HIPAA Privacy Manual

for

Plan Sponsors and Plan Administrators

Category B: Fully Insured Plans:

Plan Sponsor has limited involvement with PHI

To Our Clients:

I am sure by now you have heard about the Health Insurance Portability and Accountability Act of 1996 (commonly referred to as "HIPAA") and that it will affect health plans – both self-insured and fully insured.

In the nearly five years since HIPAA took effect, we have implemented its requirements for portability (including issuing certificates of creditable coverage and amendment of pre-existing condition limitations and exclusions), nondiscrimination (which affected a plan's ability to have actively-at-work and non-confinement provisions or to treat individuals differently based upon certain health factors) and fraud and abuse.

We now are preparing to comply with HIPAA's four-pronged "administrative simplification" provisions, which will take effect over the next several years. The first of these provisions, the Standards for Privacy of Individually Identifiable Health Information (the "Privacy Standards") will be effective on April 14, 2003, and we have hired consultants with expertise in these matters to ensure that our operations are compliant and to prepare sample materials for your use.

Compliance with the HIPAA Privacy Standards

In general, the Privacy Standards protect each individual's individually identifiable health information (which is called "Protected Health Information" or "PHI") from being used or disclosed by health care providers, plans and clearinghouses (called "Covered Entities") without the individual's express consent or authorization. PHI is health information created or received by a Covered Entity or employer which relates to a person's physical or mental health, provision of health care to that person, or payment for that person's health care. While you, as the employer, are not a Covered Entity, you may have access to PHI by virtue of your position as Plan Administrator (in which you are responsible for the operations of the plan, which is a Covered Entity) and may require that access in your position as Plan Sponsor (in which you are responsible for establishing, amending, funding and terminating the plan). Therefore, the following steps must be taken to comply with the Privacy Standards:

HIPAA only imposes minimal requirements on employers that sponsor fully-insured health plans, but do not create, maintain or receive PHI. These requirements are:

  • A prohibition against intimidating or retaliatory acts against a person who exercises their privacy rights, files a complaint, participates in an investigation, or opposes any improper practice under HIPAA.
  • A prohibition of any requirement that an individual waive their HIPAA rights as a condition of treatment, payment, enrollment or eligibility.

All other HIPAA Privacy Rule requirements are generally imposed on the insurance carrier providing the coverage.

Plan sponsors are still able to conduct typical plan administration activities under HIPAA as long as the activities do not include the use or disclosure of PHI. Plan Sponsors may still have access to information for the following purposes:

  • Receive Summary Health Information for the limited purposes of obtaining premium quotes, modifying, amending, or terminating the plan.
  • Enroll and disenroll participants and make payroll deductions without implementing HIPAA administrative requirements.
  • Assist employees with claims disputes or with understanding their plans as long as the plan sponsor has the required authorization from the individual to obtain the individual’s PHI for that assistance.

If a plan sponsor creates, maintains, or receives PHI, HIPAA imposes the following additional requirements:

  • Provide individuals the rights to review, amend, and receive an accounting of their PHI used or maintained by the plan.
  • Prepare a privacy notice to participants and provide that notice to participants upon request.
  • Implement administrative safeguards to prevent unauthorized use or disclosure of PHI.
  • Amend plan documents to describe authorized uses and disclosure of PHI and implement firewalls to protect PHI.
  • Provide certification to the health plan that plan document and firewall requirements have been implemented.

Authorizations – Attachment 1

For the purpose of assisting an employee or their covered dependents with claims issues or understanding their plan, if that assistance will require that you obtain or disclose any individual’s protected health information, you must obtain an authorization from the individual. In most cases, the insurance company or health plan will have an authorization form for this purpose. If they do not have a form available to you, a model authorization form (Attachment 1) is provided along with instructions for completing the form.

Distribute the Notice of Privacy Practices – Attachment 2

The Plan must distribute the Notice of Privacy Practices to all individuals covered by the plan. A suggested form of Notice of Privacy Practices is attached as Attachment 2.

Amend the Plan Document and Summary Plan Description – Attachment 3

The Privacy Standards require that plans amend their plan documents to provide for adequate separation between the plan and Plan Sponsor, to establish the permitted and required uses and disclosures of PHI by yourself as the Plan Sponsor and, possibly, to condition coverage upon the participant's authorization for certain uses and disclosures of PHI or, alternatively, to authorize the Plan Administrator to provide PHI to stop-loss carriers on behalf of the Plan Sponsor.

Certify Compliance – Attachment 4

Certify that you have taken certain required actions to comply with the Privacy Standards. Included as Attachment 4 is a form of Plan Sponsor Certification.

Establish firewalls and limit employees with access to PHI

Plans must establish safeguards or "firewalls" to prevent access to PHI by employees who are not involved in health plan operations. Basically, you will need to appoint one or more employees (or positions, such as "Human Resource Manager," or classes of employees) to receive, use and safeguard PHI (during enrollment, claims processing and appeals). Each individual with PHI access should be trained to understand the importance of his or her role and to assure that he or she does not disclose PHI to any other employees or for any purpose other than those related to the plan, unless proper authorization has been obtained. If possible, such a person should not be responsible for employment-related decisions, such as hiring, promotions or terminations, or for any other benefit plan, so that PHI is used only for administration of the health plan and not for any other purpose. Further, the plan must examine its offices to determine if any physical changes are needed to safeguard PHI, such as moving a fax machine to an area where only the appropriate personnel can access it.

HEALTH PLAN’S AUTHORIZATION REQUEST TO USE OR DISCLOSE

** YOU MAY REFUSE TO SIGN THIS AUTHORIZATION **

Purpose: This form is used to request an individual’s unconditioned authorization for the Health Plan to use or disclose protected health information for the purpose stated.

SECTION A: Psychotherapy Notes.

Check if this authorization is for psychotherapy notes.

If this authorization is for psychotherapy notes, you must not use it as an authorization for any other type of protected health information.

SECTION B: The Individual from whom this authorization is being requested.

Name:

Address:

Telephone:

E-mail:

Enrollee Number:

SECTION C: Please read and complete the following statements carefully.

No Conditions: This authorization is voluntary. The Health Plan will not condition our payment activities in connection with your claims, your enrollment in the Health Plan or your eligibility for benefits on you giving this authorization.

Purpose of this Authorization: By signing this form, you will authorize the Health Plan to use and/or disclose your protected health information for the following purposes:

Effect of Granting this Authorization: The protected health information described below may be disclosed to and/or received by persons or organizations that are not health plans, covered health care providers or health care clearinghouses subject to federal health information privacy laws. They may further disclose the protected health information, and it may no longer be protected by federal health information privacy laws.

Protected Health Information to Be Used and/or Disclosed: The specific protected health information (including date[s], if applicable) we are asking you to authorize us to use and/or disclose for the purposes stated above is:

Inspection and Copy of the Protected Health Information: You have the right to inspect and/or copy the protected health information described above.

Entities Authorized to Use or Disclose: The persons and/or organizations (or the classes of persons and/or organizations), including the Health Plan, who you are authorizing to make use of and/or to disclose the protected health information described above are:

Entities Authorized to Receive and Use: The persons and/or organizations (or the classes of persons and/or organizations) to whom you are authorizing the Health Plan to disclose and/or let use the protected health information described above are:

SECTION D: Remuneration (check one).

The Health Plan will not receive direct or indirect remuneration from a third party as a result of the use and/or disclosure of the protected health information requested by this authorization.

The Health Plan will receive direct or indirect remuneration from a third party as a result of the use and/or disclosure of the protected health information requested by this authorization.

SECTION E: Expiration and Revocation.

Expiration: This authorization will expire (complete one):

On ____/____/______

On occurrence of the following event (which must relate to the individual or to the purpose of the use and/or disclosure being authorized):

Right to Revoke: I understand that I may revoke this authorization at any time by giving written notice of my revocation to the Contact Office listed below. I understand that revocation of this authorization will not affect any action you took in reliance on this authorization before you received my written notice of revocation.

Contact Office:

Telephone:

Fax:

E-mail:

Address:

SIGNATURE—YOU MAY REFUSE TO SIGN THIS AUTHORIZATION.

I have had full opportunity to read and consider the contents of this authorization. I understand that, by signing this form, I am confirming my authorization that the Health Plan may use and/or disclose to the persons and/or organizations named in this form the protected health information described in this form for the purposes stated in this form.

I understand that, if the persons or organizations I authorize to receive and/or use the protected health information described in this form are not health plans, covered health care providers or health care clearinghouses subject to federal health information privacy laws, they may further disclose the protected health information and it may no longer be protected by federal health information privacy laws.

Signature:

Date:

If this authorization is signed by a personal representative on behalf of the individual, complete the following:

Personal Representative’s Name:

Relationship to Individual:

YOU ARE ENTITLED TO A COPY OF THIS AUTHORIZATION AFTER YOU SIGN IT.

INSTRUCTION SHEET

REGARDING

NOTICE OF PRIVACY PRACTICES

An Individual (as defined in the Privacy Standards, the person who is the subject of protected health information) has a right to receive a Notice of Privacy Practices ("Notice") from a group health plan of the uses and disclosures of protected health information that may be made by the Plan, and of the Individual's rights and the Plan's legal duties with respect to protected health information.

PROVISION OF NOTICE.

The Plan must make the Notice available on request to any person.

The Plan must provide the Notice as follows:

  • No later than the compliance date of April 14, 2003, to Individuals then covered by the Plan;
  • Thereafter, at the time of enrollment, to Individuals who are new enrollees; and
  • Within 60 days of a material revision to the Notice, to Individuals then covered by the Plan.

Additionally, no less frequently than once every three years, the Plan must notify Individuals then covered by the Plan of the availability of the Notice and how to obtain the Notice. The Plan satisfies the requirements of providing the Notice if the Notice is given to the employee when coverage is provided to the employee and one or more dependents.

SPECIFIC REQUIREMENTS FOR ELECTRONIC NOTICE.

If the Plan maintains a web site that provides information about the Plan's customer services or benefits, the Plan must prominently post its Notice on the web site and make the Notice available electronically through the web site.

The Plan may provide the Notice to an Individual by e-mail, if the Individual agrees to electronic notice and such agreement has not been withdrawn. If the Plan knows that the e-mail transmission has failed, a paper copy of the Notice must be provided to the Individual. Any electronic notice must be given within the appropriate timeframe as set forth above.

An Individual who is the recipient of an electronic notice retains the right to obtain a paper copy of the Notice from the Plan upon request.

DOCUMENTATION OF NOTICE.

The Plan must document that it has provided the Notice by retaining copies of the Notice in written or electronic form for six years from the date of its creation or the date when the Notice last was in effect, whichever is later.

REVISIONS TO THE NOTICE.

The Plan promptly must revise and distribute its Notice whenever there is a material change to the uses or disclosures, the Individual's rights, the Plan's legal duties, or other privacy practices stated in the Notice. Except when required by law, a material change to any term of the Notice may not be implemented prior to the effective date of the revised Notice in which such material change is reflected.

JOINT NOTICE WHEN THE PLAN SPONSOR MAINTAINS MORE THAN ONE PLAN.

In the event the Plan Sponsor maintains more than one group health plan, a joint notice may be used for all group health plans, provided that:

  • The Notice is accurate as to the privacy practices of all plans covered by the Notice;
  • The Notice describes the plans covered by the Notice;
  • If applicable, the Notice states that the plans covered by the Notice will share protected health information with each other, as necessary to carry out treatment, payment and health care operations; and
  • All other requirements regarding content and provision of the Notice are met.

NOTICE OF PRIVACY PRACTICES

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

Effective Date of Notice: [Insert date]

This Notice of Privacy Practices ("Notice") is made in compliance with the Standards for Privacy of Individually Identifiable Health Information (the "Privacy Standards") set forth by the U.S. Department of Health and Human Services ("HHS") pursuant to the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA"). The [Insert Name of Plan] (the "Plan") is required by law to take reasonable steps to ensure the privacy of your Protected Health Information ("PHI"), as defined below, and to inform you about:

(1) the Plan's uses and disclosures of PHI;

(2) your privacy rights with respect to your PHI;

(3) the Plan's duties with respect to your PHI;

(4) your right to file a complaint with the Plan and with the Secretary of HHS; and

(5) the person or office to contact for further information about the Plan's privacy practices.

The term "Protected Health Information" (PHI) includes all "Individually Identifiable Health Information" transmitted or maintained by the Plan, regardless of form (oral, written or electronic).

The term "Individually Identifiable Health Information" means information that:

  • Is created or received by a health care provider, health plan, employer or health care clearinghouse;
  • Relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual; and
  • Identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Section 1. Notice of PHI Uses and Disclosures

1.1 Required PHI Disclosures

Upon your request, the Plan is required to give you access to certain PHI to inspect and copy it and to provide you with an accounting of disclosures of PHI made by the Plan. For further information pertaining to your rights in this regard, see Section 2 of this Notice.

The Plan must disclose your PHI when required by the Secretary of HHS to investigate or determine the Plan's compliance with the Privacy Standards.

1.2 Permitted uses and disclosures to carry out treatment, payment and health care operations

The Plan, its business associates, and their agents/subcontractors, if any, will use or disclose PHI without your consent, authorization or opportunity to agree or object, to carry out treatment, payment and health care operations. The Plan will disclose PHI to a business associate only if the Plan receives satisfactory assurance that the business associate will appropriately safeguard the information.