Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996 to reform health care. It is intended to streamline industry inefficiencies, reduce paper work, make it possible for workers to switch jobs even if they or a family member has a pre-existing condition and to protect the privacy of individual medical information.
HIPAA's administrative simplification regulations affect health care providers, clearinghouses, and health plans including insurance companies, HMOs and employer-sponsored health plans. These regulations require standardized electronic transactions, improved privacy and security methods, and greater access to and rights for individuals regarding their health information.
HIPAA is a federal law that creates a starting point for protecting individual health information. To the extent other laws already apply, they are still applicable (e.g. Data Privacy Act).
HIPAA affects virtually all health care providers in the United States who conduct certain financial and administrative transactions electronically; health care clearinghouses; health plans, including insurance companies, HMOs and most employer-sponsored health plans; and any business associates of any of the aforementioned groups, such as third party administrators and/or the city's agent, broker and/or benefits consultant.
For more detailed definitions about what entities are considered to be covered entities under HIPAA, see §160.102 Applicability and §160.103 Definitions of the HIPAA privacy rule.
The HIPAA privacy rules mandate that a covered entity (e.g., a group health plan) must implement policies and procedures with respect to protected health information (PHI). The policies and procedures must be reasonably designed, taking into account the size and type of activities that relate to PHI undertaken by the covered entity to ensure compliance.
At a minimum, the security standards require that a covered entity conduct a risk assessment and document their determinations regarding whether the security measures apply to them. Even if a city thinks it is not subject to the security standards, it should go through this assessment and document the reasons why it is not covered under the security standards (e.g., the city does not conduct billing or enrollment online, the city only communicates with vendors/insurance carriers and employees by telephone regarding employee claim questions and issues, and none of the information containing PHI is stored on the computer—it is only kept in file cabinets under lock and key).
If a city is subject to the security standards, there are five sets of safeguards and requirements that must be met (more information about each can be found by going to the HIPAA Security Overview Information Sheet):
- Administrative safeguards
- Physical safeguards
- Technical safeguards
- Organizational requirements
The good news is that the security standards allow covered entities some flexibility to determine which of the security measures are appropriate for their circumstances. The security standards are designed to be general and flexible enough to be used in varying degrees according to the size of the covered entity, sophistication, and financial capability.
Covered entities must address the security measures under each safeguard and determine whether the measure is reasonable and appropriate to implement for that organization. If it is appropriate, then the measure must be implemented. If not, it must be documented why it is unreasonable and implement an equivalent, alternative measure if reasonable to do so.
Protected health information (PHI) is individually identifiable information, which is created, modified, received or maintained by a covered entity that relates to an individual's past, present or future physical or mental condition, treatment or payment for care. This information is protected if transmitted in electronic, written or oral form.
The following information may be considered PHI or may contain PHI:
- Medical records
- Diagnosis of a certain condition
- Procedure codes on claim forms
- Claims data or information
- Explanation of Benefits (EOB)
- Pre-authorization forms
- Crime reports
- Coordination of benefit forms
- Enrollment information and forms
- Election forms
- Reimbursement request forms
- Records indicating payment
- Claims denial and appeal information
Protected health information does not necessarily need to provide an individual's name, address or Social Security number to be considered individually identifiable information—a high dollar claim report that contains only diagnoses or procedures and amounts paid during a specific period might contain individually identifiable information if the city has a relatively small number of participants in the health plan. Therefore, small cities may need to take extra precautions to ensure that they are protecting employee health information—even if the information is provided on an aggregate/group basis.
Where the privacy standards cover all PHI regardless of the form it takes (whether it is written, verbal, electronic), the security standards cover only PHI that is in electronic form (i.e., PHI that is electronically maintained or transmitted regardless of form).
E-PHI is PHI in electronic form, including storage media such as hard drives and disks, as well as transmission media such as through the Internet, leased lines, dial-up lines and private networks. Telephone voice response and faxback systems are covered under the security standards but not paper-to-paper faxes, video conferencing, or messages left on voicemail. There is no distinction between internal or external communications, so even internal transactions within an organization must meet the requirements.
A health plan that is subject to the HIPAA Privacy and Security Standards may generally use or disclose PHI without obtaining an individual authorization for purposes of payment, treatment, or health care operations; or for public policy purposes (e.g., as required by law or to avert a serious health or safety issue). However, use or disclosure of PHI generally must be kept to the minimum necessary to accomplish the task. Applies internally and externally.
No. As an employer, the city is not subject to the HIPAA privacy and security rules. However, keep in mind that many cities sponsor a group health plan of some sort, so the city as a sponsor of those plans would likely be a covered entity. The city will also need to make sure that there is adequate separation between its employment-related functions and the group health plan functions to ensure that information from the group health plan is not used for making employment related decisions.
Many cities conduct certain functions that may fall under HIPAA and other functions that do not fall under HIPAA (e.g. health plan functions and employer/HR functions). Each of these functions may be treated separately in what is called a hybrid entity. A hybrid entity is an entity that has some covered and some non-covered functions (§164.504 discusses hybrid entities and their responsibilities). HIPAA dictates that the covered functions must act (in regards to protected health information) as if they were a separate company, requiring the same separation and controls as if they were actually separate legal entities.
The HIPAA privacy and security rules do not apply to a city's group health plan that is self-insured, has fewer than 50 participants AND is self-administered—it is important to realize that all three conditions must be met in order for the city to be exempt from all of the privacy and security requirements.
Yes. Each city should identify the health plans that it sponsors and conduct an assessment for each one. Since HIPAA applies to the separate plans, it is important to think about the role of the plan, not the employer, when conducting this assessment. For example, if you have a separate dental, medical and flex plan, they may each have different requirements under HIPAA, so you need to run separate assessments for each one.
Once each plan has been identified, the city should go through the flow chart on the previous page to identify whether or not each plan is a covered entity and if so, to what degree it will need to comply with the HIPAA privacy standards. It is also important to document your city's assessment for each plan. If you do not think that you are a covered entity under HIPAA, we recommend that you document the fact that you conducted the assessment and the reasons for why you think you are not subject to HIPAA's requirements.
A health plan, regardless of size, is exempt from many of the HIPAA privacy requirements if (1) the plan provides health benefits only through an insurance contract with a health insurer or an HMO, and (2) the plan does not create or receive any individually identifiable "protected health information" other than summary health information (i.e., information which has had all identifiers deleted from it other than some geographic information) and basic enrollment and disenrollment information. Note: This same exemption does not apply to the security standards.
Because the plan does receive some limited protected health information, such as enrollment and eligibility information, the plan should get a business associate agreement with their agent/broker or anyone else doing anything on their behalf that receives PHI. Note: Under HIPAA, the plan is not required to get a business associate agreement with the insurance carrier/HMO (e.g., Medica, HealthPartners, BCBS) or the plans sponsor/employer (e.g., the city).
Our city offers a fully insured health plan, but we also self-insure some of the benefits (e.g. we reimburse employees for their out of pocket costs, such as deductibles or copays). Is this a covered entity?
In this situation, you have two separate plans that you must assess individually to determine the level of compliance responsibility. If you do not meet the small group exception, then you will have to comply with the HIPAA privacy standards. (See questions 6 and 7 in the Flow Chart Q & A (pdf) for the administrative requirements necessary to comply with these standards.)
We are part of a self-insured pool through a Joint Powers Agreement (such as the Service Cooperatives). To what extent does the city need to comply with HIPAA?
As part of a Joint Powers Agreement, you are considered to be a self-insured plan that would have to comply with HIPAA's privacy standards—even if you do not receive protected health information. You will need to enter into a business associate agreement with the joint powers organization or third party administrator to ensure that they take steps to comply with HIPAA and to outline which party will be responsible for certain compliance activities.
You will want to carefully review what functions the city will perform and what functions the business associate (i.e., joint powers organization or third party administrator) will perform. An argument could be made that the joint powers organization or third party administrator would have a bulk of the responsibility for complying with HIPAA. A city might be able to minimize its obligations under HIPAA by delegating many of the compliance activities to the third party administrator or joint powers organization, such as modifying plan documents, providing privacy notices to employees, etc.
However, even if the city delegates many of the responsibilities to the third party, the city ultimately is responsible for making sure those entities are HIPAA compliant. In other words, your obligation under HIPAA doesn't cease to exist by delegating compliance responsibilities to a third party.
What if the city has more than one health plan that falls under the HIPAA privacy requirements—essentially, the city has more than one covered entity?
HIPAA allows multiple health plans that are covered entities and maintained by the same plan sponsor to work together as if it were just one covered entity. This is referred to as an Organized Health Care Arrangement (OHCA).
An OHCA allows a city to satisfy the HIPAA requirements just once rather than multiple times. In other words, if a city has two health plans (e.g., a self-insured medical plan and a medical reimbursement plan), the city could "bundle" those plans together and form an OHCA. Therefore, the city would only have to comply once rather than two separate times.
Please note that this OHCA designation is only allowed under HIPAA and does not extend to other benefit laws and regulations (e.g., COBRA, IRS tax code, etc.).
There are a variety of ways in which a city may be considered a covered entity under HIPAA. Cities self-insuring employee benefits, including group health plans and health flexible spending accounts, city-owned medical clinics, hospitals and/or nursing homes, and cities with public health departments are likely considered a covered entity that must comply with the HIPAA administrative simplification standards (including the privacy and security standards).
Since the HIPAA privacy and security standards may impact various departments within the city, such as human resources, the technology department, fire departments with ambulance services or the police and corrections department (relating primarily to health information on inmates), cities are encouraged to conduct a department-by-department assessment to determine which areas may be subject to HIPAA—including evaluating which departments may have access to and use individually identifiable health information, as well as how access to this information can be limited (i.e., what fire walls or protections can be put in place to limit access to this information).
HIPAA potentially impacts several departments if the city does any of the following: - Receives, uses, discloses or maintains private health information
- Administers a public health program
- Contracts with or is considered a business associate of a covered entity, such as a third party administrator for its self-insured health plan or is a plan sponsor under a fully insured health plan
- Owns medical clinics, hospitals, ambulance services, home health care agencies and/or nursing homes
- Performs certain health plan functions on behalf of the insurance carrier
- Has a Health Flexible Spending Account
- Transmits individual health information electronically
In addition, cities that charge a fee (or are thinking of charging a fee) to citizens for first responders (ambulance, firefighters, police officers) should be aware that by doing so, the city may end up falling under the HIPAA requirements if they provide medical care to those citizens. In this case, the city would fall under HIPAA as a health care provider.
All cities should now be in compliance with HIPAA's privacy standards. The deadline for complying with the privacy standards for most covered entities was April 13, 2003. However, there was a one-year extension for small health plans (those plans with less than $5 million in premiums—for fully-insured plans—or $5 million in claims—for self-insured plans). Most cities will have fallen under the extension and will need to have complied with HIPAA by April 14, 2004.
The deadline for complying with the security standards for most covered entities and large health plans was April 20, 2005. As with the privacy standards, small health plans (and therefore many cities) received a one-year extension and needed to comply with the security standards by April 21, 2006.
The following resources may be of some assistance to cities as they evaluate how these regulations apply to the city or its departments:
The League has worked with a benefits attorney to develop templates of policies and procedures for both the privacy and security standards.
If you are interested in these additional tools or if you have questions about HIPAA compliance for your city, League HR & Benefits staff are here to help.
Contact Donyelle Mikacevich
(651) 281-1202 or (800) 925-1122