The April 14, 2004 deadline for the HIPAA Privacy Rule has come and gone. Confusion still reigns about the term “covered entities.” If you've been reading about this rule, you're aware that employers — your agency and your commercial lines clients — are not any of the three exceptions named. So, what exactly must an employer do? Judi Newman reviews the HIPAA requirements and employer responsibilities.
If an employer offers health insurance as an employment benefit and a policy or policies have been issued in the employer's name, then the employer, as the “plan sponsor,” must take certain steps to comply with the HIPAA requirements. HIPAA regulations make it clear that an employer-sponsored health plan, not the employer, is a HIPAA “covered entity.”
Unfortunately, the HIPAA regulations aren't clear in describing the various responsibilities of the different types of “covered entities.” In this article, we're talking about employers and their health plans, not the insurance carrier or HMO.
The employer is usually the plan administrator and fiduciary, and is thus responsible for the compliance process. The extent of this responsibility depends in part on whether the plan is fully insured or self-funded.
In many cases, employers offer a variety of plans, each of which might have different requirements. If the plans include a fully insured health plan, a self-insured dental plan administered by a third-party administrator (TPA), and a medical reimbursement account under a self-funded Section 125 plan, the Privacy Rules might apply differently to each plan.
FULLY INSURED PLANS
Fully insured plans are the most common. If the employer sponsors such a plan, it's a HIPAA “covered entity,” as is the insurance company or HMO that provides coverage. However, the privacy rules, although applying to both, do so differently.
The health insurance carrier may no longer share Protected Health Information (PHI) with the employer unless the employer meets a number of requirements:
- Plan documents must be amended according to a number of criteria contained in the rules;
- Firewalls must be established to restrict access to PHI;
- The employer as plan sponsor must provide written certification that all required steps have been taken and meet the requirements of the rule. According to 45 C.F.R. 164.504(f)(1)(i), “in order to disclose protected health information to the plan sponsor or to provide for or permit the disclosure of protected health information to the plan sponsor by a health insurance issuer or HMO (a group health plan) must ensure that the plan documents restrict uses and disclosures of such information by the plan sponsor consistent with the requirements of this subpart.”
However, HIPAA contains an important provision that allows an employer with a fully insured plan to avoid most of the privacy requirements by sharing two categories of limited or summary data:
- HIPAA allows a health insurance provider to share “Summary Health Information” with the employer for rating, renewal, and plan amendment purposes; and
- HIPAA allows a health insurance provider to share information with the employer for enrollment and dis-enrollment purposes.
LEVEL 1 FULLY INSURED PLAN
If an employer is satisfied with receiving only “Summary Health Information” and enrollment information for the health plan, only a limited number of actions are needed to meet HIPAA Privacy requirements. Summary Health Information is the claims data that the employer receives, with specific individual identifiers removed. Although an employer might be able to “figure out” to whom summary information refers (especially in smaller groups), as long as specified individual identifiers are removed, the data still qualifies as Summary Health Information.
These individual identifiers are:
- Names;
- All geographic subdivisions smaller than five-digit ZIP codes;
- All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, etc.;
- Telephone, fax numbers, and e-mail addresses;
- Social Security numbers;
- Medical record numbers; and
- Health plan beneficiary numbers.
The group health plan, or a health insurance carrier or HMO with respect to the plan, may disclose summary health information to the plan sponsor if the sponsor requests it in order to:
- Obtain premium bids on health plans for providing coverage under the group health plan;
- Modify, amend, or terminate the group health plan; or
- Identify who is participating in the plan, and who has enrolled in or dis-enrolled from a health insurance issuer or HMO offered by the plan.
Employers with a fully insured health plan need to decide whether to limit the information they receive from a health insurance issuer (avoiding most HIPAA Privacy requirements), or to complete the certification process if they want to receive individually identifiable information.