
Good Company

Matthew J. Lapointe, Shareholder
Phone: 603.627.8172
Fax: 603.641.2329
mlapointe@sheehan.com


Practice Area: Health Care

HIPAA Privacy for Employer Health Plans


Healthcare Review


Tuesday, September 30, 2003



Employer-sponsored health plans are covered entities under the HIPAA Privacy Rule (45 CFR Parts 160 and 164). The Privacy Rule treats the health plan as a separate entity, distinct from the sponsoring employer. In virtually all cases, this is a legal fiction because an employer-sponsored health plan normally exists only as a contractual arrangement evidenced by certain plan documents. Furthermore, it is common for the employees of the sponsoring employer to perform certain functions that are necessary for the administration of the health plan. Consequently, the Privacy Rule permits a health plan (and its insurer or HMO, as applicable) to disclose a participant's protected health information ("PHI") to a plan sponsor if the plan sponsor meets certain requirements.

Fully-insured health plans (that is, plans that provide benefits solely through an insurance or HMO contract) are exempt from many of the Privacy Rule's requirements, provided that the plans receive from the insurer or HMO only enrollment information and limited amounts of PHI known as "summary health information." In practice, however, the employees of the plan sponsor often receive PHI from plan participants when assisting them in navigating the insurance system or advocating on their behalf with insurers or HMOs. In order to maintain the exemptions afforded to a fully-insured plan, an employer should obtain an authorization from the participant before providing such assistance and should establish policies and procedures designed to (1) limit the plan sponsor employees who will provide claims assistance and (2) prohibit the use of PHI for anything other than providing such authorized assistance.

Unlike fully-insured plans, self-funded health plans must comply with a number of provisions of the Privacy Rule. If the plan sponsor has access to the PHI of plan participants, the Privacy Rule requires the sponsor to certify that it has amended the plan documents to ensure that PHI will be used only for plan administration functions performed by the sponsor on behalf of the plan. The amendments must specify the particular administrative functions the sponsor will perform on behalf of the plan, must prohibit the use of PHI for employment-related functions, and must contain the other statements set forth in the Rule. In essence, the amendments must create a "firewall" separating those employees of the plan sponsor who will have access to PHI from those who will not. Once the firewall is established, the employer must (1) communicate to plan participants the identity of the employees inside the firewall, and (2) train supervisors and others outside the firewall to re-route health plan questions to employees inside the firewall. The self-funded health plan must also comply with the administrative requirements of the Privacy Rule, including: appointment of a privacy officer; designation of a contact person to receive privacy-related complaints; establishment of a privacy training program for employees inside the firewall; establishment of policies and procedures for complying with the Privacy Rule; establishment of sanctions for employees who violate those policies and procedures or the Privacy Rule; and entering into business associate agreements with TPAs and contractors, as applicable.

The Privacy Rule's provisions distinguishing "plan administration" functions from "employment" functions lead to some strange results. For example, employees designated as within the firewall will be able to discuss coverage issues with participants, but other employees will not. In addition, medical information kept by the employer to carry out its obligations under the Family and Medical Leave Act, the Americans with Disabilities Act, and similar laws, as well as records regarding occupational injuries, disability insurance eligibility, and fitness-for-duty exams, are employment records rather than PHI and are not protected by the HIPAA Privacy Rule.

If you have a fully-insured plan, compliance should be simple: make sure that your HMO or insurer is not providing you with PHI beyond enrollment information and summary health information.

Self-funded plans have a host of compliance responsibilities and should consider seeking legal assistance. Such employers should first determine which plan administration functions are performed by the plan sponsor and, in particular, which employees perform those functions. Next, legal counsel should review the plan documents and make the appropriate "firewall" amendments. The plan must then document the policies and procedures that the sponsor's employees inside the health plan firewall will follow with respect to the use and disclosure of PHI. The employer will then need to train plan participants to address their health plan questions to the employees inside the firewall, and to train supervisors and other managers to re-direct employees with health plan questions to those same employees. Finally, the employer must take an inventory of the health plan's business associates and prepare appropriate business associate agreements. Self-funded plans with annual receipts of $5 million or less are considered "small health plans" under the Privacy Rule and have until April 14, 2004 to reach full compliance. Now is the time to start.

This article is intended to serve as a summary of the issues outlined herein. While it may include some general guidance, it is not intended as, nor is it a substitute for, legal advice. Your receipt of Good Company or any of its individual articles does not create an attorney-client relationship between you and Sheehan Phinney Bass + Green or the Sheehan Phinney Capitol Group. The opinions expressed in Good Company are those of the authors of the specific articles.

© 2008 Sheehan Phinney Bass + Green PA. All rights reserved.