HIPAA Compliance for the Non-Health Provider

By Caleb A. Williams

Many of our readers may be familiar with the privacy regulation recently promulgated under the Health Insurance Portability and Accountability Act (“HIPAA”). You may have been asked to sign an acknowledgment form at your doctor’s or dentist’s office regarding their efforts to comply with HIPAA. Compliance by health care providers is most apparent because of the routine interaction we all have with our doctor or dentist. However, HIPAA affects more than just health care providers. Employers who provide or sponsor a health plan for their employees need to address HIPAA, as do those individuals or organizations that do business with health care providers.


Group health plans are covered entities under HIPAA and subject to the same rules as health care providers. HIPAA defines group health plans as: “employee welfare benefit plans, including insured and self-insured plans, to the extent that the plan provides medical care, including items and services paid for as medical care, to employees or their dependents, directly, or through insurance, reimbursement, or otherwise.” As you can see, this definition is broad enough to include both insured and self-insured health plans, and perhaps flexible spending accounts established by an employer for the benefit of its employees.

Fortunately, a number of exceptions will limit or completely eliminate the effort that most employers would otherwise need to take to comply with the HIPAA Privacy Rule. First, group health plans with fewer than fifty (50) participants that are administered by the employer that established and maintains the plan are not considered health plans under the Privacy Rule. Second, health plans that are fully insured and that receive only Summary Health Information, described below, will generally be covered by their insurance company’s HIPAA compliance efforts.

If a fully insured group health plan elects to receive only what is called “Summary Health Information,” it will fall under the insurer’s HIPAA privacy umbrella and will not need to undertake most HIPAA compliance activities. Summary Health Information is “Protected Health Information” that summarizes claims history, claims expenses, or types of claims experienced by enrollees for whom the plan sponsor has provided health benefits under the group health plan. Protected Health Information (“PHI”) is, generally, health information and demographic information that identifies or reasonably could identify an individual. Summary Health Information must be stripped of all information that identifies the individual.

Fully insured health plans that elect to receive only Summary Health Information, and not PHI, must formally document this decision. This documentation can be made in a variety of ways, for example in the plan’s corporate minutes or in the plan documents. Fully insured plans must also modify any of their existing practices that involve a greater use of PHI and retain any amendments to their plan documents for six (6) years.

Those fully insured health plans that have access to PHI must fully comply with the provisions of the Privacy Rule. This includes, among other things, developing and implementing privacy policies and procedures, furnishing a notice of privacy practices to their members, training employees on privacy policies and procedures, and allowing for access to, copying of, and requests for amendment of PHI.

If a group health plan is self-insured, and is not exempted from the definition of group health plan because the plan either has more than fifty participants or is administered by a third party rather than by the employer, then it must fully comply with the requirements of the HIPAA Privacy Rule. The requirements for compliance are complex. If your company is self-insured, give us a call to discuss what steps you must take to comply.

Plan sponsors are not covered entities under HIPAA, and, thus, have no compliance obligation. However, if it is necessary for a plan sponsor to receive PHI from the group health plan, the plan sponsor must amend its plan documents to include certain provisions required by the Privacy Rule. Many insurance companies will provide plan sponsors with sample amendments to the plan documents. If a plan sponsor does not amend its plan documents in accordance with HIPAA, then it may only receive Summary Health Information from the health plan, or the insurer, and then only for the purposes of obtaining bids on the plan’s health insurance coverage, or for modifying, amending, or terminating the health plan.

Your company may act as both a group health plan and a plan sponsor. If so, you need to evaluate the compliance requirements for both roles.

Health plans were to be in compliance with the Privacy Rule by April 14, 2003. However, “small health plans” have until April 14, 2004, in which to comply. A small health plan is defined as a health plan with annual receipts of $5 million or less. For purposes of measuring annual receipts, the Department of Health and Human Services has stated that fully insured health plans should use the total premiums they paid for health insurance benefits during the plan’s last full fiscal year. Self-insured plans, both funded and unfunded, should use the total amount paid for health care claims by the employer, plan sponsor, or benefit fund on behalf of the plan during the plan’s last fiscal year.


Under the HIPAA Privacy Rule, health care providers and other covered entities are required to enter into written agreements with certain individuals or organizations that they do business with to govern the use and disclosure of PHI. Many of our clients have been requested by one of their customers or clients to sign a Business Associate Agreement.

Under the HIPAA Privacy Rule, a Business Associate relationship exists if the individual or organization (a) receives or creates PHI; and (b) conducts work for or on behalf of the covered entity. Both factors must be present in your relationship with the health care provider in order for the provider to request that you execute a Business Associate Agreement. Examples of Business Associates may include: (a) medical transcription firms that provide services to a practice; (b) billing services and collection agencies working on behalf of a practice; (c) financial or operational consultants; and (d) accountants and other advisors.

A Business Associate Agreement will typically require that you give certain assurances to the health care provider regarding PHI, including that you will (a) not use or disclose PHI other than as permitted by the agreement or required by law; (b) use appropriate safeguards to protect the confidentiality of PHI; (c) report to the provider any use or disclosure not permitted by the agreement; and (d) ensure that any of your agents or subcontractors will agree to the same restrictions as those placed on you by the agreement.

If you are requested to execute a Business Associate Agreement by one of your customers or clients, it is important that you carefully consider whether a Business Associate relationship actually exists between you and that customer or client. Our office would be happy to assist you in making that determination.

If you have any questions regarding the HIPAA Privacy Rule and what you may need to do, please do not hesitate to contact our office.