Part II - Employers : “4 Buckets”

• Employer

• Self-Funded GHP

• Fully-Insured GHP (Summary Info)

• Fully-Insured GHP (receives PHI)

Employer-specific HIPAA Privacy Terms

• “Summary Information”

• “Plan Administration”

Summary Information

• Summarizes claims history, claims expenses, or claim type of participants in a GHP

• Essentially is a category of information somewhere between de-identified data and PHI

• “Step above” De-identified information because it has some identifiers

• Uses/Disclosures are limited to 3 purposes

Plan Administration

• GHP “Operations” and “Payment”

• Plan Administration functions performed by Plan Sponsor/Employer (or its TPA)

– excludes functions performed in connection with any other plan of the Employer

– unless OHCA with other GHPs

BUCKET # 1

Employer as “Employer”

(HR Manager)

Bucket #1: Employer

• Employer as HR Manager

– Hiring, Firing

– FMLA Leave

– Disability Leave

– Workers’ Compensation Claims

– Medical Absences

– Drug and Alcohol Screening

– Fitness for Duty Tests

• HIPAA does not regulate Employer in this Bucket!

BUCKET # 2

Self-Funded GHP

(Receives PHI)

BUCKET # 2 - Self-Funded GHP

• Health benefits funded by employer

• Claims administered internally

• Creates PHI

• MUST provide Notice of Privacy Practices

• MUST comply with all of Privacy Rule’s Administrative Requirements

• MUST amend Plan Document, provide Certification Statement, and make organizational changes

BUCKET # 3

Employer Insured GHP

(Summary Info)

BUCKET # 3 - Insured GHP

• Health benefits insured by employer

• Insurer does not provide PHI back to GHP or Sponsor

• DOES NOT need to provide Notice and comply with most of the Privacy Rule’s Administrative Requirements (except for non-waiver and non-retaliation)

• Assumption: Sponsor does not receive PHI beyond summary information for the 3 allowed uses

– EXCEPTED from Plan Amendment and Certification requirements

BUCKET # 4

Fully-Insured GHP

(Full PHI)

BUCKET # 4 - Fully-Insured GHP

• GHP provides health benefits solely through a health insurance issuer or HMO

• If Sponsor receives more than summary information:

– Unique Notice obligations

– Must do Plan Amendment & Certification

– Issue: Comply with all Admin. Req’ts.?

• Gray area: e.g., where Plan Sponsor does not receive PHI from insurer but may assist employees with claims issues (advocacy)

Privacy Rule Requirements For Self-funded GHP

• Notice Requirements

• Amend Plan Documents

• Certification Statement

• Individual Rights

• Administrative Requirements

Content of the Notice of Privacy Practices

• Plain Language

• Uniform Header

• Description and at least one example each of the types of uses and disclosures made for treatment, payment, and health care operations

• Description of each of the other purposes for which a use or disclosure is permitted or required without authorization

Content of the Notice of Privacy Practices (cont.)

• Each purpose must have “sufficient detail” to put individual on notice

• Statement that all other uses or disclosures will only be made with the individual’s authorization

• If applicable, a statement that the GHP, or a health insurance issuer or HMO providing benefits for GHP, will disclose PHI to Plan Sponsor

Provision of Notice

• No later than the Compliance Date for existing participants

• At time of enrollment for all new enrollees

• Within 60 days of a material change to the notice

• Notification of availability of the notice every 3 years (or less)

• Requirement satisfied if provided only to named insured and not dependents

Health Plan Notice Issues

• Notice is from Group Health Plan if there is no group insurance contract

• Notice is from the HMO or health insurance issuer in the insured context

• Notice maintained by the GHP if it receives PHI

• Notice to the named insured is sufficient

Other Notice Requirements

• Specify GHP/Plan Sponsor duties

• Name Contact Person

• Establish Complaint Process

• Optional ability to impose limitations on allowable uses and disclosures

Plan Amendment & Certification

• Required elements for Plan amendments

• Required elements similar to elements of a BA contract

• Certification by GHP to Plan Sponsor

Required Amendments

• Establish the permitted and required uses and disclosures of PHI by the Plan Sponsor

• Not use or disclose PHI other than as permitted or required by the GHP or as required by law

• Ensure that agents and subcontractors of the Plan Sponsor agree to abide by the Privacy Rule requirements

Required Amendments

• Provide an accounting of disclosures of PHI

• Make internal practices, books and records pertaining to the use and disclosure of PHI received from the Plan available to DHHS for determining compliance

• Return or destroy all PHI when no longer needed

Required Amendments

• Ensure adequate separation between the GHP and Plan Sponsor

• Describe employees or classes of employees under the control of the Plan Sponsor to be given access to PHI, including individuals who receive PHI in the ordinary course of business

• Provide a mechanism for resolving noncompliance

Required Amendments

• Plan Sponsor cannot use or disclose PHI for employment-related actions, or in connection with any other benefit or employee benefit plan of the Sponsor

• Report to the GHP any inconsistent use or disclosure of which it becomes aware

• Make PHI available to individuals and allow individuals to amend their PHI

Individual Rights

• Receive notice of privacy practices

• Access: inspect or copy PHI

• Amend

• Accounting

Individual Rights (cont.)

• Authorization

• Complaints to Secretary and/or GHP

• Permissive right to request restriction and confidential communication

Administrative Requirements

• Appoint privacy official and contact person

• Establish privacy policies and procedures and implementing forms, e.g., request for access form

• Reconfigure technical, administrative and physical safeguards (i.e., firewalls)

Administrative Requirements

• Develop authorizations and notices

• Develop grievance/complaint procedures

• Develop sanction, mitigation, non-retaliation, and non-waiver of rights policies

Administrative Requirements

• Communicate privacy policy

• Training

• Written or electronic record of the actions, policies, procedures, and other forms required to be documented by the Privacy Rule (document communications required to be in writing)
