HIPAA and Small Group Health Plans


by Judi Newman

The most overlooked and under-addressed group for HIPAA Privacy Rule compliance is 'small group health plans.' Since small health plans normally aren’t a separate entity, the privacy rules apply to the employers that sponsor group health plans. While little has been done for this group, in this document Judi Newman helps you prepare to meet these HIPAA Privacy Rule obligations.

HIPAA defines a 'small' health plan as one with less than $5 million of annual premium for a fully insured plan or less than $5 million of annual claims payments for a self-insured plan. The compliance date for small group health plans is April 14, 2004.

DOES YOUR AGENCY SPONSOR AN EMPLOYEE GROUP HEALTH PLAN?

The HIPAA regulations make it clear that employers themselves are not HIPAA 'covered entities' (CE). However, an employer-sponsored health plan is a CE under HIPAA. Because the employer is involved in the operation and administration of a health plan and could have access to personal health information (PHI), the employer becomes responsible for a number of HIPAA privacy requirements. Most plans will need to be in compliance with the HIPAA Privacy Rule. Depending on how the health plan provides benefits, it could be subject to some — or all — of the privacy rule requirements.

Under HIPAA, covered group health plans include:

  • Medical
  • Dental
  • Vision
  • Chiropractic
  • Pharmacy
  • Behavioral Health

Section 125 plans and Flexible Spending Accounts are also included in the compliance requirements.

DOES YOUR GROUP HEALTH PLAN NEED TO BE IN COMPLIANCE?

All health plans must be in compliance, with one exception: a fully self-insured plan with fewer than 50 participants that’s administered wholly and internally by the employer isn’t considered a 'Covered Entity.'

Each employer must determine what level of compliance to implement. Compliance requirements will differ depending on the amount of PHI the employer wishes to receive.

PROTECTED HEALTH INFORMATION

If the employer/plan sponsor is satisfied with receiving only summary information, then compliance activities are greatly minimized.

If an employer with a fully insured plan wants to receive more than summary information, the plan they sponsor needs to be in full compliance.

HIPAA defines summary health information as information that has been de-identified about individual participants in a Group Health plan. The summary will cover only claims history, expenses, and types of claims experienced by the participants. More specifically, summary health information is claims data with the following specific identifiers removed:

  • Names
  • Street address, but town, state, and ZIP code can remain
  • Telephone numbers
  • Fax numbers
  • Electronic mail addresses
  • Social security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web Universal Resource Locators (URLs)
  • Internet Protocol (IP) address numbers
  • Biometric identifiers, including finger and voice prints
  • Full face photographic images and any comparable images

If the employer wishes the insurance company to provide detailed claims reports that contain any or all of the individual identifiers, this constitutes PHI and steps must be taken to comply with the HIPAA Privacy Rule.

The Group Health Plan documents must be amended if the employer is to use any of the listed identifiers. The employer must also submit written certification that it will follow the requirements in §164.504(f)(1) of the HIPAA Privacy Regulations.

BUSINESS ASSOCIATE AGREEMENTS

A CE can disclose PHI to a business associate to create or receive PHI on its behalf. The CE needs to obtain satisfactory assurance that the business associate will safeguard the information appropriately. The CE must also document this assurance through a fully executed written contract or other written agreement with the business associate.

The fully insured employer sponsored health plan CE must enter into a Business Associate Agreement with its broker/agent and any other entity that would receive PHI. Fully insured health plans aren’t required to enter into a business associate agreement with their insurance carrier or HMO.

Since your group health plan most likely falls into the category described, you need to identify your business associates and make sure that you have signed agreements with all of them. A number of vendors or others might come in contact with your firm. Most of these won’t need access to PHI, but it’s important to identify those that might so that executed agreements are in place. It’s also the obligation of the CE to initiate and maintain security measures to protect PHI from disclosure except as needed to conduct business. Here are some of the entities that could come in contact with unsecured information:

  • Benefits administrator
  • Building Maintenance
  • COBRA vendors
  • Coffee service
  • Computer maintenance
  • Consultants
  • Contract labor
  • New agent
  • Office cleaning service
  • Offsite storage
  • Outside auditor
  • Outside legal
  • Outsourced payroll service
  • Plan vendor insurance carrier
  • Renewal review with current agent
  • Shredding service
  • Telephone service or repair
  • TPAs

PLAN DOCUMENTS

The Group Health Plan documents will need to be modified if any employee of the employer that sponsors the group health plan receives any PHI from the plan, other than eligibility verification and summary health information. One of the requirements for a group health plan to disclose PHI to a plan sponsor is that the plan document provide an 'effective mechanism for resolving issues of noncompliance' by the plan sponsor. See 45 CFR § 164.504(f)(2)(iii)(C).

The relationship defined by HIPAA among the Group Health plan, the plan sponsor, a TPA, and other entities can be confusing. When employees of the plan sponsor perform plan administration duties, their access to the group health plan’s PHI is considered a disclosure of PHI from the Group Health plan to the plan sponsor. When employees of a TPA under contract to the Group Health plan have access to the group health plan’s PHI, this is considered a disclosure of the PHI to the group health plan’s business associate.

A careful review of information received from the TPA is recommended before concluding that the sponsor of a self-funded health plan can forego the HIPAA plan document amendments. This should include both routine reports and occasional information requests. Even in insured experience-rated plans, the plan sponsor may want to reserve the right to review high cost claims or other forms of PHI - and, thus, may want to amend the plan documents to allow these disclosures.

Regardless of the approach, PHI will probably be shared with employers as the plan sponsors and administrators. Compliance dates for documentation and training requirements are the same for all covered entities, including the employee health benefit plan. The date was April 14, 2003, except for small health plans — the majority of the nation’s plans — which have a deadline of April 14, 2004.

An exception is employee health benefit plans that paid less than $5 million in claims and insurance premiums in the most recent full fiscal year. They are considered small health plans and have an extra year to comply with the privacy regulations.

PREPARE FOR HIPAA

Seek advice from the experts on what health plans can do to ensure success in meeting next year's HIPAA compliance deadlines.

  • Tap the knowledge and resources of industry organizations, such as IIABA, PIA, CIAB, and AAHP (the American Association of Health Plans).
  • Participate in local, state, or regional alliances of key stakeholders that focus on universal compliance issues.
  • Develop and implement methods to communicate with employers and employees about what the HIPAA Privacy Rule means to them. Without such efforts, experts suggest a public backlash against HIPAA and the plan may result.
  • Document your compliance intentions with respect to HIPAA security and privacy issues. This should include risk assessments and clearly articulated reasons why specific actions were or were not taken to achieve compliance.
  • Approach the HIPAA Privacy Rule not simply as an information-technology project, but rather as a comprehensive, systemic change that will impact nearly all aspects of the Group Health plan’s business, including processes, training, and culture.
  • Group Health Plan executives should articulate clearly the benefits and challenges of achieving compliance to all members of the firm.

NEWMAN’S SEVEN STEPS TO HIPAA PRIVACY RULE COMPLIANCE

Determine whether your firm’s employee health benefits plan is excluded from HIPAA Privacy Rule compliance. Self-funded, self-administered plans with fewer than 50 participants aren’t required to comply. If not excluded, a plan is a 'covered entity' that must meet the compliance requirements. As the employer with a Group Health plan that’s a 'covered entity,' you need to consider these steps.

    1. Project Organization. Review the requirements of the Privacy Rule and Administrative Simplification Regulation. Conduct awareness training; gain senior management buy-in; select the project leader (it might be the Privacy Compliance Officer and/or Compliance Coordinator); set objectives and expectations.
    2. Readiness Assessment. A readiness assessment reviews three areas of an organization:
      • Contractual Agreements
      • Business Practices, Policies, and Procedures
      • Systems and Applications
    3. Needs Identification. After completing the readiness assessment, you’ll need to identify the needs or gaps for budget, training, and workforce involvement.
    4. New Policies, Procedures, and Agreements. Complete new agreements, privacy notice, procedures, and policies.
    5. Launch Privacy and Security Projects. Conduct meetings, upgrade software where needed, develop training, procedures, and policies, review sanctions, check administrative changes, and update job descriptions. Finalize all necessary agreements.
    6. Implementation. Implement policy changes, new job descriptions, security safeguards, ongoing training, document coordination, and legal issues.
    7. Compliance Maintenance. Conduct ongoing security audits, monitor changes to regulations, and maintain up-to-date legal documents, business associate agreements, plan documentation, and training.

CONCLUSION

I’ve tried to alert agency owners who sponsor Group Health plans about their obligations under the HIPAA Privacy Rule. Remember that if your agency sells Group Health plans, each client with a plan has the same obligation for HIPAA compliance. Consider the value-added service that your agency can provide clients by offering a HIPAA compliance program that’s available through Phaze II Consulting.

Judith H. Newman, president of Phaze II Consulting, Inc., has worked with more than 500 agents nationwide on a variety of consulting projects. Phaze II Consulting owns the Master Agency Manager, a comprehensive and user-friendly agency management resource. The firm provides consulting services to independent insurance agencies on management issues, operations, planning, valuations, and customized projects for individual clients. Phaze II Consulting can advise you on the compliance process for HIPAA and GLB (Gramm-Leach-Bliley). Please contact Judi Newman at (800) 638-0657 or [email protected] for additional information on the HIPAA Compliance Program.

This article is part of the IMMS Library, which contains more than 2451 documents published by industry-leading authors.