Hipaa And Group Health Benefit Plans


by Judi Newman

Beginning April 14, 2003, the Health Insurance Portability & Accountability Act (HIPAA) will require many employers, most health insurers, and virtually all health care organizations to meet strict rules on maintaining the privacy of medical information. This is the final document in a series by Judi Newman that explores the impact of HIPAA on the insurance industry.


The vast majority of agencies believe that they’re immune from HIPAA compliance. If you’re among the nonbelievers, then answer this question:

'Does your agency have an employee health benefits plan?'

If your answer is yes, you must determine if the health plan, as a separate entity, is subject to HIPAA compliance. Unless you know for a fact that your plan does not need to be in compliance (few are exempt), it’s time to start your efforts to meet the deadlines.

The Federal HIPAA administrative simplification regulations treat employee health benefits plans as separate legal entities, distinct from their employer sponsors, and most health plans are subject to HIPAA compliance. So, if the plan is the 'covered entity' it’s subject to HIPAA. Depending on how these plans provide their benefits, they might be subject to some, or all, of the administrative simplification regulations.

GROUP HEALTH BENEFIT PLANS

Under the HIPAA privacy regulations, an employee health benefit plan and the employer, as plan sponsor, are considered separate legal entities. This is consistent with the treatment of employee welfare benefit plans under the Employee Retirement Income Security Act (ERISA).

If the plan has 50 or more participants, or if a third party administers it, it’s considered a 'group health plan' under the HIPAA regulations. If the plan meets this definition, it’s considered a 'covered entity' subject to the HIPAA administrative simplification regulations. This includes the regulations on standard transactions and code sets, privacy, and security (once the final security rules are published).

If a group health plan provides all of its benefits through insurance contracts with health insurance companies or HMOs, it does not need to comply with many of the administrative requirements of HIPAA; but it’s still considered a covered entity subject to all other provisions of the regulations. However, if the plan provides any benefits on some other basis, rather than through insurance contracts, it’s subject to all of HIPAA, just as if it were an insurance company.

Since your group health plan is probably a covered entity, you must determine who your business associates might be and make sure that you have signed agreements with all of them. This list identifies many vendors or others that might come in contact with your agency, particularly on premises:

  • Benefits administrator
  • Building Maintenance
  • COBRA vendors
  • Coffee service
  • Computer maintenance
  • Consultants
  • Contract labor
  • New agent
  • Office cleaning service
  • Offsite storage
  • Outside auditor
  • Outside legal
  • Outsourced payroll service
  • Plan vendor insurance carrier
  • Renewal review with current agent
  • Shredding service
  • Telephone service or repair
  • TPAs


PROTECTED HEALTH INFORMATION

Plan documents will need to be modified if any employee of the employer that sponsors the plan receives any protected health information (PHI) from the plan, other than eligibility verification and summary health information. One of the requirements for a group health plan to disclose PHI to a plan sponsor is the plan document, which must provide an 'effective mechanism for resolving issues of noncompliance' by the plan sponsor. See 45 CFR § 164.504(f)(2)(iii)(C).

The relationship defined by HIPAA among the group health plan, the plan sponsor, a third-party administrator (TPA), and other entities can be confusing. When employees of the plan sponsor perform plan administration duties, their access to the group health plan’s PHI is considered a disclosure of PHI from the plan to the plan sponsor. When employees of a TPA under contract to the plan have access to the plan’s PHI, this is considered a disclosure of PHI to the plan’s business associate.

Disclosure of PHI to the plan sponsor is allowed only if the plan documents are amended. There are two exceptions: summary health information and enrollment information.

For HIPAA purposes, summary health information means information about individual participants in a group health plan that summarizes claims history, claims expenses, or type of claims experienced by those participants; and which has been de-identified.

Enrollment information is information that determines whether an individual is participating in the group health plan, or is enrolled in or has been disenrolled from a health insurance issuer or HMO offered by the plan to the plan sponsor.

Few organizations that sponsor a self-funded employee health plan can erect an impermeable barrier between the employer, as plan sponsor, and PHI in the custody of the group health plan — even if a TPA administers the plan.

I’d recommend a careful review of information received from the TPA before concluding that the sponsor of a self-funded health plan can forego the HIPAA plan document amendments. This review should include both routine reports and occasional information requests. Even in insured experience-rated plans, the plan sponsor might want to reserve the right to review high cost claims or other forms of PHI — and, thus, might want to amend the plan documents to allow these disclosures.

Regardless of the approach, PHI will probably need to be shared between employers, as plan sponsors, and those administering the employee health benefit plan. Compliance dates for documentation and training requirements are the same for all covered entities, including the employee health benefit plan. The compliance date is April 14, 2003.

There’s an exception for employee health benefit plans that paid less than $5 million in claims and insurance premiums in the most recent full fiscal year. They’re considered small health plans, which have an extra year (until April 14, 2004) to comply with the privacy regulations.

PREPARING FOR HIPAA

Here’s some advice from the experts on what health plans can do to ensure success in meeting the HIPAA compliance deadlines.

  • Tap the knowledge and resources of such industry organizations as the American Association of Health Plans.
  • Participate in local, state, or regional alliances of key stakeholders to focus on universal compliance issues.
  • Develop and implement methods to communicate with both employers and plan members about what HIPAA will mean for them. Without such efforts, experts suggest a public backlash against HIPAA and the plan might result.
  • Document compliance intentions with respect to the HIPAA security and privacy provisions. This should include risk assessments and clearly articulated reasons why specific actions were or were not taken to achieve compliance.
  • Approach HIPAA not simply as an information-technology project, but as a comprehensive, systemic change that will impact nearly every aspect of the plan’s operation, including processes, training, and culture.
  • Plan executives should clearly articulate the benefits and challenges of achieving compliance to all members of the company.

NEWMAN’S SEVEN STEPS TO HIPAA PRIVACY RULE COMPLIANCE

Determine whether or not your firm’s employee health benefits plan is excluded from HIPAA Privacy Rule compliance. Self-funded, self-administered plans with fewer than 50 participants are not required to comply with the HIPAA administrative simplification regulations. Unless a plan is excluded, it’s a 'covered entity' that must meet the compliance requirements. If that’s the case, you need to consider the following steps:

1. Project Organization

Review the requirements of the Privacy Rule and the Administrative Simplification Regulations; conduct awareness training; get senior management buy-in; select a project leader (or 'Privacy Compliance Officer'); and set objectives and expectations.

2. Readiness Assessment

Review these areas of the organization:

    • Contractual agreements
    • Business practices, policies, and procedures
    • Systems and applications

3. Needs Identification

Identify needs or gaps for budget, training, and workforce involvement.

4. New Policies, Procedures, and Agreements

Complete new agreements, a privacy notice, procedures, and policies.

5. Privacy and Security Projects

Conduct meetings; upgrade software where needed; develop training, procedures, and policies; set sanctions; implement administrative changes; update job descriptions; and complete all necessary agreements.

6. Implementation

Implement policy changes, new job descriptions, security safeguards, ongoing training, documentation coordination, and legal issues.

7. Compliance Maintenance

Conduct ongoing security reviews; monitor changes to regulations; maintain up-to-date legal documents and business associate agreements; maintain plan documentation; and conduct training.

Judith H. Newman is the president of Phaze II Consulting, Inc. (Ft. Myers, FL), a management consulting firm for the insurance industry. Phaze II Consulting is the owner of the Master Agency Manager, an IIABA Best Practices Tool. For more information, call (941) 481-6001, (800) 638-0657, or e-mail [email protected].
