Under the Privacy Regulation, Wellmark needs to take steps with our fully insured and self-funded group health plans to protect the confidentiality of protected health information collected or exchanged in the course of business operations. We consider self-funded health plans to include fully and partially self-funded health plans and medical reimbursement plans (flexible spending accounts) administered by Wellmark.

Privacy Rule/Protected Health Information

The Privacy Rule has consequences for health plans, sponsors of group health plans, health care practitioners and facilities. Covered entities are required to implement a number of administrative requirements to ensure privacy of "protected health information" or PHI.
 
The impact of the privacy regulations on each employer or health plan depends in part on the extent to which it uses PHI.

Summary Health Information

The Privacy Rule permits a plan sponsor to have "summary health information" to obtain premium bids for health insurance coverage for the group health plan, or to modify, change or terminate a group health plan.
 
"Summary health information" summarizes claims history, claims expense, or type of claims experienced by individuals for whom the plan sponsor has provided health benefits under a group health plan.
 
The Privacy Rule permits a health insurer to disclose plan enrollees' protected health information (PHI) for "plan administration functions." These are performed by the plan sponsor on behalf of the group health plan.
 
A fully-insured health plan is not subject to the administrative requirements of the Privacy Rule if it does not create or receive PHI except for summary health information and plan participation information (such as whether an individual is enrolled or disenrolled from a health insurance issuer or HMO offered by the plan). 
 
"Plan administration functions" do not include functions that the plan sponsor may perform in connection with any other benefit or benefit plan of the sponsor. However, before a health insurer may disclose protected health information to the plan sponsor for plan administration functions, the plan sponsor must certify that it adheres to and complies with Privacy Rule requirements.

Impact of privacy rule on employer/group health plan sponsors:

  • HIPAA-AS, and specifically the Privacy Rule, does not apply to all employers, but it does apply to a group health plan sponsored by an employer. If the employer and the plan sponsor are the same entity, the employer is affected.
  • A clear intent of the Privacy Rule is to ensure that employees protect individually identifiable health information.
  • The obligations of a group health plan sponsor will depend upon the type of health information it considers necessary to manage the group health plan.

Wellmark's Role

If an insured group health plan receives or creates PHI, or if a group health plan is self-funded, compliance is the responsibility of the plan sponsor. Wellmark Blue Cross and Blue Shield will assist health plans that are subject to HIPAA-AS requirements, to the extent possible, with fact sheets and forms. Wellmark also will provide communication and updates about HIPAA-AS in general.
 
If you have questions or would like additional information, please contact your Wellmark Blue Cross and Blue Shield account manager or broker.

The Privacy Regulation was designed to provide rights and protections with regard to an individual's health information. Companies affected by the Privacy Regulation include self-funded group health plans. Fully insured health plans include maximum liability and minimum premium accounts.
Wellmark has sent its enrolled fully insured group health plans important information about:

  • Privacy requirements for insured group health plans; how insured plans can avoid compliance requirements; and what a plan must do if it elects to receive PHI about plan members
  • Authorized Representative Designation

Important messages include:

  • Fully insured health plans can avoid most of the compliance requirements if they provide benefits solely through an insurance contract with an insurer or HMO and the plan does not create or receive health information for its plan members except for plan participation or summary health data which does not individually identify members
  • If the health plan decides to receive PHI that identifies plan members, it is subject to the same compliance requirements as a self-funded group health plan
  • In order to receive individually identifiable PHI, the group must identify individuals in the organization who represent the health plan and are authorized to request and receive PHI. The designation of the plan's authorized representatives must be submitted in writing to Wellmark
  • If the employer plan sponsor receives only summary health information, the plan document does not need to be amended
  • HOWEVER - if the employer plan sponsor requires PHI to administer the health plan, the plan documents must be amended to include the provisions required by the Privacy Regulation

How Wellmark Can Assist Enrolled Fully Insured Group Health Plans

Designated Record Set

An individual may request his/her "designated record set" (DRS). The DRS includes information collected on or after April 14, 2003, and is used to make health care decisions or determine whether an insurance claim will be paid, including:

  • Enrollment
  • Payment
  • Claims Adjudication
  • Case or medical management records

The DRS includes all health information records maintained by Wellmark, including enrollment applications, attending physician statements and all claims-related documentation for a period of six years (starting April 14, 2003).  
The HIPAA-AS Privacy Rule requires Wellmark to accommodate an individual's request for a copy of his/her DRS.
 
For an insured health plan, Wellmark will charge the member a cost-based fee for each request.
The fee will be required at the time the request is submitted.

Accounting of Disclosures

The HIPAA-AS Privacy Rules require Wellmark to provide an accounting of the disclosures of an individual's protected health information, if requested, over the previous six years starting April 14, 2003.
 
Wellmark is not required to account for disclosures that occur due to normal payment and health care operations.
 
Wellmark will provide the first accounting in a 12-month period without charge to the member.
For an insured health plan, the first disclosure accounting will be provided without charge.

For each subsequent request in a 12-month period, Wellmark will charge the member a cost-based fee for each request.
 
The fee will be required at the time the request form is submitted.

IF the health plan is...

  • Fully insured and
  • Receives Personal Health Information (PHI)

Then the plan sponsor/employer must

  • Provide certification of privacy regulation compliance to Wellmark
  • Provide notice of privacy policy upon request of the plan

AND Wellmark

  • Send our Privacy Notice to all plan participants.
  • Provide sample documents as appropriate at the direction of the plan sponsor. The provision of sample documents is not intended to constitute legal advice.

IF the health plan is...

  • Fully insured and
  • Does not receive PHI (except for enrollment and summary information). Summary health information summarizes claim history, claim expenses or types of claim experience and is "de-identified" except for limited geographic information.

Then the plan sponsor/employer must

  • Use the summary health information only for the purposes allowed by the HIPAA-AS privacy rule
  • In this case, the plan sponsor has no obligation under the federal regulation to protect PHI.

AND Wellmark

  • Send our Privacy Notice to all plan participants.
  • Provide sample documents as appropriate at the direction of the plan sponsor. The provision of sample documents is not intended to constitute legal advice.

IF the health plan is...

  • Partially self funded and
  • Receives PHI and
  • Wellmark provides partial group health plan coverage

Then the plan sponsor/employer must

  • Send its Privacy Notice to all plan participants.
  • Amend its plan document to include privacy provisions.
  • Provide certification of privacy regulation compliance to Wellmark.

AND Wellmark

  • Send our Privacy Notice to all plan participants.
  • Amend agreement with plan sponsor to comply with Business Associate contract requirements.

IF the health plan is...

  • Partially self funded and
  • Receives PHI and
  • Wellmark does not provide partial group health plan coverage

Then the plan sponsor/employer must

  • Send its Privacy Notice to all plan participants.
  • Amend its plan document to include privacy provisions.
  • Provide certification of privacy regulation compliance to Wellmark.

AND Wellmark

  • Amend agreement with plan sponsor to comply with Business Associate contract requirements.
  • Provide sample documents as appropriate at the direction of the plan sponsor. The provision of sample documents is not intended to constitute legal advice.

IF the health plan is...

  • Fully self funded and
  • Receives PHI

Then the plan sponsor/employer must

  • Send its Privacy Notice to all plan participants.
  • Amend its plan document to include privacy provisions.
  • Provide certification of privacy regulation compliance to Wellmark.

AND Wellmark

  • Amend agreement with plan sponsor to comply with Business Associate contract requirements.
  • Provide sample documents as appropriate at the direction of the plan sponsor. The provision of sample documents is not intended to constitute legal advice.

Note: The material on this web site is not legal advice and should not be used as legal advice. If you need legal advice upon which you can rely, we recommend you consult your attorney.

  • Wellmark is a business associate of the self-funded health plan by providing administrative services for the plan and must provide assurance that we will safeguard and limit the use and disclosure of protected health information
  • The business associate contract includes the terms for Wellmark to provide administrative services only for a self-funded health plan
  • A self-funded health plan must identify the individuals in the organization who represent the health plan and are authorized to request and receive PHI
  • If the employer plan sponsor receives ONLY SUMMARY HEALTH INFORMATION, the plan document does not need to be amended
  • HOWEVER - if the employer plan sponsor requires PHI to administer the health plan, the plan documents must be amended to include the provisions required by the Privacy Regulation

Designated Record Set

After April 14, 2003, an individual may request his or her "designated record set" (DRS). The DRS includes information collected on or after April 14, 2003, and is used to make health care decisions or determine whether an insurance claim will be paid, including:

  • Enrollment
  • Payment
  • Claims Adjudication
  • Case or medical management records

The DRS includes all health information records maintained by Wellmark, including enrollment applications, attending physician statements and all claims-related documentation for a period of six years (starting April 14, 2003).
 
The HIPAA-AS privacy rules require Wellmark to accommodate an individual's request for a copy of his/her DRS.
 
For a self-funded group health plan, Wellmark will charge the group a cost-based fee for each request.
 
The fees will be added to the self-funded plan's monthly statement.
 
The self-funded plan may pass this charge on to its member by charging a cost-based fee for each request.

Accounting of Disclosures

The HIPAA-AS privacy rules require Wellmark to provide an accounting of the disclosures of an individual's protected health information, if requested, over the previous six years starting April 14, 2003.
 
Wellmark is not required to account for disclosures that occur due to normal payment and health care operations.
 
For a self-funded health plan, Wellmark will charge the group a cost-based fee for every request.
 
The fees will be added to the self-funded plan's monthly statement.
 
The plan is not allowed to charge its member for the first accounting in a 12-month period.