A Service of OnQue Technologies, Inc.

Special Report: Do you need Business Associate Contracts? Are you distributing the Notice of Privacy Practices?

April 8, 2004, Santa Rosa, CA
Complying with the HIPAA
Privacy Rule is not something that only health care providers and insurance
carriers need to worry about. HIPAA does not specifically cover
employers, but to the extent that they sponsor health plans and have access
to the personal health information of their employees and families, they need
to comply with at least some of the law's provisions.
April 14, 2004, is the
compliance deadline for most health plans. Employers that may be privy to
protected health information must, by that date, adopt and implement policies
and procedures to protect the confidentiality of group health plan
participants. In addition to health care providers, covered entities that are
subject to the HIPAA rules include employer-sponsored group health plans,
government health plans and multi-employer health plans.
Employers who self-fund
their group health plans are generally privy to more of their employees'
personal health information than those that use insurance companies. But
employers whose health plans are largely administered by insurance carriers
still must examine their procedures to ascertain to what extent they have
access to protected information. Even though the insurance carriers are subject
to the HIPAA Privacy Rules, plan administrators are not necessarily insulated
from taking independent steps to comply with the law. It is the employer's
responsibility to know whether it receives protected health information and
what steps it must take to comply with the HIPAA Privacy Rules.
Note: A health plan or plan sponsor that does not create or
receive protected health information (PHI) other than enrollment or summary
health information is not required to provide a privacy notice.
This Special Report covers two of the most important provisions of the privacy
rule for covered entities such as group health plans and their sponsors:
- Use of Business Associate Contracts, and
- Distribution of the Notice of Privacy Practices
What information is protected?
According to the federal Department of Health and Human Services (HHS), which
oversees HIPAA implementation, the Privacy Rule protects all "individually
identifiable health information held or transmitted by a covered entity or
business associate, in any form or media, whether electronic, paper or oral."
Such information is referred to as PHI -- protected health information.
The definition of PHI is
very broad and not limited to specific medical data. It may be related to an
individual's past, present or future physical condition or mental health if it
identifies the individual. Identification may be by name, address, birth date,
Social Security number, or any other means by which the PHI may be connected to
that person.
Business Associate Contracts

What is a business associate?
A business associate of a group health plan or its sponsor is an outside
organization that performs functions involving the use and disclosure of
individually identifiable health information. For example, if a group health
plan uses an outside business associate to perform services such as COBRA
administration, the plan must enter into a written agreement with the
third-party administrator known as a "Business Associate Contract." Other
persons or organizations that may be business associates of a HIPAA covered
entity are those that provide services such as benefits management, claims
processing or administration, billing, and data analysis. Business associate
services may be legal, accounting, consulting, management, administrative and
financial.
What is the purpose of the business associate contract?
HIPAA does not specifically apply to entities that provide
services to covered providers and health plans. But most health care providers
and health plans do not themselves carry out all of their health care
activities and functions; instead they use the services of outside businesses.
The Privacy Rule permits plans to disclose PHI to such "business associates"
only if the plan obtains satisfactory assurance that the business associate
will use the protected information strictly for specific purposes. To this end,
HIPAA covered entities may disclose PHI to business associates only if it helps
the plan carry out its health care functions, not for the business associate's
independent use or purposes.
Under the HIPAA Privacy Rule, covered entities must
obtain satisfactory assurance that the business associate will appropriately
safeguard the PHI it receives or creates on their behalf. This assurance must
be in writing in the form of a contract or other agreement between the plan and
the business associate.
What provisions must the business associate contract contain?
A plan's contract or other written agreement with business associates must:
- Describe the permitted and required uses of PHI by
the business associate;
- Provide that the business associate will not use or
further disclose the protected health information other than as permitted or
required by the contract, or as required by law; and
- Require the business associate to use appropriate
safeguards to prevent a use or disclosure of the PHI other than as provided for
by the contract.
Is a covered entity liable for the actions of its business associates?
No, but if the covered entity learns of a material
breach or violation of the business associate contract it must take reasonable
steps to cure the breach or end the violation. If those attempts are
unsuccessful, the contract with the business associate must be terminated. And,
if termination is not possible due to the absence of a business alternative,
then the breach must be reported to the Department of Health and Human Services
Office for Civil Rights. If these steps are not taken, the covered entity will
be considered out of compliance with HIPAA's Privacy
Rule.
Notice of Privacy Practices

The HIPAA Privacy Rule mandates that covered entities that receive protected
health information distribute a Notice of Privacy
Practices. The purpose of this document is to inform plan participants of their
rights under the rules.
Who must receive a notice of privacy practices?
Covered entities must distribute this notice to each enrollee by April 14,
2004. Thereafter, it must be given to new enrollees at the time of enrollment,
or whenever a material modification to the plan is made. Covered entities must
send reminders to each enrollee at least once every three years that the
privacy notice is available upon request. It is necessary to furnish the
privacy notice only to the named insured, not to spouses and dependents.
What must the Notice of Privacy Practices contain?
The HIPAA Privacy Rule requires that the privacy notice be written in plain
language and contain
the uses and disclosures, with examples, of how the plan uses participants'
health information. It must advise enrollees of their right to request and
receive copies of their health information and to request restrictions on
certain uses and disclosures of that information. And where state privacy rules
exist that are more comprehensive than the federal rule, the notice must
contain the state requirements. If the covered entity maintains a website for
benefits information, it must make the notice available electronically on that
site.
For more information about the HIPAA Privacy Rule, read OnQue's COBRA Tip,
"Deadline Approaches For Compliance With Federal Privacy Notice Rules."

For an official summary of the HIPAA Privacy Rule, see the Department of Health
and Human Services.
This information is provided by OnQue Technologies, Inc. for educational
purposes only and does not constitute legal advice. If legal advice or other
professional assistance is required, the services of a competent professional
should be sought.
As seen in Health Insurance Underwriter Magazine
Copyright © 2004 OnQue Technologies, Inc. All Rights Reserved.