ACT HIPAA & Privacy Supplement
A Companion Resource to ACT’s Report, “Safeguarding Non-Public Personal Information”
An Agents Council for Technology Resource
October 3, 2004
This supplement is not intended to provide specific advice about individual legal, business or other questions. It was prepared for use as a guide, and is not a recommendation that a particular course of action be followed. If specific legal or other expert advice is required or desired, the services of an appropriate, competent professional, such as an attorney or consultant, should be sought.
For a complete discussion of HIPAA’s requirements, please refer to the FAQ “HIPAA Privacy Rule” prepared by IIABA’s Office of the General Counsel which is found at Page 15 of this Supplement. Other materials on compliance with HIPAA are available for IIABA members on the Legal Advocacy page of www.independentagent.com.
Table of Contents
HIPAA Privacy Requirements for “Covered Entities” 1
Managing the HIPAA Compliance Process 3
Impact of HIPAA on Benefits Department’s Procedures 6
HIPAA/Privacy Security Issues 11
Frequently Asked Questions on HIPAA Privacy Rule—IIABA Legal Analysis 15
HIPAA Privacy Requirements for “Covered Entities”
The Health Insurance Portability and Accountability Act (HIPAA or the Act) of 1996 required the Department of Health and Human Services (HHS) to adopt national standards for electronic health care transactions. At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated provisions into HIPAA that mandate the adoption of federal privacy protections for individually identifiable health information.
HHS’s regulations implementing HIPAA set national standards for the protection of health information, as applied to the three types of “covered entities”: health plans, health care clearinghouses, and health care providers (Covered Entities). By April 14, 2003 (April 14, 2004, for small health plans), covered entities were required to implement standards to protect and guard against the misuse of individually identifiable health information (also referred to as protected health information or PHI). Failure to comply may, under certain circumstances, trigger the imposition of civil or criminal penalties. (Small health plans constitute about 75% of the health plans in this country, and are defined as fully insured plans that pay less than $5 million of premium annually, or self-insured plans that spend less than $5 million on claims annually.)
The HIPAA privacy rules regulate how and when a covered entity may use PHI that could identify an individual without first obtaining that individual’s written permission (subject to some prescribed exceptions in which consent is presumed), and require that the PHI then be used only in the manner prescribed by the law.
An employer that sponsors a health plan is not a covered entity per se. However, the employer’s health plan generally is a Covered Entity and must comply with HIPAA. Therefore the employer, as the plan sponsor, must see to it that compliance with the Act occurs.
All health plans need to be compliant with HIPAA. The amount of information the plan wishes to receive determines the plan’s responsibilities. A plan could elect to receive summary information only that does not contain any individually identifiable information. Such a plan would need to appoint a privacy compliance officer to oversee compliance with limited HIPAA responsibilities.
If a plan elects to receive more than summary information, it must take all of the appropriate actions to be in compliance with the Act. The following are some of the privacy provisions required:
· Appoint a privacy compliance officer responsible for ensuring that adequate privacy practices and procedures are in place to comply with the Act.
· Review and amend, if necessary, the plan’s contract with third-party administrators, insurers, HMOs, managed care vendors and other “business associates” to incorporate more than a dozen specific privacy provisions. The plan administrator should be proactive and not rely on the business associate to initiate these changes.
· Provide individuals the opportunity to view and amend their health information. These rights granted by HIPAA are similar to the rights that individuals have to view and amend their credit history under the Federal Fair Credit Reporting Act.
· Establish procedures to obtain consent from any individual whose health information will be used for any purpose other than payment, treatment and health care operations. HIPAA includes rules for both affirmative (opt-in) and negative (opt-out) consent.
· Take steps to ensure that health information will be maintained separate from general corporate functions and even from the administration of other employee benefit plans, such as the company’s disability plan. One of the difficulties that companies must determine is “which hat” they are wearing: their “plan administrator” or their “employer” hat. The distinction is important because in no event may a company use health information obtained in its capacity as plan administrator in making an employment decision.
· Provide notice of an individual’s right to privacy under HIPAA at the time of enrollment and at least once every three years thereafter. The notice must include statements concerning the individual’s rights, the covered entity’s duties, and the types of information uses and disclosures that may be made.
· Although an individual does not have a right under HIPAA to sue the plan sponsor or plan administrator for rule violations, the individual can complain to the U.S. Department of Health and Human Services, Office of Civil Rights and may have the right to sue under state law. In addition, HHS has the authority to impose sanctions. These sanctions include civil and criminal penalties.
Therefore, it is imperative that employers as the plan sponsors and administrators make every effort to thoroughly understand and comply with these new rules.
Managing the HIPAA Compliance Process
Effective HIPAA compliance requires organization-wide implementation. The key to compliance success is to standardize your approach, follow a logical process, and document that process.
Issues that should be considered by whoever is charged with overseeing compliance with the Act include:
· Building initial organizational awareness of HIPAA
· Comprehensive assessment of the organization's policies and procedures
· Developing an action plan with deadlines and timetables
· Developing a technical and management infrastructure to implement the plan
· Implementing a comprehensive action plan, including developing new policies, processes, and procedures
· Implementing agreements where necessary
· Redesigning a compliant technical information infrastructure
· Purchasing new, or adapting current information systems
· Developing new internal communications
· Training and enforcement
Identification and Mitigation of Gaps
Proper identification of gaps (the difference between your present processes and procedures and those required for reasonable administrative, physical and security measures that meet the requirements of HIPAA) provides the basis for determining what needs to be done. If you do not properly identify your gaps, it will be impossible to effectively determine what needs to be done. How do you identify gaps?
1. List all the requirements of HIPAA, its regulations and any additional requirements contained in your Business Associates Agreements
2. Identify the requirements for which you currently have written policies, procedures, and processes
3. Identify what current policies, procedures and processes are in compliance with the requirements
4. Identify what policies, procedures or processes are needed to address the requirements
There are two main ingredients needed for an accurate gap assessment:
· Understanding of your organization’s culture, business processes and technology
· HIPAA subject matter expertise
Without these two ingredients, you cannot accurately identify gaps. Operational knowledge, and involvement of those with this knowledge in the gap assessment, is vital if you are to develop a compliance work plan that will ensure success of your compliance initiative. Those involved in the gap assessment may want to do a physical walkthrough of the entire organization. They also may want to talk to the workforce. It is crucial that the survey responses accurately reflect the business processes of the organization. With regard to the second ingredient, you may either have or need to develop HIPAA subject matter expertise internally or seek assistance from the outside.
Your gap assessment has only one purpose: to provide a “baseline.” This baseline defines your starting point. Now you know where you are in relation to HIPAA compliance. Assemble your decision makers and go through each gap to determine your plan to remain HIPAA compliant, including identification of any changes needed to process or workflows to conform to HIPAA.
Some factors that may affect the potential solutions available to you for any gaps include:
· Available resources in-house
· Perception of the workforce
· Technology capabilities
Keys to success with compliance assessment: analyze your issues and gaps and determine your alternatives. Give this step careful thought. Your work plan and budget result from your assessment and your due diligence results.
Once you know what needs to be done, take action. The people assigned to implement any changes should be empowered to make them work. Make sure the work plan is clear and organized by priority. Make sure you have the time, human and financial resources to execute your plan.
Monitor your agency’s compliance actions to assure you reach “no gap” status. In order to reach a “no gap” status, you may:
1. Review your HIPAA policies and procedures.
2. Educate your workforce on your policies and procedures.
3. Implement the policies and procedures.
4. Audit the compliance process.
Because business processes will change, your technology will change, the practice will change, and incidents may occur, there may always be gaps that need to be addressed. You need to know your status of addressing gaps from an organizational standpoint, departmental standpoint, facility standpoint, and systems and software application standpoint.
When you develop new policies and procedures, they are no good unless your organization knows about and understands them. Create HIPAA compliant policies suitable for your unique organization, and educate employees who are authorized to handle PHI. Education should include an awareness of privacy and information security, training on policies and procedures, and how they will impact operations.
Providing effective HIPAA awareness training sends a clear message to your staff with responsibility in this area. Awareness training can help raise their privacy antenna, and encourage them to begin thinking about potential, practical solutions for their particular responsibilities.
Here are some topics for awareness training to assist in gaining buy-in of your workforce to the administrative, technical, and physical steps that you implement:
· Introduction to terminology specially defined by HIPAA, such as: use, disclosure, individually identifiable health information, PHI, workstation, malicious software, backups, disaster recovery, access, workforce, business associate
· Introduction to HIPAA concepts such as privacy rights, minimum necessary standard, required by law, required standards, organized health care arrangement, Notice of Privacy Practices, incidental disclosures
· Information flow within the organization
· Information flow in to and out of the organization and within the health care industry
· Inherent security risks of electronic information
· Benefits of technology
· Commitment of the organization to respect privacy and safeguard PHI
· Benefits of information security
· Detrimental consequences of unauthorized use and disclosure of PHI
· Reinforcement of the goals of privacy and information security
Audit and Document
When you go through your gap assessment, there will be policies and procedures that are found to be in compliance with the requirements. Compliance can be documented and the requirement can be audited to provide self-certification of compliance with that requirement. Once your modified or new policies and procedures are implemented, an audit can be conducted to verify that the new or revised process meets the policy requirements.
Documenting your HIPAA compliance actions, including addressing gaps, auditing, issue identification, incidents, sanctions, etc., is crucial to being in a position to demonstrate your due diligence in complying with the Act.
If you do not have the resources in house to develop and implement a compliance plan, consider utilizing one or more of the many software tools available to help you manage and document your compliance efforts.
If you need outside HIPAA resources and/or expertise, consider hiring a seasoned consultant to assist you. It may be most effective to go with a firm that has a lot of experience with agency management systems as well as enterprise-wide HIPAA compliance projects. Make sure the firm assigns the person or persons who have the experience. Check their references! This investment can save you money in the long run if you invest wisely.
Impact of HIPAA on Benefits Department’s Procedures
This section contains a useful tool for agencies to use to assess the aspects of their benefits workflows that might be impacted by HIPAA. It includes sample benefits department workflows and emphasizes those workflows that involve exposure to PHI. The day-to-day activities of a benefits department require many exposures to PHI, and therefore several opportunities exist for improper release of this information. Deliberate steps should be taken to protect this PHI. Once again, it is important for agencies to customize these sample workflows to reflect their specific operations and how they specifically handle and safeguard PHI, or to develop their own workflows to assure compliance with the Act.
SAMPLE WORK FLOWS
EMPLOYEE BENEFITS DEPARTMENT
Duties and Responsibilities
(Workflows exposed to PHI are printed in italics and underlined.)
Census Information (New Case or Renewal)
1. Request current census information from employer in Excel format. (Producer)
2. If needed, enter census data in an Excel worksheet, to include name, DOB/age, gender, type of coverage including number of children, and location, if appropriate. Add occupation and salary for life and DI quotes, as needed. (Marketing Coordinator)
3. Gather information regarding health conditions which may impact rates. (Producer)
Quoting Process - Fully Funded (Includes Split Funded)
1. More than 15 days before the appointment with the client, determine which companies should quote and request quote to be prepared. (Producer)
2. Prepare quote status form. (Marketing Coordinator)
3. Prepare standard quote request. (Excel) In most cases book rates will be requested in order to expedite the process, however if health conditions are known and the producer requests it, they should be included in the quote request. Prepare summary of health conditions, if appropriate. (Marketing Coordinator)
4. Submit quote request to insurance company. All quotes will be handled electronically in pdf format. (Marketing Coordinator)
· Enter the census data into an Excel worksheet.
· Run quotes for groups of 2 – 9 persons on-line whenever possible and by e-mail when necessary.
· Hold the files for the 2 – 9 person groups until the quote arrives.
5. Proposals should be received within 10 calendar days. Follow up with insurance company within 24 hours after the due date if quotes not received in a timely basis. (Marketing Coordinator)
6. Review quotes when received for accuracy. Obtain corrections as needed. (Marketing Coordinator)
· Check each quote for census accuracy (all size groups) and the accuracy of quote terms and conditions.
· Notify Producer that all quote data is available
7. Review quote status with Producer. (Marketing Coordinator)
8. Prepare draft summary spreadsheet showing rates provided by carriers within two days of authorization to proceed. (Marketing Coordinator)
9. Producer reviews draft and returns for finalization within two days of receipt. (Producer)
10. Final summary spreadsheet is prepared within two days of receipt. (Marketing Coordinator)
11. Assemble presentation materials no later than one day before presentation. (Marketing Coordinator)
Quoting Process – Self Funded
1. Gather required information for quote. (Producer)
Three Years Rate History
Three Years Claims History
Plan Document or Summary of Benefits
Details of Shock Loss Claims
Type of Stop Loss Contract, i.e. 15/12, 12/12, etc.
Specific Levels and Aggregate Levels
2. Enter the census data into an Excel worksheet, when required. (Marketing Coordinator)
3. Prepare quote request cover letter. (Producer)
4. Submit quote request to insurance company / TPA. All quotes will be handled electronically. (Marketing Coordinator)
5. Proposals should be received within 20 calendar days. Follow up with insurance company / TPA within 24 hours after due date, if quotes not received in a timely basis. (Producer/Marketing Coordinator)
6. Review quotes when received for accuracy. Obtain corrections as needed. (Producer)
· Check the accuracy of the quote census, terms and conditions after they are received from the carrier. (Producer)
7. Prepare draft summary spreadsheet within two days of request, showing rates provided by carriers / TPA. (Marketing Coordinator)
8. Review draft, decide on presentation format and return for finalization within two days of receipt. (Producer)
9. Final summary spreadsheet is prepared within two days of receipt. (Marketing Coordinator)
10. Assemble presentation materials no later than 24 hours before presentation meeting. (Marketing Coordinator)
Preparing Submissions To The Insurance Carriers
1. Obtain signed and dated employer group application. (Producer)
2. Obtain signed Carrier’s Rating & Renewability (Disclosure) Form from client. (Producer)
3. Obtain quarterly state wage and tax statement (UC-7823). (Producer)
4. Obtain a copy of the most recent current carrier billing statement. (Producer)
5. Obtain a check from employer made payable to carrier for first month premium. (Producer)
6. Obtain signed and dated employee enrollment (application) / waiver forms. (Producer)
· Review new enrollee applications in order to identify missing information. (Marketing Coordinator)
· Make list of missing information. (Marketing Coordinator)
· Gather missing information from employer or employee as necessary. (Producer)
7. A copy of the proposal must be included. (Marketing Coordinator)
8. Gather all other materials necessary to meet any carrier specific requirements. (Producer)
· Check submissions to ensure that all required information from the carrier’s list is included. (Marketing Coordinator)
· E-mail submissions. (Marketing Coordinator)
9. Specify to carrier where certificates and ID cards are to be sent. (Producer)
1. Follow-up with carrier within 7 to 10 days regarding underwriting status. (CSR)
2. Gather additional information as required by carriers. (CSR/Producer)
3. Present final offer to client. (Producer)
4. Send acceptance / withdrawal notice to carrier. Request that check be returned, if appropriate. (CSR)
5. Prepare cancellation letter, obtain signature and forward to prior carrier. (CSR/Producer)
6. Follow up regarding approval letter, certificates, ID cards. (CSR) (ID cards have contained PHI in the past.)
· Verify the accuracy of all Certs and ID cards. Scan Certs and ID cards for our files; prepare materials for delivery or mailing as appropriate.
7. Create files for new customers (CSR)
8. Update all files with modifications to current plans. (CSR)
9. Follow-up on countersigned stop-loss contracts and administration agreements on a monthly basis. (CSR)
10. Review and determine if all the information is correct. (Producer)
11. Review files to make sure that all of the necessary documentation is present. (Producer)
12. Enter the account card information in computer. (CSR)
Handling claims questions and concerns from a claimant or employer representative.
1. Listen to caller and identify the problem reported.
2. Request e-mail address.
3. Request additional information as necessary.
4. Inform individual of the potential need for a Patient Release to be signed.
5. Obtain patient release as necessary.
6. Request information from the insurance company (TPA).
7. Obtain additional information from the claimant as necessary. Inform the claimant that if they do not provide the requested information by a certain date, no further action will be taken on the claim. After three unsuccessful requests, inform the employer of the status.
8. Conduct conference calls with claimant and insurance company, as necessary.
9. Continuously document activity and findings in computer.
10. Further investigation may be necessary on some issues such as:
a. unbundling charges
b. Network issues through Provider Relations
c. review of plan document/certificate vs. going to the insurance company
d. procedure codes
11. Assure that the claimant is informed of the process and the time involved. “We’re working on it.” Follow-up should be made within 48 hours.
12. Notice should be provided to producer when appropriate.
13. If the producer receives a claims call, he/she must inform the claimant of the time needed to gather information. “We will get back to you in X days.” “X” is determined by the nature of the problem, normally no more than 48 hours.
14. In all cases where the claimant is told the CSR will get back to them, be sure the CSR is informed of this expectation.
15. If the producer handles the claimant question, he/she must document the activity in the computer.
16. When appropriate, request that the claimant keep us informed when and if the matter is resolved.
17. In the event that it is appropriate to appeal a decision of the insurance company, inform the claimant of the information needed and have him/her contact the doctor or insurance company.
Handling Premium Billing Questions (CSR)
(The bill may contain PHI. If so, it must be handled appropriately.)
1. If the bill has an error, obtain a copy of the bill from the client, the specific issue of concern, what the client believes the correct information should be and why.
2. Request information from the carrier/TPA regarding supporting billing data about the issue in question.
3. Evaluate any differences and work to resolve.
4. Keep the client informed regarding the status of the solution.
Handling Policy Changes (CSR)
1. Determine the desired change.
2. Use modification form or letter from client, on client letterhead, to inform the insurance company.
3. Suspense for 14 days to follow-up on receipt of letter from the insurance company accepting the change.
4. Follow-up on new ID cards and certificates if appropriate. (CSR)
5. Update computer records as needed. (CSR)
Preparing and Maintaining Files
Throughout these workflows, references to computer files assume that non-PHI is kept on the agency management system and PHI in a secure, access-restricted location.
Update computer and files with all new information. (CSR)
· Update computer records (CSR)
· After approval of a new group, set up 7 colored folders in a folder in the computer.
· Prepare labels indicating group name, address, phone number and contact person on each colored folder and file.
· All group information should be placed in the appropriate color coded file.
· All group information should be entered into the computer system.
Setting Up a Group File: (CSR)
1. Prepare a file with the following client information:
· full legal name
· full address
· telephone and fax number
· contact name
· E-mail address
2. Each file inside the folder is labeled with the above information with the following respective color coded system:
· Red – Account Information File This is the Summary of the Account. The account information inside this file should be completed to include all current benefits, probationary period, etc. A summary card should be available for each line of coverage. The Modification of Policy Form should be used in this file as well and stapled on the left side of the account information file. The Modification form is used to record any changes or modifications to the original policy or eligibility requirements, etc.
· Blue – Correspondence File This file includes an ongoing log of any contact with the employer or employees. Each entry should contain the contact date and be initialed. This file also contains any correspondence from the agency, providers, client, etc. PHI, if present, will be referenced in the file but the actual document will be maintained in a secure location.
· Pink – Claim File This file contains any document on claim problems. In the event of a large volume of claims, it may be necessary to have an “active” and “closed” claim file.
· Green – Contract File This file contains a contract of the group. The employer group application and any related group information submitted with the original application is kept in this file along with copies of any change requests. This file contains benefit booklets and contracts (grouped separately for each plan). If the group was obtained with an Agent of Record letter, a copy of the master application should be obtained from the carrier if at all possible. Self Funded plans should have subfolders for contracts, plan documents, amendments, stop loss and administration agreement.
· Orange – Enrollment File This file contains all employee enrollment and change forms in alphabetical order. More than one file may be required for large groups depending on the number of insurers for different lines of coverage.
· Yellow – Rate File This file contains all current and past rates for all coverage with the current rate information kept to the front of the file. Renewal letters with new rate information stapled to them and billing copies should be kept in this file. A copy of the renewal must be added to the file immediately after completion. Remove alternate quotes from the file after the renewal is finalized.
· Purple – Quote File This file contains all present and past quoting information including copies of current and past quote request forms and censuses. When quoting a group, all quotes received should be kept in this file. Upon completion of the quoting process, this file should be cleaned out and any carrier information not used should be purged. Copies of spreadsheets should be kept for three years or as otherwise required by law. Retain quote status forms.
· Manila – Claims Experience File This file contains monthly claim reports. (Based on preference, these reports may be kept in a binder.) If each consecutive report includes the previous months, the previous report can be purged upon receipt of the current report. Note: Year end claim reports should be kept in a binder.
3. All other file folders in the accordion file for subjects such as a 401k plan should be manila and labeled appropriately.
HIPAA/Privacy Security Issues
We will look at four primary areas for addressing security: policy, access, logging, and auditing. While these areas will seem, on the surface, to primarily address electronic systems, they are intended to be broader than that. These areas should be considered for all security aspects, whether it be logging access to workstations, logging access to client folders, or logging guests to your agency.
Step one in working with security issues is to set your security policy. The purpose of this policy is to explicitly define the primary aspects that security should address and how the security policy will evolve over time. One approach to creating and maintaining your security policy is to:
1. Define which person, group of people, or committee at your agency is responsible for setting security policy; what is their charge to identify security issues; and how often do they meet.
2. Define who implements security policy. These may or may not be the same people as the people who set the policy; they could also be different depending on the type of security policy.
3. Define who tracks security policy (audits / logging), the process by which this information is reported, and the timelines for reporting.
4. Define the process by which security holes will be addressed. When a security policy fails (and it will probably fail at some point), you should have a clear process to evaluate why there was a security failure and to document how that security failure will be corrected.
5. After addressing a security failure, set this as the benchmark to re-define the policy. Security policies will develop through the discovery of security holes.
6. Finally, define the process by which violations of security policy are handled.
Your security policy should not treat security as an absolute, but rather as an evolution. Accept the fact that security issues will be raised, and that technology and the environment will change over time. Accept that there is no policy that can address every eventuality. By embracing this, security policy will be defined based on the identification of issues, and you will have set the path for a true Quality Improvement process.
After setting your primary security policy, you will likely have a host of security issues identified already. Some sample policy issues that you may want to address could include the following:
1. Network Firewall: what people have the rights to make changes to the corporate firewall and what approval process is in place.
2. Email: what information is permitted via e-mail. Note that e-mail, unless sent in encrypted form, is not a confidential medium and can be viewed as it passes from server to server on the Internet. Using postal mail or fax provides a more confidential way to transmit private health and other personal information.
3. Paper Records: who has access; how are they secured, and how is access logged.
4. Electronic Records: who has access; how are they secured, and how is access logged.
5. Electronic Devices: types of devices allowed on your network and the security used to protect against unauthorized devices.
6. Staff Internet Access: what types of access do you give to employees to the Internet and what limitations are in place to protect your company.
7. Client Electronic Access: what types of information do you allow your clients to access electronically (web site, email attachments), and how do you protect this information.
8. Passwords: set policy on how passwords are set up, how often they are changed, how they are terminated upon employee departure, and how these passwords should remain secure.
9. Information Access: define staff access as being on a need-to-know basis only and set the document that staff must sign to acknowledge their understanding. Clearly define who has access to what and what limitations there are for access, regardless of whether there are systems to enforce this. This can be part of your employee handbook and a refresher done every year.
Usually when we think of “access to information,” we think of logins and passwords. Clearly logins and passwords are important issues that require policies of their own. Still, as raised earlier, “access” can be as basic as tracking the people who are entering and exiting your building.
In a truly secure agency, no person could access anything that they do not have rights to access. Guests that visit your company would be unable to read documents sitting on desks. Employees would only be able to read and open files that they have rights to access and a need to access.
Note these two major points in information access: rights and need. Your policy should address both points. Strive to set up systems that verify someone has security rights to access particular information, and define the policy so that it states what information each person has the right to view. However, it is also necessary to recognize that just because one has the right to access a certain type of information, it does not mean they have the need to access it. They should also be required to have the need to access that information. If you are the director of information systems at an agency, you likely have the rights to access nearly every piece of information on the servers. However, without a particular issue being raised, it is highly unlikely there would be a need to access that information.
These issues are important not just for access to databases, workstations, and other electronic means. They also are important to any piece of paper, conversation, voicemail or any other corporate information.
The only way to know every piece of information being passed within a company is to log the movement of every person and their actions and conversations. We recognize, however, that this is an unrealistic and unachievable goal. However, depending on your security need, much of what happens within your organization could be logged. The front desk can keep a pad of paper or guest register tracking who exits and enters your organization. Paper records can be in a central location where they need to be logged in and out. Workstations can be set to log their access to the network in a database. External devices can be purchased to monitor packets that travel on your network, and their origination and destination points.
As security issues are raised, it is important to think about how information could be logged better to address those issues. Admittedly, logging can be expensive or even become a productivity-killer. Weigh the need to appropriately track information against the security issues being raised and document that decision-making process through your Quality Improvement review. Perhaps later you will change that decision, but the process by which decisions are made should follow your overall security policy.
With logging comes the ability and need for auditing. While auditing the information we are tracking seems like a no-brainer, it is commonly forgotten.
How many of us have firewalls or other devices that monitor traffic but do nothing with that ability? If you purchase an electronic system that monitors all network traffic, it would be nearly impossible to read and approve every packet being sent. However, a Quality Improvement review could focus on the elements that raised the need for such a device. What security issues presented the requirement for purchasing this device? What auditing reports will be needed to adequately monitor this security concern?
Many of us might already log guests to our company at the front desk. Has anyone historically reviewed these logs?
One approach to consider is setting a policy on the types of security auditing that take place at your company, the timelines that auditing follows, the annual time that auditing takes place, the person(s) to whom that information is given, and how that information is being used. Logging, and then auditing those logs, can be a valuable tool for identifying security issues before they become security problems.
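The "rights versus need" distinction above, and the point that logs are only useful if someone audits them, can be made concrete with a small audit script. The following is an added example written for this supplement, not code from the ACT report or its work group. It assumes a hypothetical access-log format from a file server, a hypothetical front-desk guest register, and constructed staff accounts, roles, client names and issue references; all of the sample data is made up for illustration. It checks each logged access first against an access-rights matrix (does this role have the right to open this category of record?) and then against a register of open issues (is there a documented need?), and separately lists visitors who signed in at the front desk but never signed out.

```python
import re
from collections import namedtuple

# ---- Constructed sample data (illustration only; not from the ACT report) ----

# Access-rights matrix: which record categories each role is entitled to open.
RIGHTS_BY_ROLE = {
    "benefits_csr": {"benefits"},
    "commercial_csr": {"commercial"},
    "it_director": {"benefits", "commercial", "accounting"},
}

# Hypothetical staff accounts and their roles.
ROLE_OF = {"alice": "benefits_csr", "bob": "commercial_csr", "carol": "it_director"}

# Need register: an open, documented issue is what establishes a *need* to open
# a client's records. Keyed by (user, client) -> issue reference.
NEED_REGISTER = {
    ("alice", "ACME-BENEFITS"): "SVC-2004-017",   # enrollment change request
    ("carol", "ACME-BENEFITS"): "IT-2004-088",    # file-restore ticket
}

# Hypothetical access-log format written by the agency's file server.
SAMPLE_ACCESS_LOG = """\
2004-09-14T09:02 user=alice action=open client=ACME-BENEFITS category=benefits
2004-09-14T09:10 user=bob action=open client=ACME-BENEFITS category=benefits
2004-09-14T11:45 user=carol action=open client=ACME-BENEFITS category=benefits
2004-09-14T11:47 user=carol action=open client=BAYSIDE-BENEFITS category=benefits
2004-09-14T12:03 server restarted, log rotated
""".splitlines()

# Hypothetical front-desk guest register: IN/OUT, time, visitor name.
SAMPLE_GUEST_REGISTER = """\
IN  08:55 J. Visitor (carrier rep)
IN  09:30 P. Courier
OUT 09:35 P. Courier
IN  13:10 M. Auditor
OUT 16:45 M. Auditor
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"client=(?P<client>\S+) category=(?P<category>\S+)$"
)
GUEST_RE = re.compile(r"^(?P<dir>IN|OUT)\s+(?P<time>\d\d:\d\d)\s+(?P<name>.+?)\s*$")

Event = namedtuple("Event", "ts user action client category")


def parse_access_log(lines):
    """Return (events, rejected): parsed events plus lines that did not match.
    Lines that do not parse are kept rather than silently dropped, because a
    gap in the log is itself something the audit should report."""
    events, rejected = [], []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(Event(**m.groupdict()))
        elif line.strip():
            rejected.append(line)
    return events, rejected


def audit_access(events, rights_by_role=RIGHTS_BY_ROLE, role_of=ROLE_OF,
                 need_register=NEED_REGISTER):
    """Flag each access that lacks rights, or has rights but no documented need.
    Returns a list of (finding, timestamp, user, client) tuples in log order."""
    findings = []
    for e in events:
        rights = rights_by_role.get(role_of.get(e.user), set())
        if e.category not in rights:
            # Should have been blocked by the system; if it was not, the
            # access-control configuration needs review as well.
            findings.append(("NO_RIGHTS", e.ts, e.user, e.client))
        elif (e.user, e.client) not in need_register:
            # Entitled, but no open issue justified the access.
            findings.append(("NO_NEED", e.ts, e.user, e.client))
    return findings


def still_inside(register_lines):
    """Return visitors who signed in but never signed out, sorted by name."""
    inside = {}
    for line in register_lines:
        m = GUEST_RE.match(line)
        if not m:
            continue
        if m.group("dir") == "IN":
            inside[m.group("name")] = m.group("time")
        else:
            inside.pop(m.group("name"), None)
    return sorted(inside)


if __name__ == "__main__":
    events, rejected = parse_access_log(SAMPLE_ACCESS_LOG)
    for finding in audit_access(events):
        print("ACCESS", *finding)
    for line in rejected:
        print("UNPARSED", line)
    for name in still_inside(SAMPLE_GUEST_REGISTER):
        print("NOT SIGNED OUT", name)
```

On the sample data the script reports one access without rights (a commercial CSR opening a benefits file, which the system should have blocked), one access by the IT director who has rights but no open issue, one unparseable log line, and one visitor who never signed out. The need register is deliberately a separate input from the rights matrix: rights are granted once per role, while need is established per issue, which is the distinction the policy discussion above asks you to preserve.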
This report was prepared by the ACT HIPAA/Privacy Work Group:
Chris Ball, Insource, Inc., Workgroup Chairman
Kay Barrett, IMA Financial Group
Ed Higgins, Thousand Islands Agency
John Higginson, Applied Systems
Johnmichael Monteith, Parker Smith Feek
Judi Newman, Phaze II Consulting
Fred Petters, Maritime Insurance Group
Wayne Sather, Maritime Insurance Group
Bonnie Schaller, Ten Eyck Group
Bob Slocum, The Slocum Agency
Gerri Tillbrook, The Hartford Insurance Group
Angelyn Treutel, Treutel Insurance Agency
Alison Zernik, Brown & Brown
Jeff Yates, ACT Executive Director
Debra Perkins, IIABA Executive Vice President & General Counsel
OFFICE OF THE GENERAL COUNSEL
HIPAA PRIVACY RULE
EFFECTIVE APRIL 14, 2003
These FAQs are not intended to provide specific advice about individual legal, business or other questions. They were prepared solely as a guide, and are not a recommendation that a particular course of action be followed. If specific legal or other expert advice is required or desired, the services of an appropriate, competent professional should be sought.
NOTE: These Frequently Asked Questions and Answers on the HIPAA Privacy Rule were prepared by the Baltimore office of the law firm of Venable, Baetjer, Civiletti & Howard, LLP at the request of IIABA.
May 26, 2003
1. What are the basics of HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) has been called the most important health care legislation since Medicare. HIPAA includes important protections for individuals by governing the use, disclosure and transmission of health care information by health care providers that bill electronically, almost all insurers and health plans, and health care clearinghouses (“Covered Entities”) and third-party entities that do work for them (“Business Associates”).
The heart of HIPAA is the “Privacy Rule.” The goal of the Privacy Rule is laudable -- protect the confidentiality of health care information that can identify individuals (individually identifiable health information or “IIHI”) by limiting its use or disclosure by Covered Entities and others with access to it, and by giving individuals federal rights with respect to their own IIHI (which is called protected health information or “PHI” in the hands of a Covered Entity).
The Privacy Rule provides that PHI can only be used or disclosed by a Covered Entity in connection with the treatment of the individual, payment for either treatment or coverage under a health plan, or some of the Covered Entity’s internal business activities, unless the individual has given specific, time-limited, revocable permission (“authorization”), or as required or permitted by other law. Any other use or disclosure by a Covered Entity violates the law.
2. What am I? Am I a Covered Entity?
As a broker or independent agent, am I a Covered Entity under HIPAA?
It is what you do, not what you call yourself, that determines whether you are directly (i.e., a Covered Entity) or indirectly by contract (a Business Associate) or just indirectly (everybody else) affected by the HIPAA Privacy Rule. Assuming that you are not a health care provider, you could be either a clearinghouse or a health plan, each of which is a Covered Entity, although the normal activities of a broker or independent agent should not rise to the level needed to become either. As explained below, we do not believe that under normal circumstances a broker or independent agent would be a Covered Entity.
Traditional brokerage activities do not amount to the level or type of activity that would make you a health care clearinghouse, but additional or value added services could create a trap for the unwary. A clearinghouse is essentially a translator that takes in health payment information in one format (either paper or electronic) and translates this information into one of the standard electronic transactions that health plans and insurance companies will be required to use after October, 2003. Some of those standard transactions (see Glossary for a list of the standard transactions) involve insurer to insurer or employer to insurer communications, including premium payments, eligibility inquiries and enrollment and disenrollment information.
A Covered Entity must use the standard transactions when communicating electronically with another Covered Entity. However, since you are not a Covered Entity, you will not be required to use the standard transactions in your dealings. It is possible, however, that insurers eventually will want to use the standard formats with everyone. If you engage in any of the standard transactions on behalf of your clients, do not transform the data into or from a standard electronic format. You can receive and send information that does not meet the standard format at either end, or receive and send standardized electronic transactions without becoming a clearinghouse. If, however, you receive data in one format and send it out in the standard electronic format, or vice versa, you will be deemed a clearinghouse and therefore subject to most of the requirements of the Privacy Rule.
You are a Covered Entity if you, alone or in connection with others, act as a “health plan”. A health plan “means an individual or group plan that provides, or pays the cost of, medical care”. 42 USC 1320d(5); 45 CFR 160.103. While you could engage in activities that would make you into a (probably unlicensed) health plan, we expect that your normal activities of arranging for individuals or commercial enterprises to obtain health plan coverage in one form or another would not rise to the level of a “health plan.” The statute lists 16 specific types of health plans and the regulations add one catch-all category. All of the listed health plans clearly and logically “provide or pay the cost of” medical care. Applying logic and the definition of health plan, you are not a health plan when you arrange for one entity to purchase health insurance from an insurer or other health plan.
However, some concern has been voiced because the statute and regulations refer to the definition of “health insurance issuer” from other parts of HIPAA, which defines issuer to mean “an insurance company, insurance service, or insurance organization (including an HMO) that is licensed to engage in the business of insurance in a State and is subject to State law that regulates insurance. Such term does not include a group health plan”. Most of you are licensed as brokers or agents under your state’s insurance law. HIPAA does not define the “business of insurance” and does not otherwise discuss the role of agent or broker in any of the many hundreds of pages in the various preambles to HIPAA. We note that third party administrators fall within the same definition in many states, and the Privacy Rule preamble generally discusses third party administrators as business associates, not health plans. In the absence of any indication that HIPAA intended to enumerate insurance brokers and agents as if they were the health plans they sell to third parties, we do not believe that you will be regarded as a health plan, or a Covered Entity, when you engage in your normal business activities. You do not act as a plan that provides or pays the cost of medical care, and should not fall within the definition of a health plan. Absent extraordinary circumstances, you are not a Covered Entity.
3. Am I a Business Associate of a Covered Entity?
These are really two different questions. The first question is to determine whether you act as a business associate of a company or individual when you assist them in obtaining health care coverage. The second is whether you act as a business associate of the insurer that provides the coverage. If you are employed by an insurance company that offers health insurance, you are a member of the workforce of a Covered Entity and not a business associate. [As used in this memo, health insurance includes health, dental, vision, long term care, medical savings accounts and similar types of insurance. It does not include workers compensation, life, disability, automobile, casualty or similar insurance. See Question 7.]
What is a business associate?
A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of individually identifiable health information on behalf of, or to provide services to, a Covered Entity. Therefore, to make you a business associate and trigger the requirement of a business associate agreement, the first two requirements below must be present, together with either the third or the fourth:
1. The party you contract with must be a Covered Entity under HIPAA. Individuals, employers and plan sponsors are not covered entities when they purchase or obtain health insurance, although the health plan the employer sponsors or funds is. Insurers and HMOs and group health plans are all covered entities;
2. You must receive or create individually identifiable health information (IIHI);
3. You must receive, create or use the IIHI in the course of doing something for the Covered Entity. If you receive the protected health information to do something on your own behalf, you are not a business associate; or
4. You must be providing one of the specified services and the Covered Entity discloses IIHI to you in order for you to provide the services.
Am I a business associate of an individual when I arrange for them to buy health insurance?
NO, because an individual is not a Covered Entity.
Am I a business associate of a company when I represent it to buy health insurance?
PROBABLY, IF you receive IIHI from or on behalf of the company and use it to negotiate the price of the health insurance, or to design it, or otherwise act on their behalf in any situation that involves your receipt of IIHI either from them or from someone else acting on their behalf.
NO, IF you do not receive such information. If you use information that does not reach the level of IIHI, you should not be considered to be a business associate. For instance, IIHI can be “de-identified”, in which case it is not IIHI and your receipt of that information will not make you a business associate. You may receive summary health information, in which case it still may be IIHI (depending on the level of detail) and you would be considered a business associate if you received it from them or from some other business associate of theirs.
One of the most difficult concepts in HIPAA is the difference between an employer or plan sponsor (which is not a Covered Entity) and the plan they sponsor (which is). If all of your dealings and transactions are with or on behalf of the employer/plan sponsor, a business associate agreement should not be required because the employer/plan sponsor is not a Covered Entity.
Am I a business associate of the insurer when I sell their product?
YES, if you receive or use IIHI in the course of your representation. The “Frequently Asked Questions” released in December 2002 by the Office of Civil Rights (OCR) describe the circumstance of an agent representing an insurer, and describe the agent as the insurer’s business associate, in describing the new marketing rules. However, if you do not receive IIHI, you are not a business associate. Please keep in mind that the definition of IIHI is quite expansive, and it includes most summary health information.
4. What is the difference in compliance obligations between a business associate and a Covered Entity?
A Covered Entity is subject to HIPAA. If you are a Covered Entity, by April 14, 2003, you must:
· Develop, post and distribute a Notice of Privacy Practices (“Notice”) that describes what you will do with IIHI and informs individuals about their rights under HIPAA. The method and timing of distribution varies with the type of Covered Entity.
· Appoint your Privacy Officer.
· Develop policies and procedures regulating your use and disclosure of IIHI, and identifying by job description permitted internal and external uses and flow of IIHI.
· Identify and train your workforce members, including unpaid volunteers, with access to IIHI.
· Establish a complaint procedure for individuals.
· Establish and enforce a sanction procedure for violations.
· Implement reasonable technical and physical safeguards for IIHI in your possession or under your control.
· Establish document retention procedures (everything needs to be kept for six years).
· Secure patient records containing IIHI so that they are not readily available to those who do not need them, and adopt policies to guard against having your work force request, use or disclose more than the minimally necessary information needed to accomplish the task for which the IIHI is requested, used or disclosed.
· Honor the individual’s new federal rights to inspect, request an amendment to, and obtain an accounting of unauthorized disclosures of, their own IIHI.
· Identify all of, and review/amend/establish written contracts with, your Business Associates to make them protect IIHI in their possession. The government provided a model contract that you can use.
· If you sponsor a health plan, and want more than very limited IIHI from your health plan, you must amend your Plan to permit and protect such disclosures
A Covered Entity is also liable for its violations of HIPAA. However, a Covered Entity is not liable for the HIPAA violations of its Business Associates, as long as it has a business associate agreement in place and honors its terms. That agreement requires it to terminate the agreement of a non-compliant business associate, or to refuse to send any IIHI to any entity that does not sign a Business Associate agreement.
A Business Associate is not subject to HIPAA, and therefore has only those obligations it assumes under its Business Associate agreement. For instance, a business associate does not have to have a Notice of Privacy Practices, appoint a Privacy Officer, or adopt policies and procedures. It must take reasonable steps to protect the confidentiality of any IIHI in its possession and agree not to disclose any information in a manner not permitted by the agreement. It must also ensure that it can live up to the particular terms of the agreement. The model agreement is posted on the website of the Department of Health and Human Services (“HHS”) Office of Civil Rights (“OCR”), which enforces the Privacy Rule (http://www.os.dhhs.gov/ocr/hipaa/contractprov.html). OCR described the difference in the following terms:
The HIPAA Privacy Rule does not “pass through” its requirements to business associates or otherwise cause business associates to comply with the terms of the Rule. The assurances that covered entities must obtain prior to disclosing protected health information to business associates create a set of contractual obligations far narrower than the provisions of the Rule, to protect information generally and help the Covered Entity comply with its obligations under the Rule.
Business associates, however, are not subject to the requirements of the Privacy Rule, and the Secretary cannot impose civil monetary penalties on a business associate for breach of its business associate contract with the Covered Entity, unless the business associate is itself a Covered Entity. For example, covered entities do not need to ask their business associates to agree to appoint a privacy officer, or develop policies and procedures for use and disclosure of protected health information.
The business associate agreement is a contract, and the business associate may be liable to the Covered Entity for any violations under contract law even though it is not subject to civil penalties under HIPAA. Pay close attention to contract provisions that are not required by HIPAA, but may be added by covered entities. These include indemnity provisions, audit and inspection provisions (other than the right of the Secretary of Health and Human Services to investigate a complaint), the imposition of the obligation to respond to individuals (unless their IIHI is in your possession), and unusual or unilateral mitigation provisions. We strongly recommend that you include a no third party beneficiary clause as well to limit the chance that individuals will bring actions alleging that you have violated the terms of a contract intended to benefit them.
5. Will an agency’s E&O policy cover any HIPAA exposures in connection with a Business Associate Agreement?
We suspect that you will be sent a business associate agreement that contains an indemnity provision (not required) and a mitigation provision (required). Many E & O policies contain a provision that excludes from coverage contractually assumed obligations. We encourage you to discuss with your insurer whether, or when, indemnity provisions will be deemed to fall within this exclusion. Many insurers may take the position that indemnities that increase liability, or only work in one direction, may trigger the exclusion. Remember, the indemnity will not just reduce your coverage – if it applies, your coverage for other acts will remain intact, but your indemnity obligation under the Business Associate agreement may not be covered at all.
6. How is an employer different from a health plan?
As noted above, an employer is not a Covered Entity. IIHI contained in employment records, including Family and Medical Leave Act records, workers compensation records or disability records, is not subject to HIPAA. However, if the employer offers health (including dental, vision, flexible spending accounts and employee assistance programs) insurance to its employees, the Plan (whether fully or self insured) is a Covered Entity. Most plans (even ERISA self insured plans) have no employees and are little more than a legal fiction. Therefore, in any dealings with an employer on behalf of its health plans for its employees, take care in articulating which entity you are dealing with.
7. What are the obligations of each?
The employer has no direct obligations under HIPAA (although other laws protect much of the same type of information in its hands). The Plan has all of the obligations of a Covered Entity. We note that employers who provide coverage through a fully insured health product can substantially reduce their HIPAA obligations compared to self-insured plans (usually managed by a third party administrator). A Plan is not subject to many of the costly Privacy Rule standards if it i) provides health benefits solely through an insurance contract(s) with a health insurance issuer or HMO, and ii) does not create or receive IIHI other than “summary health information” to determine pricing or coverage, or information as to whether an individual participates in the Plan.
To receive any IIHI other than listed above from its Plan (whether fully or self insured), the employer must amend its Plan documents to:
· Describe the permitted uses and disclosures;
· Specify that disclosure is permitted only upon receipt of a certification from the employer that it has amended its Plan and agreed to certain conditions regarding the use and disclosure of PHI;
· Provide adequate separation (the rule’s “firewall”) between the Plan and the employer’s other functions to protect against disclosure; this means organizational and access controls over who may see PHI, not merely a network device;
· Adopt policies and identify and train the classes of employees who will have access to PHI;
· Restrict access solely to the employees identified and only for the functions performed on behalf of the Plan; and
· Provide a mechanism for resolving noncompliance.
8. What types of IIHI are subject to HIPAA, what is not?
IIHI contained in the employment records of an employer from any source other than its health plan is not subject to HIPAA. IIHI contained in any of the legislatively excluded types of insurance products (See Question 9) are not subject to HIPAA. Only IIHI in the possession of a Covered Entity, or in the possession of a Business Associate, is subject to HIPAA. Other laws (federal and state) protect much of the same information, but do not contain the elaborate procedures and limitations found in the Privacy Rule.
9. What types of insurance are not subject to HIPAA? Is long term care insurance covered?
HIPAA specifically excludes from the definition of a “health plan” any policy, plan, or program to the extent that it provides, or pays for the cost of, excepted benefits, which are listed in section 2791(c)(1) of the Public Health Service Act, 42 U.S.C. 300gg-91(c)(1). See 45 CFR 160.103. Excepted benefits include any (or any combination thereof) of the following policies, plans or programs:
· Liability insurance (casualty and property), including general liability insurance and automobile liability insurance.
· Life insurance policies
· Coverage only for accident, or disability income insurance, or any combination thereof.
· Coverage issued as a supplement to liability insurance.
· Workers’ compensation or similar insurance.
· Automobile medical payment insurance.
· Credit-only insurance.
· Coverage for on-site medical clinics
· Other similar insurance coverage, under which benefits for medical care are secondary or incidental to other insurance benefits.
Long term care insurance is covered by HIPAA, but a nursing home fixed indemnity policy is not.
These policies may involve IIHI, but the issuers of these policies do not have to comply with HIPAA, and information in their possession (or in yours when you are acting on their behalf) is not subject to HIPAA. Issuers and brokers of excepted policies may be indirectly affected, because you may need information from health care providers who are Covered Entities to underwrite or manage the policies. Since the providers may be subject to HIPAA, they will require an authorization from the individual whose information is sought to disclose it to you. We note that nothing is required when dealing directly with the patient, but many disclosures are made directly to the issuer or broker, and authorizations will be required in those instances. See Question 10.
10. What type of authorization form must life insurance agents use?
HIPAA requires an “authorization” from the person whose IIHI is being disclosed for any disclosure by a Covered Entity (such as a health care provider) that is not otherwise permitted or required by HIPAA. The basic rule is that disclosures for treatment of the individual, payment (including payment activities of the insurer as well as payment to providers) or the Covered Entity’s internal operations do not require authorization, nor do disclosures required by law or made to the individual themselves. Other disclosures (such as by a physician to an insurer in connection with the physician’s examination of an individual who is seeking to obtain an insurance policy, including a policy for excluded benefits such as a life insurance or disability policy) will generally require the patient’s authorization. Even if you aren’t a Covered Entity, the physician or health care provider probably is, and they cannot release the results of their exam without the individual’s authorization.
If you need such information, you must either get it directly from the individual or get the individual to sign an authorization. The authorization requires more detail than your existing release. A sample authorization is attached.
Generally, a Covered Entity (such as a physician) cannot condition treatment or service on signing an authorization. However, that is not the case when the purpose of the physician’s examination of the individual is to apply for excepted insurance, because the physician’s services are rendered specifically to provide the report to a third party. Similarly, the individual normally has the right to withdraw an authorization at any time. That right cannot be exercised to deprive an insurer of its right to underwrite or defend a policy.
11. Does HIPAA restrict an agency’s ability to market other products to a customer with health insurance?
Generally, a Covered Entity cannot use IIHI for marketing purposes without the express authorization of the individual. There are exceptions. The OCR has noted that:
The HIPAA Privacy Rule excludes from the definition of “marketing,” communications about replacements of, or enhancements to, a health plan. Therefore, notices about changes in deductibles, co-pays and types of coverage, such as prescription drugs, are not marketing. Likewise, a notice to a family warning that a student reaching the age of majority on a parental policy will lose coverage, then offering continuation coverage, would not be considered marketing. Nor are special health care policies such as guaranteed issue products and conversion policies considered marketing. Similarly, notices from a health plan about its long term care benefits would not be considered marketing.
However, you should not mail to insureds under a health plan “promotional material about insurance products that are considered to be ‘excepted benefits,’ such as accident only policies. It would likewise be marketing for health plans to describe other lines of insurance, such as life insurance policies. Generally, such communications require authorizations.”
You can, however, describe anything if you are meeting with the individual face to face:
In the specific case of face-to-face encounters, the HIPAA Privacy Rule allows health plans and their business associates to market both health and non-health insurance products to individuals.
In those circumstances in which you are a business associate of a Covered Entity Insurer, your business associate agreement states that you cannot use or disclose IIHI in any manner that would be prohibited if the Covered Entity used or disclosed the IIHI. This would include the prohibition on marketing without authorization. The sale of IIHI to another entity for its marketing efforts is particularly bad, and could lead to stringent penalties. When you are not a business associate, the Privacy Rule does not apply. You will need to distinguish those circumstances subject to HIPAA from those that are not, particularly when the same insurer issues both covered policies (health, dental, vision, etc.) and excepted policies.
12. Are business associates required to restrict their uses and disclosures to the minimum necessary? May a Covered Entity reasonably rely on a request from a Covered Entity’s business associate as the minimum necessary?
As noted above, a Covered Entity’s contract with a business associate may not authorize the business associate to use or further disclose the information in a manner that would violate the HIPAA Privacy Rule if done by the Covered Entity. See 45 CFR 164.504(e)(2)(i). Thus, a business associate contract must limit the business associate’s uses and disclosures of, as well as requests for, protected health information to be consistent with the Covered Entity’s minimum necessary policies and procedures. If you are acting as a business associate, you can only request, use or disclose the minimum IIHI necessary to do the task at hand. A Covered Entity is permitted to reasonably rely on requests from a business associate of another Covered Entity as the minimum necessary. It is suggested that you conduct some training on this issue if you execute business associate agreements with a Covered Entity, such as an insurer. You could request their minimum necessary policy to serve as a base, particularly if they state in your business associate contract that you must follow their policies.
13. Do I have to provide individuals with access to their protected health information or an accounting of disclosures, or an opportunity to amend protected health information?
YES, if your business associate agreement requires it. The Privacy Rule does not regulate business associates. Covered Entities are responsible for meeting Privacy Rule requirements with respect to individual rights, including the rights of access, amendment, and accounting (45 CFR 164.524, 164.526, and 164.528). With limited exceptions, a Covered Entity is required to provide an individual access to his or her protected health information in a designated record set. This includes information in a “designated record set” of a business associate, unless the information held by the business associate merely duplicates the information maintained by the Covered Entity. The business associate contract must provide that the business associate will make such IIHI available if and when needed by the Covered Entity to provide an individual with access to the information. Review any business associate contract sent to you to see if it requires you to provide access directly to individuals, and if it provides sufficient time to respond to inquiries.
The same analysis applies to the amendment of IIHI in your records (or copies) when requested by the Covered Entity. The business associate contract must provide that you will make information available to the Covered Entity in order for it to fulfill its obligation to the individual to provide an accounting. As with access and amendment, the business associate contract may require you to provide the accounting directly to individuals, and must be carefully reviewed to ascertain the exact duties you are accepting.
14. What happens if I don’t sign the Business Associate agreement?
If one is required, the Covered Entity can no longer use your service.