HIPAA Privacy Rules: What Are Plan Sponsors Required to Do?

Transcript of HIPAA Privacy Rules: What Are Plan Sponsors Required to Do?

Page 1

HIPAA Privacy Rules: What Are Plan Sponsors Required to Do?

Page 2

Objectives Today

• Overview of the HIPAA Privacy Rules
• HIPAA Privacy Legislative Guide
• What are Plan Sponsors required to do?
• Areas where clarification is needed

Page 3

Overview of the HIPAA Privacy Rules

• Regulates Protected Health Information (PHI)
• Requires that patients be told how their PHI will be used and disclosed
• Sets limits on how patients’ PHI may be used and disclosed
• Imposes fines where the requirements contained within the regulations are not followed

Page 4

Zywave Legislative Guides

Page 5

What Are Plan Sponsors Required to Do?

• The rules do not directly regulate plan sponsors or employers
• Compliance obligations indirectly imposed upon plan sponsors will vary depending on access to PHI
• Plan sponsor functions
• Plan administration functions

Page 6

Plan Sponsor Functions

• Assist employees with claim disputes pursuant to a written authorization
• Receive Summary Health Information (SHI) for purposes of obtaining premium bids or modifying, amending or terminating the plan
• Conduct enrollment and disenrollment activities

= Minimal HIPAA Privacy compliance obligations

Page 7

Plan Administration Functions

• Claims processing
• Quality improvement
• Fraud detection activities

= Considerable HIPAA Privacy compliance obligations

Page 8

Plan Sponsors that have access to PHI for plan administration must:

• Amend the plan document to allow the plan sponsor to have access to PHI
• Certify to the group health plan that it will limit its use and disclosure of PHI as required by the Privacy Rule
• Comply with all of the administrative requirements of the Privacy Rule

Page 9

HIPAA Privacy Rules – Administrative Requirements

• Appoint a privacy officer
• Train members of workforce with access to PHI
• Create written policies and procedures related to handling PHI
• Create and distribute notice of privacy practices
• Provide plan members with a right to access, copy and amend PHI in your possession
• Create internal firewalls
• Enter into written contracts with business associates

Page 10

What is a Business Associate?

• A person or entity that receives PHI from a Covered Entity in order to perform services on behalf of the Covered Entity
• Services may include treatment, payment or health care operations
• The Covered Entity must enter into a contract with the Business Associate
• The contract extends HIPAA’s protections to the information exchanged

Page 11

Areas Where Clarification is Needed

• Are authorizations required when an employer or broker needs access to PHI to advocate on behalf of an employee?
• Is enrollment/disenrollment information held by the plan sponsor considered PHI?
• How can employers deal with fraud against the health plan and abide by restrictions on use of PHI?