Important: Conducting an assessment of your health plan(s) is the first step to determining HIPAA compliance. You will need to conduct a separate assessment for each of your health plans. (Please be aware that each numbered item below is explained in greater detail on the following sheet.)

Health plan being assessed:

1. Does the plan exist for purposes of providing or paying for the cost of medical care?
   Yes: go to question 2.
   No: the plan is NOT a covered entity under HIPAA and is not required to comply with HIPAA's Privacy and Security Standards.

2. Does the plan provide health benefits solely through a contract for insurance with a state licensed insurance carrier or HMO?
   Yes: go to question 5.
   No: go to question 3.

3. Are there more than 50 participants?
   Yes: go to question 7.
   No: go to question 4.

4. Is the health plan self-administered?
   Yes: the plan is NOT a covered entity under HIPAA and is not required to comply with HIPAA's Privacy and Security Standards.
   No: go to question 7.

5. Does the city receive more than enrollment / disenrollment and summary health information?
   Yes: go to question 7.
   No: go to question 6.

6. The plan is a covered entity under HIPAA but has minimal responsibility for complying with HIPAA's Privacy Standards (fully-insured "hands off" with minimal mandates). Proceed to question 8 regarding the HIPAA Security Standards.

7. The plan is a covered entity under HIPAA and is required to comply with all of HIPAA's Privacy Standards (fully-insured "hands on" or self-insured with full mandates). Proceed to question 8 below regarding the HIPAA Security Standards.

8. Does the covered entity store, maintain or transmit PHI electronically?
   Yes: go to question 9.
   No: go to question 10.

9. The plan is subject to applicable HIPAA Privacy Standards and all HIPAA Security Standards with respect to PHI and E-PHI.

10. The plan is subject to applicable HIPAA Privacy Standards but NOT subject to the HIPAA Security Standards.
FLOW CHART QUESTIONS AND ANSWERS

1. Does the plan exist for purposes of providing or paying for the cost of medical care?

A health plan could be an individual or a group health plan for purposes of HIPAA. A health plan includes (but is not limited to) employer sponsored benefit plans like those covered under ERISA, health insurers, HMOs, group health plans, and many public benefit programs (Medicare and Medicaid). You would respond "Yes" if your city has any of the following types of plans:
- Medical
- Dental
- Vision
- Prescription drug
- Behavioral Health
- Wellness plan that provides health benefits
- EAP that provides health benefits
- High Deductible Plan
- Health Reimbursement Arrangements (HRAs), including a Post Employment Health Care Savings Plan
- Flex Plan (medical reimbursement portion)
- Long-term care

Examples of plans for which the city would respond "No" include:
- Long term and short term disability (income replacement)
- Workers' Compensation
- Life Insurance
- Flex plans (portions covering child care expenses)
- Other non-health plans

2. Does the plan provide health benefits through a contract for insurance with a state licensed insurance carrier or HMO?

A contract for insurance is not a contract for administrative services; it essentially means that the city is covered under a fully insured plan. See § 164.520(a)(2) and related sections of the Final Privacy Rule for more detail. If the plan meets the criteria above (benefits provided through a contract for insurance with a state licensed carrier or HMO), the city would respond "Yes". Unless the plan meets all the criteria, you would respond "No". For example:
- If the plan participates in a pool through a contract / joint powers agreement with an entity which is not a health insurance issuer or an HMO, you would answer "No" (e.g. coverage through the Service Cooperatives).
- If the contract between the plan and the insurance issuer or HMO is for administrative services only (i.e. third party administrative services), you would answer "No".
- If the plan pays any or all of the insurance claims of its members (essentially the plan is self-insured), you would respond "No".

3. Are there more than 50 participants in the health plan?

HIPAA provides a limited exemption for those plans that (a) have less than 50 participants, (b) are self-insured, and (c) self-administer their own plan. All three requirements must be met. Health plans that have more than 50 participants and/or contract with a third party to administer the plan do not qualify for the exemption. A "plan participant" is an employee who is eligible for and actually participating in the health plan. Cities that have close to 50 participants should also be aware of the HIPAA requirements in the event that they go over 50 employees in the future.

4. Is the health plan self-administered?

Again, HIPAA provides an exemption for those plans that have less than 50 participants and self-administer their own plan. Any other arrangements for services, such as a contract with a third party to administer claims processing, enrollment, billing, etc. (or plans with more than 50 eligible participants), do not qualify for the exemption. See § 160.103 Definitions of the Final Privacy Rule for more information.

5. Does the City receive more than enrollment / disenrollment and summary health information?

Enrollment / disenrollment information is information regarding a person's eligibility for and election to participate under a HIPAA covered health plan. Summary Health Information is information that summarizes claims history, claims expenses, and types of claims experience by individuals under a health plan, provided it has been de-identified, with the exception that it may include five digit zip codes. The identifiers that must be removed are:
- Names
- Geographic units (e.g. apartment or house number, street address, city)
- Dates related to an individual, including birth date, admission date, discharge date, date of death
- Ages
- Telephone numbers and fax numbers
- E-mail addresses
- Social security numbers
- Medical record numbers, health plan beneficiary numbers, account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs) and Internet Protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code

All of these identifiers would have to be removed for you to answer "No". If you receive claims data with any of the identifiers listed above, you would respond "Yes".
Note: If you receive information with these kinds of identifiers, then the city may want to evaluate whether or not it really needs this information for purposes of sponsoring the health plan. If it does not need this information, then the city may want to discontinue receiving it.

6. The plan is a covered entity under HIPAA but has minimal responsibility for complying with the Administrative Simplification regulations.

Based on the information provided, this plan has minimal responsibilities under HIPAA. The plan must:
- Not require any member to waive their HIPAA rights as a condition for enrolling in a health plan, eligibility for benefits, treatment or payment of health care expenses.
- Not discriminate on the basis of any health condition.
- Amend plan documents if you want access to protected health information from the group health plan (Note: This may increase your responsibilities under HIPAA).
- Obtain authorization from the individual in cases where they may seek your assistance with a health claim or appeal involving the health insurer.

Because the plan does receive protected health information (albeit limited PHI) such as enrollment and eligibility information, the plan must also get a Business Associate Agreement with its broker and anyone else doing anything on its behalf that receives PHI. Under HIPAA, the plan is not required to get a Business Associate Agreement with the carrier/HMO [fully insured plans only] or the plan's sponsor/employer.

7. The plan is a covered entity under HIPAA and is required to comply with all of the Administrative Simplification regulations.

Based on the information provided, this plan must comply with all of HIPAA's Administrative Simplification requirements that relate to health plans, including:
- Modifying plan documents to permit information sharing between the group health plan and the plan sponsor, and instituting procedures for complying with those amendments.
- Designating a privacy official. This individual is responsible for ensuring the procedures are followed and has the authority to make determinations about what information can be released and how. This could be the city's data practices official.
- Designating who may access Protected Health Information.
- Establishing firewalls to limit or restrict the flow of information between the group health plan and the employer as the plan sponsor.
- Creating and implementing policies and procedures and maintaining documentation.
- Complying with the privacy rules regarding use and disclosure of protected health information; obtaining authorization or consent as required.
- Certifying to your carrier/HMO that you are HIPAA compliant.
- Issuing a Notice of Privacy Practices to employees.
- Identifying Business Associates (such as third party administrators and/or the city's agent/broker) and amending contracts with each to ensure that these entities take steps to comply with HIPAA.
- Obtaining authorization or consent in order to receive or disclose protected health information.
- Training employees who use or disclose protected health information on the plan's privacy policies and procedures.
- Developing a grievance procedure for individuals challenging or disputing the use or disclosure of health information.
- Tracking certain types of member information requests for six years.
- Allowing members to amend their medical records.
- Allowing members to restrict access to certain medical information.

Please be aware that some of these functions may be delegated to the city's third party administrator through the business associate agreement, which should outline what responsibilities the city has as the covered entity in regards to HIPAA compliance and what responsibilities the TPA has as the business associate. Even if you delegate responsibilities to your business associate(s), the city is not entirely off the hook: you still have an obligation to make sure that the business associate is complying with HIPAA. For instance, you should review the business associate agreement annually and/or request reports or documentation showing compliance activities on the part of the business associate (these reports could be requested annually, semi-annually or quarterly).

8. Does the covered entity store, maintain or transmit PHI electronically?

In order to respond to this question, covered entities must conduct a risk assessment/analysis and document their determinations regarding whether the security measures apply to them or not. There is no exception for small health plans (other than the delayed effective date and the exception for small self-administered plans; see FAQ #7). Therefore, all group health plans, whether self-administered, self-insured and administered by a third party administrator, or fully insured, must evaluate the extent to which they must comply (if at all) with the security standards.
The security standards build upon the HIPAA privacy rules and are intended to protect the privacy and confidentiality of electronic protected health information (E-PHI) from improper access and interception. They are designed to ensure that electronic health information is accurate and accessible only to certain people. The security rules apply to protected health information that is electronically maintained or used in an electronic transmission, regardless of format (for a definition of protected health information, see #4 under the FAQ). E-PHI is PHI in electronic media, such as through the Internet, leased lines, dial-up lines and private networks. Telephone voice response and faxback systems are covered under the security standards, but not paper-to-paper faxes, video conferencing or messages left on voicemail. There is no distinction between internal and external communications, so even internal transactions must meet the requirements.

Examples of a "Yes" response may include:
- Conducting enrollment, disenrollment and/or billing online.
- E-mail communications with employees and/or the health insurance carrier or third party administrator that contain PHI.
- The city self-administers its health flexible spending account under the cafeteria plan and stores all claims information in a database on the computer system.
Examples of a "No" response might include:
- The city faxes an explanation of benefits that it received from an employee on a claim issue to the health insurance carrier [Caution: still HIPAA privacy concerns].
- The city receives quarterly claims information that is provided in aggregate form with no individually identifiable information.
- The city does not store any PHI on the computer (all information is kept in hard copy in locked file cabinets). Note: one e-mail to the health insurance carrier or TPA that contains PHI will likely subject the city to the security standards.

9. The plan is subject to the HIPAA security standards.

The good news is that the security rules allow covered entities some flexibility to determine which of the security measures are appropriate for their circumstances. The security standards are designed to be general and flexible enough to be used in varying degrees according to the size, sophistication and financial capability of the covered entity. The security requirements can be broken down into five categories:
- Administrative safeguards
- Physical safeguards
- Technical safeguards
- Organizational requirements
- Policies, procedures and documentation requirements

More information about each of these requirements can be found in the HIPAA Security Overview information sheet. The League is also working to develop templates of policies and procedures relating to the security standards. Member cities may contact the League's HR & Benefits Department at 651-215-4064 or 800-925-1122 to request a copy of this additional tool.

10. The plan is NOT subject to the HIPAA security standards.

Even if you determine that your city is not subject to the HIPAA security standards, it is important that you first conduct the risk analysis and document your determination regarding the city's need to comply (or not) with the security standards. It is also important to realize that a simple e-mail containing PHI may subject the city to the security standards. Cities currently not subject to the security standards may need to monitor and evaluate this matter on an ongoing basis to ensure that the city is ready to comply at any given point in time during the year if necessary.
FREQUENTLY ASKED QUESTIONS

1. What is HIPAA?

Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996 to reform health care. It is intended to streamline industry inefficiencies, reduce paperwork, make it possible for workers to switch jobs even if they or a family member has a pre-existing condition, and protect the privacy of individual medical information. HIPAA's administrative simplification regulations affect healthcare providers, clearinghouses, and health plans, including insurance companies, HMOs and employer-sponsored health plans. These regulations require standardized electronic transactions, improved privacy and security methods, and greater access to and rights for individuals regarding their health information. HIPAA is a federal law that creates a starting point for protecting individual health information. To the extent other laws already apply, they are still applicable (e.g. the Data Privacy Act).

2. Who does HIPAA affect?

HIPAA affects virtually all health care providers in the United States who conduct certain financial and administrative transactions electronically; health care clearinghouses; health plans, including insurance companies, HMOs and most employer-sponsored health plans; and any business associates of any of the aforementioned groups, such as third party administrators and/or the city's agent, broker and/or benefit consultant. For more detailed definitions of what entities are considered to be covered entities under HIPAA, see § 160.102 Applicability and § 160.103 Definitions of the HIPAA privacy rule.

3. What are the HIPAA privacy rules?

The HIPAA privacy rules mandate that a covered entity (e.g. a group health plan) must implement policies and procedures with respect to protected health information (PHI). The policies and procedures must be reasonably designed, taking into account the size of the covered entity and the type of activities it undertakes that relate to PHI, to ensure compliance.

4. What is protected health information?

Protected health information (PHI) is individually identifiable information, which is created, modified, received or maintained by a covered entity, that relates to an individual's past, present or future physical or mental condition, treatment or payment for care. This information is protected if transmitted in electronic, written or oral form. The following information may be considered PHI or may contain PHI:
- Medical records
- Diagnosis of a certain condition
- Procedure codes on claim forms
- Claims data or information
- Explanation of Benefits (EOB)
- Pre-authorization forms
- Crime reports
- Coordination of benefit forms
- Enrollment / election forms
- Reimbursement request forms
- Records indicating payment
- Claims denial and appeal information

Protected health information does not necessarily need to include an individual's name, address or social security number to be considered individually identifiable information: a high dollar claim report that contains only diagnoses or procedures and amounts paid during a specific period might contain individually identifiable information if the city has a relatively small number of participants in the health plan. Therefore, small cities may need to take extra precautions to ensure that they are protecting employee health information even if the information is provided on an aggregate/group basis.

5. What is E-PHI?

Where the privacy standards cover all PHI regardless of the form it takes (whether written, verbal or electronic), the security standards cover only PHI that is in electronic form (i.e. PHI that is electronically maintained or transmitted, regardless of form). E-PHI is PHI in electronic form, including storage media such as hard drives and disks, as well as transmission media such as the Internet, leased lines, dial-up lines and private networks. Telephone voice response and faxback systems are covered under the security standards, but not paper-to-paper faxes, video conferencing or messages left on voicemail. There is no distinction between internal and external communications, so even internal transactions within an organization must meet the requirements.

6. How can protected health information be used?

A health plan that is subject to the HIPAA privacy and security standards may generally use or disclose PHI without obtaining an individual authorization for purposes of payment, treatment or healthcare operations, or for public policy purposes (e.g. as required by law or to avert a serious health or safety issue).
However, use or disclosure of PHI generally must be kept to the minimum necessary to accomplish the task. This applies both internally and externally.

7. As an employer, is my city subject to the HIPAA privacy and security rules?

As an employer, the city is not subject to the HIPAA privacy and security rules. However, keep in mind that many cities sponsor a group health plan of some sort, so the city as a sponsor of those plans would likely be a covered entity. The city will also need to make sure that there is adequate separation between its employment-related functions and the group health plan functions to ensure that information from the group health plan is not used for making employment related decisions. Many cities conduct certain functions that may fall under HIPAA and other functions that do not fall under HIPAA (e.g. health plan functions and employer/HR functions). Each of these functions may be treated separately in what is called a hybrid entity. A hybrid entity is an entity that has some covered and some non-covered functions (§ 164.504 discusses hybrid entities and their responsibilities). HIPAA dictates that the covered functions must act (in regards to protected health information) as if they were a separate company, requiring the same separation and controls as if they were actually separate legal entities.

8. Is there an exception for small health plans?

The HIPAA privacy and security rules do not apply to a city's group health plan that is self-insured, has fewer than 50 participants AND is self-administered. It is important to realize that all three conditions must be met in order for the city to be exempt from all of the privacy and security requirements.

9. Does my city need to do a separate assessment for each of the health plans that we sponsor?

Yes. Each city should identify the health plans that it sponsors and conduct an assessment for each one. Since HIPAA applies to the separate plans, it is important to think about the role of the plan, not the employer, when conducting this assessment. For example, if you have a separate dental, medical and flex plan, they may each have different requirements under HIPAA, so you need to run separate assessments for each one. Once each plan has been identified, the city should go through the flow chart on the previous page to identify whether or not each plan is a covered entity and, if so, to what degree it will need to comply with the HIPAA privacy standards. It is also important to document your city's assessment for each plan. If you do not think that you are a covered entity under HIPAA, we recommend that you document the fact that you conducted the assessment and the reasons why you think you are not subject to HIPAA's requirements.

10. What if I only receive summary health information and conduct enrollment / disenrollment activities?
A health plan, regardless of size, is exempt from many of the HIPAA privacy requirements if (1) the plan provides health benefits only through an insurance contract with a health insurer or an HMO, and (2) the plan does not create or receive any individually identifiable protected health information other than summary health information (i.e. information which has had all identifiers deleted from it other than some geographic information) and basic enrollment and disenrollment information. Note: This same exemption does not apply to the security standards. Because the plan does receive some limited protected health information, such as enrollment and eligibility information, the plan should get a business associate agreement with its agent/broker or anyone else doing anything on its behalf that receives PHI. Note: Under HIPAA, the plan is not required to get a business associate agreement with the insurance carrier/HMO (e.g. Medica, HealthPartners, BCBS) or the plan's sponsor/employer (e.g. the city).

11. Our city offers a fully insured health plan, but we also self-insure some of the benefits (e.g. we reimburse employees for their out of pocket costs, such as deductibles or copays). Is this a covered entity?

In this situation, you have two separate plans that you must assess individually to determine the level of compliance responsibility. If you do not meet the small group exception, then you will have to comply with the HIPAA privacy standards. See questions 6 and 7 under the flow chart Q & A section for the administrative requirements necessary to comply with these standards.

12. We are part of a self-insured pool through a Joint Powers Agreement (such as the Service Cooperatives). To what extent does the city need to comply with HIPAA?

As part of a Joint Powers Agreement, you are considered to be a self-insured plan that would have to comply with HIPAA's privacy standards even if you do not receive protected health information. You will need to enter into a business associate agreement with the joint powers organization or third party administrator to ensure that they take steps to comply with HIPAA and to outline which party will be responsible for certain compliance activities. You will want to carefully review what functions the city will perform and what functions the business associate (i.e. joint powers organization or third party administrator) will perform. An argument could be made that the joint powers organization or third party administrator would have the bulk of the responsibility for complying with HIPAA. A city might be able to minimize its obligations under HIPAA by delegating many of the compliance activities to the third party administrator or joint powers organization, such as modifying plan documents, providing privacy notices to employees, etc. However, even if the city delegates many of the responsibilities to the third party, the city ultimately is responsible for making sure those entities are HIPAA compliant. In other words, your obligation under HIPAA doesn't cease to exist by delegating compliance responsibilities to a third party.

13. What if the city has more than one health plan that falls under the HIPAA privacy requirements (essentially, the city has more than one covered entity)?

HIPAA allows multiple health plans that are covered entities and maintained by the same plan sponsor to work together as if they were just one covered entity. This is referred to as an Organized Health Care Arrangement (OHCA).
An OHCA allows a city to satisfy the HIPAA requirements just once rather than multiple times. In other words, if a city has two health plans (e.g. a self-insured medical plan and a medical reimbursement plan), the city could bundle those plans together and form an OHCA. Therefore, the city would only have to comply once rather than two separate times. Please note that this OHCA designation is only allowed under HIPAA and does not extend to other benefit laws and regulations (e.g. COBRA, IRS tax code, etc.).

14. Are there other city functions that might make us a covered entity?

There are a variety of ways in which a city may be considered a covered entity under HIPAA. Cities self-insuring employee benefits, including group health plans and health flexible spending accounts; city-owned medical clinics, hospitals and/or nursing homes; and cities with public health departments are likely considered covered entities that must comply with the HIPAA administrative simplification standards (including the privacy and security standards). Since the HIPAA privacy and security standards may impact various departments within the city, such as human resources, the technology department, fire departments with ambulance services, or the police and corrections department (relating primarily to health information on inmates), cities are encouraged to conduct a department-by-department assessment to determine which areas may be subject to HIPAA, including evaluating which departments may have access to and use individually identifiable health information, as well as how access to this information can be limited (i.e. what firewalls or protections can be put in place to limit access to this information). HIPAA potentially impacts several departments if the city does any of the following:
- Receives, uses, discloses or maintains private health information.
- Administers a public health program.
- Contracts with or is considered a business associate of a covered entity, such as a third party administrator for its self-insured health plan, or is a plan sponsor under a fully insured health plan.
- Owns medical clinics, hospitals, ambulance services, home health care agencies and/or nursing homes.
- Performs certain health plan functions on behalf of the insurance carrier.
- Has a Health Flexible Spending Account.
- Transmits individual health information electronically.

In addition, cities that charge a fee (or are thinking of charging a fee) to citizens for first responders (ambulance, firefighters, police officers) should be aware that by doing so, the city may end up falling under the HIPAA requirements if they provide medical care to those citizens. In this case, the city would fall under HIPAA as a health care provider.

15. What do the security standards require?

At a minimum, the security standards require that a covered entity conduct a risk assessment and document its determinations regarding whether the security measures apply to it. Even if a city thinks that it is not subject to the security standards, it should go through this assessment and document the reasons why it is not covered under the security standards (e.g. the city does not conduct billing or enrollment online, the city only communicates with vendors/insurance carriers and employees by telephone regarding employee claim questions and issues, and none of the information containing PHI is stored on the computer; it is only kept in file cabinets under lock and key). If a city is subject to the security standards, there are five sets of safeguards and requirements that must be met (more information about each can be found in the HIPAA Security Overview Information Sheet):
- Administrative safeguards
- Physical safeguards
- Technical safeguards
- Organizational requirements
- Policies and procedures and documentation requirements

The good news is that the security standards allow covered entities some flexibility to determine which of the security measures are appropriate for their circumstances. The security standards are designed to be general and flexible enough to be used in varying degrees according to the size, sophistication and financial capability of the covered entity. Covered entities must address the security measures under each safeguard and determine whether each measure is reasonable and appropriate to implement for that organization. If it is appropriate, then the measure must be implemented. If not, then it must be documented why it is unreasonable, and an equivalent, alternative measure must be implemented if it is reasonable to do so.

16. What are the deadlines for complying with HIPAA?

All cities should now be in compliance with HIPAA's privacy standards. The deadline for complying with the privacy standards for most covered entities was April 13, 2003. However, there was a one-year extension for small health plans (those plans with less than $5 million in premiums for fully-insured plans or $5 million in claims for self-insured plans). Most cities will have fallen under the extension and will need to have complied with HIPAA by April 14, 2004. The deadline for complying with the security standards for most covered entities and large health plans was April 20, 2005. As with the privacy standards, small health plans (and therefore many cities) received a one-year extension and will need to comply with the security standards by April 21, 2006. This means covered entities must conduct their risk assessment, implement the appropriate safeguards (or alternative safeguard measures, if appropriate), and have implemented policies and procedures by these dates.

17. What additional resources are available on HIPAA compliance?

The League has worked with a benefits attorney to develop templates of policies and procedures for both the privacy and security standards. Member cities may contact Erin Rian, LMC Benefits Manager, at 651-215-4095 or by e-mail at erian@lmnc.org for these additional tools or if you have questions about HIPAA compliance for your city.
In addition, the following resources may be of some assistance to cities as they evaluate how these regulations apply to the city or its departments:
- HIPAA Compliance Guide, Employee Benefits Institute of America (EBIA), 866-775-3242 or http://www.ebia.com. A subscription fee applies.
- 2001 Quick Reference to HIPAA Compliance, International Foundation of Employee Benefit Plans, 888-334-3327. A subscription fee applies.
- Employer's Guide to HIPAA Privacy Requirements, Thompson Publishing, 800-677-3789. A subscription fee applies.
- U.S. Department of Health and Human Services information on the privacy and security standards: http://www.cms.hhs.gov/hipaa/hipaa2/default.asp.
- MN Department of Human Services (DHS) website: www.dhs.state.mn.us/hipaa/default.htm.