Tuesday, September 18, 2012

A HIPAA guide for brokers and consultants. - Employee Benefit Adviser

Attorney Alden Bianchi details in this installment of his guide the general outlines of the HIPAA privacy and electronic security rules and how group health plans are regulated under the regulation. Next month, he will talk about how brokers and consultants can comply with HIPAA's so-called 'business associate' requirements. Ed.

The Health Insurance Portability and Accountability Act of 1996 established a comprehensive set of rules regulating, among other things, the privacy and security of medical information. The rules issued under HIPAA describe in minute detail the manner in which 'covered entities' must conduct themselves in order to comply. Covered entities include health care providers, health care clearinghouses and health plans. Faced with the need to comply with HIPAA, employers often rely for help on their benefits brokers and consultants. (Because benefits consultants routinely offer both brokerage and consulting services, this advisory uses the term 'brokers/consultants' to refer collectively to these roles. But where HIPAA is concerned, the terms 'broker' and 'consultant' describe different roles with different regulatory consequences.)

When it enacted HIPAA, Congress chose not to regulate employers and their vendors and service providers, so the law does not apply to them. Under the basic HIPAA standards, sensitive medical information, which the privacy rule refers to as 'protected health information' (PHI) and the security rule refers to as 'electronic protected health information' (ePHI), generally can be shared only among covered entities.

This presented the regulators with something of a conundrum: Orderly administration of group health plans requires employers and their business associates to have access to all sorts of HIPAA-protected medical information, but access would be barred under the basic regulatory scheme absent some special rule or exemption. The solution was to require employers to adopt conforming plan amendments and to designate and train the plan's workforce, and to require service providers (which HIPAA refers to as 'business associates') to enter into agreements that include 'business associate' covenants.

This advisory explores the HIPAA privacy and security rules from the perspective of the broker/consultant that needs access to PHI as a part of the services provided to its group health plan clients. In contrast to the highly prescriptive rules that govern the conduct of covered entities, the requirements imposed on business associates are far less exacting. This is particularly true with respect to the sorts of internal controls and safeguards that a business associate must adopt. To make matters worse, despite the vaunted efforts of the regulators to make the privacy and security rules congruent, there are some important differences that will affect business associates.

Overview of HIPAA

The HIPAA medical privacy and security requirements are a subset of its 'administrative simplification' rule, the policy goal of which is to streamline the administrative and claims processing components of the U.S. health care system. Congress was aware of the extent to which the Internet and electronic media had transformed the medical claims processing landscape. With more than 400 different health care coding, billing and reporting formats in use by the various providers and payers, unnecessary delays and costs were inevitable. But the private sector appeared unable or unwilling to agree upon and adopt uniform standards, so the job was left to Congress.

By prescribing uniform standards, which are referred to as 'transactions and code sets,' Congress projected annual savings on the order of $5 billion. The transaction and code set rules prescribe data content, code and format standards for 'covered transactions.' These rules are alternatively referred to as the 'electronic data interchange' rules.

(a) Privacy rule

Although the transaction and code set rules held out the promise of substantial savings, other privacy and security protections were needed for the rule to work. In the days when most medical records were in paper form and safely locked up in physicians' offices, privacy typically was not considered a problem. But once those same records were converted to electronic form and transmitted nearly instantaneously over the Internet, privacy became very much a concern. The HIPAA privacy standards are designed to ensure that the savings from standardized electronic claims processing are not accompanied by a wholesale loss of privacy.

The privacy rules took effect in April 2003 for large group health plans, defined as plans with premiums (in the case of insured plans) or claims (in the case of self-funded plans) of more than $5 million. The effective date for all other group health plans was April 2004. Compliance requires varying levels of employer involvement, depending on whether the plan is self-funded or fully insured.

(1) Self-funded plans. Because there is no insurer or other covered entity to act on behalf of a self-funded plan, someone else must, and the plan's workforce typically consists of persons who work for the employer. While it might be possible to outsource the plan's covered functions in their entirety to an administrative services-only provider, this is rare, at least in part because the ASO provider would need to be a plan fiduciary for ERISA purposes.

(2) Fully insured plans. In the case of fully insured plans, the level of compliance depends on the extent to which the plan sponsor needs or wants access to PHI. Fully insured group health plans are exempt from the bulk of the privacy rule's compliance burdens if they receive no PHI, or if they receive only 'summary health information' and only for the purpose of obtaining premium bids to provide group health insurance coverage or modifying, amending or terminating the group health plan. An employer that fits within this exception must refrain from any retaliatory acts, and it cannot require a waiver of HIPAA privacy rights as a condition of enrolling in the group health plan or of eligibility, treatment or payment.

Comment: These exceptions are most valuable to community-rated plans that never see any PHI, since the plan's experience does not affect premiums. This often means plans of 100 or fewer participants. Experience-rated groups, on the other hand, often are accustomed to seeing detailed claims data, at least with respect to large claims. These groups are usually unwilling to limit the health information they receive to 'summary health information' used only for underwriting purposes. As a result, self-funded plans and large, fully insured plans share similar compliance profiles.

(b) Security rule

The promise of privacy rings hollow without also ensuring security, so Congress included a security component as a part of administrative simplification. The security rule focuses on such things as unauthorized network access, breaches of network firewalls, hackers, computer viruses and compromised passwords that could disrupt the flow of ePHI. The security rule is intended to protect ePHI against careless or malicious individuals who may inadvertently or intentionally exploit system vulnerabilities and misuse sensitive medical data. While the privacy rules determine who should have access to medical records, the security provisions establish the manner in which medical records must be protected from inappropriate access.

HIPAA instructed the Secretary of Health and Human Services to develop security standards that, among other things, 'ensure the integrity and confidentiality of [health] information' and protect against unauthorized uses and disclosures. Acting on this mandate, CMS issued its final rule in February 2003. It requires covered entities to:

Ensure the confidentiality, integrity and availability of all ePHI the covered entity creates, receives, maintains or transmits.

Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the rule.

Ensure compliance with the rule by its workforce.

The final rule addresses only the security of information in electronic format. The privacy rule has its own 'mini-security' requirements, however, that address data stored in formats other than electronic. It is because of these provisions, for example, that paper medical records are generally kept in locked file cabinets.

The HIPAA security rule generally took effect for large and mid-size plans on April 21, 2005, although small group health plans need not comply until April 21 of this year.

The final security rule establishes a series of 18 security standards, or baseline security requirements, covering administrative, physical and technical safeguards, which, according to HHS, are based on 'generally accepted security procedures.' For some, but not all, of these standards, the rule also prescribes 'implementation features,' which explain how to go about satisfying the requirement. These implementation specifications are further classified as 'required' or 'addressable.' While the covered entity must adopt those that are required, it can choose alternative ways to comply with those that are addressable, or it can choose not to comply, so long as, in each case, the rationale for the alternative or non-compliance is reasonable and documented. The implementation specifications of the security awareness and training standard, for example, are addressable. This means that they need not be followed to the letter if there is a good reason to deviate.

(c) Plan vs. vendor

Most private-sector group health plans are regulated as 'welfare benefit plans' under ERISA. In the case of an insured plan, the insurance company through which benefits are provided is not the ERISA-covered group health plan but rather the service provider to the plan. According to the U.S. Supreme Court, the 'plan' is the set of promises that the employer makes to its employees about health care, together with the supporting administrative scheme that enables the employer to make good on those promises. Lacking competence in plan operation, most employers hire an outside vendor, such as an insurer, to handle the particulars. What makes this confusing is that the terms of the insurance contract provide many of the material terms of the plan.

HIPAA regulates both the ERISA-covered group health plan and the insurance contract through which benefits are provided. For HIPAA purposes, these are both covered entities. Where employees make up the plan's workforce, and where these individuals get PHI and ePHI in the course of administering the plan, both the HIPAA privacy and security rules are invoked and compliance is required. While a broker/consultant might, in its capacity as a business associate, lend assistance, HIPAA compliance rests with the covered entity.

Alden J. Bianchi is group leader of the employee benefits and executive compensation practice at the law firm Mintz, Levin, Cohn, Ferris, Glovsky and Popeo. He has written three books and dozens of articles, and is a fellow of the American College of Employee Benefits Counsel.

(c) 2006 Employee Benefit Adviser and SourceMedia, Inc. All Rights Reserved.

http://www.employeebenefitadviser.com http://www.sourcemedia.com