160 likes | 490 Views
September 27, 2002. HIPAA COW Fall Conferencecrubin@weatrust.com. 2. WHAT KIND OF ENTITY IS A PBM?. Is a PBM and/or its subsidiaries:
E N D
1. September 27, 2002 HIPAA COW Fall Conference
crubin@weatrust.com 1 BA Contracting Issues: Contracting with a PBM
2. September 27, 2002 HIPAA COW Fall Conference
crubin@weatrust.com 2 WHAT KIND OF ENTITY IS A PBM? Is a PBM and/or its subsidiaries:
A Covered Entity?
If so, an OCHA? An Affiliated Entity?
Business Associate?
Trading Partner?
None of these?
All of these?
Some of these?
3. September 27, 2002 HIPAA COW Fall Conference
crubin@weatrust.com 3 WHAT KIND OF ENTITY IS A PBM? The ANSWER . . . It depends:
4. September 27, 2002 HIPAA COW Fall Conference
crubin@weatrust.com 4 OTHER QUESTIONS How do each of these components share information with pharmacies? Pharmaceutical companies? Various vendors?
Do these corporate components have the correct protections/walls/BA contracts in place?
Is any of your insureds’ PHI being shared with pharmaceutical companies?
If so, is it being used for direct (e.g., letters to your insureds about switching brands) or indirect (e.g., physician profiling) marketing purposes?
5. September 27, 2002 HIPAA COW Fall Conference
crubin@weatrust.com 5 ONE EXAMPLE OF AN ATTEMPT TO FIND ANSWERS Sample letter to PBM (see handout).
Included a detailed notice reflecting our understanding of how the various PBM components worked.
Concern: PBM/pharmacies/pharmaceutical companies are areas of potentially significant abuse of PHI due to
Broad scope of health information available
Value of PBM information for marketing
Fact of Automation
6. September 27, 2002 HIPAA COW Fall Conference
crubin@weatrust.com 6 Information/Opinions Provided to Date by Medco Health
7. September 27, 2002 HIPAA COW Fall Conference
crubin@weatrust.com 7 MEDCO RESPONSE, JULY 30, 2002 Yes, will work toward a BA agreement for April 2003 (i.e., not extension).
Yes, plans to be compliant with Transactions Standards, NCPDP Version 5, Release 1, by September 28, 2002.
“Current view” is that Medco Health, the parent, is not a Covered Entity because does not perform any covered entity functions. It and Prescription Solutions, the retail network management subsidiary, are both BAs for the plans and “in some instances to the Pharmacy Companies.” (Import?)
Prescription Solutions (in providing prescription management services + management of the retail pharmacy network) = BA of health plan clients.
8. September 27, 2002 HIPAA COW Fall Conference
crubin@weatrust.com 8 MEDCO RESPONSE, JULY 30, 2002(continued) Pharmacy Companies (18 home delivery pharmacy operations) = Covered Entities because acting as providers. The 18 licensed Pharmacy Companies will consider themselves an Affiliated Entity under HIPAA. (Import?)
As such, will draft and deliver its own privacy notice and give to home delivery users directly.
This notice is sufficient, payers need not do anything more. (accurate?)
Is in process of doing inventory and assessment of PHI flow; Has no single flow chart capturing all PHI flow.
9. September 27, 2002 HIPAA COW Fall Conference
crubin@weatrust.com 9 MEDCO RESPONSE, JULY 30, 2002(continued) Is in process of reviewing all contracts with vendors and subcontractors, for TPA issues (what about BA issues?).
Problem: If Medco Health parent is not a CE, then various vendors cannot be BAs? Just TPAs? Just BAs of 18 pharmacies?
Will have TPA language drafted by end of 2002.
Per 80% completed privacy assessment, Merck finds no activities that are marketing activities under either the old rule’s definition of marketing, nor the March proposed revision of the definition of marketing.
10. September 27, 2002 HIPAA COW Fall Conference
crubin@weatrust.com 10 SHARING OF PHI WITH PHARMACEUTICAL COMPANIES TO CALCULATE REBATE Issue: Is sharing non-aggregated PHI with pharmaceutical companies, or sharing it only internally at Medco Health, for purposes of calculating rebates, within the scope of the BA provision allowing use for “Business Associate’s proper management and administration” as long as PBM gets written confidentiality assurance from the pharmaceutical company?
If so, is that acceptable to payers?
11. September 27, 2002 HIPAA COW Fall Conference
crubin@weatrust.com 11 SHARING OF PHI WITH PHARMACEUTICAL COMPANIES TO CALCULATE REBATE (continued) Medco Response:
“We do not share any PHI with pharmaceutical manufacturers in order to calculate rebates. PHI is used by Medco internally to develop reports used to calculate rebates. . . We have not yet determined whether the activity can be accomplished using only de-identified data, or if we will find that the internal use of PHI is justifiable as a payment or healthcare operation.”
Query: If Medco Health parent is not a CE, is use of PHI for “payment or healthcare operations” an option?
12. September 27, 2002 HIPAA COW Fall Conference
crubin@weatrust.com 12 NEXT STEPS FOR WEA AND POSSIBLY FOR ALL HIPAA COW PAYERS? Determine what corporate unit performs other functions, such as Rational Med, Disease Management programs, and what ramifications?
Should Wisconsin payers all use the HIPAA COW BA template (perhaps with expanded language prohibiting use of PHI for any aspect of marketing) with PBMs so that PBMs conclude this is a condition of doing business in Wisconsin?
13. September 27, 2002 HIPAA COW Fall Conference
crubin@weatrust.com 13 NEXT STEPS (continued) Get copy of PBMs privacy notice to be used for mail-order pharmacies.
Do we need to communicate with our insureds about this?
Demand copy of PBMs internal inventory and assessment of uses of PHI?
Demand complete list of all uses that do and do not constitute TPO?
What if our claims info is being used to profile prescribers to pharmaceutical companies without disclosures of any PHI? Does HIPAA permit this? Can we stop it by contract? Do we care?
14. September 27, 2002 HIPAA COW Fall Conference
crubin@weatrust.com 14 NEXT STEPS (continued) Given past misuse by PBMs, pharmaceutical companies, and/or pharmacies, demand indemnity provision from any PBM, even though not required under HIPAA.
Given size and scope of PBMs, chain of trust concepts must be spelled out in BA agreement and possibly monitored.
15. September 27, 2002 HIPAA COW Fall Conference
crubin@weatrust.com 15 NEXT STEPS (continued) If our insureds use PBMs mail order service, what responsibility, if any, do we have for abusive use of PHI obtained through that practice? Is it clear that the 18 mail-order pharmacies are not our BA’s?
If we provide financial incentives to use mail order?
If we encourage mail order use in non-financial ways?
If we provide website link to PBMs mail order service?
Will PBMs violate their BA Agreements? Should we actively monitor this category of BAs?
Others?
16. September 27, 2002 HIPAA COW Fall Conference
crubin@weatrust.com 16 Discussion/Questions?