Certified Application Counselors
Authorized Representatives
Outreach and Enrollment Workers
Agents and Brokers (not discussed here)
• Enrollment Assisters will need to be familiar with
applicable privacy and security laws beyond
HIPAA in providing assistance to consumers.
6
Enrollment Assisters & Privacy
• Enrollment assisters who assist consumers
apply for coverage will have access to a
consumer’s personal information.
• Enrollment assisters are bound by the ACA, as
well as other privacy laws, to protect
consumer information that the enrollment
assister may be exposed to and have a duty to
ensure that it’s not used or shared in a
harmful way.
7
Privacy and Security of PII Under
The ACA
8
Compliance with HIPAA is not Enough
• I/T/Us are required to comply with the HIPAA
Privacy, Security and Breach Notification Rules
as to the PHI created, maintained, or
transmitted.
• The ACA privacy and security standards are
broader than HIPAA. Complying with HIPAA is
not enough to comply with ACA privacy and
security standards.
9
Eight ACA Privacy and Security
Standards
1.
2.
3.
4.
5.
6.
7.
8.
Individual access
Correction
Openness and transparency
Individual choice
Collection, use and disclosure limitations
Data quality and integrity
Safeguards
Accountability
10
Confidentiality of Consumer’s PII
Under the ACA
• A consumer is required to provide only the information
strictly necessary to verify identity, determine eligibility
for insurance, and determine the amount of the tax
credit or cost sharing reduction.
• Any person (including enrollment assisters) who receives
information provided by an applicant or from a Federal
agency shall use the information only for the purpose of
ensuring efficient operation of the Marketplace and shall
not disclose the information to any other person.
See Section 1411(g) of the Affordable Care Act.
11
What is the Penalty for Disclosing PII?
• A “….person who knowingly and willfully uses
or discloses information in violation of section
1411 (g) of the Affordable Care Act will be
subject to a civil penalty of not more than
$25,000 per person or entity, per use or
disclosure, in addition to other penalties that
may be prescribed by law.”
45 C.F.R. § 155.260(g).
12
Examples of Information Considered
PII Under the ACA
Name
Biometric Records (e.g.,
height, weight, etc.)
Medical Information
Social Security Number
Phone Number
Educational Information
Date and Place of Birth
Address
Financial Information
Mother’s Maiden Name Driver’s License Number
Employment
Information
*These are only examples, the CMS Agreements include a long list
of the types of PII a Navigator or CAC may receive.
13
Non-Exchange Entity
• A Marketplace must require the same or more
stringent privacy and security standards as a
condition of an agreement with a NonExchange entity.
• A Non-Exchange entity specifically includes
Navigators, CACs and agents and brokers.
• A Tribe or organization with Outreach and
Enrollment Workers may be considered a NonExchange entity.
14
Non-Exchange Entity (cont’d)
• A Non-Exchange entity is not specifically defined
in the regulations but refers to: “…Individuals or
entities, such as Navigators, agents, and brokers,
that:
(1) Gain access to personally identifiable information
submitted to the Exchange; or
(2) Collect, use or disclose personally identifiable
information gathered directly from applicants, qualified
individuals, or enrollees while that individual or entity is
performing the functions outlined in the agreement
with the Exchange….”
15
Applicable Laws and Requirements
Type of Enrollment Assister
Applicable ACA Security and Privacy Laws and Other
Requirements
Navigators
Section 1411 (g); 45 C.F.R. 155.210; 45 C.F.R. §
155.260; CMS Agreement with Attachments; and
MARS-E Suite of Documents
Non-Navigator Personnel
Assistance (In Person
Assisters)
Section 1411 (g); 45 C.F.R. § 155.260; State
Marketplace Agreement (if applicable)
Certified Assistance
Counselors
Section 1411 (g); 45 C.F.R. § 155.225; 45 C.F.R. §
155.260; CMS Agreement with Appendices; and
MARS-E Suite of Documents
Authorized Representatives
Section 1411(g) 45 C.F.R. § 155.227; and Authorized
Representative Designation Form
Outreach and Enrollment
Workers
Section 1411(g); likely considered a Non-Exchange
entity subject to the same laws as CACs.
16
Oversight of ACA Privacy and Security
Standards
HHS has oversight and monitors: State has oversight and
monitors:
• Federally-facilitated
• Non-Exchange Entities in a
Marketplaces
State-based Marketplace
• State Partnership
Caveat: If your Tribe or organization
Marketplaces
entered into an agreement with the
• Non-Exchange Entities in an
State then your Tribe or organization
FFM
may have agreed to comply with
other state privacy and security laws.
• State-based Marketplaces
17
Section Summary: What You Need to
Know
• You must keep the consumer’s
information confidential, never disclose
information to others.
• Under ACA, there are civil penalties for
disclosure of confidential information.
• Critical to maintain consumer’s trust!
18
Questions
???
19
Privacy and Security of FTI under
The Tax Code
20
Under the Tax Code
• The ACA regulations incorporate reference to the Tax
Code.
• Under the Tax Code, if you have access to Federal Tax
Information (FTI) from the IRS or a secondary source
to carry out consumer eligibility requirements for
premium tax credits or any cost sharing reduction, or
eligibility in a State Medicaid Program, CHIP or basic
health program, you are bound not to disclose FTI
obtained in any manner in connection with the
service provided to the consumer.
• FTI includes returns and return information and must
be kept confidential.
21
Federal Tax Information (FTI)
FTI is any return or return information received from the IRS or
a secondary source.
Return
Return Information
• Any tax or information return
(e.g., 1040, 1040A, 1040EZ,
etc.), including forms such as
W-2s and 1099s.
• Declaration of estimated tax
• Claim for refund
• Any amendment or supplement
• Supporting schedules,
attachments or lists which are
part of the return
• Any information collected or generated by the
IRS regarding any person’s liability or possible
liability for any tax, penalty, interest, fine,
forfeiture, or offense
• Information extracted from a return, including
dependents or location of business
• The taxpayer’s name, address, and
identification number (e.g., SSN or EIN)
• Information collected about any person’s tax
matters
• Information about a person’s income,
finances, debts, deductions and exemptions
22
FTI Available through Marketplaces
Under the Tax Code
• Taxpayer identity information
• Filing status (single, married, etc.)
• The number of individuals for whom a deduction is
allowed
• The taxpayer’s modified adjusted gross income (MAGI)
• The taxable year of the information, or that such
information is not available.
• Other information that might indicate whether an
individual is eligible for the premium tax credit, or cost
sharing reductions, and the amount.
23
Protecting FTI
• Do not retain the FTI after the enrollment
session is over.
• Never access FTI if the information is not
needed for the consumer’s enrollment.
• If you have access to a consumer’s FTI, do not
disclose the FTI.
• Criminal penalties and civil liability can result
from unauthorized access or disclosure of FTI.
24
What is Considered Unauthorized
Access?
• Unauthorized access occurs when an entity or
individual receives or has access to FTI
without authority.
• Criminal penalty: Misdemeanor punishable by
a fine of up to $1,000, or imprisonment of not
more than one year, or both, plus the costs of
prosecution.
• Civil liability: A taxpayer may sue the
employee or assister for damages.
25
What is Considered Unauthorized
Disclosure?
• Unauthorized disclosure occurs when an entity or
individual with authorization to receive FTI
discloses FTI to another entity or individual who
does not have the authority and a need-to-know.
• Criminal penalty: Felony punishable by a fine of
up to $5,000, or imprisonment of not more than
one year, or both, plus the costs of prosecution.
• Civil liability: A taxpayer may sue the employee or
assister for damages.
26
Section Summary: What You Need to
Know
• FTI is only that information received directly
from the IRS or through a secondary source.
• Never retain FTI after the enrollment session
ends.
• Even if you receive the return or return
information from a consumer directly to assist
with an application, do not keep this
information in your files and make sure to
return it to the consumer.
27
Questions
???
28
Other Requirements on Navigators
and CACs under
CMS Agreement
29
Additional Navigator and CAC
Requirements
• Navigators and CACs are subject to six categories of
privacy and security standards that the Navigator or
CAC organization agreed to with CMS, including any
attachments and referenced documents.
– Note: Links to the documents are provided in the next
slide.
• As a Navigator or CAC, you may be required to sign an
agreement with your employer to perform your duties
as a Navigator or CAC.
• Recommendation: These standards should also be
followed by I/T/Us not under a formal agreement with
CMS or a Marketplace as minimal standards to ensure
the protection of consumer information.
30
Links to Referenced Documents
• Model Navigator Assistance Consent Form in FFM, available at
http://oci.wi.gov/navigator/navigator-consent.pdf
• Model CAC Authorization Form in FFM, available at
http://enrollmentloop.org/sites/default/files/helpimages/CAC%20C
onsent%20Form.pdf
• Appendices to Model Agreement Between CAC and Organization in
FFM, available
athttp://revcycle.med.umich.edu/sites/default/files/Appendices%2
0to%20the%20CDOCAC%20Model%20Agreement%20%282%29.pdf
• MARS-E Suite of Documents, available at
http://www.cms.gov/cciio/resources/regulations-andguidance/#MinimumAcceptableRiskStandards
31
6 Categories of Privacy and Security
Standards
1- Individual Access:
– Organization must have policies and procedures in
place to provide consumers with access to PII upon
request.
– Organization must respond to a request for access and
grant or deny request within 30 days.
2- Openness & Transparency:
– Organization must provide a Privacy Notice Statement
that is prominently and conspicuous displayed on a
public facing website (if applicable), or in electronic
form and/or paper form that will be used to gather
and/or request PII.
32
6 Categories of Privacy and Security
Standards (cont’d)
3- Individual Choice:
– Organization may only use PII for the functions and
purposes listed in the Privacy Notice Statement and
any agreements that were in effect when PII was
collected unless the consumer’s informed consent is
obtained. The consent must be appropriately secured
and retained for 10 years.
4- Collection, use and disclosure limitations:
– Organization should always try to collect PII directly
from the consumer when information may result in an
adverse determination about benefits.
33
6 Categories of Privacy and Security
Standards (cont’d)
5- Data quality & integrity:
– Organization must allow a consumer the right to
amend, correct, substitute or delete PII. Such
request must be granted or denied within 10
working days of request.
– Organization must verify consumer’s identity.
– Organization must maintain an accounting of any
and all disclosures for at least 10 years after the
disclosure, or the life of the record, whichever is
longer.
34
6 Categories of Privacy and Security
Standards (cont’d)
6- Accountability:
– Organization must implement breach and incident
handling procedures.
– Organization shall incorporate privacy and security
standards and implementation procedures in its
standard operating procedures as to PII.
– Organization shall develop training and awareness
programs for members of its workforce involved with
PII.
– Organization shall adopt and implement Security
Control Standards.
35
Model Consent Form Templates
Navigator Model Consent Form
CAC Model Consent Form
Selected privacy and security standards:
Selected privacy and security standards:
• “[Navigator] will make sure that my PII • [CAC] will follow privacy and
is kept private and secure…”
information security standards when
• “Navigator should not maintain or
creating, collecting, disclosing,
store any of my PII…”
accessing, maintaining, storing and/or
• “Navigator will make sure that any
using my PII….Information about these
stored PII is kept private and secure…”
standards will be provided.”
• “If [Navigator] does collect, handle,
• [CAC] aren’t expected or required to
disclose, access, maintain, store and/or
maintain or store any of my PII and/or
use my PII….[Navigator] will keep that
the PII of my authorized
PII private and secure.”
representative, other than this
authorization form, but if [CAC] do
maintain or store my PII, they will
follow privacy and information security
standards.”
Note: See slide #31 for links to these consent forms.
36
Consent Form Modifications
• Mailing Documents for Consumers
– CMS Training: The best practice discourages
mailing of applications by CAC. See Privacy and
Security Standards, Course 13.
– Best practice is to ask the consumer to mail the
application him/herself.
– However, where consumer may be unable to
accomplish this task, you could have a separate
consent form allowing the organization/assister to
mail the application releasing the
organization/assister from liability.
37
Section Summary: What You Need to
Know
• Always provide a Privacy Notice Statement to
consumer.
• Always obtain a consent form before assisting a
consumer.
• Always obtain informed consent (separate form) for
any use or disclosure of consumer’s information
outside of the Privacy Notice Statement. Consents
must be kept for 10 years.
• Keep track of any disclosures made as to consumer’s
information. Must be kept for 10 years.
• Report any breaches of the consumer’s PII or FTI.
38
Questions
???
39
Authorized Representative
Designation & Privacy
40
What is an Authorized
Representative?
• An authorized representative is a person or organization
authorized by a consumer to assist the consumer with his
or her application and enrollment in insurance in the
Marketplace.
– An authorized representative should have authority to also work
with the QHP, but a separate form could be required.
• A consumer should select a person or organization that
the consumer trusts to act as his or her representative
since this person will have access to the consumer’s PII.
• The FFM paper application allows a consumer to name
an authorized representative, but it may be done through
the electronic application.
• A consumer may revoke a designation at any time.
41
Duties of Authorized Representative
• An authorized representative may be
authorized to:
– Sign the application on behalf of the consumer
– Submit an update or respond to a redetermination
for the consumer
– Receive copies of the consumer’s notices and
other communications from the Marketplace; and
– Act on behalf of the consumer in other matters
with the Marketplace. See 45 C.F.R. § 155.227(c).
42
Requirements of Authorized
Representative Designation
• Must be in a written document signed by consumer, or
through another legally binding format.
• Marketplace must ensure that the “…authorized
representative agrees to maintain, or be legally bound
to maintain, the confidentiality of any information…”
regarding the consumer.
• Marketplace must ensure that the representative is
responsible for fulfilling all required duties.
• Marketplace must provide information to both the
consumer and the authorized representative regarding
representative’s powers and duties.
See 45 C.F.R. § 155.227(a)(2)-(5).
43
Timing of Designation
• The Marketplace must permit a consumer to
designate an authorized representative:
– At the time of the application; or
– At other times and methods, including:
•
•
•
•
Via an internet website
By telephone through a call center
By mail
In person
See 45 C.F.R. 155.227(b), 155.405(c)(2).
44
Language in FFM Paper Application
• By signing an authorized representative
designation, a consumer gives the
representative:
– Permission to talk about the consumer’s
application with the Marketplace
– See consumer’s information
– Act on consumer’s behalf on matters related to
the application, including obtaining information
about consumer’s application
– Sign the application on consumer’s behalf.
45
Authorized Representative Designation in
Selected State-based Marketplaces
State
Authorized Representative Form
CO
Part of application. Same terms as FFM designation, but adds that authorized
representative takes legal responsibility for the information provided in the
application. Note: Specifically states that an enrollment assister can act as an
authorized representative but must provide documentation that consumer cannot
act on own behalf.
MA
Separate form explaining in detail who may be selected as an Authorized
Representative and includes additional terms and disclosures. Available at:
http://www.mass.gov/eohhs/docs/masshealth/privacy/ard.pdf.
MN
Part of application. Same language as FFM designation.
NV
Separate form with additional terms and disclosures. No link but can be googled,
enter “Consent for Facilitated Enrollment by An Authorized Representative.”
OR
Separate form with the same language as FFM but additional language at signature
line states that Authorized Representative understands that he/she is liable for
repayment of an overpayment if he/she knowingly withholds information or gives
incorrect or incomplete information. Available at
http://resources.coveroregon.com/pdfs/Consent_for_Assistance_Form.pdf.
46
Authorized Representative v. CAC
Consideration
I/T/U Authorized
Representative
I/T/U CAC
Training
May not be formally trained on
Marketplace enrollment process.
Certified to assist consumers in the
State. Familiar with process.
Privacy and
Confidentiality
No specific training on privacy and
confidentiality of consumer
information beyond HIPAA.
Received specific training on privacy
and confidentiality of consumer
information in Marketplace.
Applicable ACA
Laws and
Regulations
Section 1411 (g); 45 C.F.R. §
155.227
Section 1411 (g) 45 C.F.R. §§
155.225, 155.260
Other
Requirements
If within an I/T/U, privacy practices
would apply in handling PHI.
Compliance with all terms in
organization’s agreement with CMS,
including any attachments and
referenced documents.
Access to
Information
Complete access to consumer
information.
Potentially less access to consumer
information.
47
Can a CAC also be an Authorized
Representative?
• Yes. A CAC can also be designed as a
consumer’s authorized representative.
48
Section Summary: What You Need to
Know
• Authorized representatives must agree to
maintain confidentiality of consumer
information.
• Best practice for authorized representatives
within an I/T/U would be to follow the same
or similar standards as Navigators and CACs
under CMS Agreements.
49
Other Considerations & Guidance
50
Tribal Sponsorship Considerations
• Tribes involved in Tribal Sponsorship of QHPs in
the Marketplace should only collect and retain
information solely for the purpose of
administrating the program.
– May include very sensitive information, such as
claims data or other medical information.
• Follow the same six privacy and security
standards previously discussed (see slides 32-35).
– Make sure to tailor Privacy Notice Statement and
consent forms to Tribal Sponsorship.
51
General Guidance on Physical and
Electronic Protection of Information
• Secure PII in a locked file cabinet, and limit
access.
• Password protect computers and electronic files
containing consumer information, and limit
access.
• Never email PII/FTI, or request this information
via email.
• Do not keep notes with a consumer’s PII/FTI.
• Never leave consumer information unattended
on your desk or computer screen.
52
Questions
???
53

similar documents