hipaa implementation impact for brokers
DESCRIPTION
HIPAA Implementation Impact for Brokers. April 2003. This overview of Anthem’s compliance effort, created for our accounts and brokers, is offered for informational purposes only. It is not intended as a legal opinion or advice. Please contact your attorney for legal advice.
TRANSCRIPT
Independent licensees of the Blue Cross and Blue Shield Association. ® Registered marks Blue Cross and Blue Shield Association
HIPAA
Implementation Impact for Brokers
April 2003
Today’s presentation is not legal advice
This overview of Anthem’s compliance effort, created for our accounts and brokers, is offered for informational purposes only.
It is not intended as a legal opinion or advice. Please contact your attorney for legal advice.
This information is subject to change. Please visit http://www.Anthem.com for updates.
HIPAA applies to Covered Entities
• Covered Entities are …
– Providers (transmitting certain data)
– Clearinghouses
– Health Plans
– Group Health Plans (whether fully-insured or self-insured)
Definition of a Group Health Plan
• A Group Health Plan is the employee welfare benefit plan (as defined in ERISA), including insured and self-insured plans, to the extent that the plan provides medical care to employees or their dependents directly or through insurance, reimbursement, or otherwise.
Diagram of an Employer/Plan Sponsor
1. Employer: An employer is NOT a covered entity under HIPAA.
2. Plan Sponsor / Group Health Plan: When an employer forms a Group Health Plan (GHP), it assumes the role of a Plan Sponsor. The GHP is part of, and yet its operation must be separate from that of the Plan Sponsor / employer. The GHP is a covered entity.
Diagram of an Employer/Plan Sponsor (Cont.)
3. Plan Sponsor / Group Health Plan
• It takes people to carry on the administrative functions of a GHP. Because of the confidential nature of PHI, the Plan Sponsor must limit access to PHI by clearly designating the person(s), class of persons, and/or third-parties that the Plan Sponsor authorizes to perform the administrative functions of the GHP - those who will be "in-the-loop."
• Stars represent employees of the Plan Sponsor.
– White stars represent those employees designated to perform GHP functions (exposure to PHI).
– Gray star(s) represent those employees who may have responsibilities for both the GHP and the employer (generally).
– Black stars represent those employees who are never authorized to access PHI.
HIPAA Administrative Simplification
HIPAA Diagram
HIPAA
• Title I: Portability
• Title II: Administrative Simplification
– Transaction Standards
– Code Set Standards
– Unique Health Care Industry Identifiers
– Privacy Standards
– Security Standards
• Title III: ?
• Title IV: ?
• Title V: ?
Anthem’s Status
• Privacy Standards
3 Classifications of HIPAA Information
• #1 Protected Health Information (PHI)
– PHI is individually identifiable health information that is transmitted or maintained by electronic media or in any other form or media
– “Individually identifiable health information” is health information that can identify the individual
– “Health information” is very broadly defined as that which relates to past, present or future health condition or relates to past, present or future provision of or payment for health care
– PHI includes, but is not necessarily limited to, such identifiers as …
• Names, geographic subdivisions narrower than a 5 digit ZIP, all elements of dates (except year), telephone numbers, email addresses, IP addresses, URLs, Social Security Numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, and biometric identifiers
3 Classifications of HIPAA Information
• #2 Summary Health Information (SHI)
– SHI is a subset of PHI. SHI is health information that summarizes claims history, claims expenses, or type of claims experienced of a group health plan and from which most identifiers have been removed
3 Classifications of HIPAA Information
• #3 De-identified Information
– De-identified information may start out as PHI or SHI; however, additional identifiers must be removed before PHI or SHI may be reclassified as De-identified Information
– To qualify for the De-identified Classification, all information that could link the information to an individual must be deleted
– There must be no reasonable basis to believe the information can be used to identify the individual
– To satisfy the reasonable basis test, a statistician should determine that the information has been sufficiently stripped of identifiers to the point that it cannot be re-identified
– Upon qualifying for the classification of De-identified Information, the information may be used by a covered entity without restriction
Organized Health Care Arrangement (OHCA)
• Organized Health Care Arrangement (OHCA) exists between an insurer and a fully-insured group health plan
• In the OHCA, these covered entities are allowed to share only the minimum necessary amount of PHI to coordinate operations to properly serve the enrollees such as …
– Audit and Reconciliation Purposes
• To evaluate plan performance
• To evaluate insurance company performance
• To evaluate plan experiences
Business Associates
• A business associate creates, uses, or discloses PHI on behalf of a covered entity
– Must provide Covered Entities with certain written assurances
– Anthem’s Business Associate Agreements satisfy this requirement
• Anthem’s business associates include …
– Medco
– Davis Vision
– Brokers
• When performing certain tasks, a Broker may be a Business Associate of Anthem
• Anthem is the Business Associate of the ASO Group Health Plan
Business Associate Agreements
• Anthem delivered Business Associate Agreements to its Brokers, and requires its brokers to sign and return the Agreements to Anthem
– When performing the types of tasks mentioned in Anthem’s Business Associate Agreement, Brokers may be business associates of Anthem
• Anthem also mailed a Business Agreement to self-insured group health plans
– Anthem is a business associate of ASO groups
Anthem Disclosure Policy
• Anthem will only disclose PHI to the Group Health Plan
– ASO may receive PHI as defined in the Business Associate Agreement
– Fully-insured GHPs may receive PHI necessary to run the Organized Health Care Arrangement
– Fully-insured GHPs may elect to receive only SHI
– Plan Sponsor or Employer may receive SHI for purposes of obtaining premium bids or for modifying, amending or terminating the GHP
• Anthem cannot disclose PHI to an Employer
• Anthem cannot disclose PHI to a Plan Sponsor
Anthem Disclosure Policy (continued)
• If a Broker signed Anthem’s Business Associate Agreement and is an agent of record for the individual or group health plan, then
– Anthem can share the minimum necessary PHI with Broker/Producer to resolve member claims
– Anthem can share Summary Health Information (SHI) with Brokers/Producers in connection with delivering renewals
• Anthem will not share PHI with the Broker/Producer for other plan administration functions without written direction from the GHP that is eligible to receive PHI
Fully-insured GHP Election
• Fully-insured GHPs may elect NOT to receive or create PHI
• If GHPs elect not to create, or to receive PHI, they do not have to comply with certain privacy requirements
• Fully-insured GHPs may choose to receive only Summary Health Information (SHI)
• Anthem will provide an election form to fully-insured GHPs
– Completing and returning the form will acknowledge to Anthem that the GHP only wants to receive SHI
– Upon receipt of this election, Anthem will only provide SHI
– Request for member PHI requires the member’s authorization
Disclosures to Group Health Plans
• Anthem may disclose PHI to the ASO Group Health Plan as defined in the Business Associate Agreement
• Anthem may only disclose the PHI necessary to run the OHCA to the fully-insured Group Health Plan (not electing SHI only)
– Individual authorization is required if the PHI requested is in addition to or exceeds the PHI for running the OHCA
• Anthem may disclose SHI to the Fully Insured Group Health Plan
– For fully-insured Group Health Plans electing only SHI, PHI will not be disclosed without authorization from the individual
Group Reporting
• ASO Group Health Plans may receive account reports containing PHI as defined by the Business Associate Agreement
• Fully Insured Group Health Plans
– As a general rule, reports containing SHI will be provided along with enrollment/disenrollment or de-identified information to fully-insured GHPs. PHI reports may be provided upon request.
– Fully-insured Group Health Plans electing only SHI will receive reports containing SHI along with enrollment/disenrollment or de-identified information.
Group Reporting (continued)
• Summary Health Information: The Account Reporting area may provide reports that contain only Summary Health Information to the FI-GHP upon request (verbal, written, fax, e-mail)
• Enrollment/Disenrollment Information: The Account Reporting area may provide reports that contain Enrollment/Disenrollment information to the FI-GHP upon request (verbal, written, fax, e-mail)
• De-Identified Information: The Account Reporting area may provide reports that contain only De-Identified Information to the FI-GHP upon request (verbal, written, fax, e-mail)
Group Reporting (continued)
• Protected Health Information: The Account Reporting area may provide reports that contain Protected Health Information to a FI-GHP only if all of the following requirements are met:
– The FI-GHP has requested a report that contains Protected Health Information on Anthem’s Report Request Form; and
– The FI-GHP meets the regional size requirements for production of PHI reports (e.g. over 100 contracts); and
– Anthem determines that the requested information is needed to run the Organized Health Care Arrangement
Group Billing
• As a general rule, Anthem will provide bills that contain only Summary Health Information, Enrollment/Disenrollment Information, or De-identified Information to fully-insured group health plans.
– Summary Health Information: The billing area may provide bills that contain only Summary Health Information to the fully-insured group health plan
– Enrollment/Disenrollment Information: The Billing area may provide bills that contain Enrollment/Disenrollment information to the fully-insured group health plan
– De-identified Information: The Billing area may provide bills that contain only De-Identified Information to the fully-insured group health plan
When is authorization required?
• If a fully-insured group health plan elected to receive only SHI and requests PHI, then an individual’s authorization will be required
• If a fully-insured group health plan did not elect to receive only SHI, but the amount of PHI that it requests exceeds the minimum necessary to run the OHCA, then an individual’s authorization will be required
• If a broker requests PHI that exceeds minimum necessary to assist the individual with claim resolution, or to perform regular customer service functions on behalf of Anthem, then an individual’s authorization will be required
Privacy Notice
• Anthem has mailed its Privacy Notice to those members with individual policies
• The Privacy Notice is also available at www.Anthem.com
• If a group health plan is fully-insured, then Anthem has mailed its Privacy Notice to members of the fully-insured group health plan
• If a group health plan is self-insured, then Anthem has made its Privacy Notice available to the self-insured group health plan
– A self-insured group health plan is responsible for creating and distributing its own Privacy Notice to its members
– A self-insured group health plan’s HIPAA Privacy Notice cannot conflict with Anthem’s Privacy Notice
– Anthem’s Privacy Notice is also available at www.Anthem.com
Access Control
Before using or disclosing PHI, a requestor must be verified:
• Who is calling?
• Name?
• Do they represent the GHP?
• GHP or Plan Sponsor/Employer?
• Is the requestor who he/she claims to be?
Access Control (continued)
• If requesting on behalf of a group health plan, is the group health plan a fully-insured or self-insured group health plan?
• Essential to establish what information the requestor has the authority to access
• If ASO, is there a BA Agreement in place?
• If fully insured, has the GHP elected only SHI?
Access Control (continued)
• If a broker requests PHI from Anthem, then Anthem will
– Meet previously discussed rules
– verify the broker number
– determine whether the broker’s signed business associate agreement is in place
– determine whether the Broker has the authority to act on behalf of the group health plan or individual (Agent of Record)
HIPAA Privacy Compliance Date
• April 14, 2003: Compliance deadline
• April 14, 2004: If you are a small health plan with annual receipts of $5 million or less
What is Anthem’s Status?
As a Covered Entity, Anthem …
• will comply with HIPAA Privacy regulations no later than April 14, 2003
• is aggressively moving forward with all HIPAA implementation activities
• is adopting currently accepted practices to help ensure our policies and procedures comply with the HIPAA Privacy regulations
In Addition, Anthem …
• established a Privacy and Security Office
• defined the role of the Privacy and Security Office
• completed an analysis of state privacy laws
• completed a review and summary of the final modifications to the privacy rule
• completed a comprehensive gap analysis and risk assessment based on the requirements of the proposed security regulations
• identified the security measures needed to support the privacy regulations
Communications
• Anthem has an ongoing communications effort for our constituents to:
– define Anthem’s ongoing relationship with accounts and brokers
– provide information about HIPAA Privacy Regulations, Anthem’s Privacy Notice and educational opportunities
– address and minimize potential operational barriers which may result from conducting business under the Privacy rule
Member Considerations
• More “Official” Rights
• May Need To Complete Authorizations
• Verification Process
• Disclosure Chart Changes
• Should not need to invoke a HIPAA right except under unusual circumstances
Group Considerations
• ASO Group Health Plan as a covered entity:
– Must Comply
– Needs Business Associate Agreement with Anthem
– Anthem to provide PHI to GHP only
– Reports Subject to Minimum Necessary
• Fully-insured Group Health Plan as a covered entity:
– If SHI (Does not create or receive PHI), the GHP is exempted from most of the privacy requirements
– GHP can receive PHI, but only if it is necessary for running organized Health Care Management
– Reports subject to Minimum Necessary
Broker Considerations
• Must sign Business Associate Agreement
• Access Control and Process of Verification
– Can only view their Customers’ Information
– Subject to Minimum Necessary
Sources of Information About HIPAA
• www.hipaadvisory.com: Vendor sponsored site, contains all draft & final HIPAA rules
• www.ncpdp.org: National Council for Prescription Drug Programs
• www.cms.hhs.gov: Centers for Medicare and Medicaid Services (formerly HCFA)
• www.ncvhs.hhs.gov: National Committee on Vital and Health Statistics
• www.mahicentral.org: Mid Atlantic Health Initiative
Visit our web site at
www.anthem.com
For more Anthem-specific information
Questions?