
									                                                                  Policy Memorandum 2003-29
                                                                                   Exhibit 6

                            Health Insurance Portability
                              and Accountability Act
                                      (HIPAA)
                                        PRIVACY
                         Use and Disclosure of
                      Protected Health Information



                         CHAPTER 23
       EMPLOYERS AND HIPAA

                       PUBLIC HEALTH
                    GROUP HEALTH PLANS
                      PLAN SPONSORS
                   WORKERS’ COMPENSATION




The tools and templates provided in CalOHI Policy and Information Memoranda have generally been
authored by HIPAA workgroups. Users should view the information presented in the context of their
own organizations and environments. Legal opinions and/or decision documentation may be needed
when interpreting and/or applying this information.


                                      TABLE OF CONTENTS

OVERVIEW OF EMPLOYER ROLES AND HIPAA
    Introduction
    Employers
       MAJOR CONSIDERATION: Other Federal Laws
    Role of Employers
    Understanding Employer Roles
       State Law
1. PUBLIC HEALTH ACTIVITIES
    Public Health Disclosures to Employers
    Disclosures to Employers
    Individually Identifiable Health Information (IIHI)
    Disclosure of Information by Employers
2. GROUP HEALTH PLANS
    Definition
    Limited Disclosure
    Employers with Multiple Functions
       NPP Requirements
    Enrollment and Disenrollment Definition
    Organized Health Care Arrangements (OHCAs)
       ERISA and State Law
       MAJOR CONSIDERATION: ERISA
    Treatment, Payment and Health Care Operations (TPO)
    PHI
    Administrative Requirements
    Minimum Necessary
    Business Associate Agreements
    Information Practices Act (IPA)
       MAJOR CONSIDERATION: IPA and Group Health Plans
    Confidentiality of Medical Practices (CMIA)
       MAJOR CONSIDERATION: CMIA and Group Health Plans
3. PLAN SPONSORS
    Definition – Plan Sponsors
    Background
    Definition – Plan Administration Activities
    Definition – Plan Documents
    Disclosures without an Agreement
    Plan Sponsor Agreement Amendment
    Plan Sponsor Certification
    Definition – Summary Health Information
    Summary Health Information
    Payment Activities
    Health Care Operation Activities
    Organized Health Care Arrangements
    Business Associate Agreements
    Transactions and Code Sets
    Minimum Necessary
    Information Practices Act (IPA)
       MAJOR CONSIDERATION: IPA and Plan Sponsors
    Confidentiality of Medical Practices (CMIA)
       MAJOR CONSIDERATION: CMIA and Plan Sponsors
4. NOTICES OF PRIVACY PRACTICES
    Notice of Privacy Practices
5. WORKERS’ COMPENSATION
    Intent
    Permitted Disclosures
    Programs
    Information Practices Act (IPA)
       MAJOR CONSIDERATION: IPA and Workers’ Compensation
    Confidentiality of Medical Practices (CMIA)
       MAJOR CONSIDERATION: CMIA and Workers’ Compensation
    Not Covered by HIPAA
    DHHS Monitoring
    Minimum Necessary
    Required By Law
    Authorizations
    Payment
    Redisclosure
    Dual Functions
    Administrative Proceedings
    State Law
       MAJOR CONSIDERATION: Pre-Existing Conditions
       MAJOR CONSIDERATION: Limited to Workers’ Compensation Laws
       MAJOR CONSIDERATION: Special Conditions
OTHER REQUIREMENTS
    Authorization
    Pre-Enrollment Underwriting
    Advocating for Employees
    Due Date
    Privacy Policies and Procedures
STATE LAW
    CMIA and Employers
       MAJOR CONSIDERATION: CMIA and Employers
       MAJOR CONSIDERATION: IPA and Employers
DECISION POINTS
MAJOR CONSIDERATIONS





            OVERVIEW OF EMPLOYER ROLES AND HIPAA


Introduction   This chapter is broken into six different sections. Employers may be
               impacted by HIPAA in several different ways. They may:

                  Receive PHI from a covered entity for public health and safety
                   purposes,
                  Have a covered component within their organization, such as a
                   group health plan for their employees; or they may be a covered
                   entity with an employer role,
                  Receive PHI in the role of a sponsor of a group health plan,
                  Receive PHI concerning a workers’ compensation program,
                  Receive PHI by an authorization from an employee, or
                  Receive PHI as a business associate, trading partner or other
                   business relationship.

               Each of these possible impacts is discussed in this chapter. Once PHI
               leaves the purview of a covered entity, their business associates, or
               other related entities such as plan sponsors, the information no longer
               is afforded protection under the Privacy Rule.



Employers      Employers are not covered entities under the privacy regulations.
               However, employers may be plan sponsors of a group health plan that
               is a covered entity under the rule. In such a case, specific
               requirements apply for the group health plan to release PHI to the
               employer.

               In addition, many employers may be subject to the federal disability
               discrimination laws, and therefore, must protect the confidentiality of all
               medical information concerning their applicants and employees.
               Employers subject to the Americans with Disabilities Act (ADA)
               nondiscrimination standards have confidentiality obligations regarding
               applicant and employee medical information. Employers must treat
               such medical information, including medical information from
               voluntary disclosure, as a confidential medical record, subject to
               limited exceptions.






            MAJOR CONSIDERATION: Other Federal Laws
            Employers may have other federal and State laws that govern the
            confidentiality and use of employees’ medical information. You
            should consult with your legal counsel to determine if HIPAA has an
            effect on your business practices concerning employees’ medical
            records.


Role of      The following is a summary of the different roles that employers may
Employers    have under HIPAA. Hyperlinks have been provided to more detailed
             discussions that follow.


            1. Public Health Activity - An employer may have PHI released to
               them by a covered entity for public health activities. [45 C.F.R. §
               164.512(b)]
                  Examples of these types of disclosures would include:
                   Medical surveillance of the workplace, or
                   Work-related illness or injury.

            2. Covered Component - An employer may have a covered
               component within their organization. [45 C.F.R. § 164.504(c)]
                  For example, an employer may provide an onsite medical clinic
                  and the component may meet the definition of a covered health
                  care provider or health plan. The HIPAA Privacy Rule covers
                  any uses or disclosures of PHI by the onsite medical clinic,
                  including disclosures to the larger employer entity.

            3. Plan Sponsor - An employer may be a plan sponsor and perform
               eligibility, enrollment, and other functions for the health plan. [45
               C.F.R. § 164.504(f)] (See discussion below.)

                       a. Plan Sponsor Agreement Amendments/Certification (For
                          disclosure of PHI for functions on behalf of the group
                          health plan other than enrollment/disenrollment or
                          summary data.),
                       b. Enrollment/Disenrollment and Eligibility, or
                       c. Summary Data (A covered entity may receive PHI in a
                          modified de-identified form that provides an analysis of
                          utilization of health plan coverage to manage
                          occurrences of disability or illness among workforces as
                          long as it does not violate the HIPAA Privacy Rule). [45
                          C.F.R. § 164.504(f)(1)(ii)]



                4. Workers’ Compensation - An employer may have PHI released to
                   them for workers’ compensation purposes. [45 C.F.R. § 164.512(l)]
                   (See discussion below.)

                5. Authorizations - An employer may have PHI released to them via
                   an employee-provided authorization. [45 C.F.R. § 164.508] (See
                   CalOHI Policy Memorandum 2003-27, Exhibit 2 at the CalOHI
                   Website at: CalOHI - Privacy - Use and Disclosure)

                 6. Required by Law - An employer may have PHI released to them
                    as required by law. [45 C.F.R. § 164.512(a)] (See Chapter 8,
                    Required by Law, Use and Disclosure to be issued soon. It will be
                    posted to the CalOHI website at: CalOHI - Privacy - Use and
                    Disclosure)

               7. Judicial or Administrative - An employer may have PHI released
                  to them resulting from a judicial or administrative hearing process.
                  [45 C.F.R. § 164.512(e)] (See Chapter 13 of Use and Disclosure to
                  be issued.)



Understanding It is important to understand health plans and their role with
Employer      employers to understand the roles of employers under HIPAA.
Roles

                 Health Plans - A health plan is defined singly or in combination, as
                  A group health plan,
                  A health insurance issuer,
                  An HMO,
                  Medicare,
                  Medicaid,
                  Long-term care insurer, or
                  Any other programs specified in the HIPAA Privacy Rule. [45
                   C.F.R. § 160.103, definition of health plan]




            Group health plans - A group health plan is defined as:
                An employee welfare benefit that has 50 or more participants,
                  or
                Administered by an entity other than the employer that
                  establishes and maintains the plan. [45 C.F.R. § 160.103,
                  definition of group health plan]

            Group health plans may be fully insured or self-insured.

               A fully insured group health plan purchases the health benefit
                coverage directly from a health insurance issuer or HMO.
               A partially insured group health plan undertakes the health benefit
                costs incurred by covered participants up to a set amount. Any
                costs exceeding that amount are covered through the purchase of
                health coverage through a health insurance issuer or HMO.
               A self-insured group health plan undertakes all health benefit costs
                incurred by participants.

State Law   Under California State law, "self-funded" means a multiple employer
            welfare arrangement that undertook at all times and for a continuous
            period of five years to reimburse health benefit costs incurred by
            covered persons pursuant to the benefits and coverages provided by
            their plan exclusively from plan assets.

            "Partially self-funded" means a multiple employer welfare
            arrangement that undertook at all times and for a continuous period of
            five years to reimburse health benefit costs incurred by covered
            persons pursuant to the benefits and coverages provided by their plan
            exclusively from plan assets, provided, however, that these benefits
            are reimbursable to the multiple employer welfare arrangement by
            stop loss insurance only to the extent that the benefits exceed fifty
            thousand dollars ($50,000) per claim. [California Insurance Code §
            742.215]

            Plan Sponsors - A plan sponsor is an employer that sponsors a
            group health plan or an employee organization in the situation where
            the employee organization provides the group health plan. Plan
            sponsors are discussed in detail later in this document.






                       1. PUBLIC HEALTH ACTIVITIES


Public Health    HIPAA permits limited disclosures to employers as use and disclosure
Disclosures to   for public health activities. This provision is to ensure that employers
Employers        are able to obtain the information that they need to meet federal and
                 State laws designed to promote the safety of workers. These laws
                 are vital to protecting the health and safety of workers and DHHS
                 permits specified covered health care providers to disclose PHI as
                 necessary to carry out these purposes.

                 DHHS does not have statutory authority to regulate employers.
                 Therefore, it is beyond the scope of the privacy regulations to prohibit
                 employers from requesting or obtaining PHI. Covered entities may
                 disclose PHI about individuals who are members of an employer’s
                 workforce with an authorization. Nothing in the privacy regulation
                 prohibits employers from obtaining an authorization as a condition of
                 employment. We note, however, that employers must comply with
                 other laws that govern them, such as nondiscrimination laws.

                        For example, if an employer receives a request for a
                        reasonable accommodation, the employer may require
                        reasonable documentation about the employee’s disability and
                        the functional limitations that require the reasonable
                        accommodation, if the disability and the limitations are not
                        obvious. If the individual provides insufficient documentation
                        and does not provide the missing information in a timely
                        manner after the employer’s subsequent request, the employer
                        may require the individual to go to an appropriate health
                        professional of the employer’s choosing. In this situation, if the
                        employee does not authorize the disclosure of information to
                        substantiate the disability and the need for a reasonable
                        accommodation, the employer need not provide the
                        accommodation.







Disclosures to   Covered entities may disclose PHI as public health activities to an
Employers        employer, about an individual who is a member of the workforce of
                 the employer, if:

                 1. The covered entity is a covered health care provider who is:
                     A member of the workforce of such employer, or
                     Who provides health care to the individual at the request of the
                       employer:
                        To conduct an evaluation relating to medical surveillance of
                          the workplace; or
                        To evaluate whether the individual has a work-related
                          illness or injury;

                 2. The PHI that is disclosed consists of findings concerning a work-
                    related illness or injury or a workplace-related medical
                    surveillance;

                 3. The employer needs such findings to comply with its obligations to
                    record such illness or injury or to carry out responsibilities for
                    workplace medical surveillance; and

                 4. The covered health care provider distributes a written notice to
                    the individual that PHI relating to the medical surveillance of the
                    workplace and work-related illnesses and injuries is disclosed to
                    the employer:
                     By giving a copy of the notice to the individual at the time the
                       health care is provided; or
                     If the health care is provided on the work site of the employer,
                       by posting the notice in a prominent place at the location where
                       the health care is provided. [45 C.F.R. § 164.512(b)(1)(v)]

                       This notice is separate from the Notice of Privacy Practices
                       that HIPAA requires be provided to all individuals by a covered
                       entity that creates or maintains their PHI. [45 C.F.R. § 164.520]







                 DECISION POINT: Employers and Public Health Activities
                 Do you disclose PHI to employers for public health activities?
                 If you do, you will need to review the types of PHI you disclose to
                 determine which HIPAA Privacy Rule will permit you to continue such
                 disclosures.
                 Do you receive PHI about your employees from a covered entity for
                 public health purposes?
                 If you do, you will need to contact the covered entity and discuss how
                 the HIPAA Privacy Rule may affect your business practices. You may
                 no longer be able to receive some of the PHI you currently receive.
                 This will be part of your Privacy Policies and Procedures if you are a
                 covered entity.

                 Data - The HIPAA Privacy Rule provides substantial flexibility to
                 covered entities to provide general data and statistical analysis to
                 employers and other customers. [45 C.F.R. § 164.514] An employer
                 may also receive PHI from a covered entity for any purpose with the
                 authorization of the individual. [45 C.F.R. § 164.508]


Individually     The definition of IIHI includes a reference to "employer" in that IIHI
Identifiable     may be health information created, maintained or received by an
Health           "employer." However, the employer would need to be a covered
Information      entity for such information to become PHI. [45 C.F.R. § 160.103,
(IIHI)           definition of individually identifiable health information]

                 See CalOHI Policy Memorandum 2003-22, Exhibit 2, Access Process
                 for additional information about PHI and IIHI. This document may be
                 found at the CalOHI website at: CalOHI Privacy - Access and
                 Individual Rights.



Disclosure of  The Privacy Rule does not affect disclosure of health information by
Information by employees to the employer when the information is not obtained from
Employers      a covered entity. The employers’ access to information from an
               Employee Assistance Program (EAP), wellness program, or on-site
               medical clinic will depend on whether the program or clinic is a
               covered entity. However, other federal laws or California State law
               may affect the employers’ access to such information.






MAJOR CONSIDERATION: Laws About Employee Information
Various State and federal laws and regulations apply to the
confidentiality of employee information. You should consult with your
legal counsel to determine how these different laws interact with the
HIPAA requirements.







                       2. GROUP HEALTH PLANS

Definition   A group health plan means an employee welfare benefit plan
             including insured and self-insured plans to the extent the plan
             provides medical care, including items and services paid for as
             medical care, to employees or their dependents directly or through
             insurance, reimbursement, or otherwise, that:

                Has 50 or more participants, or
                Is administered by an entity other than the employer that
                 established and maintains the plan.

             Group health plans include:
              Self-insured plans,
              Insured plans,
              Church plans,
              Government plans, and
              Any other group health plans that provide medical care, including
                 items and services paid for as medical care, to employees or their
                 dependents directly or through insurance, or reimbursement.

             This definition is intended to capture the necessary sharing of PHI
             among:
              Health care providers who provide care, health plans
              Other insurers who pay for care,
              Their business partners,
              Sponsors of group health plans, such as employers who pay for
                  care and sometimes provide administrative services in
                  conjunction with payment activities.

                 For example, employers sometimes maintain the eligibility file with
                 respect to a group health plan.

             The terms "employee welfare benefit plan" and "welfare plan" mean
             any plan, fund, or program which was or is hereafter established or
             maintained by an employer or by an employee organization, or by
             both, for the purpose of providing its participants or their beneficiaries,
             through the purchase of insurance or otherwise,
              Medical, surgical, or hospital care or benefits,
              Benefits in the event of sickness, accident, disability, death or
                 unemployment, or vacation benefits,





                Apprenticeship or other training programs,
                Day care centers,
                Scholarship funds, or
                Prepaid legal services.

             DECISION POINT: Group Health Plan
             Are you a group health plan?
             You will need to determine if you are or have a component of your
             organization that is a group health plan. This may require a review of
             the functions of your human resource or personnel activities. If you
             are a group health plan, you may wish to reflect this entity status
             determination as part of your Privacy Policies and Procedures.




Limited      A group health plan may: [45 C.F.R. § 164.504(f)(3)]
Disclosure

             1. Administrative Functions - Disclose PHI to a plan sponsor to
                carry out plan administrative functions that the plan sponsor
                performs in accordance with the plan sponsor documents and
                certification,

             2. Plan Sponsor - Not permit a health insurance issuer or HMO with
                respect to the group health plan to disclose PHI to the plan
                sponsor except as permitted,

             3. Notice of Privacy Practices (NPP) - Not disclose and not permit
                a health insurance issuer or HMO to disclose PHI to a plan
                sponsor unless the required statement is included in the Notice of
                Privacy Practices providing appropriate notice concerning such
                disclosures, [45 C.F.R. § 164.520. See below for more
                information about NPPs.]

             4. Employment-Related - Not disclose PHI to the plan sponsor for
                the purpose of employment-related actions or decisions or in
                connection with any other benefit or employee benefit plan of the
                plan sponsor, or

                5. Enrollment/Disenrollment - A group health plan (or a health
                   insurance issuer or HMO acting for a group health plan) may
                   disclose to a plan sponsor information on whether the individual is:
                      o Participating in the group health plan, or
                      o Enrolled in, or
                      o Disenrolled from a health insurance issuer or HMO
                          offered by the plan.

                   This disclosure may be made without amending the plan
                   documents.
                [45 C.F.R. § 164.504(f)(1)(iii)]

                DECISION POINT: Group Health Plan Requirements
                Have you implemented the above five group health plan
                requirements?
                You will need to review your group health plan activities and
                determine what changes to your business practices will need to
                be made to implement the above five requirements. Your new
                business procedures will be part of your Privacy Policies and
                Procedures.




Employers       Employees may perform multiple functions (i.e., group health plan and
with Multiple   employment-related functions) and receive PHI from group health
Functions       plans. The plan documents must certify that these employees will not
                use the information for activities not otherwise permitted by this rule
                including employment-related activities.

NPP             A covered entity must provide a notice that is written in plain language
Requirements    and that contains a statement that a group health plan or a health
                insurance issuer or HMO may disclose PHI to the sponsor of the plan.
                [45 C.F.R. § 164.502(b)(iii)(C)]

                The notice requirements for group health plans are different
                depending on the arrangement of the group health plan.

                1. A self-insured group health plan must maintain and distribute a
                   notice that meets the requirements of HIPAA.

                2. A combination self- and fully-insured group health plan must
                   maintain and distribute a notice with respect to PHI it creates or
                   receives through the self-insured arrangement.

3. A fully insured group health plan must maintain a notice of privacy
   practices if it receives PHI in addition to summary
   information or enrollment/disenrollment information from the
   health insurance issuer or HMO. However, it is not required
   to distribute the notice, only to make it available upon the request of
   any person.

4. A fully insured group health plan that only receives summary and
   enrollment status information is not required to maintain or provide
   a Notice of Privacy Practices. The participants who receive health
   benefits through an insurance contract will receive the Notice of
   Privacy Practices from the health insurance issuer or HMO
   through which they receive their benefits. This is because the
   health insurance issuer or HMO is the covered health plan that
   must meet the notice requirement.

If a health plan wants the option to disclose PHI to a plan sponsor
without authorization, the group health plan, health insurance issuer,
or HMO must describe that practice in its notice. Health plans must
provide the notice to all health plan enrollees as of April 14, 2003.
After that, health plans must provide the notice to all new enrollees at
the time of enrollment and to all enrollees within 60 days of a material
revision to the notice. Of course, the term "enrollees" includes
participants and beneficiaries of group health plans.

A fully insured group health plan does not need to comply with the
Privacy Rule's notice requirements if the only PHI it creates or
receives is summary health information and/or information about
individuals' enrollment in, or disenrollment from, a health insurer or
HMO offered by the group health plan.

DECISION POINT: Notice of Privacy Practices
What type of notice do you need?
You will need to determine what type of notice you will need and how
you will distribute the notice. This will be part of your Privacy Policies
and Procedures.






Enrollment and The Privacy Rule does not define the information that covered
Disenrollment  entities may transmit for enrollment and disenrollment purposes.
Definition     Rather, the Transactions Rule adopted a standard transaction for
               enrollment and disenrollment that a health plan will use to define
               enrollment and disenrollment information. That standard specifies
               the required and situationally required data elements to be
               transmitted as part of such a transaction (ASC X12N 834, Benefit
               Enrollment and Maintenance, Version 4010, May 2000, Washington
               Publishing Company).

                 While the standard enrollment and disenrollment transaction does not
                 include any substantial clinical information, the information provided
                 as part of the transaction may indicate whether there is tobacco use,
                 substance abuse, or short, long-term, permanent, or total disability,
                 when such information is available. However, in disclosing or
                 maintaining information about an individual's enrollment in or
                 disenrollment from, a health insurer or HMO offered by the group
                 health plan, the group health plan may not include medical
                 information about the individual beyond that which is required or
                 situationally required by the standard transaction. Otherwise, the
                 group health plan and sponsor will not continue to qualify for the
                 exceptions for enrollment and disenrollment information.

                Enrollment and disenrollment information falls under the statutory
                definition of "individually identifiable health information," since it is
                received or created by a health plan, identifies an individual, and
                relates to the past, present, or future payment for the provision of
                health care to an individual. However, DHHS considers the
                enrollment and disenrollment information to be outside of the plan
                administration functions. The Department believes that the exception
                (the requirement for group health plans to amend plan documents)
                added to the Privacy Rule for enrollment and disenrollment
                information balances the legitimate need that plan sponsors have for
                enrollment and disenrollment information against the individual's right
                to have such information kept private and confidential.

                DECISION POINT: Enrollment/Disenrollment
                Are you an employer who performs enrollment/disenrollment activities
                for participants in your group health plan?
                You will need to determine if you perform these functions and
                document that you perform these activities. You will not need to have
                a business associate agreement or a plan sponsor agreement for
                these activities to continue. This will be part of your Privacy Policies
                and Procedures.








Organized      An HMO may disclose PHI to a group health plan, or a third party
Health Care    administrator that is a business associate of the plan, because the
Arrangements   relationship between the HMO and the group health plan is defined as
(OHCAs)        an OHCA for purposes of the Rule. [45 C.F.R. § 164.501 definition of
               Organized Health Care Arrangement]

               DECISION POINT: OHCAs
               Do you have an OHCA relationship?
               You will need to determine if you have an OHCA relationship and
               document the OHCA as required by the HIPAA Privacy Rule. How you
               will exchange PHI within the OHCA, and what PHI you will exchange,
               will be part of your Privacy Policies and Procedures.




ERISA and      The Employee Retirement Income Security Act (ERISA) was
State Law      enacted to regulate pension and welfare employee benefit plans
               established by private sector employers, unions, or both, to provide
               benefits to their workers and dependents. An employee welfare
               benefit plan includes plans that provide benefits through the purchase of
               insurance. [Section 514a of 29 U.S.C. 1144(a)]

               ERISA requires portability, nondiscrimination, and renewability of
               health benefits provided by group health plans and group health
               insurance issuers. Numerous, although not all, ERISA plans are
               covered under the HIPAA Privacy Rule as "health plans."

               ERISA preempts all state laws that relate to any employee benefit
               plan. However, it expressly saves from preemption state laws that
               regulate insurance. However, ERISA provides that an ERISA plan is
               deemed not to be an insurer. Therefore, under the deemer clause,
               states may not treat ERISA plans as insurers subject to direct
               regulation by state law. [Section 514b of 29 U.S.C. § 1144(a); §
               1144(b)(2)(A); § 1144(b)(2)(B) & 1144(d)]



               MAJOR CONSIDERATION: ERISA
               You will need to determine how ERISA interacts with HIPAA and
               State insurance laws. You will need to determine the effect the laws
               may have on your business practices. You will need to consult with
               your legal counsel for assistance in this determination.




Treatment,     Group health plans and health insurance issuers are permitted to
Payment and    disclose summary health information to the plan sponsor in certain
Health Care    circumstances for the purpose of obtaining premium bids. Because
Operations     these disclosures fall within the definition of health care operations,
(TPO)          they do not require authorization.

               A group health plan need not obtain individual consent for use and
               disclosure of PHI for treatment, payment and/or health care
               operations purposes. However, DHHS has imposed conditions
               (described below) for making such disclosures to the plan sponsor.
               This is because employees of the plan sponsor often perform health
               care operations and payment (e.g. plan administration) functions,
               such as claims payment, quality review, and auditing. Therefore,
               they may have a legitimate need for such information.

              DECISION POINT: TPO
              Do you exchange PHI for TPO with a plan sponsor?
              You will need to determine if you exchange PHI for TPO with a plan
              sponsor. If you do, you will need to examine whether the PHI you
              exchange is a permitted disclosure. This will become part of your
              Privacy Policies and Procedures.




PHI           All personal medical information is PHI when held by a fully-insured
              group health plan and transmitted to a health insurance issuer or an
              HMO. The Privacy Rule applies when the group health plan discloses
              such information to any entity, including a plan sponsor. If the group
              health plan receives information from the plan sponsor, it becomes
              PHI when received by the group health plan.






Administrative   1. A group health plan (fully insured) that provides benefits through
Requirements         health insurance issuers and HMOs and does not create, receive
                     or maintain PHI other than summary information or
                     enrollment/disenrollment information is not subject to the
                     administrative requirements regarding:
                     Designation of a privacy official and contact person, [45 C.F.R.
                        §§ 164.530(a)(1) & (2)]
                     Workforce training, [45 C.F.R. § 164.530(b)(1)]
                     Safeguards, [45 C.F.R. § 164.530(c)(1)]
                     Complaints, [45 C.F.R. § 164.530(d)(1)]
                     Mitigation, and [45 C.F.R. § 164.530(f)]
                     Policies and procedures. [45 C.F.R. § 164.530(i)]

                     In addition, because this group health plan does not have access
                     to PHI, the requirements that give individuals access to their
                     PHI, the right to request amendments to their PHI, and the right
                     to an accounting of disclosures of their PHI are not applicable.

                     Such a group health plan is only subject to the requirements
                     regarding documentation of its plan documents. These group
                     health plans will have only limited PHI, and the corresponding
                     enhancement in privacy protection would not outweigh the
                     administrative burden. The issuers and HMOs are
                     covered entities that have the independent obligation to comply
                     with the administrative requirements with respect to this type of
                     group health plan. Therefore, participants in this type of group
                     health plan have access to all HIPAA Privacy Rule rights through
                     the health insurance issuer or HMO.

                 2. All other group health plans must meet the administrative
                    requirements. To the extent that group health plans do not
                    provide health benefits through an insurance contract, they are
                    required to establish a privacy officer and provide training to
                    employees who have access to PHI, as well as meet the other
                    applicable requirements of the regulation. [45 C.F.R. § 164.503]







                DECISION POINT: Administrative Requirements
                Are you a fully insured group health plan or another type of group
                health plan?
                You will need to determine into which category of group health plan
                your plan falls. If you are not fully insured, you will need to implement
                the appropriate HIPAA Privacy Rule requirements. This will be part of
                your Privacy Policies and Procedures.




Minimum         Group health plans, and health insurance issuers or HMOs that
Necessary       disclose PHI to plan sponsors are subject to the minimum necessary
                standard.

                DECISION POINT: Minimum Necessary
                What is the minimum necessary PHI, and how will you ensure that
                only the minimum necessary PHI is shared with your plan sponsor?
                You will need to examine the PHI you share with your plan
                sponsor and determine what criteria to use to determine the
                minimum necessary amount of PHI to release to your sponsor. This
                will become part of your Privacy Policies and Procedures.

                For more information about the minimum necessary requirement, see
                Chapter 26, Use and Disclosure, to be issued soon. It will be posted
                on the CalOHI website at: CalOHI - Privacy - Use and Disclosure.



Business        A business associate agreement is not required for covered entities
Associate       that disclose PHI from group health plans to employers when the
Agreements      employer is not performing an activity other than enrollment or
                disenrollment activities on behalf of the group health plan.




Information     The IPA allows State agencies to disclose personal information in
Practices Act   specific circumstances. The IPA allows disclosures:
(IPA)                    To a government entity as required by law,
                         For official duties, (preempted)
                         For constitutional duties, (preempted) or
                         For statutory duties. (preempted)
                [Civil Code § 1798.24(d), (e), & (f)]





                  MAJOR CONSIDERATION: IPA and Group Health Plans
                  The IPA provisions that allow disclosures of personal information for
                  official, constitutional or statutory duties are preempted by HIPAA
                  and cannot be used. You will need to determine the interaction
                  between the IPA, HIPAA, other State and federal laws and your
                  business practices. If you are a State agency that is a group health
                  plan, you should consult with your legal counsel in making this
                  determination.


Confidentiality   The CMIA allows health care service providers, health care service
of Medical        plans, or contractors to disclose medical information in specific
Practices         circumstances. Of those circumstances, disclosures as required
(CMIA)            by law may meet the purpose of HIPAA-permitted disclosures for
                  group health plans. In addition, the CMIA allows for disclosures to a
                  health care service plan by providers of health care that contract with
                  the health care service plan. Medical information may be transferred
                  among providers of health care that contract with the health care
                  service plan, for the purpose of administering the health care service
                  plan. [Civil Code § 56.10(b)(9) & 56.10(c)(5)]


                  MAJOR CONSIDERATION: CMIA and Group Health Plans
                  You will need to determine the interaction between the CMIA, HIPAA,
                  other State and federal laws and your business practices. You should
                  consult with your legal counsel in making this determination before
                  you disclose PHI to plan sponsors.







                             3. PLAN SPONSORS

Definition –  A plan sponsor is:
Plan Sponsors  An employer for an employee benefit plan established or
                 maintained by a single employer
               The employee organization in the case of a plan established and
                 maintained by an employee organization, or
               The association, committee, joint board of trustees, or other similar
                 group of representatives of the parties who establish or maintain
                 the plan in the case of a plan established or maintained by two or
                 more employers or jointly by one or more employers and one or
                 more employee organizations. [45 C.F.R. § 164.501 Definition of
                 Plan Sponsor and 29 U.S.C. § 1102(16)(B)]

                 A plan sponsor may be the backer of the coverage, benefit, or
                 product. A sponsor could be an employer, union, government
                 agency, association, or insurance company. This term includes
                 church health plans and government health plans. Thus, a state
                 agency or county may be a plan sponsor or may be a group health
                 plan.

                       For example, employee unions often sponsor group health
                       plans for types of employees that work for various
                       organizations, such as automobile mechanics. The unions buy
                       health insurance from insurers for their members. The State
                       Department of Personnel Administration is the plan sponsor for
                       the dental and vision care plans available to State employees.



Background       If an employer-sponsored group health plan is closely linked to an
                 employer, the group health plan may be subject to Americans with
                 Disabilities Act confidentiality restrictions, as well as this privacy
                 regulation. The Americans with Disabilities Act may permit
                 transmission of applicant or employee health information by the
                 employer's management to the group health plan as medical
                 information for insurance purposes. Similarly, disclosure of such
                 medical information by the group health plan, under the limited
                 circumstances permitted by this privacy regulation, may involve use of
                 the information for insurance purposes.







                 The rule includes insurance related activities such as creation,
                 renewal, or replacement of a contract for health insurance or health
                 insurance benefits, as well as ceding, securing or placing a contract
                 for reinsurance of risk relating to claims for health care (including
                 stop-loss and excess of loss insurance). Uses and disclosures for
                 these activities do not apply to individuals already enrolled in a health
                 plan.




                  DECISION POINT: Plan Sponsor
                  Do you share PHI with a plan sponsor?
                  You will need to determine if you share PHI with a plan sponsor. If
                  you do, you will need to examine what is exchanged and whether the PHI and
                  activity fit into one of the permitted disclosures. If you have any PHI
                  that is shared that does not fit into one of the permitted disclosures,
                  you will need to cease sharing that PHI. This will become part of
                  your Privacy Policies and Procedures.




Definition –      Plan administration functions mean administration functions
Plan              performed by the plan sponsor or a group health plan on behalf of
Administration    the group health plan. They include functions performed by the plan
Activities        sponsor in connection with any other benefit or benefit plan of the
                  plan sponsor. [45 C.F.R. § 164.504(a)]

                  Many activities included in the definitions of health care operations
                  and payments are commonly referred to as plan administration
                  functions in the group health plan. For purposes of this rule, plan
                  administration activities are limited to activities that would meet the
                  definition of payment or health care operations. Plan administration
                  functions include:
                      Eligibility and enrollment functions,
                      Quality assurance,
                      Claims processing,
                      Auditing,
                      Monitoring,
                      Trend analysis, and
                      Management of carve-out plans—such as vision and dental
                           plans.





                       "Plan administration" does not include:
                         Any employment-related function in connection with any other
                            benefits or benefit plans. Group health plans may not disclose
                            information for such purposes absent an authorization from the
                            individual. Employment-related functions would include fitness for
                            duty determinations, or duties related to other employee benefits
                            or plans.
                         Enrollment/disenrollment functions performed by the plan sponsor
                            on behalf of its employees are not considered plan administration
                            functions.
                         Functions to modify, amend, or terminate the plan or solicit bids
                            from prospective issuers.
                       Plan sponsors have access to PHI only to the extent group health
                       plans have access to PHI. Plan sponsors are permitted to use or
                       disclose PHI only as would be permitted by group health plans. That
                       is, a group health plan may permit a plan sponsor to have access to
                       or to use PHI only for purposes allowed by the HIPAA Privacy Rule.



Definition –           A plan document is a written instrument which:
Plan                      1) Is adopted by the employer;
Documents                 2) Complies with applicable law;
                          3) Is available upon request (within 30 days) to participants; and
                          4) Describes the:
                               Eligibility requirements,
                               Basis on which benefits will be paid or denied,
                               Plan year,
                               Allocation and authorization of discretionary
                                 responsibilities,
                               Funding policies, and
                               Procedures for amending or terminating the plan.1


Disclosures            Only summary health information and the enrollment status of the
without an             individual can be disclosed by the group health plan to the plan
Agreement              sponsor without amending the plan documents.




1 This definition may be found at: http://www.sswhb.com/legal/grouphealth.html




Plan Sponsor   The plan documents under which a group health plan was established
Agreement      and is maintained must be amended before a group health plan may
Amendment      disclose PHI to a plan sponsor. [45 C.F.R. § 164.504(f)(2)] The
               amendments include the following:

               1. Use and Disclosure - Establish the permitted and required uses
                  and disclosures of PHI by the plan sponsor, provided that such
                  uses and disclosures are not inconsistent with the HIPAA Privacy
                  Rule. [45 C.F.R. § 164.504(f)(2)(i)]

               2. Certificate - Provide that the group health plan will disclose PHI to
                  the plan sponsor only upon receipt of a certificate by the plan
                  sponsor that the plan documents have been amended to
                  incorporate the certification provisions. [45 C.F.R. §
                  164.504(f)(2)(ii)] See below for more information about the Plan
                  Sponsor Certificate.

               3. Firewalls - Provide for adequate separation between the group
                  health plan and the plan sponsor. [45 C.F.R. § 164.504(f)(2)(iii)]
                  The plan documents must:

                  A. Describe those employees or classes of employees or other
                     persons under the control of the plan sponsor to be given
                     access to the PHI, and [45 C.F.R. § 164.504(f)(2)(i)]

                     An employer may identify who will have access to PHI in
                     whatever way best reflects its business needs as long as
                     participants can reasonably identify who will have access.
                     Identification in terms such as "individuals who from time to time
                     may need access to PHI" or in other broad or generic ways is
                     not sufficient.

                            For example, an employer may identify workforce
                            members by naming individuals, job titles (e.g. Director
                            of Human Resources), functions (e.g. employees with
                            oversight responsibility for the outside third party claims
                            administrator), divisions of the company (e.g. Employee
                            Benefits), or other entities related to the plan sponsor.

                  B. Describe those employees or persons who receive PHI relating
                     to payment, health care operations, or other matters pertaining
                     to the group health plan in the ordinary course of business. [45
                     C.F.R. § 164.504(f)(2)(iii)(A)]
                  C. Restrict the access to and use by such employees and other
                     persons to the plan administration functions that the plan
                     sponsor performs for the group health plan [45 C.F.R. §
                     164.504(f)(2)(iii)(B)]; and
                   D. Provide an effective mechanism for resolving any issues of
                      noncompliance with the plan document provisions. [45 C.F.R.
                      § 164.504(f)(2)(iii)(C)]


                A group health plan must identify in the plan documents, by name or
                function, any employee of the plan sponsor who receives PHI for
                payment, health care operations, or other matters related to the group
                health plan. Any disclosure to employees or classes of employees
                not identified in the plan documents is not a permissible disclosure.
                To the extent a group health plan has its own employees separate
                from the plan sponsor’s employees, as the workforce of a covered
                entity (i.e. the group health plan), they also are bound by the permitted
                uses and disclosures of the Privacy Rule.

                DECISION POINT: Plan Sponsor Agreement
                Has your plan sponsor agreement been amended to reflect these
                requirements?
                You will need to amend your plan sponsor agreement to reflect the
                HIPAA Privacy Rule. You need to document this in your Privacy
                Policies and Procedures.




Plan Sponsor    The certification must include that the plan sponsor agrees to: [45
Certification   C.F.R. § 164.504(f)(2)(ii)]

                Not use or further disclose the information other than as permitted or
                required by the plan document or as required by law.

                1. Sub-contractors - Ensure that any agents, including
                   subcontractors, to which PHI is provided from the group health
                   plan, agree to the same restrictions and conditions that apply to
                   the plan sponsor with respect to the information,

                2. Limit Use - Not use or disclose the information for employment-
                   related actions and decisions or in connection with any other
                   benefit or employee benefit plan of the plan sponsor,

                3. Report Violations - Report to the group health plan any use or
                   disclosure of the information of which it becomes aware that is
                   inconsistent with the uses and disclosures provided,






4. Access to PHI - Make available PHI in accordance with the
   access to PHI by individuals provision of the HIPAA Privacy Rule,
   [45 C.F.R. § 164.524]

5. Amendments to PHI - Make available PHI for amendment
   requests by the individual and incorporate any amendments to PHI
   in accordance with the HIPAA Privacy Rule provisions providing
   an individual the right to request an amendment to his/her PHI;
   [45 C.F.R. § 164.526]

6. Accounting of Disclosures - Make available the information
   required to provide an accounting of disclosures to individuals, [45
   C.F.R. § 164.528]

7. Compliance - Make its internal practices, books, and records
   relating to the use and disclosure of PHI received from the group
   health plan available to the Secretary for purposes of determining
   compliance by the group health plan, [45 C.F.R. § 160.300]

8. Destruction - If feasible:
   • Return or destroy all PHI received from the group health plan
     that the sponsor still maintains in any form,
   • Retain no copies of such information when no longer needed
     for the purpose for which disclosure was made,
   • Copies may be maintained if such return or destruction is not
     feasible, or
   • Limit further uses and disclosures to those purposes that make
     the return or destruction of the information infeasible; and

9. Firewalls - Ensure that the adequate separation is established
   [45 C.F.R. § 164.504(f)(2)(iii)]

The certification requirement was included in part, as a way to reduce
the burden on health insurance issuers and HMOs. Without a
certification, organizations would need to review the plan documents
to ensure that the group health plan or plan sponsor has made the
amendments before they could disclose PHI. The certification,
however, is a simple statement that the group health plan or plan
sponsor has made the amendments and the plan sponsor has agreed
to certain restrictions on the use and disclosure of PHI. The receipt of
the certification is sufficient basis for the health insurance issuer or
HMO to disclose PHI to the plan sponsor.







               DECISION POINT: Plan Sponsor’s Certification.
               Have you received your plan sponsor’s certification?
               You will need to obtain a certificate of your plan sponsor’s agreement
               to meet the HIPAA Privacy Rule requirements for plan sponsors if
               your sponsor receives more than enrollment or summary PHI. This
               agreement will become part of your Privacy Policies and Procedures.




Definition –   Summary health information means information, that may be
Summary        individually identifiable health information, and:
Health
Information    1) That summarizes by individuals for whom a plan sponsor has
                  provided health benefits under a group health plan:
                  • The claims history,
                  • Claims expenses, or
                  • Type of claims experienced; and
               2) From which the information has been deleted that must be
                  removed to de-identify IIHI [45 C.F.R. § 164.514(b)(2)(i)], except
                  that the geographic information need only be aggregated to the
                  level of a five-digit zip code. [Described in 45 C.F.R. §
                  164.514(b)(2)(i)(B)]

               This information does not constitute de-identified information because
               there may be a reasonable basis to believe the information is
               identifiable to a plan sponsor, especially if the number of participants
               in the group health plan is small. [45 C.F.R. § 164.504(a)]

               Summary information includes the provision of data and statistical
               analyses for policyholders of a health plan, plan sponsors, or other
               customers, as long as the PHI is not disclosed to such persons. Part
               of customer services includes the provision of data and statistical
               analysis that may include the use of PHI, but does not disclose the
               PHI.
                      For example, a plan sponsor may want to understand why its
                      costs are rising faster than average, or why utilization in one
                      plant location is different from in another location. An
                      association that sponsors an insurance plan for its members
                      may want information on the relative costs of its plan in
                      different areas. Some plan sponsors may want a more
                      detailed analysis that may identify health problems in a work
                      site.






              This activity qualifies as a health care operation only if it does not
              result in the disclosure of PHI to the customer.



Summary       The Rule permits a health plan that provides insurance to a group
Health        health plan to provide summary information to the plan sponsor:
Information
                • To permit the plan sponsor to solicit premium bids from other
                  health plans, (because these disclosures fall within the definition
                  of health care operations, they do not require authorization), or
                • For the purpose of modifying, amending, or terminating the plan.

              As part of the Notice of Privacy Practices requirements, health plans
              must inform individuals that they may disclose PHI to plan sponsors.

              The provision to allow summaries of claims experience to be
              disclosed to plan sponsors allows them to shop for replacement
              coverage, and get meaningful bids from prospective issuers. It also
              permits a plan sponsor to get summary information as part of its
              consideration of whether or not to change the benefits that are offered
              employees or whether or not to terminate a group health plan. [45
              C.F.R. § 164.520]

                     For example, a plan sponsor may want to change its contract
                     from a preferred provider organization to a health maintenance
                     organization (HMO). To obtain premium information, the plan
                     sponsor may need to provide the HMO with aggregate claims
                     information. Under the rule, the plan sponsor can obtain
                     summary information with certain identifiers removed, in order
                     to provide it to the HMO and receive a premium rate.




              DECISION POINT: Summary Information
              Will you provide summary information to your plan sponsor?
              You will need to determine if you provide summary information to your plan
              sponsor. If you do, you will need to establish a process to de-identify
              the information to be provided in the summary. This will be part of
              your Privacy Policies and Procedures.






Payment      The definition of payment in the HIPAA Privacy Rule captures the
Activities   necessary sharing of PHI among health care providers who provide
             care, health plans and other insurers who pay for care. This includes
             their business partners, as well as sponsors of group health plans,
             such as employers, who pay for care and sometimes provide
             administrative services in conjunction with health plan payment
             activities.

                   For example, employers sometimes maintain the eligibility file
                   with respect to a group health plan.

             In some cases, a payment activity could result in the disclosure of PHI
             by a plan to an employer or to another payer of health care, or to an
             insurer that is not a covered entity, such as for coordination of
             benefits or to a workers’ compensation carrier.

                   For example, a health plan could disclose PHI to an employer
                   in connection with determining the experience rate for group
                   coverage.

             Employers may have a legitimate need for such information because
             they often perform health care operations and payment functions,
             such as claims payment, quality review, and auditing. To protect such
             PHI, the plan sponsor must certify that the information will not be used
             for employment-related decisions.

             DHHS does not interpret the definition of payment to include activities
             involving the disclosure of PHI:
                   • By a covered entity to a plan sponsor for the purpose of
                     obtaining payment under a group health plan maintained by
                     the plan sponsor, or
                   • For the purpose of obtaining payment from a health insurance
                     issuer or HMO with respect to a group health plan maintained
                     by the plan sponsor, unless the plan sponsor is performing
                     plan administration activities. [45 C.F.R. § 164.504(f)]







               DECISION POINT: Payment Activities
               Will you provide PHI to your plan sponsor or health insurance
               issuer/HMO for payment activities?
               You will need to determine if you provide PHI to your plan sponsor,
               health insurance issuer, or HMO for payment purposes. If you do,
               you will need to establish a process to limit the amount of PHI
               disclosed to the minimum necessary. This will be part of your Privacy
               Policies and Procedures.




Health Care    The development and provision of summary data qualifies as a health
Operation      care operation only if it does not result in the disclosure of PHI to the
Activities     customer, e.g., a research firm or pharmaceutical manufacturer. A
               disclosure of PHI to the customer as a health care operation violates
               the rule.



Organized       In some instances, plan sponsors provide health benefits through a
Health Care     combination of group health plans. They may need to coordinate the
Arrangements    operations of such plans to better serve the participants and
                beneficiaries of the plans. This may include a combination of group
                health plans maintained by the same plan sponsor and the health
                insurance issuers and HMOs with respect to such plans. However,
                the coordination applies only to the PHI of such issuers and HMOs
                that relates to individuals who are or have been enrolled in such
                group health plans.

                In some instances, a plan sponsor may provide benefits through
                more than one group health plan, and such plans may fund the
                benefits through one or more issuers or HMOs. Again, coordinating
                health care operations among these entities may be necessary to
                serve the participants and beneficiaries in the group health plans.
                The necessary coordination may:
                     • Involve the business associates of the covered entities and
                     • Involve the participation of the plan sponsor to the extent that
                       it is providing plan administration functions and
                     • Be subject to the limits in the Privacy Rule. [45 C.F.R. §
                       164.504]






                Group health plans may disclose PHI to plan sponsors who conduct
                payment and health care operations activities on behalf of the group
                health plan if the HIPAA Privacy Rule requirements for group health
                plans are met.



Business        A business associate contract is not required for a group health plan
Associate       to make disclosures to the plan sponsor, to the extent that the health
Agreements      plan meets the applicable requirements of the Privacy Rule. If the
                employee organization were a plan sponsor of the group health plan,
                the certification of the plan agreement amendment would apply
                instead of the business associate requirements.

                Where a group health plan purchases insurance or coverage from a
                health insurance issuer or HMO, the provision of insurance or
                coverage by the health insurance issuer or HMO to the group health
                plan does not make the health insurance issuer or HMO a business
                associate. In such case, the activities of the health insurance issuer or
                HMO are on their own behalf and not on the behalf of the group health
                plan.

                An HMO may be a business associate with respect to functions or
                activities to provide services that are in addition to or not directly
                related to the provision of insurance functions, activities, or services.
                Under HIPAA, employers are not covered entities, so a health
                insurance issuer or HMO cannot act as a business associate of an
                employer. [45 C.F.R. § 164.504(f) & 164.502(e)(ii)(B)]



Transactions     Plan sponsors of group health plans are not covered entities.
and Code Sets    Therefore, they are not required to use the standards established in
                 regulation to perform electronic transactions, including enrollment
                 and disenrollment transactions. Plan sponsors that perform
                 enrollment functions are doing so on behalf of the participants and
                 beneficiaries of the group health plan and not on behalf of the group
                 health plan itself. For purposes of this rule, plan sponsors are not
                 subject to the requirements of plan sponsors regarding group health
                 plans when conducting enrollment activities.







                A plan sponsor could use standard transactions as part of their
                functions. The transaction could be used to:

                     • Inquire about the eligibility, coverage, or benefits associated
                       with a benefit plan, employer, plan sponsor, subscriber, or a
                       dependent under the subscriber’s policy, or
                     • Communicate information about or changes to eligibility,
                       coverage, or benefits from information sources (such as
                       insurers, sponsors, and payers) to information receivers (such
                       as physicians, hospitals, third party administrators, and
                       government agencies).



Minimum         Plan sponsors are bound by the minimum necessary standard. [45
Necessary       C.F.R. § 164.514(d)]




Information     The IPA allows State agencies to disclose personal information in
Practices Act   specific circumstances. The IPA allows for disclosures for:
(IPA)                  • To a government entity as required by law,
                       • Official duties,
                       • Constitutional duties, or
                       • Statutory duties.
                [Civil Code § 1798.24(d), (e), & (f)]


                MAJOR CONSIDERATION: IPA and Plan Sponsors
                The IPA provisions that allow disclosures of personal information for
                official, constitutional or statutory duties are preempted by HIPAA
                and cannot be used. You will need to determine the interaction
                between the IPA, HIPAA, other State and federal laws and your
                business practices. It is possible that you will not be able to
                utilize this permitted disclosure. You should consult with your legal
                counsel in making this determination before disclosing PHI to plan
                sponsors.






Confidentiality   The CMIA allows health care service providers, health care service
of Medical        plans, or contractors to disclose medical information in specific
Practices         circumstances. Of those circumstances, disclosures as required by
(CMIA)            law may meet the purpose of this HIPAA permitted disclosure. In
                  addition, the CMIA allows for disclosures to a health care service plan
                  by providers of health care that contract with the health care service
                  plan. Medical information may be transferred among providers of
                  health care that contract with the health care service plan, for
                  administering the health care service plan. [Civil Code § 56.10(b)(9)
                  & 56.10(c)(5)]


                  MAJOR CONSIDERATION: CMIA and Plan Sponsors
                  You will need to determine the interaction between the CMIA, HIPAA,
                  other State and federal laws and your business practices. You should
                  consult with your legal counsel in making this determination before
                  disclosing PHI to plan sponsors.




                                                      Notices of Privacy Practices



             4. NOTICES OF PRIVACY PRACTICES


Notice of   Health plans may satisfy the distribution of Notices of Privacy
Privacy     Practices requirement by providing the notice to the named insured
Practices   on behalf of the dependents of that named insured. A group health
            plan is not required to distribute the notice to each covered employee
            and to each covered dependent of those employees.

                   For example, a group health plan may satisfy its notice
                   requirement by providing a single notice to each covered
                   employee of the plan sponsor.

            Covered providers are required to distribute only their own notices,
            and may devise whatever arrangements they find suitable to meet
            the requirements of this rule. However, if a covered entity arranges
            for another person or entity to distribute the covered entity’s notice
            on its behalf and individuals do not receive such notice, the covered
            entity would be in violation of the rule.

                   For example, a group health plan may have the plan sponsor
                   deliver their Notice of Privacy Practices, but they are
                   responsible if the plan sponsor fails to deliver the notice.




                                                               Workers’ Compensation



                    5. WORKERS’ COMPENSATION


Intent        The Privacy Rule is not intended to disrupt existing workers’
              compensation systems as established by State law. In particular, the
              Rule is not intended to impede the flow of health information that
              is needed by employers, workers’ compensation carriers, or
              State officials to process or adjudicate claims and/or coordinate care
              under the workers’ compensation system. To this end, the Privacy
              Rule explicitly permits a covered entity to disclose PHI as authorized
              by, and to the extent necessary to comply with, workers’
              compensation or other similar programs established by law that
              provide benefits for work-related injuries or illnesses without regard to
              fault.

              The Congress did not include these programs in the definition of a
              “health plan”. Further, HIPAA’s legislative history shows the
              definition of “health plan” originally included certain benefit programs,
              such as workers’ compensation and liability insurance, but was later
              amended to clarify the definition and remove these programs. Thus,
              since the statutory definition of a health plan both on its face and
              through legislative history evidences Congress’ intention to exclude
              such programs, DHHS does not have the authority to require that
              these programs comply with the standards. [Section 1171 of the
              HIPAA and House Report H. Rep. 104-496]

Permitted     HIPAA allows covered entities to disclose PHI as authorized by and to
Disclosures   the extent necessary to comply with laws relating to workers’
              compensation or other similar programs, established by law, that
              provide benefits for work-related injuries or illness without regard to
              fault.

Programs      Workers’ compensation benefits include benefits under programs
              such as the Black Lung Benefits Act, the Federal Employees’
              Compensation Act, the Longshore and Harbor Workers’
              Compensation Act, and the Energy Employees’ Occupational Illness
              Compensation Program Act.







                DECISION POINT: Workers’ Compensation
                Do you disclose PHI to employers for workers’ compensation
                purposes?
                If so, you will need to consult with your legal counsel to determine
                what State laws require disclosure of PHI to employers. You will need
                to be cautious not to disrupt the flow of information necessary for
                workers’ compensation activities. This will be part of your Privacy
                Policies and Procedures.


Information     The IPA allows State agencies to disclose personal information in
Practices Act   specific circumstances. The IPA allows for disclosures for:
(IPA)                 • To a government entity as required by law,
                      • Official duties,
                      • Constitutional duties, or
                      • Statutory duties.
                       [Civil Code § 1798.24(d), (e), & (f)]

                The IPA also permits disclosure of personal information related to the
                settlement of claims for work related illnesses or injuries and
                maintained exclusively by the State Compensation Insurance Fund.
                [Civil Code § 1798.24(g)]


                MAJOR CONSIDERATION: IPA and Workers’ Compensation
                You will need to determine the interaction between the IPA, HIPAA,
                other State and federal laws and your business practices. The
                sections of the IPA that allow for disclosures for official, constitutional
                or statutory duties are preempted by HIPAA and cannot be used.
                However, you may be able to disclose PHI if it is required by other
                federal or State laws or regulations. However, we were not able to
                locate a State law governing Workers’ Compensation that makes a
                direct reference permitting the disclosure of medical information.
                Therefore, you may be limited on what information you may
                disclose for workers’ compensation purposes. You should
                consult with your legal counsel in making this determination before
                disclosing PHI for workers’ compensation purposes.






Confidentiality   The CMIA allows health care service providers, health care service
of Medical        plans, or contractors to disclose medical information in specific
Practices         circumstances. Of those circumstances, disclosures as required by
(CMIA)            law may meet the purpose of this HIPAA permitted disclosure. In
                  addition, the CMIA allows for disclosures for employment related
                  health care services, lawsuits, arbitration, grievances, and leave from
                  work. It also provides a section for employers’ use and disclosure of
                  employee medical information. (Partially preempted) [Civil Code §
                  56.10(b)(9) & (c)(8)]


                  MAJOR CONSIDERATION: CMIA and Workers’ Compensation
                  The CMIA section that allows for disclosure for employment related
                  health care services, lawsuits, arbitration, grievances, and leave from
                  work is partially preempted by HIPAA and you may be limited in how
                  you may use it. You will need to determine the interaction between
                  the CMIA, HIPAA, other State and federal laws and your business
                  practices. You should consult with your legal counsel. See the
                  Preemption Analysis on the CalOHI website at: CalOHI - Legal
                  Issues.


Not Covered       The rule specifically excludes from the definition any policy, plan, or
by HIPAA          program providing or paying the cost of the excepted benefits, as
                  defined in section 2971(c)(1) of the Public Health Services Act, 42
                  U.S.C. 300gg–91(c)(1). As defined in the statute, this includes but is
                  not limited to benefits under one or more (or any combination thereof)
                  of the following:
                    • Coverage only for an accident, or
                    • Disability income insurance, or
                    • Any combination thereof;
                    • Liability insurance, including general liability insurance and
                          automobile liability insurance; and
                    • Workers’ compensation or similar insurance

                  [45 C.F.R. § 160.130(2)(i), definition of health plan.]






DHHS         DHHS understands the potential chilling effect the Privacy Rule
Monitoring   could have on the workers’ compensation system. Therefore, as the
             Privacy Rule is implemented, DHHS will actively monitor the effects of
             the Rule on this industry to assure that the Privacy Rule does not
             have any unintended negative effects that disturb the existing
             workers’ compensation systems. If they find that, despite the above
             clarification of intent, the Privacy Rule is being misused and
             misapplied to interfere with the smooth operation of the workers’
             compensation systems, they will consider proposing modifications to
             the Rule to clarify the application of the minimum necessary standard
             to disclosures for workers’ compensation purposes.
             _______________________________________________________

Minimum      Covered entities must comply with the minimum necessary provisions
Necessary    unless the law requires the disclosure. The minimum necessary
             standard permits covered entities to disclose any PHI that is
             reasonably necessary for workers’ compensation purposes in
             accordance with state or other law. [45 C.F.R. § 164.512(a)]

             The Privacy Rule’s minimum necessary standard will not create an
             obstacle to the type and amount of information that currently is
             provided to employers, workers’ compensation carriers, and state
             administrative agencies under these state laws. In many cases, the
             minimum necessary standard will not apply to disclosures made
             pursuant to such laws. In other cases, the minimum necessary
             standard applies, but permits disclosures to the full extent authorized
             by the workers’ compensation laws.

                    For example, Texas workers’ compensation law requires a
                    health care provider, upon the request of the injured employee
                    or insurance carrier, to furnish records relating to the treatment
                    or hospitalization for which compensation is being sought.
                    Such disclosure is exempt from the minimum necessary
                    standard because law requires it.

                    The Texas law further provides that a health care provider be
                    permitted to disclose to the insurance carrier records relating to
                    the diagnosis or treatment of the injured employee without the
                    authorization of the injured employee to determine the amount
                    of payment or the entitlement to payment. Since this
                    disclosure only is permitted and not required by Texas law, the
                    HIPAA provision would govern to permit such disclosure. In
                    this case, the minimum necessary standard would apply to the
                    disclosure, but would allow information to be disclosed as
                    authorized by the statute, that is, as necessary to ‗‗determine
                    the amount of payment or the entitlement to payment.‘‘







Required By      Additionally, where a state or other law requires a disclosure of PHI
Law              for workers’ compensation purposes, such disclosure is permitted.
                 [45 C.F.R. § 164.512(a)]
                 _______________________________________________________

Authorizations    A covered entity also is permitted to disclose PHI to a workers’
                  compensation insurer where the insurer has obtained the
                  individual’s authorization for the release of such information. The
                  minimum necessary provisions do not apply to disclosures required
                  by law or made pursuant to authorizations. [45 C.F.R. § 164.508]
                  _______________________________________________________

Payment          A covered entity is permitted to disclose information to any person or
                 entity as necessary to obtain payment for health care services, i.e.,
                 payment for services from a workers’ compensation insurance fund.
                 The minimum necessary provision applies to such disclosures but
                 permits the covered entity to disclose the amount and types of
                 information that are necessary to obtain payment.

                 See Chapter 7, Treatment, Payment and Health Care Operations,
                 Use and Disclosure, for more information about payments, in the
                 CalOHI Policy Memorandum 2003-28, Attachment , which you may
                 find on the CalOHI website at: CalOHI - Privacy - Use and Disclosure
                 _______________________________________________________

Redisclosure     DHHS is not able to impose redisclosure restrictions upon workers’
                 compensation agencies to which PHI is disclosed. Therefore, no
                 further protection of the PHI exists once it is disclosed to the agencies
                 other than is provided under State law.
                 _______________________________________________________

Dual             Under HIPAA, workers’ compensation is an excepted benefit
Functions        program and is excluded from the definition of “health plan.” As such,
                 a component of a covered entity that provides such excepted benefits
                 may not be part of a health care component that performs the
                 functions of a health plan. If workforce members of the larger entity
                 perform functions for both the health care component and the non-
                 covered component, they may not use PHI created or received by or
                 on behalf of the health care component for the purposes of the non-
                 covered component, unless otherwise permitted by the rule.

                        For example, information may be shared between the
                        components for coordination of benefits purposes.






Administrative   If the request for PHI in connection with a workers’ compensation
Proceedings      claim is part of an administrative proceeding, a covered entity must
                 meet the requirements set forth in permitted disclosure for
                 administrative proceedings before disclosing the information. As
                 noted, one permissible manner by which a covered entity may
                 disclose PHI is if the party seeking the disclosure makes reasonable
                 efforts to provide notice to the individual as required by this provision.
                 Under this method, the less formal process will not be disturbed. A
                 covered entity may disclose PHI in response to other types of
                 requests only as permitted by this regulation. [45 C.F.R. §
                 164.512(e)]



State Law        The State law pertaining to privacy of information for workers’
                 compensation activities is found in the California Labor Code. The
                 law provides:
                   • Workers’ compensation insurers shall discuss all elements of a
                      claim file that affect the employer’s premium with the employer.
                   • Workers’ compensation insurers shall supply copies of the
                      documents that affect the premium at the employer’s expense
                      during reasonable business hours. [Labor Code § 3762]
                 These disclosures do not extend to any documents that the insurer is
                 prohibited from disclosing to the employer under attorney-client
                 privilege, any other applicable privilege, or statutory prohibition upon
                 disclosure, or as limited by the State law governing workers’
                 compensation fraud. [Insurance Code § 1877.4]


                 In addition, State law prohibits insurers, third-party administrators
                 retained by a self-insured employer, and those employees and agents
                 that administer the employer’s workers’ compensation claims from
                 disclosing or causing to be disclosed to an employer, any medical
                 information (as defined in the Confidentiality of Medical Information
                 Act, Civil Code § 56.05) about an employee who has filed a
                 compensation claim except for:
                  • Medical information limited to the diagnosis of the mental or
                     physical condition for which workers’ compensation is claimed and
                     the treatment provided for this condition, or
                  • Medical information regarding the injury for which workers’
                     compensation is claimed that is necessary for the employer to
                     have to modify the employee’s work duties. [Labor Code §
                     3762(c)]






MAJOR CONSIDERATION: Pre-Existing Conditions
The State law is unclear on disclosure of pre-existing condition(s) that
may have contributed to workplace accidents or injuries. You should
consult your legal counsel to determine what PHI you should release.


MAJOR CONSIDERATION: Limited to Workers’ Compensation
Laws
The workers’ compensation exclusion applies only to actions
processed through the workers’ compensation system. In California,
those are actions brought under the Labor Code to the Workers’
Compensation Appeals Board. This exclusion does not apply to any
follow-up civil court action that may be filed, which is governed by
State law and HIPAA for disclosures made by covered entities. Such
disclosures may fall within the HIPAA permitted disclosure for judicial
and administrative proceedings. You should consult your legal
counsel before making such disclosures.


MAJOR CONSIDERATION: Special Conditions
AIDS and HIV conditions have special status of confidentiality that
may exceed other permitted disclosures. You should consult your
legal counsel before making disclosures of PHI containing such
information.

_______________________________________________________







                          OTHER REQUIREMENTS

Authorization   An employer also may receive PHI from a covered entity for any
                purpose, with the authorization of the individual.



Pre-            A covered health care provider must obtain an authorization to
Enrollment      disclose PHI about an individual for purposes of pre-enrollment
Underwriting    underwriting. The underwriting is not an “operation” of the provider,
                and that disclosure is not otherwise permitted by a provision of this
                rule. [45 C.F.R. § 164.508]



Advocating      Nothing in the HIPAA Privacy Rule hinders or prohibits plan sponsors
for Employees   from advocating on behalf of group health plan participants or
                providing assistance in understanding their health plan. However, the
                plan sponsor could not obtain any information from the group health
                plan or a covered provider unless authorization was given. Obtaining
                an authorization when advocating or providing assistance is not
                impractical or burdensome since the individual is requesting
                assistance and should be willing to provide authorization. Advocating
                on behalf of an employee or plan participant or providing other
                assistance does not make the plan sponsor or the employer a
                covered entity.

                       For example, an employer may contact the group health plan
                       or the insurance issuer about a payment situation on behalf of
                       an employee where the group health plan or insurance issuer
                       refuses to cover a medical service that is covered by the health
                       plan.



Due Date        The Rule permits a group health plan to disclose PHI to a plan
                sponsor if, among other requirements, the plan documents are
                amended to appropriately reflect and restrict the plan sponsor’s uses
                and disclosures of such information. The group health plan should
                only have one set of plan documents that must be amended. Thus,
                the Department expected that group health plans would have been
                able to modify plan documents in accordance with the Rule by the
                Rule’s compliance date.







Privacy        Covered entities are required to address disclosures related to
Policies and   employers in their privacy policies and procedures.
Procedures


               DECISION POINT: Privacy Policies and Procedures
               Have you included disclosures to employers in your Privacy
               Policies and Procedures?
               You will need to include in your Privacy Policies and Procedures
               information about how you will disclose PHI to employers, if
               appropriate.







                              STATE LAW

CMIA and    The main State law governing the treatment of medical information by
Employers   employers is in the Confidentiality of Medical Information Act. The law
            provides that employers who receive medical information shall have
            procedures to ensure confidentiality and protection from unauthorized
            use and disclosure. This includes instructions concerning the
            confidentiality of employees and agents handling files containing
            medical information and security systems restricting access to files
            that contain medical information. [Civil Code § 56.26, et seq.]


            MAJOR CONSIDERATION: CMIA and Employers
            Some of the sections that govern treatment of medical information by
            employers are preempted while others are not. You should consult
            with your legal counsel before disclosing any medical information of
            employees. See the Preemption Analysis on the CalOHI website at:
            CalOHI - Legal Issues.



IPA and     The State law does not require a State government agency to
Employers   disclose personal information that would compromise the objectivity or
            fairness of a competitive examination for appointment or promotion in
            public service to determine fitness for licensure, or to determine
            scholastic aptitude. [Civil Code § 1798.40(e)]


            MAJOR CONSIDERATION: IPA and Employers
            This section of the IPA is partially preempted. You may not be able
            to use it. You should consult with your legal counsel before
            disclosing any medical information of employees. See the
            Preemption Analysis on the CalOHI website at: CalOHI - Legal
            Issues.







                              DECISION POINTS

ISSUE     DATE      PERCENT    DATE
IMPACTS   STARTED   COMPLETED  COMPLETED  ITEM DESCRIPTION
-------   -------   ---------  ---------  --------------------------------------
                                          Employers and Public Health Activities
                                          Group Health Plans
                                          Group Health Plan Requirements
                                          Notice of Privacy Practices
                                          Enrollment/Disenrollment
                                          OHCAs
                                          TPO
                                          Administrative Requirements
                                          Minimum Necessary
                                          Plan Sponsor
                                          Plan Sponsor Agreement
                                          Plan Sponsor’s Certification
                                          Summary Information
                                          Payment Activities
                                          Workers’ Compensation
                                          Privacy Policies and Procedures







                            MAJOR CONSIDERATIONS

ISSUE     DATE      PERCENT    DATE
IMPACTS   STARTED   COMPLETED  COMPLETED  ITEM DESCRIPTION
-------   -------   ---------  ---------  --------------------------------------
                                          Other Federal Laws
                                          Laws About Employee Information
                                          ERISA
                                          IPA and Group Health Plans
                                          CMIA and Group Health Plans
                                          IPA and Plan Sponsors
                                          CMIA and Plan Sponsors
                                          IPA and Workers’ Compensation
                                          CMIA and Workers’ Compensation
                                          Pre-Existing Conditions
                                          Limited to Workers’ Compensation Laws
                                          Special Conditions



