EXECUTIVE SUMMARY

OF THE PRIVACY RULE IMPLEMENTING

HIPAA’S PRIVACY REQUIREMENTS


IMPORTANT NOTE:  READ THIS BEFORE REVIEWING THIS EXECUTIVE SUMMARY

The Executive Summary below was written for IIABA members that offer health insurance products to clients or have access to individually identifiable health information about employees of clients.  IIABA will provide a separate summary of the impact of the new rules on IIABA members in their role as employers.

September 30, 2002

This Executive Summary and the Memorandum dated September 30, 2002 regarding the Final HIPAA Privacy Regulations are not intended to provide specific advice about individual legal, business or other questions.  They were prepared solely for use as a guide, and are not a recommendation that a particular course of action be followed.  If specific legal or other expert advice is required or desired, the services of an appropriate, competent professional, such as an attorney, should be sought.

INTRODUCTION

On August 14, 2002 the Department of Health and Human Services (HHS) published the final revised rule on the Standards for Privacy of Individually Identifiable Health Information (Privacy Rule).  The final Privacy Rule reflects changes for which IIABA successfully advocated in order to create a better business environment for members, enabling them to shop group health care policies without onerous restrictions on access to or disclosure of the information required to shop such coverage effectively.

The Privacy Rule implements the privacy requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), by regulating how health care clearinghouses, most health care providers, and group health plans (Covered Entities), and third party administrators, legal counsel, accountants, consultants and other plan providers (Business Associates) handle protected health information.  Protected health information (PHI) includes any individually identifiable health information that:  (i) is created or received by an employer or a Covered Entity; (ii) relates to an individual’s health or the provision of or payment for health care; and (iii) identifies the individual or offers a reasonable basis for such identification.   Compliance with the Privacy Rule is required by April 14, 2003, except for “small” group health plans with annual receipts of $5 million or less.  For these “small” health plans, the compliance deadline is April 14, 2004.

Additionally, there is a completely separate set of “electronic code set requirements” under HIPAA’s Standards for Electronic Transmissions regulations, with which essentially all employer benefit plans and any agent/broker/third party administrator that processes claims or participates in the plan participant enrollment process will need to comply by October 16, 2002, unless:  (i) a one-year extension is requested by October 15, 2002; or (ii) the plan has annual receipts of $5 million or less, in which case it receives an automatic one-year extension.  Any extension for compliance with these electronic transmissions requirements does not extend the April 14, 2003 compliance date for the HIPAA Privacy Rule (or the April 14, 2004 compliance date for “small” health plans).   The attached Final HIPAA Privacy Regulations Memorandum (Memorandum) explains how to qualify and file for an extension in Appendix 2 at page 43.

PRIVACY RULE OVERVIEW

HIPAA’s Privacy Rule prohibits a Covered Entity and its Business Associates from disclosing or using PHI except as permitted or required in the Privacy Rule.  Penalties for noncompliance are severe, with civil fines of up to $25,000 per year for multiple violations, even for disclosures made in error.  For each knowing violation, criminal penalties include fines of up to $50,000 and/or imprisonment for one year.  Other penalties for wrongful disclosure of PHI include fines of up to $100,000 and/or up to five years in prison for obtaining or disclosing information under false pretenses and up to $250,000 and/or 10 years imprisonment for obtaining PHI with the intent to sell, transfer, or use it for commercial advantage, gain or malicious harm.

Simply stated, the Privacy Rule (i) prescribes the type of notice that a Covered Entity must provide to the recipient of health care and health insurance benefits; (ii) requires that a Covered Entity either obtain an authorization from the recipient (opt-in requirement) for the use and disclosure of PHI or determine that the proposed use is one for which consent is presumed; (iii) requires that a Covered Entity permit recipients to access and amend their health care information and receive an accounting of disclosures of PHI made by the Covered Entity under certain circumstances; and (iv) requires that a Covered Entity implement policies and procedures to protect the privacy of an individual’s PHI.

FINAL HIPAA PRIVACY REGULATIONS MEMORANDUM

To facilitate compliance with the provisions of the Privacy Rule, the Memorandum titled “Final HIPAA Privacy Regulations” is attached.  The Memorandum is organized into Sections and Appendices as follows:

Section I describes the types of entities subject to the Privacy Rule and the types of PHI protected (See Memorandum starting on page 4);

Section II details the compliance requirements (described in the next section of this Executive Summary) (See Memorandum starting on page 9);

Section III discusses when PHI may be used or disclosed without an opt-in (See Memorandum starting on page 13);

Section IV covers compliance in two situations in which an opt-in may be required (See Memorandum starting on page 17);

Section V addresses requirements applicable to Business Associates of Covered Entities (See Memorandum starting on page 22);

Section VI describes the relationship among the Privacy Rule, the privacy provisions of the Gramm Leach Bliley Act (GLBA), and state privacy laws (See Memorandum starting on page 24);

Section VII describes the compliance obligations on agents and brokers when they: (i) sell health insurance directly to an individual; (ii) sell an employer a group health plan; and (iii) when they (or a third party administrator) set up and/or manage a self-insured health plan covered by stop loss insurance (See Memorandum starting on page 25);

Appendix 1 is a sample privacy notice that complies with both GLBA and the HIPAA Privacy Rule (See Memorandum starting on page 34);

Appendix 2 is a memorandum that describes HIPAA’s Standards for Electronic Transmission, a separate set of regulations that mandate adoption of HHS-prescribed code sets by entities that exchange PHI in an electronic format.  The deadline for compliance with the HHS-prescribed code sets is October 16, 2002.  HHS will grant an automatic extension of one year (to October 16, 2003) only if an extension is requested on or before October 15, 2002.  In addition, if the plan has annual receipts of $5 million or less, it receives an automatic one-year extension.  Section 2 of Appendix 2 describes the extension process.  Use of the HHS-prescribed code set is mandated for employer-sponsored group health plans (whether fully insured or self-insured), third party administrators of such plans, or an agent or broker that participates in any of the following electronic health transactions in relation to such a plan: (i) health claims; (ii) health plan eligibility; (iii) enrollment and disenrollment; (iv) payments for care and health care premiums; (v) claim status; (vi) first injury reports; (vii) coordination of benefits; and (viii) related transactions.  (See Memorandum starting on page 40.)

FOUR GENERAL COMPLIANCE REQUIREMENTS

The Privacy Rule imposes four general compliance requirements on Covered Entities.  Business Associates acting on behalf of Covered Entities must comply with the Privacy Rule and sign contracts to that effect with each Covered Entity[1].  These requirements are described in detail in Section II of the attached Memorandum (starting on page 9), and can be summarized as follows:

1. Notice

Covered Entities generally must maintain a HIPAA privacy policy notice and provide that notice to recipients of health care and health insurance benefits at the time of enrollment and at least once every three years thereafter.  The requirements for the content of the notice are similar (but not identical) to those imposed under the GLBA, and must include statements concerning the individual’s rights, the Covered Entity’s duties, and the types of information uses and disclosures that may be made.

2. “Opt-In”

In general, HIPAA establishes an opt-in regime for the use or disclosure of protected health information (as opposed to the opt-out regime of the GLBA).  Thus, in order to use or disclose protected health information, a Covered Entity must do one of the following:

· Determine that the use or disclosure does not require an opt-in.

· Rely on one of three versions of the information from which certain identifiers have been stripped and comply with the rules for using such filtered information.

· Obtain written permission from the individual (an “opt-in”).  An executed “opt-in” is valid for the duration of a plan participant’s term of employment if it is so stated on the authorization form.

3. Access

A Covered Entity must permit individuals to access and amend their protected health information.  If the Covered Entity does not maintain the information, it must inform the individual where to direct the request.  The access rules also include a requirement that Covered Entities provide individuals upon request with an “accounting of disclosures” made for certain purposes, such as marketing.

4. Administration

Covered Entities must designate an individual to serve as privacy compliance officer and an individual to receive and respond to complaints and inquiries about the entity’s privacy policies and practices.  Covered Entities also must implement data security policies, such as procedures to enable the entity to verify the identity of the individual requesting protected information, and ensure that the information it discloses is the “minimum necessary” to carry out the purpose for which the information was requested.

The deadline for compliance with all four sets of requirements described above is April 14, 2003.  For small health plans with annual receipts of $5 million or less, the compliance deadline is April 14, 2004.  The HHS Office of Civil Rights has enforcement authority and can levy substantial civil penalties for non-compliance.  It also may charge violators with a federal crime for the wrongful disclosure of protected information; however, no private right of action exists for individuals or businesses to enforce the regulations or to collect damages for wrongful disclosure.

EXCLUSIONS FROM THE PRIVACY RULE

HIPAA’s Privacy Rule specifically excludes workers’ compensation, life, disability, property and casualty, and automobile insurance benefits from its coverage.  Therefore, the Privacy Rule’s compliance requirements do not apply to PHI gathered in the course of offering these products.  For agents and brokers that sell health insurance as well as any of these excepted benefits, the Privacy Rule offers the option of complying for all of their activities or of segregating their activities so as to comply with the Privacy Rule only when handling PHI in connection with health insurance activities.

* * * * *