part ii - employers : “4 buckets”
DESCRIPTION
Fully-Insured GHP (Summary Info). Fully-Insured GHP (receives PHI). Self-Funded GHP. Part II - Employers : “4 Buckets”. EMPLOYER. Employer-specific HIPAA Privacy Terms. “Summary Information” “Plan Administration”. Summary Information. - PowerPoint PPT PresentationTRANSCRIPT
Part II - Employers : “4 Buckets”
Self-Funded GHP
EMPLOYERFully-
Insured GHP
(Summary Info)
Fully-Insured GHP
(receives PHI)
Employer-specific HIPAA Privacy Terms
• “Summary Information”
• “Plan Administration”
Summary Information• Summarizes claims history, claims expenses, or
claim type of participants in a GHP
• Essentially is a category of information somewhere between de-identified data and PHI
• “Step above” De-identified information because it has some identifiers
• Uses/Disclosures are limited to 3 purposes
Plan Administration
• GHP “Operations” and “Payment”
• Plan Administration functions performed by Plan Sponsor/Employer (or its TPA)
– excludes functions performed in connection with any other plan of the Employer
– unless OHCA with other GHPs
BUCKET # 1
Employer as “Employer”
( HR Manager)
Bucket #1: Employer• Employer as HR Manager
– Hiring, Firing– FMLA Leave– Disability Leave– Workers’ Compensation Claims– Medical Absences– Drug and Alcohol Screening– Fitness for Duty Tests
• HIPAA does not regulate Employer in this Bucket!
BUCKET # 2
Self-Funded GHP
(Receives PHI)
Self-Funded
GHP
BUCKET # 2 - Self-Funded GHP
• Health benefits funded by employer• Claims administered internally• Creates PHI• MUST provide Notice of Privacy Practices• MUST comply with all of Privacy Rule’s
Administrative Requirements • MUST amend Plan Document, provide
Certification Statement, and make organizational changes
BUCKET # 3
Employer Insured
GHP
(Summary Info)
Employer insured
(Summary Info)
BUCKET # 3 - Insured GHP
• Health benefits insured by employer• Insurer does not provide PHI back to GHP or Sponsor• DOES NOT need to provide Notice and comply with
most of the Privacy Rule’s Administrative Requirements (except for non-waiver and non-retaliation)
• Assumption: Sponsor does not receive PHI beyond summary information for the 3 allowed uses– EXCEPTED from Plan Amendment and Certification
requirements
BUCKET # 4
Fully-Insured GHP
(Full PHI)
Fully-Insured GHP (PHI)
BUCKET # 4 - Fully-Insured GHP
• GHP provides health benefits solely through a health insurance issuer or HMO
• If Sponsor receives more than summary information:– Unique Notice obligations
– Must do Plan Amendment & Certification
– Issue: Comply with all Admin. Req’ts.?
• Gray area: e.g., where Plan Sponsor does not receive PHI from insurer but may assist employees with claims issues (advocacy)
Privacy Rule Requirements For Self-funded GHP
• Notice Requirements
• Amend Plan Documents
• Certification Statement
• Individual Rights
• Administrative Requirements
Content of the Notice of Privacy Practices
• Plain Language• Uniform Header• Description and at least one example each of
the types of uses and disclosures made for treatment, payment, and health care operations
• Description of each of the other purposes for which a use or disclosure is permitted or required without authorization
Content of the Notice of Privacy Practices (cont.)
• Each purpose must have “sufficient detail” to put individual on notice
• Statement that all other uses or disclosures will only be made with the individual’s authorization
• If applicable, a statement that the GHP, or a health insurance issuer or HMO providing benefits for GHP, will disclose PHI to Plan Sponsor
Provision of Notice
• No later than the Compliance Date for existing participants
• At time of enrollment for all new enrollees• Within 60 days of a material change to the
notice• Notification of availability of the notice
every 3 years (or less)• Requirement satisfied if provided only to
named insured and not dependents
Health Plan Notice Issues
• Notice is from Group Health Plan if there is no group insurance contract
• Notice is from the HMO or health insurance issuer in the insured context
• Notice maintained by the GHP if it receives PHI
• Notice to the named insured is sufficient
Other Notice Requirements • Specify GHP/Plan Sponsor duties
• Name Contact Person
• Establish Complaint Process
• Optional ability to impose limitations on allowable uses and disclosures
Plan Amendment & Certification
• Required elements for Plan amendments
• Required elements similar to elements of a BA contract
• Certification by GHP to Plan Sponsor
Required Amendments Establish the permitted and required uses
and disclosures of PHI by the Plan Sponsor
Not use or disclose PHI other than as permitted or required by the GHP or as required by law
Ensure that agents and subcontractors of the Plan Sponsor agree to abide by the Privacy Rule requirements
Required Amendments Provide an accounting of disclosures of PHI
Make internal practices, books and records pertaining to the use and disclosure of PHI received from the Plan available to DHHS for determining compliance
Return or destroy all PHI when no longer needed
Required Amendments Ensure adequate separation b/w the GHP
and Plan Sponsor
Describe employees or classes of employees under the control of the Plan Sponsor to be given access to PHI, including individuals who receive PHI in the ordinary course of business
Provide a mechanism for resolving noncompliance
Required Amendments
Plan Sponsor cannot use or disclose PHI for employment-related actions, or in connection with any other benefit or employee benefit plan of the Sponsor
Report to the GHP any inconsistent use or disclosure of which it becomes aware
Make PHI available to individuals and allow individuals to amend their PHI
Individual Rights
• Receive notice of privacy practices
• Access: inspect or copy PHI
• Amend
• Accounting
Individual Rights (cont.)
• Authorization
• Complaints to Secretary and/or GHP
• Permissive right to request restriction and confidential communication
Administrative Requirements
• Appoint privacy official and contact person
• Establish privacy policies and procedures and implementing forms e.g., request for access form
• Reconfigure technical, administrative and physical safeguards (i.e., firewalls)
Administrative Requirements
• Develop authorizations and notices
• Develop grievance/complaint procedures
• Develop sanction, mitigation, non-retaliation, and non-waiver of rights policies
Administrative Requirements
• Communicate privacy policy
• Training
• Written or electronic record of the actions, policies, procedures, and other forms required to be documented by the Privacy Rule (document communications required to be in writing)