Articles 


Jim Hamilton

HIPAA Privacy Part II Looms for Indiana Employers

As seen in the Indianapolis Business Journal
by Jim Hamilton

The second phase of the HIPAA Privacy Rule will have a dramatic impact upon most Indiana employers. Employer group health plans must comply with the Privacy Rule by April 14, 2004. The definition of employer group health plans includes medical, prescription drug, dental, vision, employee assistance and long-term care plans, as well as health flexible spending accounts. 

Large group health plans, those with annual receipts in excess of $5 million, were required to comply with the Privacy Rule earlier this year. The following lessons may be learned from those entities required to comply with the 2003 deadline. 





 

 

  1. Employers with self-funded group health plans will be responsible to bring their plans into compliance. Most Indiana employers will be affected because they maintain health flexible spending accounts that are deemed to be self-funded group health plans.

  2. It is a myth that third party administrators (TPA) will assume compliance obligations on behalf of their clients. On occasion, TPAs will prepare a HIPAA business associate agreement between the TPA and the health plan. However, these TPA-prepared agreements need to be closely reviewed because of the apparent conflict that exists when a TPA is permitted to draft an agreement that is designed to place restrictions upon the TPA. 

  3. The Privacy Rule requires health plans to enter into formal, written agreements with each of their business associates restricting the use and disclosure of protected health information. These agreements often take time to negotiate, particularly if they contain indemnification provisions protecting the health plan from errors made by the business associate. 

    The process of identifying business associates may also be problematic for some health plans. Business associates are persons or entities that perform certain functions or activities that involve the use or disclosure on behalf of, or provide services to, a health plan. Common business associates for health plans include TPAs, attorneys, consultants, prescription drug and COBRA vendors. Business associate agreements are not generally required between a health plan and a re-insurer or stop-loss carrier.

  4. Human resources professionals have also struggled with disclosure issues relating to health information. The Privacy Rule provides that a group health plan may not use or disclose protected health information without an authorization signed by the participant. However, health plans may disclose protected health information to their business associates for purposes of treatment, payment and health care operations. This exception will continue to permit most disclosures to plan vendors that occurred prior to the implementation of the Privacy Rule.

    Employer group health plans are permitted to disclose protected health information directly to the participant. In addition, it is generally permissible to disclose health information about a participant to the spouse of the participant unless the discloser has actual knowledge that it would be inappropriate to disclose this information to the spouse. A group health plan may also continue the industry practice of sending family member explanation of benefit (EOB) statements to the employer. However, parents of adult children generally will not be permitted to receive protected health information relating to the child without an authorization.

  5. It has been unclear to what extent an employer may advocate on behalf of participants in its health plan with insurance companies. Employers may assist an employee in claims disputes if the employee signs an authorization permitting disclosure of his or her protected health information to the employer, or if specific amendments are made to the plan documents. Based upon our experience, most insurance companies will insist upon an authorization before they will disclose protected health information to an employer. Authorizations must comply with specific requirements set forth in the Privacy Rule.

  6. Disclosures for underwriting have also generated a significant amount of confusion. Self-funded group health plans are permitted to disclose protected health information for its underwriting purposes to brokers and consultants that are business associates of the plan. Underwriting is considered to be a permissible health care operation of the plan and thus an authorization is not necessary. On the other hand, insurance companies will generally disclose only summary health information to the plan sponsor of a fully insured group health plan. Summary health information is information that summarizes claims history, expenses, or type of claims experienced by individuals, provided that specific personal and geographic information is removed. Generally, insurance companies will be able to disclose information relating to gender, age in years and generic claims data for underwriting purposes.

    The Privacy Rule and its accompanying commentary is nearly five hundred pages long, three columns per page with tiny print. The law continues to evolve as the federal government is forced to address more practical problems raised by employers. Given the dramatic scope and complexity of the Privacy Rule, it will be important for employers to be diligent and careful in bringing their group health plans into compliance.   


© 2007 Bose McKinney & Evans LLP All Rights Reserved 		Disclaimer Español Japanese