
The HIPAA Privacy Rule And Its Impact On Agents And Employers

Date post: 16-Jan-2016
Upload: benny
Description:
The HIPAA Privacy Rule And Its Impact On Agents And Employers. National Association of Health Underwriters Capitol Conference, March 23, 2003. Joseph T. Holahan, JD, Morris, Manning & Martin, LLP, Washington, DC, 202.408.0705, [email protected].
Transcript
The HIPAA Privacy Rule And Its Impact On Agents And Employers

National Association of Health Underwriters
Capitol Conference
March 23, 2003

Joseph T. Holahan, JD
Morris, Manning & Martin, LLP
Washington, DC
202.408.0705
[email protected]

Road Map

- Overview of the HIPAA Privacy Rule
  - Covered entities and products
  - Compliance deadlines
  - General requirements
- Impact on agents
  - Business associate contract
  - Disclosures to agents by insurers
- Impact on employers

Covered Entities

- Health plans
- Health care providers engaging in standard electronic transactions
- Health care clearinghouses

Health Plans—Provide or Pay Cost of Medical Care

- Health insurance issuers and HMOs
- Issuers of Medicare supplemental policies
- Issuers of long-term care policies (except nursing home fixed-indemnity policies)
- Group health plans (except self-administered with fewer than 50 participants)
- MEWAs
- State high risk pools
- Medicare, Medicare+Choice, CHAMPUS and certain other programs
- Any other individual or group health plan that provides or pays for the cost of medical care

Covered Products

- Major medical
- HMO
- Dental and vision
- Most long-term care
- Medicare supplemental
- Medicare+Choice

Excluded Products

- Life
- Accident only
- Disability income
- Coverage issued as supplement to liability insurance
- Liability insurance, including general liability and auto liability insurance
- Auto medical payment
- Credit-only
- Coverage for on-site medical clinics

Gray Area

- Specified disease
- Hospital indemnity

Compliance Deadlines

- Most health insurance issuers and HMOs and any group health plans—April 14, 2003
- Small health plans (annual receipts of $5 million or less)—April 14, 2004

General Requirements

- Restricts use and disclosure of “protected health information” (PHI) without written authorization
- Minimum necessary standard
- Individual Rights
  - Restrictions on use and disclosure
  - Access
  - Accounting of disclosures
  - Amendment
- Business associate contracts
- Amend group health plan documents in some cases to impose requirements on sponsor

General Requirements, Cont’d.

- Notice of privacy practices
- Administrative requirements, including:
  - Privacy officer
  - Privacy contact office
  - Privacy policies and procedures
  - Training—workforce only

Permitted Uses and Disclosures

- Pursuant to written authorization compliant with HIPAA
- For treatment, payment or health care operations
- To individual or personal representative
- Friend, family member or other person identified by individual with written or oral agreement
- Required by law
  - Regulators
  - Judicial and administrative proceedings
  - Law enforcement
- To “health oversight agency” as authorized by law

Permitted Uses and Disclosures—Health Care Operations

- “Health care operations” include:
  - Activities by or on behalf of health plan relating to the creation, renewal or replacement of a contract for health insurance or health benefits
  - Customer service by or on behalf of health plan

Permitted Uses and Disclosures—“Payment”

- “Payment” includes:
  - Activities by or on behalf of health plan to determine eligibility or coverage
  - Claims management by or on behalf of health plan

Disclosure By Health Plan To Agent

- Payment or health care operations
- Friend, family member or other person identified by individual:
  - PHI directly relevant to person’s involvement in individual’s health care
  - Written or oral “agreement”, opportunity to object and no objection or reasonable inference of no objection based on professional judgment
- Written authorization

Required Uses and Disclosures

- Individual access to PHI
- Secretary of DHHS for investigating covered entity’s compliance

Required Elements of the Business Associate Agreement—Part I

- Establish permitted and required uses and disclosures of PHI by business associate
- May not authorize the business associate to use or disclose information in a way that would violate the Privacy Rule if done by covered entity, with exceptions where necessary for business associate’s management and administration and for data aggregation services

Required Elements of the Business Associate Agreement—Part II

- Provide that the business associate will:
  - Not further use or disclose PHI other than as permitted or required by law
  - Use appropriate safeguards to prevent use or disclosure other than as provided by the agreement
  - If aware of any use or disclosure not provided by the agreement, report it to covered entity
  - Ensure that any agents, including subcontractors, to whom it provides PHI agree to same restrictions

Required Elements of the Business Associate Agreement—Part III

- Provide that the business associate will:
  - Make PHI available for access by the individual
  - Make PHI available for amendment and incorporate any amendments
  - Make PHI available to provide an accounting of disclosures
  - Make its internal practices, books, and records available to DHHS for investigating covered entity’s compliance

Required Elements of the Business Associate Agreement—Part IV

- At termination of contract, if feasible, return or destroy all PHI received from covered entity or created or received on behalf of covered entity and retain no copies.
- If return or destruction not feasible, extend protections of contract to information retained and limit use and disclosure to purposes for which information must be retained.

Permitted Elements of the Business Associate Agreement

- May permit the business associate to use and disclose PHI as necessary for:
  - Management and administration of its business; and
  - To carry out its legal responsibilities
- But unless disclosure required by law, business associate must obtain “reasonable assurances” from person to whom PHI is disclosed that:
  - PHI will be held confidentially;
  - PHI will be further disclosed only as required by law or for purpose for which it was disclosed to the person; and
  - Person will notify business associate of any known breach of confidentiality

Breach of Business Associate Contract—Required Action By Covered Entity

- Take reasonable steps to cure the breach
- If unsuccessful, terminate contract if feasible
- If termination not feasible, report problem to DHHS
- To extent practicable, mitigate any known harm from violation

Group Health Plans

- Self-insured plans—all of the Privacy Rule’s provisions apply, including:
  - Provide privacy notice
  - Implement policies and procedures
  - Train workforce
- Plans offering flexible savings accounts—may need to treat as a self-insured plan
- Insured plans—depends on how much PHI created or received from issuer or HMO

Insured Group Health Plans

- If group health plan creates or receives only “summary PHI” and information about whether individual has enrolled or disenrolled, duties greatly reduced—for example:
  - No notice required
  - No need for written policies and procedures
  - No training required
- If group health plan creates or receives other PHI, then:
  - Must maintain notice and provide on request
  - All other requirements of Privacy Rule apply

Plan Sponsor

- No requirements, if plan sponsor only receives:
  - “Summary PHI” for purpose of obtaining premium bids or modifying, amending or terminating plan;
  - Information on whether individual has enrolled or disenrolled; or
  - PHI disclosed pursuant to a written authorization
- If sponsor receives other PHI, must amend plan documents and group health plan must receive written certification of amendment and give notice

Amendment of Group Health Plan Documents

- Much like business associate contract, with added provisions
- Not use or disclose PHI for employment-related actions and decisions
- Not use or disclose PHI in connection with any other benefit or employee benefit plan of sponsor
- Ensure “adequate separation” between group health plan and sponsor

“Adequate Separation”

- Describe employees or classes of employees and other persons under control of plan sponsor with access to PHI
- Restrict access to and use of PHI by employees and other persons to plan administration functions
- Provide effective mechanism for resolving issues of noncompliance by employees and persons with access to PHI
