You Ought To Know: September 20, 2013 – HIPAA Privacy FAQs
The issuance of final HIPAA Privacy Rules has necessitated changes to employee benefit plans and the internal privacy policies used by plans. In addition, significant changes were required within most plans’ Notice of Privacy Practices. As employers have focused on these updates, many questions have been raised concerning plan design, HIPAA requirements, and how to best use the model HIPAA materials that Willis has created. This FAQ addresses some of the most common HIPAA Privacy questions.

Question 1: My plan is insured. Do I need to send out a Notice of Privacy Practices?

Answer 1: It depends. The specifics of which plans need to send a Notice of Privacy Practices are included within two Employer Guides which are available on Willis Essentials. The relevant Employer Guides are named the HIPAA Privacy Long Route: An Employer Guide and the HIPAA Privacy Shortcut Route: An Employer Guide. Within Willis Essentials, you can access these materials by clicking on the “NLRG” tab and then clicking on “HIPAA” in the drop-down menu.

Plans that qualify for the compliance shortcut need not have or send a Notice of Privacy Practices. Plans that are fully-insured, but do not qualify for the shortcut, must have a Notice of Privacy Practices, but they need not send it to plan participants unless requested. The compliance shortcut is available to group health plans that meet two conditions:

  • All health benefits under the plan are provided only through an insurance contract or a similar contract with a health maintenance organization (HMO) (that is, the benefits are “fully insured”); and
  • Neither the plan nor the sponsoring employer creates, maintains, or receives protected health information (PHI) other than summary health information.

If any health benefits under the plan are not provided solely through a health insurance policy and/or a similar contract with an HMO, the compliance shortcut is not available at all for that plan.

Example: Employer A maintains an ERISA welfare benefits plan that includes a fully-insured PPO, an HMO, and a health care flexible spending account (HFSA). This plan will not qualify for the shortcut because the plan includes the self-funded HFSA.

Considering the requirements for shortcut HIPAA compliance, plan sponsors may choose to restructure their benefits so that, to the extent that fully-insured HIPAA-subject benefits are offered, they are provided under a plan that does not include self-insured HIPAA-subject benefits.
Example: Employer A, from the previous example, amended its plan to split it into two separate ERISA plans, one for the insured PPO and HMO and one for the HFSA. The plan including the PPO and HMO would be considered fully insured for purposes of the compliance shortcut. The HFSA plan would be considered self-funded for this purpose. Splitting the plan in this manner probably will ease the employer’s compliance burden, because compliance without the shortcut will be much easier for the HFSA alone than it would be for the HFSA, PPO and HMO together.

Question 2: I am updating our company’s HIPAA materials using the Willis templates that are available within the HIPAA Employer Guides. There are bracketed areas that ask us to indicate the date that the plan became subject to HIPAA Privacy. The date options provided as suggested answers are dates from 2003 or 2004. What does this mean, and which date should we choose?

Answer 2: The original compliance date for the Privacy Rules was April 14, 2003, except that it was one year later (April 14, 2004) for small plans (those with annual receipts of $5 million or less). Unfortunately, the EDI and Privacy Rules did not define “annual receipts.” HHS said, however, that plans under which total payments for health insurance premiums, plus total claims payments for self-insured benefits, totaled $5 million or less would qualify as small plans. For most employer plans, this guidance meant that some fairly large plans qualified as small plans for this purpose. Based on an annual, per-employee coverage or claims cost of less than $10,000, most health plans covering up to 500 employees would qualify as small plans.

Using the above guidance, plans that existed when the HIPAA Privacy rules were created should choose the 2003 or 2004 date that applied to the plan sponsor. Obviously, plans that came into existence after 2003 or 2004 would not have HIPAA Privacy rules applying until the plan that was subject to HIPAA was actually created.

Question 3: What benefits are subject to the HIPAA Privacy rules?

Answer 3: More information on this topic is included within two Employer Guides which are available on Willis Essentials. The relevant Employer Guides are named the HIPAA Privacy Long Route: An Employer Guide and the HIPAA Privacy Shortcut Route: An Employer Guide.

If a plan number includes benefit options from both columns in the chart below, then that plan will be subject to HIPAA Privacy compliance, and because there are HIPAA-subject and non-HIPAA-subject benefits under the same plan, a Hybrid Entity will exist, and the plan sponsor will need to include a “Hybrid Designation Form” within its HIPAA compliance materials. This form is not distributed to employees, but it is used in the event of an audit in order to indicate that the plan sponsor is aware that some of its benefits are subject to the HIPAA Privacy rules but that other benefits are not subject to the HIPAA Privacy rules. A Hybrid Designation Form is available within both HIPAA Privacy Employer Guides.
Subject to HIPAA Privacy:

  • Government-sponsored health plans
  • Church-sponsored health plans
  • Small health plans of small employers
  • Self-insured health plans
      – Health Reimbursement Arrangement (Code Section 105 medical reimbursement)
      – Health FSA
  • Fully-insured health plans
      – HMO
      – PPO
      – EPO
      – Traditional Indemnity
      – Open Access HMO
      – POS
      – Minimum Premium
  • Dental benefits
      – Indemnity Dental
      – DMO
  • Vision benefits
  • Prescription drug benefits
  • Executive Physical Program
  • Employee Assistance Plan
  • Retiree Medical
  • Voluntary medical benefits – see below to determine which entity is responsible for HIPAA Privacy compliance
  • Wellness program
  • Long-term Care

Not Subject to HIPAA Privacy:

  • Life Insurance
  • Accidental Death & Dismemberment Insurance
  • Adoption Assistance
  • Disability income coverage
  • On-site medical clinics (not deemed to be a health plan, but clinics may be covered under the Privacy Rules as “health care providers” – this discussion is beyond the scope of this article)
  • Medical leave programs
  • Automobile Liability coverage
  • Workers’ compensation
  • Credit-only insurance
  • General Liability coverage
  • Legal services
  • Dependent Care FSA
  • Adoption Assistance
  • Education Assistance
Question 4: Within the Willis template HIPAA compliance materials, there are bracketed areas where “Name of Plan” should be inserted. What is the name of the Plan?

Answer 4: For plan sponsors subject to ERISA, the name of the Plan would be the name that has been designated within the ERISA plan document. For instance, a plan sponsor may have a legal plan document that wraps together its medical, dental, and vision benefits under Plan Number 501, and the plan name that has been chosen might be “XYZ Company Welfare Benefit Plan.” That plan name is what would be entered within the brackets in the HIPAA compliance materials. If a plan sponsor subject to ERISA does not have legal plan documents, then it should immediately put plan documents in place. Willis has recorded a webcast on the topic of Plan Documents. That webcast is available here.

For plan sponsors which are not subject to ERISA, or that sponsor health benefits programs with respect to which no Form 5500 is filed, the boundaries of a particular plan may not be well defined. In that case the available documents regarding the health benefits (for example, insurance policies, benefits booklets, and enrollment forms) will determine which health benefits are associated with which plan. Absent other documentation, each health benefits program generally should be treated as a separate plan for purposes of the Privacy Rules. For example, an employer that offers an HMO and a health flexible spending account should treat them as two separate plans, absent documentation showing that they have been combined into a single plan. In that instance, a Notice of Privacy Practices should be issued for each single plan that is subject to HIPAA, and each Notice would include the name of one of the HIPAA-subject “plans.”

Question 5: On September 16, 2013 the Department of Health and Human Services issued a “Model Notice of Privacy Practices” that may be used by entities required to distribute the Model Notice of Privacy Practices. Willis also has a “Model Notice of Privacy Practices” which is different from the HHS Notice. May we use either Notice?

Answer 5: Yes. HHS indicated that its Notice is a “baseline” for compliance, and there was no indication that covered entities or insurers were required to use the HHS Notice. So, Willis believes that either Notice may be used. Willis’ “Model Notice of Privacy Practices” is available within the HIPAA Privacy Long Route: An Employer Guide, and the HHS Notice is available at

Question 6: For covered entities which must distribute the Notice of Privacy Practices, how is that distribution accomplished?

Answer 6: The answer to this question is included within the HIPAA Privacy Long Route: An Employer Guide. If the covered entity maintains a website including benefits information, the revised Notice of Privacy Practices must be posted on the website by September 23, 2013. In addition, the Notice of Privacy Practices must also be delivered to individuals. This delivery can
be made by email (if the individual has agreed to receive electronic distribution of such notices), or the notice may be mailed (first class mail), or it may be delivered by hand. Delivery of the Notice does not require a special mailing, and the covered entity may choose to include the Notice within the SPD or annual enrollment materials. If the covered entity does not have a website with benefits information, then the revised Notice of Privacy Practices must be distributed to individuals within 60 days of the material revision of the Notice.

The information in this publication is not intended as legal or tax advice and has been prepared solely for informational purposes. You may wish to consult your attorney or tax adviser regarding issues raised in this publication.