HIPAA Update
- Compliance for Small Group Health Plans
- Business Associate Contracts
- National Provider Identifiers
By Jason T. Froggatt, Rebecca L. Williams, Paul T. Smith and Robyn Todd
[April 2004]
April brings two HIPAA compliance deadlines. April 14 is the
privacy compliance date for small group health plans, those
with annual “receipts” of $5 million or less for the
last plan year. It is also the last date for covered entities
to enter into business associate agreements with contractors
who receive or create health information. This update contains
some suggestions for small group health plans, and some lessons
learned from the past year of business associate contracting.
We also include a summary of the final regulation on national
provider identifiers that was published recently.
COMPLIANCE FOR SMALL GROUP HEALTH PLANS
Information—and misinformation—has swirled around
HIPAA privacy compliance since the regulations first were proposed
in 1999. Small group health plans can learn much from the compliance
experiences of their larger counterparts, which were required
to comply a year ago.
For employers sponsoring small group health plans, the following
three steps will assist in determining what you need to do to
make sure your group health plans are compliant with the HIPAA
privacy requirements:
1. Are You Excluded as a Small Self-Administered Plan?
HIPAA privacy regulations create an exclusion for group
health plans that have fewer than 50 participants and
are administered by the employer that established and
maintains the plan. Both requirements must be met—plans
that use third-party administrators are covered by HIPAA,
even if they have fewer than 50 participants. Plans that
designate the employer as plan administrator, but receive
administrative services (such as claims adjudication)
from third parties likely are not “self-administered”
either. However, a self-administered health flexible spending
account program or medical reimbursement arrangement may
fall within this exclusion even if the employer’s
medical and dental plans do not.
2. Do You Sponsor Any Insured Plans That Receive Only Limited Health Information?
The second step in compliance is to determine whether
any of your plans fall within the so-called “fully
insured” exception. Although all group health plans
are covered entities under HIPAA (except for the limited
exclusion described above), group health plans that are
fully insured have only minimal compliance obligations,
as long as they receive no health information other than
enrollment and disenrollment information or summary health
information for the purposes of obtaining premium bids,
or amending or terminating the plan. Such plans do not
have to comply with the use and disclosure rules, do not
have to provide for individual rights, and do not have
to satisfy the administrative requirements imposed under
HIPAA, except for the prohibitions against intimidating
or retaliatory acts and against requiring a waiver of
HIPAA rights.
In particular, this means that if you sponsor a fully-insured
plan that receives only enrollment or disenrollment information
or summary health information, your plan does not have
to appoint a privacy official, prepare or distribute a
privacy notice, amend the plan document, or enter into
business associate contracts. The plan may not need to
take additional compliance measures.
3. Who Is Responsible for HIPAA Compliance for Your Plan and What Needs to Be Done?
If your plan is covered by HIPAA and is not fully insured,
compliance will consist of the following actions. A fully-insured
plan that receives more than just summary health information
and enrollment and disenrollment information will also
have to comply with respect to the additional information:
- Appoint a Privacy Official and Contact Person.
The privacy official is responsible for HIPAA compliance
for the group health plan. The contact person, who may
be the same as the privacy official, answers questions
and receives complaints relating to privacy.
- Amend Plan Documents. If the employer sponsor
receives protected health information (PHI) in order
to administer its group health plan, the group health
plan must be amended to include provisions that restrict
the sponsor’s use and disclosure of plan information
to necessary plan administration functions. This may
be done in a stand-alone document, or may be incorporated
in a restated plan document. Moreover, the employer,
as plan sponsor, will need to take actions to safeguard
plan-PHI, such as to establish firewalls between plan
and employer functions.
- Prepare Notice of Privacy Practices. The
plan must develop a notice of privacy practices describing
how it uses and discloses health information, individual
rights, administrative procedures, and other required
elements. For many plans, especially self-insured plans,
the notice must be provided to participants in the plan
prior to April 14, 2004. Thereafter, the group health
plan will need to provide the notice to newly enrolled
participants. If the notice is amended, the revised
notice must be provided to participants within 60 days
of the material change. Bear in mind that a plan that
is fully insured, but receives more health information
than just summary health information and enrollment
and disenrollment information, must at a minimum develop
a notice of privacy practices and provide it on request;
it is not necessarily required to distribute the notice.
- Develop Policies and Procedures. The regulations
recognize that small employers cannot afford the time
and expense to adopt complex policies and procedures.
They require only that the policies and procedures adopted
be reasonable in light of the size and circumstance
of the group health plan.
- Enter into Business Associate Contracts.
If your plan is administered by a third-party administrator,
the TPA is a business associate of the plan, and the
plan is required to have a contract with the TPA that
requires the TPA to safeguard plan information, to restrict
its use of the information, and to return or destroy
the information on termination of the contract. You
will also need business associate contracts with other
contractors who have access to the plan’s health
information, such as actuaries and attorneys.
Many third-party administrators or benefits consultants are
prepared to handle or assist you with group health plan HIPAA
compliance. But you should not assume that they will handle
your HIPAA compliance for you. With respect to most group health
plans, the employer, as plan administrator, will be the fiduciary
that is obligated to ensure ongoing group health plan compliance
(including HIPAA compliance).
Following these three steps should allow most small group health
plans to quickly determine their HIPAA compliance requirements.
For more detail on the privacy rules, please see "A
Road Map for Employer Compliance with HIPAA" (Spring
2002).
BUSINESS ASSOCIATE CONTRACTS
April 14 is also the deadline for covered entities to amend
or supplement contracts with business associates (BAs) to include
the provisions required by the HIPAA Privacy Rule. These clauses
require BAs to safeguard PHI, restrict uses and disclosures
to those contemplated by the underlying agreement, and to return
or destroy PHI on termination of the contract. Generally, “business
associate” includes any contractor who receives or creates
individually identifiable health information in the course of
assisting the covered entity with operations, including payment.
While they are making these amendments, covered entities should
consider including the additional language required by the final
Security Rule for BAs who handle electronic health information.
While these provisions are not required until 2005, including
them now will avoid another round of revisions. These provisions
can be worked into the existing text at appropriate points.
They must require BAs to:
- adopt administrative, physical and technical safeguards
that reasonably and appropriately protect the confidentiality,
integrity and availability of electronic PHI, and to require
their subcontractors to do the same, and
- report security incidents concerning electronic PHI.
What lessons have been learned from the first round of business
associate contracting?
Not all relationships are the same. While
a standard form of agreement will serve for most BA relationships,
some require special attention. This is particularly true for
BAs who handle many business processes involving PHI, such as
third-party administrators of group health plans. Some thought
should be given to the special risks in these relationships.
Less May Be More. That said, a covered entity
should think carefully about adding provisions to the BA agreement
that are not mandated by the regulation. Why? Every additional
provision beyond the required minimum creates a new negotiating
opportunity for the parties, and a new negotiating opportunity
means more time and expense. In our experience, indemnification
clauses have been the greatest source of controversy. Before
insisting on them, covered entities might consider whether common-law
principles of indemnification are already adequate. Conversely,
if the underlying contract substantially limits the BA’s
liability (as many technology contracts do), covered entities
might want to clarify that the limits do not apply to violations
of the BA provisions.
Beware of Subcontractors. The standard contract
provision allows a BA to disclose PHI to its subcontractors
as long as they agree to the same restrictions and conditions
that apply to the BA. This agreement with the subcontractor
need not conform to any particular standards, or even be in
writing. A covered entity may not even know that its BA is disclosing
PHI to subcontractors. In a much-publicized incident, a university
medical center discovered that its medical records had found
their way to a transcriptionist in Pakistan through a chain
of subcontracts. It was reported that the Pakistani transcriptionist
threatened to publish the records on the Internet in a dispute
over payment.
This kind of subcontracting is not forbidden by HIPAA, and
there is nothing in the standard BA contract that would prevent
it. However, the risks to reputation are clear, and individuals
may be able to claim for loss of privacy on grounds other than
HIPAA. Covered entities should consider insisting on express
approval of subcontracting by BAs.
Accounting for Disclosures. How should the
covered entity (CE) gather information about the disclosures made by BAs that
the CE must include in an accounting to an individual? The approach
we most often see is for the BA to maintain the record of disclosures,
and to provide information to the CE on request. A more efficient
approach might be to require BAs to report disclosures to the
CE as they occur, if they would need to be included in an accounting.
This approach would permit the CE to maintain a centralized
record of disclosures, and avoid polling its BAs whenever it
receives a request for an accounting.
NATIONAL PROVIDER IDENTIFIERS
On January 23, 2004, the Centers for Medicare & Medicaid
Services published the “Standard Unique Health Identifier
for Health Care Providers” regulations. As expected, these
final regulations adopt the National Provider Identifier (NPI)
as the unique identifier for health providers for use in standard
transactions and for other lawful purposes. The NPI will replace
the numerous UPINs, Legacy, Medicaid, and other numbers currently
in use.
The NPI has ten all-numeric positions (with the last position
being a check digit). Based on current provider growth, CMS
estimates that unique NPIs will be available for 200 years.
In response to industry concern, the NPI will contain no embedded
information about the provider.
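The check digit in the last position is what lets a system that ingests provider numbers reject mistyped or truncated identifiers before they reach a claims or access-control database. Under the final rule the check digit is the ISO (Luhn) check digit computed over the constant prefix 80840 followed by the nine-digit base, so that the NPI can also serve as a card issuer identifier; that detail comes from the regulation, not from the text above. The validator below is an added example written for this page, not code from the authors or from CMS; the sample identifiers are constructed for the example (the transposed variant shows the kind of error the check digit catches).

```python
"""Validate and compute the check digit of a National Provider Identifier (NPI).

Added example, not from the original alert. The NPI is ten numeric
positions whose last digit is a check digit. Per the final rule the
check digit is the Luhn check digit over the constant prefix 80840
plus the nine-digit base; the prefix itself is not part of the NPI.
"""

# ISO 7812 issuer prefix: 80 = health applications, 840 = United States.
NPI_PREFIX = "80840"


def luhn_sum(digits: str) -> int:
    """Luhn sum: from the right, double every second digit and fold carries."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def npi_check_digit(base9: str) -> str:
    """Compute the check digit for a nine-digit NPI base."""
    if len(base9) != 9 or not base9.isdigit():
        raise ValueError("NPI base must be exactly nine numeric digits")
    # A placeholder 0 in the check position keeps the doubling pattern
    # identical to the one used when validating a full ten-digit NPI.
    total = luhn_sum(NPI_PREFIX + base9 + "0")
    return str((10 - total % 10) % 10)


def is_valid_npi(npi: str) -> bool:
    """True if npi is exactly ten digits and its check digit matches."""
    if len(npi) != 10 or not npi.isdigit():
        return False
    return luhn_sum(NPI_PREFIX + npi) % 10 == 0


def filter_valid(candidates):
    """Return the subset of candidate identifiers that pass the check."""
    return [c for c in candidates if is_valid_npi(c)]


if __name__ == "__main__":
    # Constructed sample input: a valid NPI, the same NPI with two digits
    # transposed, a nine-digit legacy-style number, and one with a letter.
    samples = ["1234567893", "1234567839", "123456789", "12345A7893"]
    for s in samples:
        print(s, "valid" if is_valid_npi(s) else "invalid")
    print("check digit for base 123456789:", npi_check_digit("123456789"))
```

The prefix contributes a constant 24 to every Luhn sum, which is why hand-calculation guides add 24 rather than writing out 80840; the code keeps the prefix explicit so the relationship to the card-issuer format is visible. A passing check only means the number is well-formed: because the NPI carries no embedded information, confirming that a number belongs to a particular provider still requires a lookup against the enumerator's records.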
The NPI will be issued by the National Provider System (NPS),
which is being built under a CMS contract. A CMS contractor,
called the “enumerator” – a title that could
wind up in the movies someday – will operate the NPS.
The enumerator will be responsible for receiving (and assisting
providers with) applications, assigning a unique NPI to each
requesting provider, deactivating and reactivating NPIs, updating
information, and generally troubleshooting the NPS. Protections
will be in place to guard against a deactivated number’s
being assigned to another provider.
Only health care providers may receive an NPI. Covered providers
must have an NPI; non-covered providers may request one as well.
For health entities, such as hospitals and health systems with
multiple sites, the regulations allow “subparts”
of a provider organization to apply for separate NPIs.
Covered health providers and most health plans must comply
with these regulations by May 23, 2007, with small health plans
having an additional year to come into compliance. Covered providers
may begin applying for their NPIs on May 23, 2005 (which is
the effective date of these regulations). Recognizing the impending
heavy workload, CMS asks non-covered providers to wait an additional
year or two.
For more information about how Davis Wright Tremaine LLP can assist
you with your group health plan HIPAA compliance efforts, please
see "What DWT Can Do,” or contact:
Rebecca L. Williams, Seattle, (206) 628-7769, beckywilliams@dwt.com
Jason T. Froggatt, Seattle, (206) 628-7629, jasonfroggatt@dwt.com
Paul T. Smith, San Francisco, (415) 276-6532, paulsmith@dwt.com
Sarah L. Bhagwandin, Seattle, (206) 903-3959, sarahbhagwandin@dwt.com
This HIPAA Alert is a publication of
the Health Law Group of Davis Wright Tremaine LLP. Our purpose
in publishing this Alert is to inform our clients and friends
of recent HIPAA developments. It is not intended, nor should
it be used, as a substitute for specific legal advice as legal
counsel may only be given in response to inquiries regarding
particular situations.
© 2004 DWT LLP | Published by Davis Wright Tremaine LLP