Professional Employer Organizations' Obligations Under HIPAA: A Summary


NAPEO Legal Insights™
Volume 2, Number 6, November 2009

Professional Employer Organizations' Obligations Under HIPAA: A Summary

Dale R. Vlasek, Esq.
Attorney, McDonald Hopkins LLC, Cleveland, Ohio

NAPEO Legal Insights™ is published by the National Association of Professional Employer Organizations and is an exclusive member service. NAPEO, 707 North St. Asaph Street, Alexandria, VA. NAPEO: The Voice of the PEO Industry, The Source for PEO Education. This is a copyrighted publication of NAPEO and may not be copied, reproduced, or distributed without the written authorization of NAPEO.

A PEO is obligated to follow the rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). What the PEO's duties are depends on what role it is playing as an employer, a co-employer, and sponsor/administrator of a group health plan.

The extensive requirements of the privacy provisions of HIPAA are explained in detail in NAPEO Legal Review, "HIPAA Privacy in the Workplace: A Primer for PEOs," Part I and Part II, September 2003, Volume 1, Issue 8 and October 2003, Volume 1, Issue 9. (It is available to NAPEO members at The purpose of this more limited NAPEO Legal Insight is to provide PEOs with a more focused outline of a PEO's duties under HIPAA.

As HIPAA relates to PEOs, there are three areas of concern:

- Privacy protection imposed on organizations and individuals who handle health information;
- The portability of health insurance coverage as employees move between employers; and
- The prevention of discrimination in health benefits based on health factors relating to an individual.

Privacy

HIPAA requires that covered entities protect the privacy of what is called protected health information (PHI). Technically, an employer is not a covered entity under HIPAA. A group health plan, however, is a covered entity. Therefore, an employer is indirectly obligated to comply with HIPAA's privacy rules in its role as the plan sponsor or administrator of a group health plan.

Protecting PHI

PEOs routinely come into possession of information about the health and medical conditions of their employees, co-employees, or their dependents. It is a best practice for a PEO to treat all such information with care and attention to the privacy of worksite employees. However, it is essential for the PEO to determine whether the information it receives is protected, and if it is, what steps the PEO needs to take to protect it.

PHI refers to health information in any form, including oral, electronic, written, or any other medium, that is created or received by a provider, health plan, employer, or healthcare clearinghouse. The information must:

- Relate to the physical or mental health or condition of an individual, at any time, past, present, or future;
- Identify an individual or be usable to identify an individual; and
- Be in the possession of the group health plan (or some other covered entity).

It includes information related to the payment of health benefits.

In its role as an employer or co-employer, a PEO routinely receives health information. These instances include drug testing, pre-employment physicals, and doctor's notes relating to sick days or leaves of absence. Normally, this information is not protected by HIPAA [1] because the PEO is receiving this information as an employer or co-employer and not as a covered entity. Nonetheless, the PEO, for its own protection, may wish to ensure that its forms provide that the employee or co-employee is authorizing the release of the information to the PEO.

PEOs, however, also receive health information in their roles as health plan sponsors or administrators. Health plans are covered entities and as such must take care to protect PHI. Health plans include a group health insurance program typically provided by a PEO as well as flexible savings accounts (FSAs), vision plans, and dental plans. In addition, to the extent a client-employer chooses not to participate in the PEO's health program, but maintains its own, the PEO may assist in the administration of these plans. In that capacity, the PEO will need to comply with the privacy rules.

[1] One cautionary note: this paper addresses federal HIPAA requirements. PEOs are also subject to a number of other federal and state laws that may impose privacy or records-handling requirements other than those under HIPAA.

Practical Steps

As the plan sponsor or administrator of a health plan, a PEO should be doing the following to comply with HIPAA's privacy rules:

- Develop and implement a privacy policy;
- Designate a privacy officer whose job it is to implement the policy and update it as needed;
- As part of the policy, identify which PEO employees will have access to PHI;
- Develop and implement a program to train such employees on the proper handling of PHI; [2]
- Provide PEO employees and the PEO's co-employees with a written notice of the plan's privacy policy; and
- Develop procedures to restrict access to PHI from internal and external sources.

[2] Reminder: a training program must have an evergreen component. Training employees at a single point in time is insufficient in the face of employee turnover and changes in regulatory requirements. A good training program will include provisions for training new employees, a periodic refresher, and routine audits of the training program itself to ensure compliance with current regulatory requirements.

Business Associates

PEOs often use the services of outside administrators or entities to assist in the administration of their group health plans. These outside service providers are referred to under HIPAA as business associates. [3] The privacy rules require that such business associates provide satisfactory assurances that they will also safeguard any PHI they may receive. These assurances are required to be included in a business associate contract. These contracts need to contain the following specific provisions related to the protection of PHI:

- A statement of permitted and required uses and disclosures;
- A limitation on the business associate using or disclosing protected health information other than as stated in the contract or as required by law;
- A statement that the business associate will use appropriate safeguards to prevent the inappropriate use or disclosure of protected health information;
- A statement that the business associate will report uses or disclosures of protected health information that violate the business associate agreement;
- A statement ensuring that the business associate's agents and subcontractors agree to the same restrictions and conditions that apply to the business associate;
- A statement that the business associate will make protected health information available as required by the privacy rules' right to access provision discussed below;
- A statement that the business associate will make protected health information available for amendment and will incorporate amendments as required by the privacy rules' right to request an amendment provision discussed below;
- A statement that the business associate will provide an accounting of uses and disclosures as required by the privacy rules' right to accounting provision discussed below;
- A statement that the business associate will let the Department of Health and Human Services audit it to determine compliance with the business associate agreement provisions;
- A statement that the business associate will return or destroy all protected health information at the termination of the contract (or, if that is not feasible, continue to protect the information while maintaining it); and
- A statement authorizing the group health plan to terminate the contract upon a determination that the business associate breached the contract.

The Health Information Technology for Economic and Clinical Health Act (HITECH Act), which was part of the American Recovery and Reinvestment Act of 2009 (ARRA), revised the requirements and made business associates directly subject to HIPAA's privacy requirements and subject to the penalties for violating those requirements. This revision is effective February 17, These new obligations are to be incorporated into any business associate contracts. At this time, it is not clear exactly how these requirements are to be included and whether it will be necessary to incorporate existing contracts. The best practice at this point is to wait for guidance.

[3] This paper deals with the role of a PEO under HIPAA. The reader should be aware that when a PEO undertakes activities related to health as an agent or as an ASO, it may become a business associate of the client's plan and thus have to have appropriate statements and documents in place for that activity.

Breach of Unsecured PHI Notification

Effective as of September 23, 2009, under HITECH and regulations issued under that law, covered entities are required to notify plan participants if there has been any compromise of their unsecured PHI. [4] Business associates are required to notify covered entities if they become aware of any breach so the covered entities can notify participants. The business associate must include in its notice information describing the individuals whose unsecured PHI has been breached. The business associate must also provide the covered entity with any other available information it has that the covered entity must include in its notice to individuals, as described below.

The covered entity's notice to individuals is to be made without unreasonable delay, but no more than 60 days following detection of the breach. The notice should be sent to individuals by first class mail at their last known address or by e-mail if the individual has agreed to receive electronic notices. The notice should include:

- A brief description of what happened;
- A description of the unsecured PHI involved in the breach (such as whether names, dates of birth, or Social Security numbers were compromised);
- Steps that affected individuals can take to protect themselves;
- A brief description of what the covered entity is doing to investigate the breach, mitigate the harm to individuals, and prevent future breaches; and
- Contact procedures for individuals to ask questions or give further information, including toll-free telephone numbers, Web sites, e-mail, and postal address.

If the breach involves more than 500 residents in a state or jurisdiction, the prominent media of that state or jurisdiction must be notified. The notice must be provided within the same time limits that apply to the individual notices and must contain the same information. The notice to the media is in addition to and not in lieu of the notice to individuals.

[4] Under the regulations, unsecured PHI means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology under guidance given by the Department of Health and Human Services on its Web site.

Sale of Health Information

HITECH also made it clear that covered entities may not sell PHI. Among other things, HIPAA did permit covered entities to provide certain promotional information to individuals about their products. Under HITECH, such promotional information may not be provided without the individual's authorization if the covered entity receives any payment from another party for providing the promotional information.

Health Claims Assistance

PEOs routinely assist employees or co-employees with their health claims. HIPAA does not prevent such assistance, but because this assistance will typically require the involvement of PHI, the PEO should obtain the written authorization of the employee or co-employee to use PHI to facilitate the resolution of any health claims.

Participant Rights

Notices

HIPAA's privacy rule requires group health plans to periodically notify the plan participants about their privacy policy. The notice should include the following information:

- The uses and disclosures the group health plan may make of PHI;
- The individual's rights under the privacy rule; and
- The group health plan's duties with respect to PHI.

The notices should be given:

- At the time of the individual's enrollment in the plan; and
- Within 60 days of any material change to the notice.

In addition, every three years the group plan should notify participants and beneficiaries that a privacy notice is available.

Right to Access

A participant or beneficiary in a group health plan has certain rights under HIPAA's privacy rule. A participant or beneficiary can request to inspect and obtain a copy of his or her PHI that is included in the plan's records, including:

- The enrollment, payment, claims adjudication, and a case or medical assessment; and
- All other records used by the plan to make decisions about participants or beneficiaries.

The plan may charge reasonable cost-based fees for copying or mailing such information. This may include the costs of supplies and labor, the postage, and the cost of summarizing the PHI if so requested.

Right to Restrict Access

A plan participant or beneficiary may request the plan to restrict access to PHI as it relates to the use and disclosure of such information for payment and healthcare operations. In addition, the participant or beneficiary can request that disclosure of PHI not be made to family members or other individuals involved in the participant's or beneficiary's care. For example, an employee with a diagnosis of a certain disease or condition may prefer to limit the family's knowledge of that condition. The employee can instruct that the information not be released to certain or any family members.

Right to Direct Confidential Information

A plan participant or beneficiary may request that the plan communicate PHI by alternative means or to alternative locations if the participant or beneficiary alleges that the disclosure could harm him or her. This could involve disclosing information to the participant or beneficiary at work rather than at home or to designated addresses, telephone numbers, or e-mail addresses.

Right to Amend Information

A participant or beneficiary may request that his or her PHI be amended if the information is inaccurate or incomplete. The plan must act on this request or issue a written denial, normally within 60 days of receiving the request. The request can be required to be in writing. Among other reasons, as a practical matter, the PEO can deny amending PHI if the PHI is accurate and complete as it is, or if the PHI was not created by the group health plan and whoever created the PHI is available to correct the erroneous PHI.

Right to Accounting of the Release of PHI

A participant or beneficiary may request an accounting of any disclosures of PHI made by the plan during the six-year period prior to the request. The accounting would include the PHI disclosed, to whom it was disclosed, the purpose of the disclosure, and the date of the disclosure. Please note that the disclosure of PHI in the processing of medical claims does not need to be part of the accounting. Disclosures authorized by the individual, or disclosures to the individual rather than third parties, do not need to be part of the accounting. Because so much of the disclosed information will fit into the normal health plan processing, it does not appear that there will be much for a PEO to reveal in any accounting.

PEO's Use of Scrubbed Health Information

From time to time the PEO may need to use health information for purposes of shopping for group health insurance or redesigning the health program. A PEO can use health information for this purpose provided the claims history, claim expense, or types of claims are summarized. In addition, the information must have the following data removed:

- Names;
- All dates (except year);
- All geographic units smaller than a state (except for five digit zip codes);
- Telephone and fax numbers;
- All ages over 89;
- Social Security numbers;
- E-mail addresses;
- Health plan beneficiary numbers;
- Medical record numbers;
- Certificate/license numbers;
- Account numbers;
- Device identifiers and serial numbers;
- URLs;
- Vehicle identifiers and serial numbers (including license plate numbers);
- Internet protocol address numbers;
- Biometric identifiers (including finger and voice prints);
- Full face photos (and comparable images); and
- Any other unique identifying number, characteristic, or code.

The HIPAA regulations do provide that health information that has been de-identified can be used for any purpose. The health data must be stripped of every piece of information related to an individual's identity. The regulations define the level of security required. As a practical matter, it is difficult to determine when a PEO has a need for de-identified health information.

Finally, certain information, in what is called a limited data set, might be shared for research or public health reasons. Once again, PEOs probably will not confront this need in the normal course of business.

Portability

Limits on Pre-Existing Condition Restrictions

In addition to the protection of a participant's or beneficiary's privacy with respect to health information, HIPAA also limits the ability of a group health program to exclude coverage for new participants or beneficiaries based on pre-existing conditions. In designing or administering a group health plan, the PEO needs to be aware of the limits.

HIPAA limits what can be defined as a pre-existing condition and then limits how long the plan may deny benefits for that condition. Specifically, HIPAA permits a plan to impose a pre-existing condition exclusion only on a mental or physical condition for which the individual had received or had been recommended medical care, advice, diagnosis, or treatment during the six month period before the date of enrollment (or the first day of the waiting period, if earlier) in the group health plan. The individual must have actually received or have had the care, diagnosis, or treatment recommended during the period. If the condition existed but the individual did not seek care or treatment, then the condition is not a pre-existing condition under HIPAA.

If a pre-existing condition exists, the PEO's group health plan can only exclude benefits for 12 months (or 18 months if the individual enrolls late). HIPAA also requires the 12- (or 18-) month period be reduced by every day the individual had coverage under a health plan, regardless of whether it is a group plan or individual health insurance policy. This prior coverage is called creditable coverage. What this means in practice is that a person who was covered by another group health plan for 12 months (or 18 months for late enrollment) will have coverage for all conditions from the time of enrollment. However, this creditable coverage does not count if the individual had a 63-day or longer break in coverage. Coverage under the Consolidated Omnibus Budget Reconciliation Act (COBRA) counts as creditable coverage. When a person leaves employment, or otherwise loses coverage, a group health plan must provide the individual with a certificate of creditable coverage.

Certain conditions are not subject to pre-existing condition exclusions. These are:

- Pregnancy;
- Condition present in a newborn or child under 18 who is adopted (or placed for adoption) and who was covered by creditable coverage within 30 days after birth, adoption, or placement for adoption; and
- Genetic information, without the diagnosis of a related condition.

Special Enrollment Rights

HIPAA also requires that a group health plan permit individuals who originally declined enrollment the right to enroll in the plan at a later date. When individuals decline coverage, they are required to be provided with a notice indicating their special rights to enroll later. These special enrollment rights are activated on account of loss of coverage or the occurrence of certain life events. A PEO must be aware of these special rights and design its program to accommodate them.

Loss of Coverage or Life Event

Employees or their dependents who lost coverage under another plan, had their COBRA eligibility end, or had the employer contribution for the other plan stop can request to enroll in the group health plan sponsored or administered by the PEO. Likewise, employees, spouses, and new dependents are able to enroll because of marriage, birth, adoption, or placement for adoption. The special enrollment must be requested within 30 days of the event. The enrollee is not treated as a late enrollee for purposes of the longer 18-month pre-existing condition exclusion for late enrollees.

HIPAA requires that a group health plan provide a notice about these special enrollment rights to any employee or co-employee who is offered the opportunity to enroll in the group health plan. This is typically provided when the individual is originally entitled to enroll. Normally, the PEO will not have any knowledge of these subsequent events that trigger the special enrollment rights unless the employee or dependent informs the PEO about them. However, when the PEO does learn of life events, such as marriage, death, or adoption of a child, it would be prudent to notify the employee of his or her special enrollment rights regarding coverage.

HIPAA mandates that a health plan provide terminating participants with a certificate of creditable coverage including the period of time the participant was covered under that plan. Likewise, when a participant terminates from the PEO's health plan or co-employer's health plan, the plan must provide a comparable certificate.

Non-Discrimination

In designing and operating its group health plans or the health plans of its co-employers, a PEO must comply with HIPAA's non-discrimination rule. Specifically, HIPAA prohibits a group health plan from discriminating against an individual with respect to eligibility for benefits, premiums charged, or contributions required because of any health factor. A health factor is:

- Health status;
- Medical conditions, including physical and mental illnesses;
- Claims experience;
- Receipt of healthcare;
- Medical history;
- Genetic information;
- Evidence of insurability (which includes participation in hazardous activities such as motorcycling, snowmobiling, all-terrain vehicle riding, horseback riding, and skiing); and
- Disability.

A group health plan may not deny benefits or otherwise exclude coverage for an individual who is not actively at work or is confined to a hospital or medical facility at the time the individual is to enroll in the group health plan.

Within the non-discrimination rules, a PEO can design its health program to impose uniform benefit restrictions that apply to all similarly situated employees or co-employees. This would include satisfying deductibles or co-pays, lifetime limits on benefits, and excluding coverage for certain diseases, drugs, or experimental procedures. While a group plan may not deny coverage due to participation in hazardous activities, it may deny benefits based on the source of injury unless the injury was a result of a medical condition or an act of domestic violence.

Conclusion

A PEO sponsoring or administering a group health plan must take care to protect the health information generated to operate the plan. In addition, as a sponsor or administrator, the PEO must issue certificates of creditable coverage to participants or beneficiaries who leave the plan. Correspondingly, the PEO must honor such certificates to avoid the imposition of impermissible pre-existing condition exclusions. Finally, the PEO must be sure to design a health program that does not discriminate against individuals on the basis of various health factors.

Best practices would require that a PEO:

- Familiarize itself with HIPAA privacy requirements;
- Establish written (and periodically reviewed) procedures and training for compliance;
- Apply its policies and procedures consistently and with appropriate recordkeeping; and
- Periodically audit its programs and procedures for their effectiveness.

© 2009, National Association of Professional Employer Organizations

NAPEO Legal Insights™ is designed to give general information on the subjects covered and is not intended as legal advice or assistance with individual problems. Readers are advised to consult competent legal counsel of their own choosing about how the information may relate to specific issues confronting their companies or clients.

About the Author

Dale R. Vlasek, Esq. is chair of the Employee Benefits Practice Group for McDonald Hopkins LLC, Cleveland, Ohio. He focuses his practice on all employee benefit matters including pension, profit sharing and 401(k) planning design, operation and compliance matters, ESOPs, welfare benefit plans (e.g., group health, life, dependent care programs) design, operation and compliance matters, ERISA litigation, and multi-employer pension plans. He serves as benefits counsel to a number of middle-market and larger companies. Dale is licensed to practice in Ohio, Iowa and Wisconsin.


DETAILED NOTICE OF PRIVACY AND SECURITY PRACTICES OF THE Trustees of the Stevens Institute of Technology Health & Welfare Plan DETAILED NOTICE OF PRIVACY AND SECURITY PRACTICES OF THE Trustees of the Stevens Institute of Technology Health & Welfare Plan THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ) is entered into by and between (the Covered Entity ), and Iowa State Association of Counties (the Business Associate ). RECITALS

More information

State of Connecticut Department of Social Services HIPAA Policies and Procedures Manual

State of Connecticut Department of Social Services HIPAA Policies and Procedures Manual State of Connecticut Department of Social Services HIPAA Policies and Procedures Manual Updated 9/17/13 1 Overview As of April 14, 2003, the State of Connecticut Department of Social Services (DSS) is

More information

BUSINESS ASSOCIATE AGREEMENT. Recitals

BUSINESS ASSOCIATE AGREEMENT. Recitals BUSINESS ASSOCIATE AGREEMENT This Agreement is executed this 8 th day of February, 2013, by BETA Healthcare Group. Recitals BETA Healthcare Group consists of BETA Risk Management Authority (BETARMA) and

More information

An Employer s Guide to Group Health Continuation Coverage Under COBRA

An Employer s Guide to Group Health Continuation Coverage Under COBRA An Employer s Guide to Group Health Continuation Coverage Under COBRA The Consolidated Omnibus Budget Reconciliation Act U.S. Department of Labor Employee Benefits Security Administration This publication

More information

HIPAA Privacy Breach Notification Regulations

HIPAA Privacy Breach Notification Regulations Technical Bulletin Issue 8 2009 HIPAA Privacy Breach Notification Regulations On August 24, 2009 Health and Human Services (HHS) issued interim final regulations implementing the HIPAA Privacy Breach Notification

More information

HIPAA BREACH RESPONSE POLICY

HIPAA BREACH RESPONSE POLICY http://dhmh.maryland.gov/sitepages/op02.aspx (OIG) DHMH POLICY 01.03.07 Effective Date: July 22, 2014 I. EXECUTIVE SUMMARY The Department of Health and Mental Hygiene (DHMH) is committed to protecting

More information
