Shopping for Health Insurance Under the New HIPAA Privacy Rules
Employers that offer fully insured health benefits often use an insurance agent or broker to assist with obtaining bids for new insurance and making decisions about coverage placement. Under the HIPAA Privacy Rules, there is a distinct advantage to being fully insured, because the Privacy Rules allow a fully insured employer to avoid complying with most of the burdensome administrative requirements so long as it maintains a "hands-off" approach (i.e., does not create, maintain, or receive protected health information—often referred to as "PHI"). In such cases, the insurance carrier that provides the coverage holds the PHI and is legally obligated to comply with the more burdensome aspects of the Privacy Rules.
If you are a fully insured "hands-off" employer, you may receive PHI for certain purposes without losing your status as a "hands-off" employer:
- to perform enrollment and disenrollment functions;
- to assist employees with claims disputes and help them understand their benefits; and
- to receive "summary health information" from an insurer for the limited purpose of obtaining premium bids or modifying, amending, or terminating the plan.
"Summary health information" is health information that summarizes claims history, expenses, or the type of claims experienced by individuals for whom you have provided benefits under the plan, and from which all personally identifiable information (e.g., name, social security number, address, etc.) has been removed. In many instances, summary health information should be sufficient to allow an insurer or stop-loss carrier to assess risk and provide a premium bid. But if an insurer or stop-loss carrier asks you for more than this, the only way you can obtain the information from your current insurer is by obtaining signed authorizations from those covered by your insurance. Moreover, the privacy rules for the most part make such authorizations voluntary, meaning that you cannot condition an employee's enrollment or qualification for benefits on his or her providing the authorization, unless (i) the authorization is requested prior to the employee's enrollment and (ii) the authorization is sought to perform the plan's eligibility and enrollment functions or for underwriting or risk determinations. In short, you may not be able to get the information that the insurer or stop-loss carrier is seeking. Insurers and stop-loss carriers will have to learn that there may not be as much information available as there was before HIPAA.
The broker with whom you work may ask you to sign a "business associate" agreement. If you are a "hands-off" employer with a fully insured health plan, you should be cautious about entering into a business associate agreement with the insurance agent, particularly if he or she will create or receive PHI above and beyond enrollment information or summary health information. Any PHI that the insurance agent creates or receives beyond this basic information may be attributed to you, in which case you may lose your "hands-off" status and become obligated to comply with the full scope of the Privacy Rules (e.g., plan amendments, firewalls, appointing a privacy officer, drafting privacy policies and procedures, etc.).
If you have questions as to how your plan may safely shop for health coverage under HIPAA, please contact a member of WN&J's HIPAA Task Force.
Complaint-Driven System Emerges
Is your organization a covered entity subject to the HIPAA privacy, transaction, and related rules? If so, does your organization know what to expect if a complaint is filed against it for violations of these rules? Covered entities now have a better sense of the procedures they face if a complaint is filed and the Department of Health and Human Services ("HHS") decides to impose a civil monetary penalty against them. HHS published interim final rules on April 17, 2003, which it calls a "first installment" of the "Enforcement Rule." The rules were effective on May 19, 2003, and remain in effect until September 16, 2003, when HHS expects to have final rules in place.
HIPAA authorizes civil penalties of up to $100 per violation, with an annual maximum of $25,000 for a single type of violation. HHS states that the HIPAA enforcement process "will be primarily complaint driven and will consist of progressive steps that will provide opportunities to demonstrate compliance or submit a corrective action plan." However, if HHS decides to assess a penalty, it must notify the covered entity of its intent to impose a civil penalty. The covered entity then can request a hearing before an administrative law judge. If the covered entity does not request a hearing within 60 days after receiving the notice, the penalty will be imposed and cannot be appealed.
If you receive a notice from HHS that it has received a complaint of a HIPAA violation, call a member of WN&J's HIPAA Task Force to help you respond.
Questions to Ask Your Software Vendors and Business Associates Regarding the New HIPAA Transaction Rules
Are you ready for the new transaction standards that go into effect on October 16, 2003?
If you are an employer who sponsors a health plan, the good news is that HIPAA does not require you to conduct electronic transactions—often referred to as Electronic Data Interchange, or EDI. The bad news is that if you have hired a third-party administrator ("TPA") or other service that conducts EDI transactions on your behalf (for example, to pay health claims), then you can be liable if the TPA or service provider fails to use the HIPAA standard transactions.
If you are a health care provider who bills electronically—either directly, or through a business associate such as a billing service—then you or your business associate must also be ready to use the new standards come October 16.
If you haven't been talking to your software vendor, third-party administrator, billing company, or other business associate involved in your EDI transactions about the HIPAA transaction standards, you should do so soon. Since testing for HIPAA compliance was to have begun in April of this year, your software vendor or service provider should have a pretty good idea by now of how ready it is to conduct the new standard transactions. Some issues you may want to explore include the following:
- Have they tested the software for internal consistency with the HIPAA transaction standards?
- How do they plan to implement the changes with payers or providers?
- Have they tested the ability of the software to correctly interface with all trading partners ("end-to-end" testing)?
- Can they do any necessary translations both ways (i.e., into standard transaction format and out of standard transaction format)?
- Have they obtained any third-party certification as to their readiness (e.g., Claredi, Foresight)?
- Will they be making any changes to products or services to ensure HIPAA compliance? Are there any additional costs involved?
The Centers for Medicare and Medicaid Services ("CMS") has posted a more complete list of questions to ask vendors, TPAs and clearinghouses at the following Internet address:
A few pointed questions now could save you a lot of frustration come October 16.
Five Things to Look For When Reviewing a HIPAA Business Associate Agreement
By Norbert F. Kugele
A health plan covered by HIPAA must enter into a "business associate agreement" with any company or individual (not part of the health plan's workforce) that provides services to the plan involving the use of protected health information ("PHI"). Business associates include third-party claims administrators, COBRA administrators, benefits consultants, outside attorneys who advise the health plan regarding individual claims, and so on. A business associate must agree to protect the PHI to the same extent as you are required to do. If you share information with these service providers without a valid business associate agreement in place, you could be fined for violating HIPAA.
Many service providers will ask you to use their own form of business associate agreement. You will want to review these forms carefully. Here are five issues that we frequently encounter when reviewing a business associate agreement:
- Are All Requirements Included?
The agreement may not contain all requirements for a valid business associate agreement. (You can find a copy of these requirements on the Internet at http://www.hhs.gov/ocr/hipaa/finalreg.html.) You should look at the implementation requirements in the privacy rule and compare them to what you see in the business associate agreement. If a required provision is missing, or the proposed language doesn't seem to precisely require what is stated in the rule, the proposed agreement may be invalid. You should not sign the agreement without resolving this issue.
- Does It Address Individual Rights?
The agreement may not address the business associate's duty to honor individual rights and disclosures. Under the privacy rules, individuals are given rights with respect to their own PHI. Two important rights are the right to request additional restrictions on the use or disclosure of PHI and the right to confidential communications. The right to confidential communications is particularly important because it gives someone like a battered wife the ability to redirect communications about her health care to an alternative address or telephone number.
The Department of Health & Human Services ("HHS") has provided sample language for business associate agreements. Curiously, neither the privacy rules nor the sample language directly addresses a business associate's responsibility with respect to individual requests for additional restrictions or confidential communications. If the business associate (for example, a third-party administrator) will be communicating directly with a participant in the health plan (for example, by sending her an explanation of benefits), you want to ensure that the business associate agreement requires the business associate to comply with the restrictions and confidential communications to which you have agreed.
- Is There a Right to Terminate?
Be sure the agreement allows you to terminate your relationship with the business associate in the event of a breach. If the business associate breaches the terms of the business associate agreement, you must be able to terminate both the business associate agreement and your relationship with the business associate. Some business associate agreements allow termination of only the business associate agreement itself, and not the underlying contractual relationship. If you see a business associate agreement that is structured this way, it must be revised.
- Does It Unfairly Limit Liability?
The business associate agreement may include a limitation on the business associate's liability for a breach of the contract that excludes certain types of damages, such as indirect, consequential or punitive damages. The agreement may also cap the business associate's liability, perhaps limiting losses to the fees you pay the business associate during a given year. To determine whether the limitation on liability is reasonable, you will need to evaluate what the business associate does, how much and what type of PHI the business associate comes in contact with, and the harm that may arise from an unauthorized disclosure.
For example, a business associate who has information only about whether employees are enrolled in your health plan probably would not cause much harm if it improperly disclosed that information to others, since the information is extremely limited. On the other hand, a business associate who provides services relating to the treatment of AIDS patients could cause significant harm if it discloses PHI about the AIDS patients to the wrong people. In order to ensure that your agreement is fair, you may want to specifically carve out certain kinds of harm that would not be subject to the limitations on liability.
- Are You Indemnified for Unauthorized Disclosures?
If you receive a form business associate agreement from the business associate, look to see if it contains a provision indemnifying you for the business associate's actions in breach of the business associate agreement. It probably doesn't. Under an indemnification provision, if you are held liable because of the business associate's unauthorized disclosure of PHI, the business associate agrees to pay some or all of your damages. Something to keep in mind, however, is that indemnification provisions are usually not covered by liability insurance, so the business associate may not agree to such a provision. Sometimes, a business associate will suggest mutual indemnification language. In that case, you need to review the language to make sure that the indemnification provision is really mutual (sometimes they are one-sided), and you need to make sure you don't have any insurance issues yourself. Depending upon how your risk manager feels about indemnification clauses, you may decide not to have any indemnification provision at all.
Subpoenas and HIPAA
On Monday morning you open your mail to find a subpoena requesting all health plan records for one of your employees. The subpoena looks official and is signed by a lawyer. What to do? One of the common issues facing health care providers, health plans, and others covered by HIPAA is subpoenas seeking information protected by HIPAA. If you are a health care provider, the subpoena may seek medical records about one of your patients. If you are an employer, the subpoena may seek health plan records relating to one of your employees or a member of his or her family. In either case, the subpoena is seeking information that HIPAA regards as protected health information ("PHI").
HIPAA rules set forth four circumstances under which you can respond to the subpoena:
- if the individual whose records are being requested provides a written authorization allowing you to disclose the records;
- if you receive satisfactory assurance from the party seeking the information that the individual has been notified of the subpoena and has not objected;
- if the court has entered an appropriate protective order relating to the PHI; or
- if the subpoena is accompanied by a court order requiring you to produce the records.
Under any of these options, you should carefully review the information that has been provided to you to make sure your response is permitted under the HIPAA privacy regulations.
Reviewing Authorization Forms
Often, a subpoena will be accompanied by an authorization form from the individual whose records are being sought. If the authorization form is valid, you can release the information. To be valid, the authorization must meet a number of specific requirements.
If you have any doubts about the validity of the authorization, you should discuss it with legal counsel. If it turns out that the authorization is invalid, then any disclosure of PHI in response to the subpoena would violate HIPAA and possibly expose you to sanctions from the Department of Health & Human Services.
Reviewing Notifications to the Individual
If you do not receive an authorization with the subpoena, you may still be able to respond if the party seeking the PHI has given you adequate assurance that it has notified the individual whose records are at issue about the subpoena and has given that person an opportunity to object. To satisfy HIPAA, the assurances you receive must be in writing and accompanied by documentation (such as copies of the correspondence to the individual and any relevant court orders) demonstrating that:
- written notice has been sent to the individual, or to his or her last known address;
- the notice informed the individual about the case;
- the notice gave the individual a reasonable amount of time (such as 30 days) to raise an objection with the court; and
- the time for the individual to raise an objection has passed, and:
  - no objection was filed; or
  - an objection was filed and resolved by the court, and the subpoena is consistent with the court's resolution.
When someone seeking records provides you with this information, you are permitted but not required to produce the documents. This means if you are not certain that the individual actually received the notice or did not object, you have the option to simply object to the subpoena. You also have the option of contacting the individual yourself to make sure that the individual does not object to the disclosure.
Reviewing Protective Orders
Another alternative for the party seeking the information is to obtain a qualified protective order that limits the uses that can be made of the PHI. A protective order will satisfy HIPAA if it:
- prohibits the parties from using or disclosing the information for any purpose other than the litigation at hand; and
- requires that the PHI be returned or destroyed at the end of the litigation.
In some instances, the subpoena may be accompanied by a court order requiring you to respond. In those situations, you can respond without an authorization, notice to the individual, or entry of a protective order. Be sure, however, to carefully scrutinize the order and release only the documents or information that the order authorizes. If your response exceeds the scope of the order, you will be in violation of HIPAA.
What about the Monday morning subpoena? Since the subpoena is signed only by an attorney, it is not a court order. Unless it is accompanied by one of the documents that satisfies the requirements discussed above, you should write back to the attorney who issued the subpoena and inform him or her that you cannot respond because the subpoena does not meet the requirements of HIPAA.
If you have any questions about responding to a subpoena, or any other request for access to protected health information, please call a member of Warner Norcross & Judd's HIPAA Task Force.
* * * *
HIPAA Alert is published by Warner Norcross & Judd LLP to inform clients and friends of new developments. It is not intended as legal advice. If you need additional information on the topics in this issue, please contact your Warner Norcross attorney or any member of the Firm's HIPAA Task Force at 616.752.2000.