HIPAA’s Privacy and Electronic Transaction Rules: A Practical Overview for Employers
HIPAA was enacted in 1996 to improve health plan “portability and accountability”. HIPAA’s substantive rules concerning pre-existing condition limitations, nondiscrimination based on health status factors, and special enrollment periods have indeed made access to health care easier for many Americans.
In addition to its substantive rules, HIPAA includes “administrative simplification” rules designed to protect the privacy of private medical records and to streamline the health plan communication system. Although HIPAA’s substantive provisions have been in effect for a number of years, the administrative simplification rules are not yet effective.
This outline provides a practical overview, from the point of view of an employer-sponsor of an employee health plan, of the HIPAA privacy and electronic transaction rules. Naturally, his outline and its attachments are not intended to constitute legal advice for any particular situation, but instead are intended to serve as starting points for further discussion.
I. HIPAA’s Privacy Rule
A. When Is It Effective? Health plans that are subject to the privacy rule must be in compliance by April 14, 2003, except for “small health plans”, which much comply by April 14, 2004. A small health plan is one that has less than $5,000,000 in “gross receipts” (for self-funded plans, gross receipts means claims processed; for insured plans, it means (roughly) total premiums paid) for the previous full fiscal year).
B. Who Is Affected? The HIPAA privacy rule applies to virtually all employee health plans, including medical, dental, vision and long term care plans as well as health care Flexible Spending Accounts. However, there is one exception (which, in practice will apply most often to health care FSAs) — a health plan that has fewer than 50 participants is not subject to the privacy rule if that plan is self-administered by the employer (i.e., if no insurer or third party administrator helps to administer the plan). Because health plans (other than health FSAs) with fewer than 50 participants typically are either insured or have contracts with a TPA for administrative services, virtually all medical, dental, vision and long-term care plans will be subject to the HIPAA privacy rule. However, many health FSAs with fewer than 50 participants are actually self-administered and such plans (and any other plan that meets that those requirements) will not be subject to the privacy rule.
C. What is the Impact on Employers and Plans? Although employers are not subject to the privacy rule, “health plans” are. Of course, the concept of a “health plan” as an independent legal person that can take care of its own compliance obligations is essentially a fiction (except in the case of, for example, union multi-employer health and welfare funds which are, in fact, often actual operating businesses). Therefore, most employers are taking the position that they will need to put forth the needed effort to ensure that their “health plans” are in compliance with the privacy rule by the applicable effective date.
D. What is the General HIPAA Privacy Rule? In essence, the HIPAA privacy rule prohibits the use or disclosure of an individual’s identifiable medical records (so-called “PHI” or “Protected Health Information”), without the express, written, advance authorization of that individual.
E. What is the Exception to the General HIPAA Privacy Rule? A health plan may use or disclose PHI to the minimum extent necessary for treatment, payment or health plan operations. This is the crux of the entire HIPAA privacy rule as it impacts employers. That is, unlike the case under pre-HIPAA privacy rule law, employers must stop and think before they use or disclose PHI and make a thoughtful determination that they will be using or disclosing PHI only to the minimum extent necessary for treatment, payment or health care operations (or, alternatively, employers must acquire authorizations). The old days of simply using or disclosing PHI casually whenever the employer thinks it might be helpful will expire when the HIPAA privacy rule becomes effective. (Note that, although the HIPAA privacy rule is not yet effective, many employers and others in the employee health plan business are already “practicing” with this concept.)
F. What Mechanical Steps Must be Taken by Employers? In addition to changing the employer’s mind-set about how PHI may be used or disclosed, the HIPAA privacy rule contains a number of mechanical steps that must be taken by employers. For example, health plans (i.e., acting through their employer-sponsors) must:
1. institute procedures to limit access to PHI;
2. not disclose PHI maintained by the health plan to other parts of the employer that are not involved in the health plan function;
3. designate a “privacy official” to manage and implement the plan’s privacy policies as well as a contact person (who could be the same person) to be responsible for receiving privacy-related complaints;
4. maintain records of disclosure authorizations provided by participants and records of disclosures made pursuant to authorizations;
5. maintain appropriate administrative, technical and physical safeguards to protect the privacy of PHI;
7. implement written policies and procedures to ensure compliance with the HIPAA privacy rule;
8. enter into Business Associate Agreements with Business Associates of the plan;
9. amend plan documents and SPDs to contain required HIPAA privacy language; and
10. provide a required HIPAA privacy notice to participants.
G. What is the Business Associate Agreement Requirement? Although TPAs, brokers, consultants and other businesses that perform services for health plans are not covered directly by the HIPAA privacy rule, health plans are required to impose many of the requirements of the HIPAA privacy rule, through contract restrictions, on these so-called “Business Associates” of the plans. (Note that these health plan Business Associates include not only the expected vendors like TPAs, brokers, consultants, and the like, but also professionals like ERISA counsel and CPAs.)
Fortunately, this requirement is rather easily met merely by the employer causing its health plan to enter into a perfunctory, form Business Associate Agreement, containing language from the HIPAA privacy rule regulations, with its Business Associates.
H. What Documentation Obligations are Imposed on Employers? Employers must amend their health plan governing documents to contain certain language about the HIPAA privacy rule. The required governing plan document language is fairly extensive.
I. What is the HIPAA Privacy Notice? In addition to amending its governing plan document and its SPD, a health plan sponsor must provide a HIPAA Privacy Notice to each plan participant. This Notice is provided: 1. when the participant is first covered by the plan; 2. when any change is made to the plan’s privacy policies and procedures; and 3. once every three years.
Of course, this is yet another arguably unnecessary piece of paper (e.g., the WHCRA Notice, the Initial COBRA Notice, etc.) that employers must provide to their health plan participants, but the penalties for non-compliance should cause employers to take this HIPAA privacy rule requirement, as well as all other HIPAA privacy rule requirements, seriously. (Note that, in the case of fully insured plans, this Notice is provided by the insurer, and not the employer.)
J. What’s the Bottom Line? Employers that sponsor health plan for their employees must take the HIPAA privacy rule seriously. However, as can be seen above, the effort required of employers to ensure that their health plans are compliant with the HIPAA privacy rule are not particularly onerous.
Essentially, these efforts will consist of: 1. adopting the new, post-HIPAA privacy rule mind-set — i.e., “I can’t use or disclose PHI any more, unless I really convince myself that I’m using or disclosing it only to the minimum extent necessary for treatment, payment or health plan operations”; and 2. performing the mechanical steps described above on an appropriately frequent basis and keeping careful records of the employer’s efforts in that regard.
Our experience suggests that employers that have good compliance procedures in place for the other types of legal obligations imposed on their health plans — COBRA would be a good example — will have little trouble satisfying their obligations under the HIPAA privacy rule.
II. HIPAA’s Electronic Transaction Rule
A. When Is It Effective? The HIPAA electronic transaction rule is effective on October 16, 2002, except for “small health plans”, which much comply by October 16, 2003. As with the privacy rule, for electronic transaction rule purposes, a small health plan is one that has less than $5,000,000 in “gross receipts” (for self-funded plans, gross receipts means claims processed; for insured plans, it means (roughly) total premiums paid) for the previous full fiscal year).
B. Who Is Affected? The electronic transaction rule applies to all health plans except “self-administered health plans with fewer than 50 participants” (i.e., small health FSAs), health care providers, and health care clearinghouses.
C. What is the Impact on Employers and Plans. As with the privacy rule, although employers are not subject to the electronic transaction rule, “health plans” are. Because, as noted above, the concept of a “health plan” as an independent legal person that can take care of its own compliance obligations is essentially a fiction (except in the case of, for example, union multi-employer health and welfare funds which are, in fact, often actual operating businesses), as with the privacy rule, most employers are taking the position that they will need to put forth the needed effort to ensure that their “health plans” are in compliance with the electronic transaction rule by the applicable effective date.
D. What is the General HIPAA Electronic Transaction Rule? HIPAA’s electronic transaction rule requires that ten specified types of electronic transactions (more may be added later) be conducted in standard, federally-prescribed code sets and formats. These transactions are sometimes referred to using broad terms such as “enrollment” or “claims” transactions, but in fact they are more limited than those terms might imply. All of the transactions involve the electronic transmission of information between one “covered entity” (a health plan, health care provider or a health care clearinghouse) and another covered entity, or within a covered entity.
Because employers as such — as opposed to the part of the employer that is the “stand-in” for the employer’s health plan — are not subject to the electronic transaction rule, a transaction that involves the employer acting as “employer” (such as the employer providing a list of newly eligible employees to a service provider for its health plan) and not as the “health plan” will not be subject to the rules. As mentioned previously, this distinction between employer and health plan is usually artificial, but it is necessary to keep it in mind in trying to understand when the electronic transaction rules apply and when they do not.
The electronic transactions that are covered by the regulations (but only if they involve transmissions within the health plan or between the health plan and another covered entity) are:
1. Health care claims or equivalent encounter information, which is, roughly, a request for payment transmitted by a provider to a health plan or insurer.
2. Health care payment and remittance advice, which is either (1) the transmission of payment or certain information about payment from a health plan to a provider’s bank or other financial institution or (2) the transmission of either of an explanation of benefits or a remittance advice from a health plan to a health care provider.
3. Coordination of benefits, which is the transmission of claims or payment information from any entity to a health plan for the purpose of determining the relative payment responsibilities of the health plan.
4. Health care claim status, which is the transmission of either an inquiry about the status of a health care claim or a response about the status of a health claim.
5. Enrollment and disenrollment in a health plan, which is the transmission of subscriber enrollment information to a health plan to establish or terminate coverage.
6. Eligibility for a health plan, which is an inquiry from a health care provider to a health plan, or from one health plan to another health plan, about (a) an individual’s eligibility to receive health care under the health plan, (b) the coverage under the health plan, or (c) benefits associated with the plan. A response by the health plan to the health care provider or other health plan is also covered under this transaction.
7. Health plan premium payments, which is the transmission of payment or certain information about payment from the entity that is arranging for the provision of health care or is providing health care coverage payments for an individual to a health plan.
8. Referral certification and authorization, which is (a) a request for the review of health care to obtain an authorization for the health care, or (b) a request to obtain authorization for referring an individual to another health care provider, or (c) a response to either (a) or (b).
9. First report of injury (This transaction has not been defined yet.)
10. Health claims attachments (This transaction has not been defined yet.)
Although virtually all health plans are subject to these rules, many of them do not engage in any of the listed electronic transactions. However, a health plan’s service providers likely will engage in these transactions on behalf of the health plan.
Unfortunately, all health plans are required to conduct a transaction according to the standard forms required by the rules if requested to do so by another party to the transaction. Again, for many health plans, this will have no effect in practice (except upon the plan’s service providers who will be conducting covered transactions on behalf of the plan).
The specific details of the HHS’s electronic transactions regulations are well beyond the scope of this summary. HHS has published a set of “HIPAA Implementation Guides” that include all of the details (approximately 3,000 pages worth). The Guides are available for free download online at http://www.wpc-edi.com/hipaa/HIPAA40.asp.
E. What is the Exception to the Electronic Transaction Rule? Fortunately, the electronic transaction rule applies only if the covered transaction in question is carried out by a covered entity in electronic form. Therefore, the rule can be ignored if the transaction is carried out in paper form (unless another party to the transaction requests that it be handled as a standard). Therefore, many employers are “reverting to the 20th century” and deciding simply to conduct all health plan transactions in paper form in order to enable themselves to ignore the electronic transaction rule (and its 3,000 pages worth of “Guides”). Note that faxes and emails are “electronic transactions” for purposes of the rule, although snail mail and telephone conversations are not. Other employers are putting forth the effort to determine which of their electronic transactions are covered transactions — and preparing to conduct them in the federal code sets and formats — and which are not.
F. What Mechanical Steps Must Be Taken By Employers? Employers lucky enough to never have to carry out a covered electronic transaction, or lucky enough to be able to cease carrying out covered transactions in electronic form before October 16, 2003, may ignore the electronic transaction rule. Employers who must continue to carry out covered health plan transactions must learn the standard federal code sets and formats and begin using them on October 16, 2003.
G. What Agreements Must Employers Enter Into With Their Vendors? Whether or not an employer will carry out covered transactions in electronic form, the employer must require its health plan vendors to enter into contracts specifying that the vendors will follow the federal code sets and formats for any covered transactions that they carry out electronically. Many employers are including this contractual provision in the HIPAA privacy rule Business Associate Agreements they are entering into with their health plan vendors.
H. What’s the Bottom Line? First, every employer that sponsors a large health plan should immediately visit the HHS web site and file a model compliance plan in order to enjoy the delayed October 16, 2003 effective date. Second, every employer needs to enter into written agreements with its health plan vendor under which the vendor agrees to follow the electronic transaction rule with respect to covered transactions that it carries out in electronic form. (For insured health plans, this contractual commitment likely will appear in the insurance contract.)
Also, each employer needs to determine whether it will carry out covered transactions in electronic form after October 15, 2003 (other than through its vendors). If it will, it needs to learn and implement the applicable federal code sets and formats. If it will not, it can ignore the electronic transaction rule, but it needs to train its affected employees not to carry out covered transaction in electronic form after October 15, 2003.