The HIPAA Privacy Rule And Its Impact On Agents And Employers National Association of Health Underwriters Capitol Conference March 23, 2003 Joseph T. Holahan, JD Morris, Manning & Martin, LLP Washington, DC

2 Road Map Overview of the HIPAA Privacy Rule Covered entities and products Compliance deadlines General requirements Impact on agents Business associate contract Disclosures to agents by insurers Impact on employers

3 Covered Entities Health plans Health care providers engaging standard electronic transactions Health care clearinghouses

4 Health PlansProvide or Pay Cost of Medical Care Health insurance issuers and HMOs Issuers of Medicare supplemental policies Issuers of long-term care policies (except nursing home fixed-indemnity policies) Group health plans (except self-administered with fewer than 50 participants) MEWAs State high risk pools Medicare, Medicare+Choice, CHAMPUS and certain other programs Any other individual or group health plan that provides or pays for the cost of medical care

5 Covered Products Major medical HMO Dental and vision Most long-term care Medicare supplemental Medicare+Choice

6 Excluded Products Life Accident only Disability income Coverage issued as supplement to liability insurance Liability insurance, including general liability and auto liability insurance Auto medical payment Credit-only Coverage for on-site medical clinics

7 Gray Area Specified disease Hospital indemnity

8 Compliance Deadlines Most health insurance issuers and HMOs and any group health plansApril 14, 2003 Small health plans (annual receipts of $5 million or less)April 14, 2004

9 General Requirements Restricts use and disclosure of protected health information (PHI) without written authorization Minimum necessary standard Individual Rights Restrictions on use and disclosure Access Accounting of disclosures Amendment Business associate contracts Amend group health plan documents in some cases to impose requirements on sponsor

10 General Requirements, Cont. Notice of privacy practices Administrative requirements, including: Privacy officer Privacy contact office Privacy policies and procedures Trainingworkforce only

11 Permitted Uses and Disclosures Pursuant to written authorization compliant with HIPAA For treatment, payment or health care operations To individual or personal representative Friend, family member or other person identified by individual with written or oral agreement Required by law Regulators Judicial and administrative proceedings Law enforcement To health oversight agency as authorized by law

12 Permitted Uses and Disclosures Health Care Operations Health care operations include: Activities by or on behalf of health plan relating to the creation, renewal or replacement of a contract for health insurance or health benefits Customer service by or on behalf of health plan

13 Permitted Uses and Disclosures Payment Payment includes: Activities by or on behalf of health plan to determine eligibility or coverage Claims management by on behalf of health plan

14 Disclosure By Health Plan To Agent Payment or health care operations Friend, family member or other person identified by individual: PHI directly relevant to persons involvement in individuals health care Written or oral agreement, opportunity to object and no objection or reasonable inference of no objection based on professional judgment Written authorization

15 Required Uses and Disclosures Individual access to PHI Secretary of DHHS for investigating covered entitys compliance

16 Required Elements of the Business Associate AgreementPart I Establish permitted and required uses and disclosures of PHI by business associate May not authorize the business associate to use or disclose information in a way that would violate the Privacy Rule if done by covered entity, with exceptions where necessary for business associates management and administration and for data aggregation services

17 Required Elements of the Business Associate AgreementPart II Provide that the business associate will: Not further use or disclose PHI other than as permitted or required by law Use appropriate safeguards to prevent use or disclosure other than as provided by the agreement If aware of any use or disclosure not provided by the agreement, report it to covered entity Ensure that any agents, including subcontractors, to whom it provides PHI agree to same restrictions

18 Required Elements of the Business Associate AgreementPart III Provide that the business associate will: Make PHI available for access by the individual Make PHI available for amendment and incorporate any amendments Make PHI available to provide an accounting of disclosures Make its internal practices, books, and records available to DHHS for investigating covered entitys compliance

19 Required Elements of the Business Associate AgreementPart IV At termination of contract, if feasible, return or destroy all PHI received from covered entity or created or received on behalf of covered entity and retain no copies. If return or destruction not feasible, extend protections of contract to information retained and limit use and disclosure to purposes for which information must be retained.

20 Permitted Elements of the Business Associate Agreement May permit the business associate to use and disclose PHI as necessary for: Management and administration of its business; and To carry out its legal responsibilities But unless disclosure required by law, business associate must obtain reasonable assurances from person to whom PHI is disclosed that: PHI will be held confidentially; PHI will be further disclosed only as required by law or for purpose for which it was disclosed to the person; and Person will notify business associate of any known breach of confidentiality

21 Breach of Business Associate Contract Required Action By Covered Entity Take reasonable steps to cure the breach If unsuccessful, terminate contract if feasible If termination not feasible, report problem to DHHS To extent practicable, mitigate any known harm from violation

22 Group Health Plans Self-insured plansall of the Privacy Rules provisions apply, including: Provide privacy notice Implement policies and procedures Train workforce Plans offering flexible savings accountsmay need to treat as a self-insured plan Insured plansdepends on how much PHI created or received from issuer or HMO

23 Insured Group Health Plans If group health plan creates or receives only summary PHI and information about whether individual has enrolled or disenrolled, duties greatly reducedfor example: No notice required No need for written policies and procedures No training required If group health plan creates or receive other PHI, then: Must maintain notice and provide on request All other requirements of Privacy Rule apply

24 Plan Sponsor No requirements, if plan sponsor only receives: Summary PHI for purpose of obtaining premium bids or modifying, amending or terminating plan; Information on whether individual has enrolled or disenrolled; or PHI disclosed pursuant to a written authorization If sponsor receives other PHI, must amend plan documents and group health plan must receive written certification of amendment and give notice

25 Amendment of Group Health Plan Documents Much like business associate contract, with added provisions Not use or disclose PHI for employment-related actions and decisions Not use or disclose PHI in connection with any other benefit or employee benefit plan of sponsor Ensure adequate separation between group health plan and sponsor

26 Adequate Separation Describe employees or classes of employees and other persons under control of plan sponsor with access to PHI Restrict access to and use of PHI by employees and other persons to plan administration functions Provide effective mechanism for resolving issues of noncompliance by employees and persons with access to PHI

The HIPAA Privacy Rule And Its Impact On Agents And Employers National Association of Health Underwriters Capitol Conference March 23, 2003 Joseph T. Holahan, JD Morris, Manning & Martin, LLP Washington, DC