HIPAA Advisory Bulletin
HIPAA Update
- Compliance for Small Group Health Plans
- Business Associate Contracts
- National Provider Identifiers
By Jason T. Froggatt, Rebecca L. Williams, Paul T. Smith and Robyn Todd
[April 2004]
April brings two HIPAA compliance deadlines. April 14 is the privacy
compliance date for small group health plans--those with “receipts”
of less than $5 million for the last plan year. It is also the last
date for covered entities to enter into business associate agreements
with contractors who receive or create health information. This
update contains some suggestions for small group health plans, and
some lessons learned from the past year of business associate contracting.
We also include a summary of the final regulation on national provider
identifiers that was published recently.
COMPLIANCE FOR SMALL GROUP HEALTH PLANS
Information—and misinformation—has swirled around HIPAA
privacy compliance since the regulations first were proposed in
1999. Small group health plans can learn much from the compliance
experiences of their larger counterparts, which were required to
comply a year ago.
For employers sponsoring small group health plans, the following
three steps will assist in determining what you need to do to make
sure your group health plans are compliant with the HIPAA privacy
requirements:
1. Are You Excluded as a Small Self-Administered Plan?
HIPAA privacy regulations create an exclusion for group health
plans that have fewer than 50 participants and are administered
by the employer that established and maintains the plan. Both
requirements must be met—plans that use third-party
administrators are covered by HIPAA, even if they have fewer
than 50 participants. Plans that designate the employer as
plan administrator, but receive administrative services (such
as claims adjudication) from third parties likely are not
“self-administered” either. However, a self-administered
health flexible spending account program or medical reimbursement
arrangement may fall within this exclusion even if the employer’s
medical and dental plans do not.
2. Do You Sponsor Any Insured Plans That Receive Only Limited Health Information?
The second step in compliance is to determine whether any
of your plans fall within the so-called “fully insured”
exception. Although all group health plans are covered entities
under HIPAA (except for the limited exclusion described above),
group health plans that are fully insured have only minimal
compliance obligations, as long as they receive no health
information other than enrollment and disenrollment information
or summary health information for the purposes of obtaining
premium bids, or amending or terminating the plan. Such plans
do not have to comply with the use and disclosure rules, do
not have to provide for individual rights, and do not have
to satisfy the administrative requirements imposed under HIPAA,
except for the prohibitions against intimidating or retaliatory
acts and against requiring a waiver of HIPAA rights.
In particular, this means that if you sponsor a fully-insured
plan that receives only enrollment or disenrollment information
or summary health information, your plan does not have to
appoint a privacy official, prepare or distribute a privacy
notice, amend the plan document, or enter into business associate
contracts. The plan may not need to take additional compliance
measures.
3. Who Is Responsible for HIPAA Compliance for Your Plan and What Needs to Be Done?
If your plan is covered by HIPAA and is not fully insured,
compliance will consist of the following actions. A fully-insured
plan that receives more than just summary health information
and enrollment and disenrollment information will also have
to comply with respect to the additional information:
- Appoint a Privacy Official and Contact Person.
The privacy official is responsible for HIPAA compliance
for the group health plan. The contact person, who may be
the same as the privacy official, answers questions and
receives complaints relating to privacy.
- Amend Plan Documents. If the employer sponsor
receives protected health information (PHI) in order to
administer its group health plan, the group health plan
must be amended to include provisions that restrict the
sponsor’s use and disclosure of plan information to
necessary plan administration functions. This may be done
in a stand-alone document, or may be incorporated in a restated
plan document. Moreover, the employer, as plan sponsor,
will need to take actions to safeguard plan-PHI, such as
to establish firewalls between plan and employer functions.
- Prepare Notice of Privacy Practices. The plan
must develop a notice of privacy practices describing how
it uses and discloses health information, individual rights,
administrative procedures, and other required elements.
For many plans, especially self-insured plans, the notice
must be provided to participants in the plan prior to April
14, 2004. Thereafter, the group health plan will need to
provide the notice to newly enrolled participants. If the
notice is amended, then the new notice must be provided
to participants within 60 days of a material change. Bear
in mind that if the plan is fully insured, but receives
more health information than just summary health information
and enrollment and disenrollment information, the plan at a minimum
must develop a notice of privacy practices and provide the
notice when requested. It is not necessarily required to
distribute the notice.
- Develop Policies and Procedures. The regulations
recognize that small employers cannot afford the time and
expense to adopt complex policies and procedures. They require
only that the policies and procedures adopted be reasonable
in light of the size and circumstance of the group health
plan.
- Enter into Business Associate Contracts. If your
plan is administered by a third-party administrator, the
TPA is a business associate of the plan, and the plan is
required to have a contract with the TPA that requires the
TPA to safeguard plan information, to restrict its use of
the information, and to return or destroy the information
on termination of the contract. You will also need business
associate contracts with other contractors who have access
to the plan’s health information, such as actuaries
and attorneys.
Many third-party administrators or benefits consultants are prepared
to handle or assist you with group health plan HIPAA compliance.
But you should not assume that they will handle your HIPAA compliance
for you. With respect to most group health plans, the employer,
as plan administrator, will be the fiduciary that is obligated to
ensure ongoing group health plan compliance (including HIPAA compliance).
Following these three steps should allow most small group health
plans to quickly determine their HIPAA compliance requirements.
For more detail on the privacy rules, please see "A
Road Map for Employer Compliance with HIPAA" (Spring 2002).
BUSINESS ASSOCIATE CONTRACTS
April 14 is also the deadline for covered entities to amend or
supplement contracts with business associates (BAs) to include the
provisions required by the HIPAA Privacy Rule. These clauses require
BAs to safeguard PHI, restrict uses and disclosures to those contemplated
by the underlying agreement, and to return or destroy PHI on termination
of the contract. Generally, “business associate” includes
any contractor who receives or creates individually identifiable
health information in the course of assisting the covered entity
with operations, including payment.
While they are making these amendments, covered entities should
consider including the additional language required by the final
Security Rule for BAs who handle electronic health information.
While these provisions are not required until 2005, including them
now will avoid another round of revisions. These provisions can
be worked into the existing text at appropriate points. They must
require BAs to:
- adopt administrative, physical and technical safeguards that
reasonably and appropriately protect the confidentiality, integrity
and availability of electronic PHI, and to require their subcontractors
to do the same, and
- report security incidents concerning electronic PHI.
What lessons have been learned from the first round of business
associate contracting?
Not all relationships are the same. While a standard
form of agreement will serve for most BA relationships, some require
special attention. This is particularly true for BAs who handle
many business processes involving PHI, such as third-party administrators
of group health plans. Some thought should be given to the special
risks in these relationships.
Less May be More. That said, a covered entity
should think carefully about adding provisions to the BA agreement
that are not mandated by the regulation. Why? Every additional provision
beyond the required minimum creates a new negotiating opportunity
for the parties, and a new negotiating opportunity means more time
and expense. In our experience, indemnification clauses have been
the greatest source of controversy. Before insisting on them, covered
entities might consider whether common-law principles of indemnification
are not adequate. Conversely, if the underlying contract substantially
limits the BA’s liability (as many technology contracts do),
covered entities might want to clarify that the limits do not apply
to violations of the BA provisions.
Beware of Subcontractors. The standard contract
provision allows a BA to disclose PHI to its subcontractors as long
as they agree to the same restrictions and conditions that apply
to the BA. This agreement with the subcontractor need not conform
to any particular standards, or even be in writing. A covered entity
may not even know that its BA is disclosing PHI to subcontractors.
In a much-publicized incident, a university medical center discovered
that its medical records had found their way to a transcriptionist
in Pakistan through a chain of subcontracts. It was reported that
the Pakistani transcriptionist threatened to publish the records
on the Internet in a dispute over payment.
This kind of subcontracting is not forbidden by HIPAA, and there
is nothing in the standard BA contract that would prevent it. However,
the risks to reputation are clear, and individuals may be able to
claim for loss of privacy on grounds other than HIPAA. Covered entities
should consider insisting on express approval of subcontracting
by BAs.
Accounting for Disclosures. How should the CE
gather information about the disclosures made by BAs which the CE
must include in an accounting to an individual? The approach we
most often see is for the BA to maintain the record of disclosures,
and to provide information to the CE on request. A more efficient
approach might be to require BAs to report disclosures to the CE
as they occur, if they would need to be included in an accounting.
This approach would permit the CE to maintain a centralized record
of disclosures, and avoid polling its BAs whenever it receives a
request for an accounting.
NATIONAL PROVIDER IDENTIFIERS
On January 23, 2004, the Centers for Medicare & Medicaid Services
published the “Standard Unique Health Identifier for Health
Care Providers” regulations. As expected, these final regulations
adopt the National Provider Identifier (NPI) as the unique identifier
for health providers for use in standard transactions and for other
lawful purposes. The NPI will replace the numerous UPINs, Legacy,
Medicaid, and other numbers currently in use.
The NPI has ten all-numeric positions (with the last position being
a check digit). Based on current provider growth, CMS estimates
that unique NPIs will be available for 200 years. In response to
industry concern, the NPI will contain no embedded information about
the provider.
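The check digit mentioned above can be verified mechanically, which is useful wherever NPIs are accepted as input (claims intake, provider directories, log parsing), because a mistyped or transposed digit is caught before the value is stored or matched. The Python example below is added here and is not part of the bulletin; it relies on the fact, specified in the NPI final rule rather than on this page, that the check digit is computed with the Luhn (mod 10 "double-add-double") formula over the nine identifier digits prefixed with the constant 80840. The sample NPIs are constructed for this example.

```python
# Added example (not part of the DWT bulletin): validating the NPI check digit.
# The bulletin states only that an NPI is ten numeric positions ending in a
# check digit. The NPI final rule specifies that this digit is computed with
# the Luhn formula after prefixing the nine identifier digits with the
# constant 80840 (the ISO 7812 issuer prefix assigned to US health identifiers).
# All sample NPIs below are constructed for this example.

NPI_PREFIX = "80840"   # constant prepended before the Luhn computation


def luhn_check_digit(payload: str) -> int:
    """Return the Luhn check digit for a string of decimal digits.

    Starting with the rightmost payload digit, every other digit is doubled;
    doubled values of 10 or more have their digits summed (equivalently, 9 is
    subtracted). The check digit is whatever makes the total a multiple of ten.
    """
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # rightmost payload digit and every second one leftward
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def npi_check_digit(first_nine: str) -> int:
    """Check digit for the nine leading digits of an NPI."""
    if len(first_nine) != 9 or not first_nine.isdigit():
        raise ValueError("NPI body must be exactly nine decimal digits")
    return luhn_check_digit(NPI_PREFIX + first_nine)


def is_valid_npi(npi: str) -> bool:
    """True if npi is ten decimal digits whose last digit is the correct check digit.

    Only the format is checked; a well-formed NPI may still be unassigned.
    """
    if len(npi) != 10 or not npi.isdigit():
        return False
    return npi_check_digit(npi[:9]) == int(npi[9])


# Constructed samples with the outcome a validator should give for each.
SAMPLE_NPIS = {
    "1234567893": True,   # correct check digit (80840123456789 -> Luhn digit 3)
    "1234567890": False,  # single-digit error: check digit is wrong
    "1243567893": False,  # adjacent transposition (56 -> 65) changes the check digit to 2
    "123456789": False,   # too short
    "12345O7893": False,  # letter O in place of zero
}

if __name__ == "__main__":
    for npi, expected in SAMPLE_NPIS.items():
        print(f"{npi!r:14} valid={is_valid_npi(npi)} (expected {expected})")
```

A passing check only means the identifier is well-formed; whether the number has actually been assigned to a provider can only be confirmed against the enumerator's records, so the validator belongs at the input-sanitization stage, not as a substitute for provider verification.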
The NPI will be issued by the National Provider System (NPS), which
is being built under a CMS contract. A CMS contractor, called the
“enumerator” – a title that could wind up in the
movies someday – will operate the NPS. The enumerator will
be responsible for receiving (and assisting providers with) applications,
assigning a unique NPI to each requesting provider, deactivating
and reactivating NPIs, updating information, and generally troubleshooting
the NPS. Protections will be in place to guard against a deactivated
number’s being assigned to another provider.
Only health care providers may receive an NPI. Covered providers
must have an NPI; non-covered providers may request one as well.
For health entities, such as hospitals and health systems with multiple
sites, the regulations allow “subparts” of a provider
organization to apply for separate NPIs.
Covered health providers and most health plans must comply with
these regulations by May 23, 2007, with small health plans having
an additional year to come into compliance. Covered providers may
begin applying for their NPIs on May 23, 2005 (which is the effective
date of these regulations). Recognizing the impending heavy workload,
CMS asks non-covered providers to wait an additional year or two.
For more information about how Davis Wright Tremaine LLP can assist
you with your group health plan HIPAA compliance efforts, please
see "What DWT Can Do," or contact:
Rebecca L. Williams, Seattle, (206) 628-7769, beckywilliams@dwt.com
Jason T. Froggatt, Seattle, (206) 628-7629, jasonfroggatt@dwt.com
Paul T. Smith, San Francisco, (415) 276-6532, paulsmith@dwt.com
Sarah L. Bhagwandin, Seattle, (206) 903-3959, sarahbhagwandin@dwt.com
This HIPAA Alert is a publication of the
Health Law Group of Davis Wright Tremaine LLP. Our purpose in publishing
this Alert is to inform our clients and friends of recent HIPAA
developments. It is not intended, nor should it be used, as a substitute
for specific legal advice as legal counsel may only be given in
response to inquiries regarding particular situations.
© 2004 DWT LLP
Published by Davis Wright Tremaine LLP