As the Plan Sponsor/Employer you must contend with yet another federal requirement on your group health plans: the "Health Insurance Portability and Accountability Act" (HIPAA) privacy rules. The goal of the rules, to ensure that health information about employees and family members is not used for purposes other than health care, is laudable, but the implementing regulations and the flexibility granted to individual States to craft tougher privacy rules will be challenging for you.
One of the first challenges you must confront is a conceptual one. The rules directly regulate group health plans and not you. Given that a group health plan is usually nothing more than a plan document, it is the sponsor of the group health plan, the employer or the trustees, who must comply with the rules along with the companies and individuals who provide services to the group health plan.
Not all the health-related information you maintain is subject to the HIPAA privacy rules. The health information you create, receive and maintain when operating in the group health plan capacity is subject to HIPAA privacy. The health information you create, receive and maintain when operating in the employer capacity is not subject to HIPAA privacy, but is instead protected under other rules, such as the Americans with Disabilities Act and FMLA.
The regulations refer to health information the employer obtains when operating in the capacity of an employer as employment record information, which is separately maintained from group health plan information. While the regulations do not adopt a definitive definition of employment record, the regulations clarify that medical information needed to carry out an employer's obligations under FMLA, ADA, and similar laws, as well as files or records related to occupational injury, disability insurance eligibility, sick leave requests and justifications, drug screening results, workplace medical surveillance, and fitness-for-duty tests of employees may be considered employment-related and not subject to HIPAA privacy. This would mean that you should not have copies of information relating to the health plan in an employment file.
As your third party administrator, GISC can help you to achieve the separation of function that HIPAA envisions. The health information GISC creates, receives and maintains is associated with the group health plan and as such is subject to HIPAA privacy. If you request any individually identifiable health information from GISC, HIPAA imposes strict requirements on how that information can be used. If you use the information for anything other than plan administration functions, you must first obtain an authorization from the individual whose information you seek to view. HIPAA imposes detailed requirements on the authorization form that you must use, and it requires you to disclose the reason you seek to view the information.
GISC will be frequently reminding you of these requirements and will assist you by acting as a kind of sentinel of the plan information. If GISC questions you about why you want some information, remember that this is to prevent you from violating HIPAA privacy. GISC is acting in your best interest and helping you to avoid heavy monetary penalties. While GISC can be very helpful, the final responsibility always resides with the employer, plan sponsor or plan trustees. Note: In most cases, the purpose for which you request plan information from GISC is for plan administration functions and therefore authorizations will not be required.
Your responsibilities under the HIPAA privacy rule depend on what type of health information is viewed. Is it individually identifiable, or is it summary information that is de-identified? If members of your workforce see or hear any individually identifiable information that comes from the plan, you must comply with HIPAA privacy. In most self-funded plans, some members of the workforce receive individually identifiable health information from the plan, including, but not limited to, check registers, audits, hold lists (funding requests), explanations of benefits, drug reports, 50% reports, etc. GISC has chosen to de-identify the majority of this information so that you will not have to be concerned with a violation of HIPAA privacy.
Below is a brief overview of the group health plan requirements. As you will see, the requirements are not overly burdensome, but they do require formalizing and documenting policies and procedures, as well as thinking through the flow of medical information in your offices.
Business Associate Agreement
When an employer on behalf of a group health plan hires a third party to perform some functions for the plan and those functions require access to employee medical information, the group health plan is required to have a "business associate agreement" with the third party to ensure that the medical information will be protected.
You need to be thinking about the organizations you contract with to provide services to the group health plan. In some cases you will contract directly with utilization review firms, pre-certification companies, brokers, pharmacy benefit management firms and networks. In other cases you will contract with GISC and rely on GISC to subcontract work to these entities. Many of you will have a hybrid approach and directly contract with some vendors, while relying on GISC to subcontract with other vendors.
As the "Covered Entity" you will need to have a "business associate agreement" with GISC as well as with any vendor you contract with directly, such as utilization review firms, pre-certification companies, brokers, pharmacy benefit management firms and networks, etc. If GISC contracts with these firms on behalf of your group health plan, GISC will have a subcontractor agreement with these firms that flows down the restrictions of the business associate agreement to them. GISC has sent all of you a business associate agreement for you to sign as the "Covered Entity" and for GISC to sign as your business associate. Further, GISC has sent subcontractor agreements to all of the vendors to ensure that they comply with the privacy rules. Note: If you have a direct relationship with a vendor, you are responsible for completing a business associate agreement with them; this may also apply to your broker and/or consultant.
Policies and Procedures
You will need to develop policies and procedures relating to the use, disclosure and access to medical information of employees and family members. The first step in developing policies and procedures is to examine your office operations to determine who has access to this information and how the information is stored. The next step is to create safeguards (administrative, technical and physical) to protect the information from being accessed by individuals who should not be accessing it. The third step is to draft a procedure manual explaining your policies and procedures. The fourth step is to train members of your workforce regarding privacy requirements and document that the training has been provided.
HIPAA requires that you designate a "privacy official" who is responsible for the development and implementation of the privacy policies, as well as designate a contact person who is responsible for receiving complaints about privacy violations.
You will also need to have an avenue for individuals to make complaints concerning the privacy policies and procedures, and to document all complaints received and how they were handled. You will have to develop appropriate sanctions against members of your workforce who fail to comply with the privacy policies and procedures, as well as document the sanctions that are applied. You will need to take action to mitigate any known harmful effect of the improper use or disclosure of medical information.
For most of you the HIPAA privacy requirements will impose some rethinking of your office handling of medical information and will heighten your employees' sensitivity to proper handling of medical information. Once the policies and procedures are in place, HIPAA privacy should become a minimal routine part of standard office operations.