Medical - HIPAA

You have likely heard a great deal about the HIPAA Privacy Rule and how it has had a sweeping effect on the health care industry. Although the Privacy Rule primarily impacts health care providers and insurers, it also affects employers that sponsor group health plans. If you have not done so already, Aetna urges you to consult your professional/legal advisors for guidance on how the Privacy Rule impacts you and what, if anything, you need to do to comply. Although Aetna can’t substitute for your professional advisor’s advice, this Guide highlights some of the issues that you will need to consider in regard to the HIPAA Privacy Rule.

Background on HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress and signed into law in 1996. Until recently, most of the focus on HIPAA has been confined to certain health insurance-related issues. For example, HIPAA addresses limitations on exclusions for pre-existing conditions, availability of health insurance coverage for small employers, and rights of individuals to apply for health coverage when they lose their existing coverage. HIPAA also strengthens federal health care fraud and abuse laws.

Recently, more attention has shifted to Title II, Subtitle F of HIPAA, which deals with Administrative Simplification. Privacy is just one of the five components of Administrative Simplification -- the other components are: Electronic Transactions; Code Sets; Security; and Unique Identifiers. Each of the Administrative Simplification components has its own compliance date. The compliance date for the HIPAA Privacy Rule was April 14, 2003.

Covered Entities
The HIPAA Privacy Rule governs the use and disclosure of Protected Health Information (PHI) by "covered entities." Covered entities are defined as health plans, health care clearinghouses and health care providers who transmit health information electronically. While the Privacy Rule does not directly regulate employers, the requirements apply to "group health plans" that are sponsored by many employers. Covered plans include those providing medical, dental, vision, pharmacy and other medical benefits. Flexible spending accounts also fall within the definition. The Privacy Rule specifically excludes from coverage disability plans, workers' compensation plans and life insurance -- despite potential coverage of medical services.

Protected Health Information
Under HIPAA, Protected Health Information (PHI) is information that:

  • Relates to an individual’s physical or mental health, the provision of health care to the individual, or the payment for the individual’s health care;
  • Identifies, or could reasonably be used to identify, the individual; and
  • Is created or received by a covered entity.

The Privacy Rule covers PHI that is transmitted or maintained in any form or medium (e.g., electronic, paper and oral communications).

Uses and Disclosures
Health plans may use or disclose PHI for purposes of treatment, payment or health care operations without a participant’s consent or authorization. “Payment” is defined as any activity undertaken by a health plan to obtain premiums or fulfill its coverage responsibilities. “Treatment” means the provision, coordination or management of health care and related services. “Health care operations” means administration of health benefits policies or contracts, quality assessment and improvement activities, customer service, disease management, etc. Any allowable use or disclosure must be limited to the “minimum amount necessary” to achieve the stated purpose. Health plans should conduct a survey of their uses and disclosures of PHI to ensure that they comply with the Privacy Rule and adopt appropriate policies.

Participants’ Rights
Group health plan participants and beneficiaries have a right to:

  • Receive a notice explaining their health plan’s privacy policies and practices (the notice must be sent each time the practices change materially);
  • Access their PHI;
  • Request amendments to their PHI;
  • Request an accounting of certain types of disclosures (i.e., those outside the scope of treatment, payment and health care operations); and
  • Request, in certain instances, that PHI be communicated through alternative confidential means or to alternative locations.

Business Associates
Health plans must have a written contract with each “Business Associate” that contains certain prescribed provisions (in essence, the business associate must be required to abide by the use and disclosure limitations in the Privacy Rule). “Business Associates” are persons or entities who perform functions on behalf of a covered entity and either have access to or are reasonably likely to have access to PHI. Health plans have to take action if they become aware of a Business Associate breach (i.e., require the Business Associate to cure the breach, and, failing that, the health plan may have to terminate the contract).

Administrative Requirements
The following tasks must be implemented by “covered entities” in order to be in compliance with the HIPAA Privacy Rule:

  • Appoint a privacy officer;
  • Develop HIPAA-compliant privacy policies and procedures;
  • Implement privacy safeguards;
  • Conduct employee training; and
  • Establish a complaint process.

Impact on Self-Insured Plan Sponsors
There are a variety of HIPAA Privacy Rule issues that must be addressed by self-insured plan sponsors. Summarized below are some of the key issues that deserve special attention because they require coordination between the plan sponsor and their health plan.

  1. Business Associate Agreements. Self-insured plan sponsors will need to enter into “business associate” agreements with all of their service providers who have access to protected health information (“PHI”). The plan sponsor’s claims administrator will be one of the principal business associates. The business associate agreement must contain a number of very specific provisions.
  2. Privacy Notice. Self-insured plan sponsors are required to send a privacy notice to all of their plan participants. Because this notice will, in large measure, be addressing the privacy practices of the claims administrator, self-insured plan sponsors will need to work closely with the administrator in developing the notice.
  3. Participants’ Rights. In addition to the right to receive a privacy notice, plan participants have a series of other rights highlighted previously, including the right of access, amendment, accounting and the right, in certain instances, to have PHI communicated through alternative confidential means. Plan sponsors should coordinate with all parties administering any portion of the designated record set to avoid confusion and ensure that all parties honor all requests in a consistent fashion.
  4. Disclosure of PHI by or for the “Group Health Plan” to the “Plan Sponsor.” The HIPAA Privacy Rule contains detailed and complex requirements for disclosures of PHI by or for the group health plan to the plan sponsor in conjunction with its plan administrative role. These requirements are identified in the Epstein Becker & Green, P.C., Frequently Asked Questions and Answers included in this Guide. There are four aspects to note in particular:
     • “Group Health Plan” vs. “Plan Sponsor.” The regulations force us all to draw a line of demarcation between the “plan sponsor” and the “group health plan.” The outline provides more information on this subject, including why you need to draw the line and why it can be difficult to do.
     • Certification Requirement and Plan Document Amendments. One of the requirements for the disclosure of PHI (other than Summary Health Information for limited purposes and enrollment information) is for the plan sponsor to provide a certification to the group health plan that the plan documents have been amended in a number of respects. It will often be incumbent upon the plan sponsor, as the administrator of its group health plan, to put the necessary compliance measures in place. The employer is also certifying to its group health plan that it will not use the PHI it has access to in its health plan administration role in the context of other benefit plans or in employment-related decisions. The plan documents will need to be amended to contain certain disclosures relating to the data sharing practices with the plan sponsor and the plan sponsor’s use of the PHI. It is important that the plan sponsor coordinate any such amendments to ensure that they correctly describe data sharing.
     • Summary Health Information and Enrollment Information. The foregoing “plan sponsor disclosure” rules contain a limited exemption for certain PHI that qualifies as “Summary Health Information.” This term is defined in the Epstein Becker & Green, P.C., Frequently Asked Questions and Answers included in this Guide. To the extent your organization is relying on this exemption, please note that it is incumbent upon you to verify that the information meets the requirements of the definition and that the information is only being used for purposes of obtaining premium bids or for modifying, amending or terminating the group health plan. There is also an exemption for enrollment information.
  5. Administrative Requirements. Sponsors of self-funded plans will need to comply with some or all of the administrative requirements highlighted above and as set out in Section 530 of the HIPAA Privacy Rule.

Impact on Fully-Insured Plan Sponsors
For plans providing benefits solely through insurers and HMOs the impact of the Privacy Rule is fairly minimal, provided the plan and the plan sponsor do not create or receive any PHI other than “Summary Health Information” received for the purposes described above (e.g., the new standard experience report is considered “Summary Health Information”) or enrollment information. Among other things, plans meeting this definition avoid the need to name a privacy officer, deliver a privacy notice (the insurer will do it for them), create special privacy policies and procedures and train their employees on them. However, plans are urged to consult their professional advisors about how the Privacy Rule might impact them. Note that the burden is substantially greater for insured customers who create or receive PHI, so insurers will generally shield insured customers from any information that is not “Summary Health Information.” You should know that we also do this for state law reasons.

We at Aetna hope you find this information helpful. This information summarizes selected elements of the HIPAA Privacy Rule, but does not include a full statement of these or related regulations. Please remember that this information is not intended as legal advice and that plan sponsors should consult their own professional/legal advisors regarding compliance with the Rule.

If you would like further details or have questions about Aetna’s compliance with the HIPAA Privacy Rule, please contact your Aetna Account Executive or Account Manager. For more information about Aetna, please visit our website at www.aetna.com.