HIPAA PRIVACY AND EDI RULES

Transcription

1 The Health and Human Services (HHS) issued final HIPAA privacy regulations on August 14, These rules govern how individually identifiable medical information must be protected. HIIPAA also requires national standards for electronic health care transactions, code standards, and national identifiers for healthcare plans, providers and clearinghouses. The intent of these standards is to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange (EDI) in health care. Finally, HIPAA requires that security standards be established for the protection of electronic health information. Final rules implementing these standards are expected to be issued later this year. Following is a brief overview of the HIPAA privacy rules and EDI rules that may impact plan sponsors, plan administrators, and health plans. WHAT SHOULD AN EMPLOYER DO? 1. Determine plans subject to the HIPAA privacy rules (see Section I-A and B, Covered Entities, on page 1). 2. Determine plans subject to the EDI rules (see Section I-A and B, Covered Entities, on page 1 and Section III, Overview of EDI Rules, on page 8). Determine whether the insurer or third party administrator (TPA) is handling the EDI transactions, including the extension request, for the health plan. Is an EDI extension necessary, and if so, has one been requested by the insurer or TPA? (see Section III-B, Compliance Date, on page 8). 3. Determine what PHI you will receive (see Section II-A, Protected Health Information, on page 2). 4. Determine your obligation with each health plan, i.e., plan sponsor or plan administrator (see Section II-D, Employer Functions, on page 2). 5. Determine your role with each type of health plan that you sponsor (see Section II-G, Employer Obligations by Employer Role/Plan Type, on page 7). 6. Determine employees involved in health plan functions and provide privacy training to these employees, if required (see Section II-E(4), Privacy Training, on page 4). 7. Determine vendors who will receive PHI (see Section II-E(3), Business Associate Agreements, on page 4). I. COVERED ENTITIES Entities covered by the HIPAA privacy and EDI rules include health care providers, health care clearinghouses, and health plans. A. TYPES OF PLANS SUBJECT TO HIPAA PRIVACY AND EDI RULES Health plans subject to the HIPAA privacy and EDI rules are individual and group health plans, including: 1. Insured and self-funded health plans, such as comprehensive medical plans, dental plans, vision plans, employee assistance plans, and flexible spending accounts (FSAs) 2. Multiple employer welfare arrangements (MEWAs) 3. Long-term care policies 4. Government plans, such as the Federal Employees Health Benefit Program, CHAMPUS, Medicare, Medicaid, and the Indian Health Service Program 5. State high-risk pools

2 B. PLANS EXEMPT FROM HIPAA PRIVACY AND EDI RULES Self-administered health plans with fewer than 50 participants are exempt from the HIPAA privacy rules. For this purpose, participant means an employee, excluding dependents. The under-50 participant plan exception would primarily apply to flexible spending accounts that are administered by the employer. It is important to note that if a plan wraps multiple components into one plan, such as disability, life, etc., those components otherwise exempt from HIPAA would become subject to HIPAA. II. OVERVIEW OF HIPAA PRIVACY RULES A. PROTECTED HEALTH INFORMATION Protected health information (PHI) includes any individually identifiable medical information maintained in any form, including oral communications, that: 1. Is created or received by a covered entity or employer; 2. Relates to an individual's physical or mental condition, the provision of health care services to such individual, or the payment for such health care services; or 3. Identifies the individual or creates a reasonable basis to believe that such information could be used to identify the individual. B. DISCLOSURE OF PHI The final regulations do provide some limited disclosure of PHI to plan sponsors for plan operation purposes. Specifically, enrollment and disenrollment information can be disclosed to the plan sponsor, even though it is PHI. Enrollment and disenrollment information includes such components as: names of participants and covered dependents, covered plan choices, and premium amounts. In addition, PHI can be disclosed to business associates or other health plans, such as insurers or HMOs, for purposes of obtaining proposals, or for otherwise placing the business. C. EMPLOYMENT RECORDS Medical information received for employment purposes, and not for health plan purposes, is not PHI. This means that medical information that an employer receives relating to pre-employment physicals, drug tests, fitness-for-duty information, medical information for FMLA purposes, etc., is not subject to the HIPAA privacy rules, though, other confidentiality requirements may govern how this information must be handled. D. EMPLOYER FUNCTIONS 1. Plan Sponsorship includes: a. Plan establishment b. Plan amendment, modification, and termination c. Enrollment and disenrollment in the plan d. Marketing the plan 2

3 2. Plan Administration includes: a. Plan operation activities, such as claims assistance, claims processing, plan audits, quality assurance b. Other operational functions E. HIPAA ADMINISTRATIVE REQUIREMENTS A covered entity must establish policies and procedures that are regularly followed to ensure protection of PHI. Steps to be taken include: 1. Appoint a Privacy Officer a. Designate a privacy officer responsible for developing and implementing privacy policies and procedures to ensure compliance with HIPAA. b. Designate a contact person for privacy inquiries and complaints. This person can be the privacy officer. 2. Privacy Policy Prepare a written notice of your privacy policies and procedures, i.e., a privacy policy. The privacy policy should describe the types of uses and disclosure of PHI by the covered entity. This privacy policy can be designed in a manner such that a short summary policy is followed by a more detailed explanation of the entity s privacy practices. a. Contents of Privacy Policy. Elements of a privacy policy include: 1. A required header: This Notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully. 2. A description of the types of uses and disclosures by the covered entity for purposes of treatment, payment and health care operations. 3. A description of other purposes for which the covered entity is permitted or required to use or disclose PHI without the individual s authorization, including any use or disclosure that is prohibited or materially limited by other applicable law. 4. A statement that other uses or disclosures will be made only with the individual s written authorization. 5. A statement that the group health plan or HMO may disclose PHI to the plan sponsor, if applicable. 6. A statement of the individual s rights regarding PHI (see Rights of Individuals in Section II-F on page 6). 7. A statement that the covered entity is required to maintain the privacy of PHI and provide individuals with notice of its legal duties and privacy practices. 8. A statement that the covered entity has the right to change the terms of its privacy policy and how it will notify individuals of any change. 9. A statement that individuals may complain to the Secretary of HHS if they believe their privacy rights have been violated and include a description of how to file a complaint. 10. The name and telephone number of the person or office to contact for further information. 3

4 b. Distributing Privacy Policy 1. The privacy policy must be provided to participants upon: A. The applicability date of the HIPAA privacy rules (see Section II-I, Applicability Date, on page 7), or, if later, B. The date the individual becomes covered under the plan. 2. Every three years thereafter, the covered entity must give participants notice of the right to obtain the entity s privacy policy. 3. In addition, the privacy policy must be distributed within 60 days of any material change in the privacy policy. 4. ELECTRONIC DISTRIBUTION A. A covered entity that maintains a website that contains customer service or benefit information must post its privacy notice on its website, and make a copy of the policy available through the website. B. A privacy policy can be delivered electronically to individuals, as long as certain conditions are satisfied. 3. Business Associate Agreements Enter into business associate agreements with service providers, including third party administrators (TPAs), premium administrators, accountants, attorneys, consultants, utilization review entities and any other entity that engages in a function governed by HIPAA, or having access or using PHI. The intent of this provision is to ensure that business associates would likewise provide safeguards to PHI. The final privacy rules include sample contract language that can be used in business associate agreements. It is important for entities to carefully review this sample language to ensure its appropriateness in respect to the business associate relationship. According to the final regulations, if a written agreement exists between the health plan and the business associate prior to October 15, 2002, and if that agreement is not modified prior to April 14, 2003, the business associate agreement need not be formally entered into until the earlier of the date the agreement between the parties is modified, or, April 14, Nevertheless, both the covered entity and the business associate must comply with the spirit of the HIPAA privacy rules. This means that individually identifiable medical information must be protected. Only those with specific business reasons relating to the medical information may have access to the PHI. 4. Privacy Training Provide privacy training to all members of your workforce who would have access to PHI, including employees and non-employees. The initial training must be completed by the date on which the privacy rules become applicable to the covered entity (see applicability date, below). After that date, a covered entity would have to provide training to new members of the workforce within a reasonable time after joining the entity. In addition, when a covered entity makes a material change in its privacy policy or procedure, it 4

5 is required to retrain those members of the workforce whose duties are affected by the change, within a reasonable time of making the change. Training Certification. Upon completion of the training, the trainee is required to sign a statement certifying that he/she received the privacy training and would honor all of the entity s privacy policies and procedures. Each workforce member is required to sign a new statement every three years certifying that he/she would continue to honor the entity s privacy policies. Such certification is kept by the entity to document compliance with the privacy training provisions. 5. Implement Administrative, Technical and Physical Safeguards of PHI These might include firewalls to protect electronic data, locked file cabinets or other storage for paper records, shredding records that are no longer necessary, and limiting access to those who have a need to know. 6. Amend Plan Document to ensure confidentiality, and provide certification to the insurer that it agrees to certain terms and conditions in the use and disclosure of PHI including: a. Not using or disclosing PHI other than as permitted or required by the plan document, or by law. It must also ensure that any of its agents or subcontractors to whom the sponsor provides PHI will likewise agree to the same restrictions. b. Not using or disclosing PHI for employment-related actions. c. Providing an accounting of its disclosures, and report any inconsistent uses or disclosures of PHI. d. Providing individuals access to their PHI. e. Returning or destroying all PHI when no longer needed. f. Ensuring appropriate firewalls have been established for protecting PHI. 7. Individual s Right to Inspect, Review and Copy PHI. Establish a procedure that allows individuals to review and make changes to his/her PHI (see Section II-F, Rights of Individuals, on page 6). 8. Develop Policies and Authorization Forms for Obtaining Participant Authorization to Release PHI. If PHI is used for purposes of payment, treatment or health plan operations, then a written authorization to release PHI is not required. However, if PHI is used for other purposes, such as releasing information to an employer, managing other benefit plans not subject to HIPAA, such as disability plans, or for marketing or disease management activities, then a written authorization must be obtained from the individual to release such information. Contents of a Valid Authorization. Elements of a valid authorization include: a. Description of the information to be used or disclosed, and the purpose for its use or disclosure. 5

6 b. Name or other identification of the party releasing the information, as well as identifying the party requesting the information. c. Expiration date of the authorization. d. Signature of the individual and date. e. A statement regarding the individual s right to revoke the authorization. Covered entities are prohibited from conditioning payment, treatment, or enrollment and eligibility for benefits upon the individual s signing the authorization. 9. Review Current Record Retention Policies. The HIPAA record retention requirement provides that records must be kept for six years from the later of: 1) the date it was created, or 2) the date it is last affected. ERISA generally requires that records be kept six years beyond the year of creation (seven years). A good rule of thumb is that records be kept for seven years. 10. Establish a Complaint Process for individuals to make complaints concerning the covered entity s privacy policies and procedures. 11. Establish Sanctions for Violation of Privacy Policies and Procedures. A covered entity must have appropriate sanctions against members of its workforce who fail to comply with its privacy policies and procedures. 12. Establish a Mitigation Policy. A covered entity must mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of PHI in violation of its policies and procedures by the covered entity, or by its business associate. 13. Establish a Non-Retaliation Policy. A covered entity may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against an individual who: a. Exercises his/her privacy rights. b. Files a complaint. c. Participates in an investigation or compliance review. d. Oppose an entity s privacy policy if he/she has a good faith belief that it is unlawful. 14. Establish a Non-Waiver of Rights Policy. A covered entity cannot require individuals to waive their right to file a complaint as a condition for treatment, payment, enrollment in a health plan, or eligibility for benefits. F. RIGHTS OF INDIVIDUALS Under the HIPAA privacy rules, individuals have the following rights relating to PHI: 1. Right to receive a copy of the entity s privacy policy. 2. Right to access, inspect, and copy an individual s PHI contained in a designated record set. A designated record set means a group of records maintained by, or for a covered entity, that is: a. The medical records and billing records about individuals maintained by a covered health care provider; 6

7 b. The enrollment, payment, claims adjudication, and case or medical management record systems maintained by a health plan; or c. Used, in whole or in part, by or for the covered entity to make decisions about individuals. 3. Right to request amendment of incomplete information in a designated record set. 4. Right to an accounting of disclosure of PHI. 5. Right to request restrictions on disclosure of PHI. 6. Right to file a complaint with HHS or health plan. G. EMPLOYER OBLIGATIONS BY EMPLOYER ROLE/PLAN TYPE TYPE OF PLAN FUNCTION INFORMATION OBLIGATIONS Fully Insured Fully Insured Selffunded All administrative requirements in Sections II-E(1)-(14) except: 1. Amending the plan document [Section II-E(6)] 2. Providing compliance certification to group health plan [Section II- E(6)]. Selffunded Plan Sponsor Only Plan Sponsor/Plan Administrator Plan Sponsor Only Plan Sponsor/Plan Administrator Receives summary health information only Receives PHI Receives summary health information only Receives PHI 1. Non-waiver of rights [Section II- E(14)] 2. Non-retaliation in administrative functions. [Section II-E(13)] Insurer accomplishes all other administrative functions described above in Sections II-E (1)-(12). 1. All administrative requirements in Sections II-E (1) (14) 2. Rights of individuals [Section II-F] 1. All administrative requirements in Sections II-E(1)-(14). 2. Rights of individuals [Section II-F] H. INTERPLAY WITH STATE PRIVACY LAWS The HIPAA privacy rules are designed to enhance the protections afforded by many existing state privacy laws. Therefore, the federal privacy rules will preempt state law to the degree of greater protection of privacy. Conversely, federal law is superseded if a state privacy law provides more stringent privacy provisions. I. APPLICABILITY DATE OF PRIVACY RULES The rules become applicable on April 14, Small plans have until April 14, 2004 to comply with the rules. A small health plan is a plan with $5 million or less in annual receipts. This is determined as follows: For an insured plan, annual receipt is determined by premiums paid in the preceding fiscal year. For a self-funded plan, this means claims paid in the preceding fiscal year. If the employer has a combined insured and self-funded plan, the employer adds premium and claims paid to determine receipts. 7

8 HIPAA PRIVACY AND EDI RULES If stop loss insurance is held by the employer and not by plan to reimburse the employer for its expenses, it would appear that the premium for the stop loss insurance would not be included in the calculation of annual receipt. III. OVERVIEW OF EDI RULES A. ESTABLISHMENT OF NATIONAL STANDARDS The EDI rules govern electronic transactions between health plans (as defined in Section I-A on page 1), providers, and health care clearinghouses. Examples of administrative and financial health care transaction standards include: 1. Health claims and equivalent encounter information 2. Enrollment and disenrollment in a health plan 3. Eligibility for a health plan 4. Health care payment and remittance advice 5. Health plan premium payments 6. Health claim status 7. Referral certification and authorization 8. Coordination of benefits A health plan that neither currently, nor in the future, intends to engage in electronic transactions, then such plan would not be subject to these rules. B. COMPLIANCE DATE All health plans (as defined in Section I-A on page 1) must comply with the EDI rules by October 16, 2002, unless: 1. The plan is a small health plan (as defined in Section II-I on page 7), or, 2. A compliance extension is filed with the Centers for Medicare & Medicaid Services (CMS) no later than October 15, The extension is a simple, non-binding questionnaire that can be filed electronically through the CMS Web site ( IV. PENALTIES FOR HIPAA PRIVACY AND EDI VIOLATIONS Health plans, providers and clearinghouses that violate the privacy or EDI standards could be subject to civil penalties of $100 per incident, up to $25,000 per person, per year, per standard. Criminal penalties, including fines and imprisonment, may also be imposed. The information contained in this document is not intended to be legal, accounting, or other professional advice, nor are these comments directed to specific situations. 8