Page 1

HIPAA Privacy: Implementing Privacy for Government Health Plans

Roberta M. Ward
Senior Counsel, Privacy Officer
California Department of Health Services

Tuesday, September 16, 2003, 11:00 am to Noon

Page 2

What types of government health plans are covered by the Privacy Rule?

Page 3

Specifically mentioned:
• ERISA employee plans
• HMOs
• Medicare, Parts A and B
• Medicaid
• Employee health benefits plans
• CHAMPUS
• Indian Health Service program
• Federal Employees Health Benefits Program
• State Child Health Plans under Title XXI
• Medicare+Choice Program
• State high risk pools to provide coverage to eligible individuals

Page 4

General Catch-all Category:
• A group plan that provides, or pays the cost of, medical care
• Not equivalent to a "group health plan," which is an employee plan under ERISA
• Comes under 45 CFR 160.103, Health Plan (xvii): "Any other individual or group plan, … that provides or pays for the cost of medical care"

Page 5

Exceptions
• Any policy, plan or program which pays for the cost of excepted benefits listed in 42 U.S.C. 300gg-91(c)(1)
• A government funded program whose principal purpose is other than providing or paying the cost of health care, or
  – whose principal activity is the direct provision of health care, or
  – the making of grants to fund the direct provision of health care

Page 6

Continuing Confusion About Catch-all Category
• "Any other group plan that provides or pays for the cost of medical care"
• "Group plan" is not defined and is not restricted to ERISA plans, which are "group health plans" under the definition at 45 CFR 160.103
• The intent of the Privacy Rule's coverage of government health plans is to be very expansive
• Commenters on the Privacy Rule argued that many government "payment programs" should not be included in the definition of a health plan, such as the AIDS Drug Assistance Program and Breast and Cervical Cancer Screening Programs

Page 7

In the Final Rule, OCR excepts out only government programs that have a principal purpose other than providing or paying for the cost of health care,

or . . .

those which have as their principal activity the direct provision of health care, or the making of grants to fund the direct provision of health care.

Page 8

Specifically Mentioned in Preamble as Excluded:
• WIC Program
• Health care services for INS detainees
• Title X Public Health Service Act grantees for family planning programs

Page 9

"To the extent that a certain benefits plan or program otherwise meets the definition of 'health plan' and is not explicitly excepted, that program or plan is considered a 'health plan' under paragraph (1)(xvii) of the final rule."

"Where a public program meets the definition of 'health plan', the government agency that administers the program is the covered entity."

Preamble to Privacy Rule: 65 Fed. Reg. 82578 (December 28, 2000)

Page 10

Department of Health Services (DHS) is a "hybrid entity" under HIPAA
• A hybrid entity is a single legal entity which contains both covered and non-covered functions
• A hybrid must ensure that the covered health care components of the entity comply with HIPAA, and
• do not disclose PHI to another component of the covered entity when the Privacy Rule would prohibit the disclosure if the health care component and the other component were separate and distinct legal entities

Page 11

Rules for Hybrid Entities
• Employees of a hybrid entity must not use or disclose PHI created or received in the course of work for the covered health care component in a way prohibited by the Privacy Rule when they work for both covered and non-covered components of the hybrid.
• A hybrid must document its designations of covered health care components and must include any component that would meet the definition of a covered entity if it were a separate legal entity.

Page 12

The advantage of being a hybrid entity is that strict HIPAA rules apply only to covered components and their internal business associates.

(Cartoon: "HIPAAsaurus", labelled DHS)

Page 13

DHS Covered Components
• Medi-Cal
• County Medical Services Program (DHS runs program on behalf of counties)
• Children's Treatment Program
• Physicians' Services Contract Back/Emergency Medical Services Appropriation
• Refugee Health Services
• California Children's Services
• Child Health and Disability Prevention Program
• Genetically Handicapped Persons Program
• Medical Therapy Program
• Family PACT
• Newborn & Prenatal Screening
• AIDS Drug Assistance Program
• AIDS Medi-Cal Waiver
• HIV Diagnostic Assay Program
• Cancer Detection—Prostate Cancer
• Breast and Cervical Cancer Detection Program
• Long Term Care – SCAN
• Long Term Care – PACE

Page 14

Federal Preemption
• Federal preemption is when another federal statute or regulation is contrary to and more stringent than the provisions of the Privacy Rule.
• If the federal statute or regulation relating to the privacy of PHI is more stringent in comparison to a standard, requirement or implementation specification of the HIPAA Privacy Rule, the provision of the federal law controls.

Page 15

More Stringent Means:
• With respect to a use or disclosure, the federal law prohibits or restricts a use or disclosure in circumstances where the use or disclosure would be permitted under HIPAA, except for disclosures
  – to the Secretary for determining compliance, or
  – to the individual who is the subject of the PHI; or
• Permits greater rights of access or amendment to the individual who is the subject of the PHI

Page 16

What Does This Mean for the Medicaid Program?
• Medicaid rules on use and disclosure are much more restrictive than HIPAA
• The federal Medicaid statute and regulations restrict the use or disclosure of information concerning applicants and recipients to purposes directly connected with the administration of the state Medicaid program. (Section 1902(a)(7) of the Social Security Act and 42 CFR 431.300 et seq.)
• States are required to have statutes that provide legal safeguards against uses or disclosures of Medicaid information for purposes not directly connected with the administration of Medicaid and which impose sanctions for violations.

Page 17

Purposes directly connected with Medicaid administration are narrowly defined as:

Establishing eligibility, determining the amount of medical assistance, providing services for recipients, and conducting or assisting an investigation, prosecution, or civil or criminal proceeding related to Medicaid program administration.

Page 18

Medicaid agencies must safeguard information about applicants and recipients, including: names and addresses; medical services provided; social and economic conditions or circumstances; agency evaluation of personal information; medical data including diagnosis and past history of disease or disability; any information received for verifying income eligibility and amount of medical assistance; any third party liability information.

Medicaid agencies must inform the court of the restrictions on use and disclosures in response to a subpoena for a case record or for an agency representative to testify concerning an applicant or recipient.

Title XIX

Page 19

Allowable Distributions
• Medicaid agencies may only distribute materials to applicants, recipients, or medical providers which directly relate to the administration of Medicaid.
• Medicaid agencies must not distribute holiday greetings, general public announcements, partisan voting information and alien registration notices.
• Medicaid agencies may distribute materials directly related to the health and welfare of applicants and recipients, such as announcements of free medical examinations, availability of surplus food, and consumer protection information.

Page 20

How do the Medicaid restrictions on use and disclosure intersect with the HIPAA Privacy Rule?

HIPAA permissible disclosures are generally not allowed under Medicaid. The Medicaid agency may not disclose PHI:
– To public health authorities
– To researchers, unless the research is related to operation of the Medicaid program
– In response to a subpoena, unless the subpoena is for a criminal or civil case related to the Medicaid program, such as fraud and abuse
– In response to the beneficiary's own authorization, unless the purpose is directly related to administration of the Medicaid program
– To coroners, medical examiners, and funeral directors
– To law enforcement, unless for a Medicaid fraud investigation or prosecution
– For public safety or security reasons
– In response to a court order, without first informing the court of the restrictive Medicaid rules on use and disclosures

Page 21

What about the right of Medicaid beneficiaries to access their own records?
• Prior to HIPAA, information could only be released to beneficiaries for purposes directly connected with Medicaid operations.
• Post HIPAA, contrary laws may not restrict health plan beneficiaries' rights to access or amend their own records.
• This has been acknowledged in conversations with federal attorneys, but CMS has not issued written guidance.

Page 22

What are the Requirements for a Medicaid Notice of Privacy Practices (NPP)?
• Plain language: short sentences in active voice, common everyday words, material divided into short sections
• Uses and disclosures must reflect the more stringent law, in this case the Medicaid law (45 CFR 164.520(b)(1)(ii)(C)).
• The laundry list of HIPAA permissible disclosures should not be included, as the Medicaid agency is not permitted by law to make these disclosures.
• Should be translated into threshold languages for limited English proficiency beneficiaries
• Should be available in braille or on audiotape for the sight impaired to comply with the ADA

Page 23

NPPs Must be Translated
• Title VI of the Civil Rights Act of 1964 prohibits discrimination on the basis of race, color, or national origin in any program or activity that receives Federal Financial Assistance
• The Office for Civil Rights (OCR) in the Department of Health and Human Services (HHS) has published Guidance to Federal Financial Assistance Recipients Regarding Title VI Prohibition Against National Origin Discrimination Affecting Limited English Proficient (LEP) Persons
• OCR's Guidance requires the translation of written materials which are considered vital documents

Page 24

NPP is a Vital Document
• Vital documents include consent and complaint forms, intake forms, written notices of eligibility criteria, rights, etc.
• HIPAA Notices of Privacy Practices (NPPs) are written notices of rights and thus should be considered "vital documents"
• The Safe Harbor rule is strong evidence of compliance with the recipient's written-translation obligations:
  – The recipient of HHS federal financial assistance must provide written translation of vital documents for each LEP language group that constitutes 5 percent or 1,000 persons, whichever is less, of the population of persons eligible to be served or likely to be affected or encountered by the program or provider

Page 25

Entities Covered by OCR Guidance

Entities covered by the OCR Guidance include any state or local agency, private institution or organization that (1) operates, provides, or engages in health, or social service programs and activities and (2) receives Federal financial assistance from HHS directly or through another covered entity.

Covered entities with LEP obligations include: health care providers; managed care organizations; universities and other entities with health research programs; state, county and local health agencies; State Medicaid agencies.

Page 26

Title VI HIPAA Obligations

The Preamble to the Privacy Rule notes: “(A)ny covered entity that is a recipient of federal financial assistance is generally obligated under Title VI of the Civil Rights Act of 1964 to provide material ordinarily distributed to the public in the primary languages of persons with limited English proficiency in the recipients’ service areas. Specifically, this Title VI obligation provides that, where a significant number or proportion of the population eligible to be served …by a federally assisted program needs service or information in a language other than English in order to be effectively informed of or participate in the program, the recipient shall take reasonable steps, considering the scope of the program and the size and concentration of such population, to provide information in languages appropriate to such persons.” 65 Fed. Reg. 82547 (December 28, 2000)

Page 27

Medi-Cal Threshold Languages

California's Medicaid NPP was translated into 13 threshold languages, including English and Spanish

Page 29

Distribution of NPPs

Health plans must distribute to individuals "covered by the health plan" (enrollees):
• As of the compliance date;
• After the compliance date, at enrollment in the health plan to new enrollees;
• After enrollment, within 60 days of a material revision to the content of the NPP;
• Notify enrollees of the availability of the NPP every three years; and
• Make it available upon request to any person.

Only need to send to the named insured, or head of household, not every dependent

Page 30

Problems in Distributing NPPs
• Challenge with DHS health plans in which there is no stable enrollment, where coverage is episodic, and plans are the payors of last resort
• Patient identifying information is sent to the fiscal intermediary with the claim and is not easily retrievable
• Family PACT program, where adolescents receive family planning services without parental notification

Page 31

Actions Taken by DHS
• DHS asked providers to distribute NPPs for these health plans and preserve documentation of distribution
• The Privacy Rule Preamble allows health plans to arrange for others to distribute NPPs on their behalf, such as health care providers affiliated with the health plan.
• Covered providers are required to distribute only their own NPP. If the other entity fails to distribute the NPP, the health plan may be in violation of the Privacy Rule.

Page 32

Preamble on Distribution by Others

Preamble states: “We require covered providers to distribute only their own notices, and neither require nor prohibit health plans and health care providers from devising whatever arrangements they find suitable to meet the requirements of this rule.” 65 Fed. Reg. 82720 (December 28, 2000)

Page 33

HMOs
• Many state Medicaid programs have contracted out the operations of Medicaid to private HMOs
• California's Medi-Cal program is about 50/50 fee-for-service and managed care
• Issues: Is the managed care organization (MCO) the business associate of the state Medicaid agency?
• What set of rules applies to uses and disclosures of Medicaid PHI by the MCO?

Page 34

Business Associates

A business associate performs a function or activity involving PHI on behalf of a covered entity, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and/or provides management, administrative, or financial services to or for such covered entity

Page 35

What Are MCOs?
• Could argue that MCOs are business associates of state Medicaid agencies
• Would require business associate agreements
• MCOs would be restricted to the same uses and disclosures of PHI as the state Medicaid agency
• The Medicaid agency would assume some liability for privacy breaches of MCOs

Page 36

MCOs Not Medicaid Business Associates

Because MCOs are generally full risk HMOs that are covered entities in their own right and don't like being considered business associates, the prevailing view is that they are not business associates of the state Medicaid agency.

Page 37

MCOs Could be OHCAs
• Could be participants in "Organized Health Care Arrangements" (OHCAs) with the state Medicaid agency if they agree
• An OHCA is an organized system of health care in which more than one covered entity participates and where the covered entities hold themselves out to the public as participating in a joint arrangement and participate in joint health care activities, such as UR, QA, or payment activities

Page 38

Advantages of Being an OHCA
• OHCAs are formed by participating covered entities which share PHI to manage and benefit their common enterprise
• Covered entities in an OHCA can share PHI with each other for the arrangement's joint health care operations
• Covered entities in an OHCA may issue a joint NPP

Page 39

Joint Operation
• The most common interpretation is that MCOs and the state Medicaid agency are jointly operating a government health plan
• Where a public agency is required or authorized by law to administer a health plan jointly with another entity, public or private, OCR considers each agency to be a covered entity
• Examples of joint administration include:
  – State and Federal Medicaid and SCHIP Programs
  – Medicare+Choice Plan and CMS

Page 40

Contractual Obligations of MCOs
• The state Medicaid agency is allowed to limit uses and disclosures of PHI under the MCO contract to only those restrictive uses and disclosures permitted by federal law for the single state Medicaid agency
• The state Medicaid agency can put business associate protections in its contracts with MCOs
• Under the Balanced Budget Act, the state Medicaid agency has an obligation to ensure HIPAA compliance by its MCOs

Page 41

Other State Agencies
• Other state agencies work in partnership with the state Medicaid program to implement certain Medicaid benefits
• An agency that does not administer a program, but which provides services for the program, is not a covered entity
• Parts of these agencies may be a business associate of the state Medicaid program. 65 Fed. Reg. 82578 (December 28, 2000)
• Business associate language may be incorporated into Inter-Agency Agreements or into regulations.

Page 42

Eligibility & Enrollment Exception
• But there is an exception for government agencies that are authorized by law to collect eligibility or enrollment information for covered government health plans.
• These agencies are not considered business associates of the covered government health plans, but the covered entity health plan is allowed to make disclosures of PHI to them. 45 CFR 164.502(e)(1)(ii)(C)

Page 43

Providers are Not BAs

Treating providers which are paid by the health plan are not thereby business associates of the health plan

Page 44

Business Associate Agreements
• Business associate agreements should include timely notification to the covered entity of a breach of security of PHI
• California law requires immediate notification by the contractor of a breach to the covered entity and subsequent notification of persons whose PHI has been acquired by an unauthorized person

Page 45

FI Contracts

Other important provisions in fiscal intermediary business associate agreements:
• Written privacy and security policies, duty to assist in defense
• Time deadlines on the duty to provide access to records and amend records
• Access to internal practices, books and records by the covered entity to audit compliance with privacy

Page 46

Audits
• Medicaid and other government health plans audit and oversee their providers and contracted health plans for compliance with program rules and standards and to discover fraud and abuse
• Several sections of the Privacy Rule may be relied upon to allow the providers or other health plans to disclose the PHI to the auditors
• Disclosure may be required by state laws or regulations (and thus may be a "required by law" permissible disclosure under 45 CFR 164.512(a))

Page 47

Disclosures for Operations
• A covered entity may disclose PHI to another covered entity for health care operations of the entity that receives the information, if each entity has or had a relationship with the individual who is the subject of the PHI, the PHI pertains to the relationship, and the disclosure is for the purpose of health care fraud and abuse detection or compliance. 45 CFR 164.506(c)(4).
• If the disclosure is not required by law, and does not fit into the operations disclosure exception above, then argue that the disclosure is to a health oversight agency

Page 48

Health Oversight

Health oversight agencies are federal, state or local agencies, or their agents, authorized by law to oversee the health care system or government programs in which health information is necessary to determine eligibility or compliance. 45 CFR 164.501.

Page 49

Health Oversight Disclosures
• Covered entities may disclose PHI to health oversight agencies for oversight activities authorized by law, including audits and civil, administrative, or criminal proceedings or actions.
• Auditors are entitled to see records of beneficiaries from other programs or who are private pay, if necessary for health care oversight and auditing
• A covered entity may rely, if such reliance is reasonable, on a requested disclosure as the minimum necessary for the stated purpose when making disclosures to public officials under 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose. 45 CFR 164.514(d)(3)(iii)(A).

Page 50

Administrative Simplification by the Federal Government — Are You Kidding?

Page 51

THE END