An Employer's Guide to HIPAA Privacy Rules
These new privacy regulations, issued by the Department of Health and Human Services ("HHS") on December 20, 2000, interpret the general privacy standard of HIPAA -- that entities covered by the rules may not use or disclose individually identifiable health information unless either the covered entities have obtained the appropriate form of permission from that patient or the use or disclosure is expressly allowed by HIPAA. They became effective on April 14, 2001, and health plans must comply with the rules by April 14, 2003; small health plans with annual receipts of $5 million or less have one additional year in which to comply -- until April 14, 2004.
Employers, as a whole, are not generally covered under the rules. However, most employers have components such as self-insured health plans they sponsor that are subject to the rules. Such employers are deemed to be "hybrid entities" for purposes of HIPAA. The HIPAA privacy regulations will affect the use and disclosure of protected health information ("PHI") by the health plan component of the employer and the corresponding workforce.
These new rules will require the self-insured health plan component of the employer (i.e., you the employer in your role as plan sponsor) to:
Amend health plan documents to include more than a dozen specific privacy provisions.
Negotiate or revise written contracts with third-party administrators, insurers, HMOs, managed care vendors and other "business associates" to incorporate more than a dozen specific privacy provisions.
Appoint a privacy official who will be responsible for training employees involved in plan administration in handling PHI, and for ensuring that adequate privacy practices and procedures are in place.
Protect participants' right to inspect and copy their PHI, amend the records, file complaints about them and receive an accounting of disclosures of their PHI by the plan other than for "treatment, payment or health care operations."
Obtain detailed authorization from any participant whose PHI is to be used for any purpose other than "payment, treatment, and health care operations."
Separate health plan administration where PHI must be maintained separately from other general corporate functions and even from the administration of other ERISA benefit plans.
These rules apply to all medical records and other individually identifiable health information maintained or disclosed by your health plan. In proposed form, the rules applied only to electronically transmitted information. The final version applies to all information, whether electronic, written or oral.
As if that wasn't enough to get employers' attention, the privacy provisions of the HIPAA statute generally carry significant penalties. Civil penalties range up to $100 per person, per violation, up to $25,000 per year. And criminal penalties apply as well -- up to $50,000 in fines and a year in prison for knowingly disclosing PHI; up to $100,000 in fines and five years in prison if the disclosure is under false pretenses; and up to $250,000 in fines and 10 years in prison if the disclosure is for commercial advantage.
Gardner, Carton and Douglas Note:
The HIPAA privacy rules cover insured plans as well, but compliance responsibilities often fall to health insurers in those cases. Therefore, this Memorandum focuses primarily on the impact these rules will have on self-insured plans and provides insights and guidance for navigating this unfamiliar terrain.
The HIPAA portability rules, which generally took effect in 1997, required plan amendments. However, those changes were not as broad and detailed as those required by the new privacy rules. Under the privacy rules, if you are an employer acting as a plan sponsor, you will have to certify to your own health plan that the plan documents have been amended and that, as the plan sponsor, you agree to abide by the new terms. Employers also will need to identify which employees are acting on behalf of the self-insured health plan and which are performing in other employer functions.
Specifically, the employer, as the plan sponsor, will need to amend plan documents to:
Identify the permitted and required uses and disclosures of PHI.
Require the plan sponsor certification mentioned above.
Prohibit the plan sponsor from using or disclosing PHI other than as permitted or required by the plan documents or as required by law.
Require any agents of the plan who receive PHI to abide by the privacy rules.
Bar plan sponsors from using PHI for employment-related actions or in connection with any of its other benefit plans.
Require the sponsor to report to the plan any improper use or disclosure.
Give participants access to their PHI and enable them to amend it upon request (or be told why their requested amendment was denied).
Provide participants, upon request, an accounting of disclosures of their PHI (other than for treatment, payment or health care operations).
Make available to HHS its internal practices, books, and records relating to the use and disclosure of PHI.
Require the sponsor, once it no longer needs PHI for its intended purpose (e.g., setting plan premiums), to return or destroy all copies of the PHI or, if this is not feasible, to limit further uses and disclosures.
Finally, to ensure separation between the health plan and the plan sponsor's other operations, the plan must: (i) describe which employees will have access to PHI; (ii) restrict this access to plan administration functions; and (iii) provide a way to resolve any violations of the privacy rules by these employees.
The restriction on using PHI for other benefit plans could be significant for employers that, for example, use health plan data to evaluate or design disability plan benefits or that have integrated benefit plans. However, the regulations do permit the health plan to disclose PHI to the extent necessary to comply with workers compensation laws.
Of course, many of these plan document changes could entail substantial revisions to the way a plan currently maintains and protects health information. Currently, for example, health plans probably have no mechanism to provide (and may not even have the data to provide) a participant with a record and explanation of all the disclosures of his or her PHI (other than disclosures for treatment purposes).
Administrative services contracts
For many employers, negotiating detailed administrative services contracts has not been a high priority. But under the new privacy rules, a plan cannot disclose any PHI to any of these "business associates" -- including claims processing and administration firms, utilization review and quality assurance firms, HMOs, managed care providers, billing companies, firms providing data analysis, aggregation, and administration, actuarial firms, legal and accounting firms, accreditation organizations, and firms providing financial services -- without a written contract that:
Establishes permitted and required uses and disclosures of PHI by the business associate.
Permits the business associate to use or disclose PHI for proper management and administration.
Permits the business associate to provide data aggregation services for the plan.
Authorizes termination of the contract in case of a material breach.
Prohibits the business associate from using or disclosing the PHI other than as stated in the contract or as required by law.
Requires the business associate to use appropriate safeguards.
Requires the business associate to report to the plan any use or disclosure of PHI not provided for by its contract.
Requires the business associate to ensure that any agents to whom it provides PHI abide by these privacy rules.
Requires the business associate to give participants access to their PHI, and to amend it upon request (or explain why a requested amendment is denied).
Requires the business associate to make available the information required to provide a participant an accounting of disclosures of his or her PHI (other than disclosures for treatment purposes).
Requires the business associate to make available to HHS its internal practices, books, and records relating to the use and disclosure.
Requires the business associate to destroy all copies of the PHI when the contract terminates or, if this is not feasible, to limit further uses and disclosures.
Although these contract standards may seem burdensome, they may be a useful tool for employers in seeking better protection in services contracts.
Members of the health plan's workforce are not considered business associates when they perform these services. For example, claims administrators employed by the employer sponsoring the health plan will not be considered business associates.
Administrative policies and procedures
Beyond the plan documents and service contracts, the HIPAA privacy rules will require major revisions to the way an employer currently administers its self-insured health plan. Several of the key changes are highlighted below.
Because HHS has no track record in regulating self-insured health plans, it is difficult to predict how aggressively it will enforce the rules.
Privacy official/training. A self-insured health plan will be required to designate a "privacy official" who will be responsible for developing and putting in place HIPAA-required policies and procedures. If the employer is a health care entity that already has a privacy official, that organization could use the same individual to act as the privacy official for its self-insured health plan.
An employer will also be required to provide appropriate training in handling PHI to each employee who performs health plan administration functions. This training must be provided initially by the time the health plan must be in compliance with the HIPAA privacy rules (April 14, 2003, for plans generally or April 14, 2004, for plans with annual receipts under $5 million). An ongoing training program must be in place to address training of new hires or changes in privacy laws.
Participant complaints. Your health plan will also be required to provide a way for participants to file complaints about privacy policies and procedures or your compliance with these policies and procedures. All complaints received and their disposition, if any, must be documented. In addition, your plan may not intimidate, threaten, coerce, discriminate against, or take retaliatory action against: (i) individuals for participating in any process established under the HIPAA rules; or (ii) individuals or others for filing a complaint, testifying, assisting or participating in an investigation, compliance review, or proceeding, or opposing any act or practice prohibited by the HIPAA rules.
The HIPAA privacy rules do not preempt state laws that are more stringent than the federal privacy protections. Many states currently have such laws or may enact them in response to the HIPAA privacy regulations. Because there may be different laws in different jurisdictions, employers with multistate operations should carefully monitor state privacy law developments.
This may represent a major shift for self-insured health plans that were not ordinarily covered by state restrictions due to ERISA preemption.
Consent vs. authorization
The new HIPAA rules create a distinction between obtaining consent and authorization when getting permission to use or release PHI. For payment, treatment, and health care operations, a more generally worded and less restrictive form of permission may be required from a participant (consent). For all other uses or disclosures of PHI, a more comprehensive, specifically worded and restrictive form must be used to obtain permission for use or disclosure of PHI (authorization). Each of these is discussed in more detail below.
Consent -- The new rules require that health care providers obtain an individual's consent prior to using or disclosing PHI to carry out treatment, payment or health care operations. A self-insured health plan may obtain consent, but is not required to do so. A plan may condition enrollment on obtaining consent.
Consent forms, which must be written in plain English and must be signed and dated, must also:
Inform the participant that PHI may be used or disclosed for purposes of payment, treatment and health care operations.
Refer the participant to a complete description of uses and disclosures in the health plan's general privacy notice.
State that the participant may request the health plan to restrict the use or disclosure of PHI and indicate that the health plan may refuse such request.
State that the participant may revoke the consent unless the health plan has taken action in reliance upon that consent.
This consent requirement applies only to uses and disclosures of PHI for payment, treatment and health care operations. The consent may be combined with other legal consents (such as a consent for assignment of benefits) provided that the consent is distinct from any other authorization and has a separate signature and date line.
Authorization. If PHI is going to be used or disclosed for any reasons other than payment, treatment, or health care operations (where no legal exceptions apply), the health plan must obtain authorization. For example, if the employer's disability plan requests information from the health plan about a participant, or if a participant asks that information be disclosed to an outside party, that disclosure would only be permitted if the health plan first obtained a written authorization from that participant. This is true even if the disability plan is only using the information to properly pay disability plan claims. The health plan may not condition treatment, payment, enrollment in a health plan or eligibility for benefits on the individual's signing of an authorization except in specific and limited circumstances.
Rather than maintain authorizations, a health plan could consider using only health information that has gone through an elaborate process of "de-identification" to remove all potentially traceable pieces of information.
Similar to the consent form, an authorization form must meet certain criteria to be valid. Specifically, the form must: be written in plain English; describe the PHI to be used or disclosed; identify to whom the PHI will be disclosed; include an expiration date; include a right to revoke; and indicate that the PHI may be subject to redisclosure by the recipient where such disclosure might not be covered under the privacy statute and regulations.