HIPAA Implementation Impact for Brokers

HIPAA Implementation Impact for Brokers, April 2003. Independent licensees of the Blue Cross and Blue Shield Association. ®Registered marks Blue Cross and Blue Shield Association.

Upload: lamont

Post on 14-Jan-2016


DESCRIPTION

HIPAA Implementation Impact for Brokers. April 2003. This overview of Anthem’s compliance effort, created for our accounts and brokers, is offered for informational purposes only. It is not intended as a legal opinion or advice. Please contact your attorney for legal advice.

TRANSCRIPT

Page 1: HIPAA  Implementation Impact for Brokers


HIPAA

Implementation Impact for Brokers

April 2003

Page 2: HIPAA  Implementation Impact for Brokers


Today’s presentation is not legal advice

This overview of Anthem’s compliance effort, created for our accounts and brokers, is offered for informational purposes only.

It is not intended as a legal opinion or advice. Please contact your attorney for legal advice.

This information is subject to change. Please visit http://www.Anthem.com for updates.

Page 3: HIPAA  Implementation Impact for Brokers


HIPAA applies to Covered Entities

• Covered Entities are …

– Providers (transmitting certain data)

– Clearinghouses

– Health Plans

– Group Health Plans (whether fully-insured or self-insured)

Page 4: HIPAA  Implementation Impact for Brokers


Definition of a Group Health Plan

• A Group Health Plan is the employee welfare benefit plan (as defined in ERISA), including insured and self-insured plans, to the extent that the plan provides medical care to employees or their dependents directly or through insurance, reimbursement, or otherwise.

Page 5: HIPAA  Implementation Impact for Brokers


Diagram of an Employer/Plan Sponsor

1. An employer is NOT a covered entity under HIPAA. (Diagram label: Employer)

2. When an employer forms a Group Health Plan (GHP), it assumes the role of a Plan Sponsor. The GHP is part of, and yet its operation must be separate from that of the Plan Sponsor / employer. The GHP is a covered entity. (Diagram labels: Plan Sponsor, Group Health Plan)

Page 6: HIPAA  Implementation Impact for Brokers


Diagram of an Employer/Plan Sponsor (Cont.)

[Diagram 3: Plan Sponsor and Group Health Plan]

• It takes people to carry on the administrative functions of a GHP. Because of the confidential nature of PHI, the Plan Sponsor must limit access to PHI by clearly designating the person(s), class of persons, and/or third-parties that the Plan Sponsor authorizes to perform the administrative functions of the GHP - those who will be "in-the-loop."

• Stars represent employees of the Plan Sponsor.

– White stars represent those employees designated to perform GHP functions (exposure to PHI).

– Gray star(s) represent those employees who may have responsibilities for both the GHP and the employer (generally).

– Black stars represent those employees who are never authorized to access PHI.

Page 7: HIPAA  Implementation Impact for Brokers


HIPAA Administrative Simplification

Page 8: HIPAA  Implementation Impact for Brokers


HIPAA Diagram

• HIPAA

– Title I: Portability

– Title II: Administrative Simplification

• Transaction Standards

• Code Set Standards

• Unique Health Care Industry Identifiers

• Privacy Standards

• Security Standards

– Title III?

– Title IV?

– Title V?

Page 9: HIPAA  Implementation Impact for Brokers


Anthem’s Status

• Privacy Standards

Page 10: HIPAA  Implementation Impact for Brokers


3 Classifications of HIPAA Information

• #1 Protected Health Information (PHI)

– PHI is individually identifiable health information that is transmitted or maintained by electronic media or in any other form or media

– “Individually identifiable health information” is health information that can identify the individual

– “Health information” is very broadly defined as that which relates to past, present or future health condition or relates to past, present or future provision of or payment for health care

– PHI includes, but is not necessarily limited to, such identifiers as …

• Names, geographic subdivisions narrower than a 5 digit ZIP, all elements of dates (except year), telephone numbers, email addresses, IP addresses, URLs, Social Security Numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, and biometric identifiers

Page 11: HIPAA  Implementation Impact for Brokers


3 Classifications of HIPAA Information

• #2 Summary Health Information (SHI)

– SHI is a subset of PHI. SHI is health information that summarizes claims history, claims expenses, or type of claims experienced of a group health plan and from which most identifiers have been removed

Page 12: HIPAA  Implementation Impact for Brokers


3 Classifications of HIPAA Information

• #3 De-identified Information

– De-identified information may start out as PHI or SHI; however, additional identifiers must be removed before PHI or SHI may be reclassified as De-identified Information

– To qualify for the De-identified Classification, all information that could link the information to an individual must be deleted

– There must be no reasonable basis to believe the information can be used to identify the individual

– To satisfy the reasonable basis test, a statistician should determine that the information has been sufficiently stripped of identifiers to the point that it cannot be re-identified

– Upon qualifying for the classification of De-identified Information, the information may be used by a covered entity without restriction

Page 13: HIPAA  Implementation Impact for Brokers


Organized Health Care Arrangement (OHCA)

• Organized Health Care Arrangement (OHCA) exists between an insurer and a fully-insured group health plan

• In the OHCA, these covered entities are allowed to share only the minimum necessary amount of PHI to coordinate operations to properly serve the enrollees such as …

– Audit and Reconciliation Purposes

• To evaluate plan performance

• To evaluate insurance company performance

• To evaluate plan experiences

Page 14: HIPAA  Implementation Impact for Brokers


Business Associates

• A business associate creates, uses, or discloses PHI on behalf of a covered entity

– Must provide Covered Entities with certain written assurances

– Anthem’s Business Associate Agreements satisfy this requirement

• Anthem’s business associates include …

– Medco

– Davis Vision

– Brokers

• When performing certain tasks, a Broker may be a Business Associate of Anthem

• Anthem is the Business Associate of the ASO Group Health Plan

Page 15: HIPAA  Implementation Impact for Brokers


Business Associate Agreements

• Anthem delivered Business Associate Agreements to its Brokers, and requires its brokers to sign and return the Agreements to Anthem

– When performing the types of tasks mentioned in Anthem’s Business Associate Agreement, Brokers may be business associates of Anthem

• Anthem also mailed a Business Agreement to self-insured group health plans

– Anthem is a business associate of ASO groups

Page 16: HIPAA  Implementation Impact for Brokers


Anthem Disclosure Policy

• Anthem will only disclose PHI to the Group Health Plan

– ASO may receive PHI as defined in the Business Associate Agreement

– Fully-insured GHPs may receive PHI necessary to run the Organized Health Care Arrangement

– Fully-insured GHPs may elect to receive only SHI

– Plan Sponsor or Employer may receive SHI for purposes of obtaining premium bids or for modifying, amending or terminating the GHP

• Anthem cannot disclose PHI to an Employer

• Anthem cannot disclose PHI to a Plan Sponsor

Page 17: HIPAA  Implementation Impact for Brokers


Anthem Disclosure Policy (continued)

• If a Broker signed Anthem’s Business Associate Agreement and is an agent of record for the individual or group health plan, then

– Anthem can share the minimum necessary PHI with Broker/Producer to resolve member claims

– Anthem can share Summary Health Information (SHI) with Brokers/Producers in connection with delivering renewals

• Anthem will not share PHI with the Broker/Producer for other plan administration functions without written direction from the GHP that is eligible to receive PHI

Page 18: HIPAA  Implementation Impact for Brokers


Fully-insured GHP Election

• Fully-insured GHPs may elect NOT to receive or create PHI

• If GHPs elect not to create, or to receive PHI, they do not have to comply with certain privacy requirements

• Fully-insured GHPs may choose to receive only Summary Health Information (SHI)

• Anthem will provide an election form to fully-insured GHPs

– Completing and returning the form will acknowledge to Anthem that the GHP only wants to receive SHI

– Upon receipt of this election, Anthem will only provide SHI

– Request for member PHI requires the member’s authorization

Page 19: HIPAA  Implementation Impact for Brokers


Disclosures to Group Health Plans

• Anthem may disclose PHI to the ASO Group Health Plan as defined in the Business Associate Agreement

• Anthem may only disclose the PHI necessary to run the OHCA to the fully-insured Group Health Plan (not electing SHI only)

– Individual authorization is required if the PHI requested is in addition to or exceeds the PHI for running the OHCA

• Anthem may disclose SHI to the Fully Insured Group Health Plan

– For fully-insured Group Health Plans electing only SHI, PHI will not be disclosed without authorization from the individual

Page 20: HIPAA  Implementation Impact for Brokers


Group Reporting

• ASO Group Health Plans may receive account reports containing PHI as defined by the Business Associate Agreement

• Fully Insured Group Health Plans

– As a general rule, reports containing SHI will be provided along with enrollment/disenrollment or de-identified information to fully-insured GHPs. PHI reports may be provided upon request.

– Fully-insured Group Health Plans electing only SHI will receive reports containing SHI along with enrollment/disenrollment or de-identified information.

Page 21: HIPAA  Implementation Impact for Brokers


Group Reporting (continued)

• Summary Health Information: The Account Reporting area may provide reports that contain only Summary Health Information to the FI-GHP upon request (verbal, written, fax, e-mail)

• Enrollment/Disenrollment Information: The Account Reporting area may provide reports that contain Enrollment/Disenrollment information to the FI-GHP upon request (verbal, written, fax, e-mail)

• De-Identified Information: The Account Reporting area may provide reports that contain only De-Identified Information to the FI-GHP upon request (verbal, written, fax, e-mail)

Page 22: HIPAA  Implementation Impact for Brokers


Group Reporting (continued)

• Protected Health Information: The Account Reporting area may provide reports that contain Protected Health Information to a FI-GHP only if all of the following requirements are met:

– The FI-GHP has requested a report that contains Protected Health Information on Anthem’s Report Request Form; and

– The FI-GHP meets the regional size requirements for production of PHI reports (e.g. over 100 contracts); and

– Anthem determines that the requested information is needed to run the Organized Health Care Arrangement

Page 23: HIPAA  Implementation Impact for Brokers


Group Billing

• As a general rule, Anthem will provide bills that contain only Summary Health Information, Enrollment/Disenrollment Information, or De-identified Information to fully-insured group health plans.

– Summary Health Information: The billing area may provide bills that contain only Summary Health Information to the fully-insured group health plan

– Enrollment/Disenrollment Information: The Billing area may provide bills that contain Enrollment/Disenrollment information to the fully-insured group health plan

– De-identified Information: The Billing area may provide bills that contain only De-Identified Information to the fully-insured group health plan

Page 24: HIPAA  Implementation Impact for Brokers


When is authorization required?

• If a fully-insured group health plan elected to receive only SHI and requests PHI, then an individual’s authorization will be required

• If a fully-insured group health plan did not elect to receive only SHI, but the amount of PHI that it requests exceeds the minimum necessary to run the OHCA, then an individual’s authorization will be required

• If a broker requests PHI that exceeds minimum necessary to assist the individual with claim resolution, or to perform regular customer service functions on behalf of Anthem, then an individual’s authorization will be required

Page 25: HIPAA  Implementation Impact for Brokers


Privacy Notice

• Anthem has mailed its Privacy Notice to those members with individual policies

• The Privacy Notice is also available at www.Anthem.com

• If a group health plan is fully-insured, then Anthem has mailed its Privacy Notice to members of the fully-insured group health plan

• If a group health plan is self-insured, then Anthem has made its Privacy Notice available to the self-insured group health plan

– A self-insured group health plan is responsible for creating and distributing its own Privacy Notice to its members

– A self-insured group health plan’s HIPAA Privacy Notice cannot conflict with Anthem’s Privacy Notice

– Anthem’s Privacy Notice is also available at www.Anthem.com

Page 26: HIPAA  Implementation Impact for Brokers


Access Control

Before using or disclosing PHI, a requestor must be verified:

• Who is calling?

• Name?

• Do they represent the GHP?

• GHP or Plan Sponsor/Employer?

• Is the requestor who he/she claims to be?

Page 27: HIPAA  Implementation Impact for Brokers


Access Control (continued)

• If requesting on behalf of a group health plan, is the group health plan a fully-insured or self-insured group health plan?

• Essential to establish what information the requestor has the authority to access

• If ASO, is there a BA Agreement in place?

• If fully insured, has the GHP elected only SHI?

Page 28: HIPAA  Implementation Impact for Brokers


Access Control (continued)

• If a broker requests PHI from Anthem, then Anthem will

– Meet previously discussed rules

– verify the broker number

– determine whether the broker’s signed business associate agreement is in place

– determine whether the Broker has the authority to act on behalf of the group health plan or individual (Agent of Record)

Page 29: HIPAA  Implementation Impact for Brokers


HIPAA Privacy Compliance Date

• April 14, 2003: Compliance deadline

• April 14, 2004: If you are a small health plan with annual receipts of $5 million or less

Page 30: HIPAA  Implementation Impact for Brokers


What is Anthem’s Status?

Page 31: HIPAA  Implementation Impact for Brokers


As a Covered Entity, Anthem …

• will comply with HIPAA Privacy regulations no later than April 14, 2003

• is aggressively moving forward with all HIPAA implementation activities

• is adopting currently accepted practices to help ensure our policies and procedures comply with the HIPAA Privacy regulations

Page 32: HIPAA  Implementation Impact for Brokers


In Addition, Anthem …

• established a Privacy and Security Office

• defined the role of the Privacy and Security Office

• completed an analysis of state privacy laws

• completed a review and summary of the final modifications to the privacy rule

• completed a comprehensive gap analysis and risk assessment based on the requirements of the proposed security regulations

• identified the security measures needed to support the privacy regulations

Page 33: HIPAA  Implementation Impact for Brokers


Communications

• Anthem has an ongoing communications effort for our constituents to:

– define Anthem’s ongoing relationship with accounts and brokers

– provide information about HIPAA Privacy Regulations, Anthem’s Privacy Notice and educational opportunities

– address and minimize potential operational barriers which may result from conducting business under the Privacy rule

Page 34: HIPAA  Implementation Impact for Brokers


Member Considerations

• More “Official” Rights

• May Need To Complete Authorizations

• Verification Process

• Disclosure Chart Changes

• Should not need to invoke a HIPAA right except under unusual circumstances

Page 35: HIPAA  Implementation Impact for Brokers


Group Considerations

• ASO Group Health Plan as a covered entity:

– Must Comply

– Needs Business Associate Agreement with Anthem

– Anthem to provide PHI to GHP only

– Reports Subject to Minimum Necessary

• Fully-insured Group Health Plan as a covered entity:

– If SHI (Does not create or receive PHI), the GHP is exempted from most of the privacy requirements

– GHP can receive PHI, but only if it is necessary for running organized Health Care Management

– Reports subject to Minimum Necessary

Page 36: HIPAA  Implementation Impact for Brokers


Broker Considerations

• Must sign Business Associate Agreement

• Access Control and Process of Verification

– Can only view their Customers’ Information

– Subject to Minimum Necessary

Page 37: HIPAA  Implementation Impact for Brokers


Sources of Information About HIPAA

• www.hipaadvisory.com: Vendor sponsored site, contains all draft & final HIPAA rules

• www.ncpdp.org: National Council for Prescription Drug Programs

• www.cms.hhs.gov: Centers for Medicare and Medicaid Services (formerly HCFA)

• www.ncvhs.hhs.gov: National Committee on Vital and Health Statistics

• www.mahicentral.org: Mid Atlantic Health Initiative

Page 38: HIPAA  Implementation Impact for Brokers


Visit our web site at www.anthem.com for more Anthem-specific information

Page 39: HIPAA  Implementation Impact for Brokers


Questions?