A Service of OnQue Technologies, Inc.

Deadline Approaches For Compliance With Federal Privacy Notice Rules
February 25, 2004, Santa Rosa, CA
April 14, 2004 is the date on
which small health plans must comply with the privacy provisions of the Health
Insurance Portability and Accountability Act of 1996 (HIPAA). "Small" health
plan is defined by the law as one that pays less than $5 million a year in
premiums. Larger health plans were required to comply last
year.
The HIPAA Privacy Rule creates national standards
to protect individuals' medical records and other personal health information
(PHI), whether on paper, in computers or communicated orally. It sets legal
boundaries on the use and disclosure of health information and limits the
release of information to the minimum extent reasonably necessary for the
purpose of the disclosure. It also gives individuals the right to examine,
obtain, and correct their medical records. One of the most important provisions
of the Privacy Rule is the requirement that a Notice of Privacy Practices be
distributed.
This COBRA Tip will explain which entities must comply with the HIPAA Privacy Rule, what protected health information is, and what the Notice of Privacy Practices is.
Who must comply with the HIPAA privacy standards?
The HIPAA Privacy Rule covers health plans, health care clearinghouses, and any health care provider that transmits protected health information in electronic form. Together these are referred to as "covered entities." Health plans with more than 50 participants are covered entities and must comply with the Privacy Rule; plans with fewer than 50 participants that are administered solely by the employer that established and maintains the plan are exempt.
Why should employers be concerned about the Privacy Rule?
The HIPAA Privacy Rule does not explicitly apply to employers. In fact, the Department of Health and Human Services (HHS), the federal agency that oversees compliance with the law, has no authority over employers. But employer health plans may use or generate health information about identifiable enrollees and, to the extent that the employer has access to such information, it may need to comply with at least some of the provisions of the Privacy Rule.
Employers who self-fund their group health plans
are privy to more of their employees' personal health information than those
that are insulated by insurance companies. However, employers whose health
plans are largely administered by insurance companies should examine their
procedures to ascertain to what extent they may have access to protected
information. Even employers that maintain fully insured plans and receive
little or no protected health information may need to comply with the Privacy
Rule. The fact that your insurance carrier is also subject to the Privacy Rule
doesn't necessarily insulate you from compliance. It is your responsibility to
know whether you are receiving protected health information and if so, take
steps to comply with the law independently of your insurance carrier's
compliance.
Business Associates
A business associate of a group health plan is an outside organization that performs functions that
involve the use or disclosure of individually identifiable health information.
If a group health plan uses a business associate to perform services, such as
COBRA administration, the law requires the plan to enter into a written
agreement with the third party that imposes safeguards on the identifiable
health information that may be used or disclosed. This agreement is
accomplished by entering into a Business Associate Contract. The Office for
Civil Rights suggests language to use in such a contract. The covered entity is
not responsible or liable for the actions of its business associates, but if it
learns about a violation of the contract, it must take reasonable steps to end
that violation or terminate the contract.
What information is protected health information?
According to the HHS Office for Civil Rights, the Privacy Rule protects all "individually identifiable health information" held
or transmitted by a covered entity or business associate, in any form or media,
whether electronic, paper or oral. This information is referred to as
"protected health information," or PHI. PHI may be actual medical records, but
it is also any other information created or received by an employer or group
health plan that relates to the health of plan participants and that could be
used to identify a particular individual. Personal health information generally
may not be used for purposes unrelated to health care and covered entities may
use or share only the minimum amount of protected information needed for a
particular purpose. The information may be received in any form: written,
electronic or oral.
The definition of PHI is very broad and not limited
to specific medical data. It may be information that relates to an individual's
past, present or future physical or mental health or condition and that
identifies the individual, either specifically or if there is a reasonable
basis to believe that it could be used for identification. (PHI often contains
names, addresses, birthdays, or Social Security numbers.) It may concern the
provision of health care to a particular individual, including payment for that
health care.
What information is not protected health information?
The Privacy Rule specifically excludes from protected health information employment records that a covered entity maintains in its capacity as an employer. And there are no restrictions on the use or disclosure of health information that neither identifies nor provides a reasonable basis to identify any particular individual. PHI may be "de-identified" by removing specified identifiers of the individual and of relatives, household members and employers. Employers and plan sponsors are permitted to receive, without being subject to the rule, PHI from insurers regarding:

1. Enrollment;
2. Summary health information, such as summaries of claims history, expenses or types of claims, that is stripped of all individual identifiers other than five-digit zip codes; and
3. Information necessary for the performance of plan administration functions.

Information given to an employer during the
employment process or as part of a Workers' Compensation claim will likely be
exempt from the Privacy Rule.
What Must Health Plans Do To Comply With The Privacy Rule?
By April 14, 2004, small health plans and employers that may be privy to protected health information must establish policies and
procedures to protect the confidentiality of plan participants. They must also
distribute a Notice of Privacy Practices and limit the use and disclosure of
information as required under the federal rule.
Notice of Privacy Practices
A health plan that creates or receives PHI, in addition to merely summary health information, must distribute a Notice of Privacy Practices to each of its participants. The notice must be distributed to each new enrollee at the time of enrollment or whenever a material modification is made. The plan must also remind every enrollee at least once every three years that the notice is available upon request. The notice need be furnished only to the "named insured," not to spouses or dependents.
Note: A health plan that does not create or receive
PHI other than enrollment or summary health information is not required to
provide a notice.
The notice must be written in plain language and
contain specified elements, such as the uses and disclosures, with examples, of
how the plan will use participants' health information. It must advise participants of their right to request and receive copies of their health information and to request restrictions on certain uses and disclosures of that
information. If state laws exist that are "more stringent" than the federal
privacy rule, the notice must contain that information. Although the HHS does
not make available a model Notice of Privacy Practices, the law explicitly sets
out both required and optional elements.
Other Privacy Rule Provisions
Other important provisions of the HIPAA Privacy Rule that may require your compliance are:

- Individuals are entitled to see and obtain copies of their medical records and to request corrections if they identify errors. Health plans should provide access to these records within 30 days of the request and may charge for the cost of copying and mailing.
- Covered entities may use or share only the minimum amount of protected information needed for a particular purpose. Individuals must sign a specific authorization before a covered entity can release their medical information to outside businesses for purposes not related to health care, including marketing.
- Individuals are entitled to file formal complaints regarding the privacy practices of a covered health plan. The complaints may be made directly to the health plan, or to HHS' Office for Civil Rights (OCR). Information on how to file complaints must be included in the Notice of Privacy Practices.
- Steps must be taken to ensure that any business associates who have access to PHI agree to the same limitations on its use and disclosure.
- Personnel must be trained in privacy procedures, and a specific individual must be designated as the person responsible for ensuring that the procedures are followed.

Conclusion
It is not a simple matter to decide whether, as an employer and sponsor of a group health plan, you are subject to the provisions of the HIPAA Privacy Rule. It depends primarily upon
whether you receive or generate individual health information that may identify
individual health plan participants. The fact that your plan's insurer is
required to comply does not necessarily let you off the hook. Regulations
provide for penalties of up to $25,000 per violation for every year of
noncompliance, fines up to $250,000, and imprisonment in certain cases of
knowing violations. If you are in doubt as to whether you are a covered entity
and subject to the Privacy Rule, professional advice should be sought. If you
fall under the terms of the rule, take the necessary steps to comply by the
April 14, 2004 deadline.
The Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) provides assistance for compliance with the Privacy Rule. Its Office for Civil Rights HIPAA pages offer guidance, answers to frequently asked questions, and other helpful information.
Suggested language for a Business Associate Contract is available in OCR's Sample Business Associate Contract Provisions.

This information is provided by OnQue Technologies, Inc. for educational purposes only and does not constitute legal advice. If legal advice or other professional assistance is required, the services of a competent professional should be sought.
As seen in Health Insurance Underwriter Magazine

Copyright © 2004 OnQue Technologies, Inc. All Rights Reserved.