HIPAA Implementation Impact for Brokers. April 2003.
Today’s presentation is not legal advice
• This overview of Anthem’s compliance effort, created for our accounts and brokers, is offered for informational purposes only. It is not intended as a legal opinion or advice. Please contact your attorney for legal advice.
• This information is subject to change. Please visit http://www.Anthem.com for updates.
HIPAA applies to Covered Entities
Covered Entities are …
• Providers (transmitting certain data)
• Clearinghouses
• Health Plans
• Group Health Plans (whether fully-insured or self-insured)
Definition of a Group Health Plan
A Group Health Plan is the employee welfare benefit plan (as defined in ERISA), including insured and self-insured plans, to the extent that the plan provides medical care to employees or their dependents directly or through insurance, reimbursement, or otherwise.
Diagram of an Employer/Plan Sponsor (Cont.)
• It takes people to carry on the administrative functions of a GHP. Because of the confidential nature of PHI, the Plan Sponsor must limit access to PHI by clearly designating the person(s), class of persons, and/or third-parties that the Plan Sponsor authorizes to perform the administrative functions of the GHP - those who will be "in-the-loop."
• Stars represent employees of the Plan Sponsor.
• White stars represent those employees designated to perform GHP functions (exposure to PHI).
• Gray star(s) represent those employees who may have responsibilities for both the GHP and the employer (generally).
• Black stars represent those employees who are never authorized to access PHI.
Privacy Standards Anthem’s Status
3 Classifications of HIPAA Information
#1 Protected Health Information (PHI)
• PHI is individually identifiable health information that is transmitted or maintained by electronic media or in any other form or media
• “Individually identifiable health information” is health information that can identify the individual
• “Health information” is very broadly defined as that which relates to past, present or future health condition or relates to past, present or future provision of or payment for health care
• PHI includes, but is not necessarily limited to, such identifiers as … Names, geographic subdivisions narrower than a 5 digit ZIP, all elements of dates (except year), telephone numbers, email addresses, IP addresses, URLs, Social Security Numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, and biometric identifiers
3 Classifications of HIPAA Information
#2 Summary Health Information (SHI)
• SHI is a subset of PHI.
• SHI is health information that summarizes claims history, claims expenses, or type of claims experienced of a group health plan and from which most identifiers have been removed
3 Classifications of HIPAA Information
#3 De-identified Information
• De-identified information may start out as PHI or SHI; however, additional identifiers must be removed before PHI or SHI may be reclassified as De-identified Information
• To qualify for the De-identified Classification, all information that could link the information to an individual must be deleted
• There must be no reasonable basis to believe the information can be used to identify the individual
• To satisfy the reasonable basis test, a statistician should determine that the information has been sufficiently stripped of identifiers to the point that it cannot be re-identified
• Upon qualifying for the classification of De-identified Information, the information may be used by a covered entity without restriction
Organized Health Care Arrangement (OHCA)
• Organized Health Care Arrangement (OHCA) exists between an insurer and a fully-insured group health plan
• In the OHCA, these covered entities are allowed to share only the minimum necessary amount of PHI to coordinate operations to properly serve the enrollees, such as …
  • Audit and Reconciliation Purposes
  • To evaluate plan performance
  • To evaluate insurance company performance
  • To evaluate plan experiences
Business Associates
• A business associate creates, uses, or discloses PHI on behalf of a covered entity
• Must provide Covered Entities with certain written assurances
• Anthem’s Business Associate Agreements satisfy this requirement
• Anthem’s business associates include …
  • Medco
  • Davis Vision
  • Brokers
• When performing certain tasks, a Broker may be a Business Associate of Anthem
• Anthem is the Business Associate of the ASO Group Health Plan
Business Associate Agreements
• Anthem delivered Business Associate Agreements to its Brokers, and requires its brokers to sign and return the Agreements to Anthem
• When performing the types of tasks mentioned in Anthem’s Business Associate Agreement, Brokers may be business associates of Anthem
• Anthem also mailed a Business Agreement to self-insured group health plans
• Anthem is a business associate of ASO groups
Anthem Disclosure Policy
• Anthem will only disclose PHI to the Group Health Plan
• ASO may receive PHI as defined in the Business Associate Agreement
• Fully-insured GHPs may receive PHI necessary to run the Organized Health Care Arrangement
• Fully-insured GHPs may elect to receive only SHI
• Plan Sponsor or Employer may receive SHI for purposes of obtaining premium bids or for modifying, amending or terminating the GHP
• Anthem cannot disclose PHI to an Employer
• Anthem cannot disclose PHI to a Plan Sponsor
Anthem Disclosure Policy (continued)
• If a Broker signed Anthem’s Business Associate Agreement and is an agent of record for the individual or group health plan, then Anthem can share the minimum necessary PHI with Broker/Producer to resolve member claims
• Anthem can share Summary Health Information (SHI) with Brokers/Producers in connection with delivering renewals
• Anthem will not share PHI with the Broker/Producer for other plan administration functions without written direction from the GHP that is eligible to receive PHI
Fully-insured GHP Election
• Fully-insured GHPs may elect NOT to receive or create PHI
• If GHPs elect not to create or receive PHI, they do not have to comply with certain privacy requirements
• Fully-insured GHPs may choose to receive only Summary Health Information (SHI)
• Anthem will provide an election form to fully-insured GHPs
• Completing and returning the form will acknowledge to Anthem that the GHP only wants to receive SHI
• Upon receipt of this election, Anthem will only provide SHI
• Request for member PHI requires the member’s authorization
Disclosures to Group Health Plans
• Anthem may disclose PHI to the ASO Group Health Plan as defined in the Business Associate Agreement
• Anthem may only disclose the PHI necessary to run the OHCA to the fully-insured Group Health Plan (not electing SHI only)
• Individual authorization is required if the PHI requested is in addition to or exceeds the PHI for running the OHCA
• Anthem may disclose SHI to the Fully Insured Group Health Plan
• For fully-insured Group Health Plans electing only SHI, PHI will not be disclosed without authorization from the individual
Group Reporting
• ASO Group Health Plans may receive account reports containing PHI as defined by the Business Associate Agreement
• Fully Insured Group Health Plans
  • As a general rule, reports containing SHI will be provided along with enrollment/disenrollment or de-identified information to fully-insured GHPs. PHI reports may be provided upon request.
  • Fully-insured Group Health Plans electing only SHI will receive reports containing SHI along with enrollment/disenrollment or de-identified information.
Group Reporting (continued)
• Summary Health Information: The Account Reporting area may provide reports that contain only Summary Health Information to the FI-GHP upon request (verbal, written, fax, e-mail)
• Enrollment/Disenrollment Information: The Account Reporting area may provide reports that contain Enrollment/Disenrollment information to the FI-GHP upon request (verbal, written, fax, e-mail)
• De-Identified Information: The Account Reporting area may provide reports that contain only De-Identified Information to the FI-GHP upon request (verbal, written, fax, e-mail)
Group Reporting (continued)
• Protected Health Information: The Account Reporting area may provide reports that contain Protected Health Information to a FI-GHP only if all of the following requirements are met:
  • The FI-GHP has requested a report that contains Protected Health Information on Anthem’s Report Request Form; and
  • The FI-GHP meets the regional size requirements for production of PHI reports (e.g. over 100 contracts); and
  • Anthem determines that the requested information is needed to run the Organized Health Care Arrangement
Group Billing
As a general rule, Anthem will provide bills that contain only Summary Health Information, Enrollment/Disenrollment Information, or De-identified Information to fully-insured group health plans.
• Summary Health Information: The Billing area may provide bills that contain only Summary Health Information to the fully-insured group health plan
• Enrollment/Disenrollment Information: The Billing area may provide bills that contain Enrollment/Disenrollment information to the fully-insured group health plan
• De-identified Information: The Billing area may provide bills that contain only De-Identified Information to the fully-insured group health plan
When is authorization required?
• If a fully-insured group health plan elected to receive only SHI and requests PHI, then an individual’s authorization will be required
• If a fully-insured group health plan did not elect to receive only SHI, but the amount of PHI that it requests exceeds the minimum necessary to run the OHCA, then an individual’s authorization will be required
• If a broker requests PHI that exceeds minimum necessary to assist the individual with claim resolution, or to perform regular customer service functions on behalf of Anthem, then an individual’s authorization will be required
Privacy Notice
• Anthem has mailed its Privacy Notice to those members with individual policies
• The Privacy Notice is also available at www.Anthem.com
• If a group health plan is fully-insured, then Anthem has mailed its Privacy Notice to members of the fully-insured group health plan
• If a group health plan is self-insured, then Anthem has made its Privacy Notice available to the self-insured group health plan
• A self-insured group health plan is responsible for creating and distributing its own Privacy Notice to its members
• A self-insured group health plan’s HIPAA Privacy Notice cannot conflict with Anthem’s Privacy Notice
• Anthem’s Privacy Notice is also available at www.Anthem.com
Access Control
Before using or disclosing PHI, a requestor must be verified:
• Who is calling? Name?
• Do they represent the GHP? GHP or Plan Sponsor/Employer?
• Is the requestor who he/she claims to be?
Access Control (continued)
• If requesting on behalf of a group health plan, is the group health plan a fully-insured or self-insured group health plan?
• Essential to establish what information the requestor has the authority to access
• If ASO, is there a BA Agreement in place?
• If fully insured, has the GHP elected only SHI?
Access Control (continued)
If a broker requests PHI from Anthem, then Anthem will
• Meet previously discussed rules
• verify the broker number
• determine whether the broker’s signed business associate agreement is in place
• determine whether the Broker has the authority to act on behalf of the group health plan or individual (Agent of Record)
HIPAA Privacy Compliance Date
• April 14, 2003: Compliance deadline
• April 14, 2004: If you are a small health plan with annual receipts of $5 million or less
As a Covered Entity, Anthem …
• will comply with HIPAA Privacy regulations no later than April 14, 2003
• is aggressively moving forward with all HIPAA implementation activities
• is adopting currently accepted practices to help ensure our policies and procedures comply with the HIPAA Privacy regulations
In Addition, Anthem …
• established a Privacy and Security Office
• defined the role of the Privacy and Security Office
• completed an analysis of state privacy laws
• completed a review and summary of the final modifications to the privacy rule
• completed a comprehensive gap analysis and risk assessment based on the requirements of the proposed security regulations
• identified the security measures needed to support the privacy regulations
Communications
Anthem has an ongoing communications effort for our constituents to:
• define Anthem’s ongoing relationship with accounts and brokers
• provide information about HIPAA Privacy Regulations, Anthem’s Privacy Notice and educational opportunities
• address and minimize potential operational barriers which may result from conducting business under the Privacy rule
Member Considerations
• More “Official” Rights
• May Need To Complete Authorizations
• Verification Process
• Disclosure Chart Changes
• Should not need to invoke a HIPAA right except under unusual circumstances
Group Considerations
• ASO Group Health Plan as a covered entity:
  • Must Comply
  • Needs Business Associate Agreement with Anthem
  • Anthem to provide PHI to GHP only
  • Reports Subject to Minimum Necessary
• Fully-insured Group Health Plan as a covered entity:
  • If SHI (Does not create or receive PHI), the GHP is exempted from most of the privacy requirements
  • GHP can receive PHI, but only if it is necessary for running organized Health Care Management
  • Reports subject to Minimum Necessary
Broker Considerations
• Must sign Business Associate Agreement
• Access Control and Process of Verification
• Can only view their Customers’ Information
• Subject to Minimum Necessary
Sources of Information About HIPAA
• www.hipaadvisory.com: Vendor sponsored site, contains all draft & final HIPAA rules
• www.ncpdp.org: National Council for Prescription Drug Programs
• www.cms.hhs.gov: Centers for Medicare and Medicaid Services (formerly HCFA)
• www.ncvhs.hhs.gov: National Committee on Vital and Health Statistics
• www.mahicentral.org: Mid Atlantic Health Initiative
For more Anthem-specific information, visit our web site at www.anthem.com