HIPAA Privacy: Implementing Privacy for Government Health Plans. Roberta M. Ward, Senior Counsel, Privacy Officer, California Department of Health Services. Tuesday, September 16, 2003, 11:00 am-Noon
What types of government health plans are covered by the Privacy Rule?
ERISA employee plans
Medicare, Parts A and B
Employee health benefits plans
Indian Health Service program
Federal Employees Health Benefits Program
State Child Health Plans under Title XXI
Medicare + Choice Program
State high risk pools to provide coverage to eligible
General Catch-all Category:
A group plan that provides, or pays the cost of medical care
Not equivalent to a “group health plan,” which is an employee plan under ERISA
Comes under 45 CFR 160.103 Health Plan (xvii): “Any other individual or group plan,… that provides or pays for the cost of medical care”
Excluded from the definition:
Any policy, plan or program which pays for the cost of excepted benefits listed in 42 U.S.C. 300gg-91(c)(1)
A government funded program whose principal purpose is other than providing or paying the cost of health care, or
Whose principal activity is the direct provision of health care, or
The making of grants to fund the direct provision of health care
Continuing Confusion About Catch-all Category
“Any other group plan that provides or pays for the cost of medical care”
“Group plan” is not defined and is not restricted to ERISA plans, which are “group health plans” under the definition at 45 CFR 160.103
Intent of the Privacy Rule coverage of government health plans is to be very expansive
Commenters on the Privacy Rule argued that many government “payment programs” should not be included in the definition of a health plan, such as the AIDS Drug Assistance Program and Breast and Cervical Cancer Screening Programs
In the Final Rule, OCR excepts out only government programs that have a principal purpose other than providing or paying for the cost of health care, or those which have as their principal activity the direct provision of health care or the making of grants to fund the direct provision of health care
Specifically Mentioned in Preamble as Excluded:
Health care services for INS detainees
Title X Public Health Service Act grantees for family planning programs
“To the extent that a certain benefits plan or program otherwise meets the definition of ‘health plan’ and is not explicitly excepted, that program or plan is considered a ‘health plan’ under paragraph (1)(xvii) of the final rule.”
“Where a public program meets the definition of ‘health plan’, the government agency that administers the program is the covered entity.”
Department of Health Services (DHS) is a “hybrid entity” under HIPAA
Hybrid entity is a single legal entity which contains both covered and non-covered functions
Hybrid must ensure that covered health care components of the entity comply with HIPAA, and
Do not disclose PHI to another component of the covered entity when the Privacy Rule would prohibit disclosure if the health care component and other component were separate and distinct legal entities
Rules for Hybrid Entities
Employees of hybrid entity must not use or disclose PHI created or received in the course of work for the covered health care component in a way prohibited by Privacy Rule when they work for both covered and noncovered components of the hybrid.
Hybrid must document designations of covered health care components and must include any component that would meet the definition of a covered entity if it were a separate legal entity.
The advantage of being a hybrid entity is that strict HIPAA rules apply only to covered components and their internal business associates.
DHS Covered Components
County Medical Services Program (DHS runs program on behalf of counties)
Children’s Treatment Program
Physicians’ Services Contract Back/Emergency Medical Services Appropriation
Refugee Health Services
California Children’s Services
Child Health and Disability Prevention Program
Genetically Handicapped Persons Program
Medical Therapy Program
Newborn & Prenatal Screening
AIDS Drug Assistance Program
AIDS Medi-Cal Waiver
HIV Diagnostic Assay Program
Cancer Detection—Prostate Cancer
Breast and Cervical Cancer Detection Program
Long Term Care – SCAN
Long Term Care – PACE
Federal Preemption is when another federal statute or regulation is contrary to and more stringent than the provisions of the Privacy Rule.
If a Federal statute or regulation relating to the privacy of PHI is more stringent than a standard, requirement or implementation specification of the HIPAA Privacy Rule, the provision of the Federal law controls.
More Stringent Means:
With respect to a use or disclosure, the Federal law prohibits or restricts a use or disclosure in circumstances where the use or disclosure would be permitted under HIPAA,
Except to the Secretary for determining compliance, or
To the individual who is the subject of the PHI, or
Permits greater rights of access or amendment to the individual, who is the subject of the PHI
What Does This Mean for the Medicaid Program?
Medicaid rules on use and disclosure are much more restrictive than HIPAA
The Federal Medicaid statute and regulations restrict the use or disclosure of information concerning applicants and recipients to purposes directly connected with the administration of the state Medicaid program. (Section 1902(a)(7) of the Social Security Act and 42 CFR 431.300 et seq.)
States are required to have statutes that provide legal safeguards against uses or disclosures of Medicaid information for purposes not directly connected with the administration of Medicaid and which impose sanctions for violations.
Purposes directly connected with Medicaid Administration are narrowly defined as:
Establishing eligibility, determining the amount of medical assistance, providing services for recipients, and conducting or assisting an investigation, prosecution, or civil or criminal proceeding related to Medicaid program administration.
Medicaid agencies must safeguard information about applicants and recipients, including:
Names and addresses; medical services provided; social and economic conditions or circumstances; agency evaluation of personal information; medical data including diagnosis and past history of disease or disability; any information received for verifying income eligibility and amount of medical assistance; any third party liability information.
Medicaid agencies must inform the court of the restrictions on use and disclosures in response to a subpoena for a case record or for an agency representative to testify concerning an applicant or recipient.
Medicaid agencies may only distribute materials to applicants, recipients, or medical providers which directly relate to the administration of Medicaid.
Medicaid agencies must not distribute holiday greetings, general public announcements, partisan voting information, or alien registration notices.
Medicaid agencies may distribute materials directly related to the health and welfare of applicants and recipients, such as announcements of free medical examinations, availability of surplus food, and consumer protection information.
How do the Medicaid restrictions on use and disclosure intersect with the HIPAA Privacy Rule?
HIPAA permissible disclosures are generally not allowed under Medicaid:
The Medicaid agency may not disclose PHI:
To public health authorities
To researchers, unless research is related to operation of the Medicaid program
In response to a subpoena, unless subpoena is for criminal or civil case related to Medicaid program, such as fraud and abuse
In response to beneficiary’s own authorization, unless purpose is directly related to administration of the Medicaid program
To coroners, medical examiners, and funeral directors
To law enforcement, unless Medicaid fraud investigation or prosecution
For public safety or security reasons
In response to a court order, without informing the court first of the restrictive Medicaid rules on use and disclosures
What about the right of Medicaid beneficiaries to access their own records?
Prior to HIPAA, information could only be released to beneficiaries for purposes directly connected with Medicaid operations.
Post HIPAA, contrary laws may not restrict health plan beneficiaries’ rights to access or amend their own records.
This has been acknowledged in conversations with federal attorneys, but CMS has not issued written guidance.
What are the Requirements for a Medicaid Notice of Privacy Practices (NPP)?
Plain language—short sentences in active voice, use common everyday words, divide material into short sections
Uses and disclosures must reflect the more stringent law: in this case, the Medicaid law (45 CFR 164.520(b)(1)(ii)(C)).
The laundry list of HIPAA permissible disclosures should not be included, as the Medicaid agency is not permitted by law to make these disclosures.
Should be translated into threshold languages for limited English proficiency beneficiaries
Should be available in braille or on audiotape for sight impaired beneficiaries to comply with the ADA
Title VI of the Civil Rights Act of 1964 prohibits discrimination on the basis of race, color, or national origin in any program or activity that receives Federal Financial Assistance
The Office for Civil Rights (OCR) in the Department of Health and Human Services (HHS) has published Guidance to Federal Financial Assistance Recipients Regarding Title VI Prohibition Against National Origin Discrimination Affecting Limited English Proficient (LEP) Persons
OCR’s Guidance requires the translation of written materials which are considered vital documents
NPP’s Must be Translated
NPP is a Vital Document
Vital documents include consent and complaint forms, intake forms, written notices of eligibility criteria, rights, etc.
HIPAA Notices of Privacy Practices (NPP’s) are written notices of rights and thus should be considered “vital documents”
Meeting the Safe Harbor rule is strong evidence of compliance with the recipient’s written-translation obligations:
The recipient of HHS federal financial assistance must provide written translation of vital documents for each LEP language group that constitutes 5 percent or 1,000, whichever is less, of the population of persons eligible to be served or likely to be affected or encountered by the program or provider
Entities Covered by OCR Guidance
Entities covered by the OCR Guidance include any state or local agency, private institution or organization that (1) operates, provides, or engages in health, or social service programs and activities and (2) receives Federal financial assistance from HHS directly or through another covered entity.
Covered entities with LEP obligations include: health care providers; managed care organizations; universities and other entities with health research programs; state, county and local health agencies; State Medicaid agencies.
Title VI HIPAA Obligations
The Preamble to the Privacy Rule notes: “(A)ny covered entity that is a recipient of federal financial assistance is generally obligated under Title VI of the Civil Rights Act of 1964 to provide material ordinarily distributed to the public in the primary languages of persons with limited English proficiency in the recipients’ service areas. Specifically, this Title VI obligation provides that, where a significant number or proportion of the population eligible to be served …by a federally assisted program needs service or information in a language other than English in order to be effectively informed of or participate in the program, the recipient shall take reasonable steps, considering the scope of the program and the size and concentration of such population, to provide information in languages appropriate to such persons.” 65 Fed. Reg. 82547 (December 28, 2000)
Medi-Cal Threshold Languages
California’s Medicaid NPP was translated into 13 threshold languages, including English and Spanish
Distribution of NPP’s
Health plans must distribute to individuals “covered by the health plan” (enrollees):
As of the compliance date;
After the compliance date, at enrollment in the health plan to new enrollees;
After enrollment, within 60 days of a material revision to the content of the NPP; notify enrollees of the availability of the NPP every three years; and make it available upon request to any person.
Only need to send to named insured, or head of household, not every dependent
Problems in Distributing NPP’s
Challenge with DHS health plans in which there is no stable enrollment, where coverage is episodic, and plans are the payors of last resort
Patient identifying information is sent to the fiscal intermediary with the claim and not easily retrievable
Family PACT program where adolescents receive family planning services, without parental notification
Actions Taken by DHS
DHS asked providers to distribute NPP’s for these health plans and preserve documentation of distribution
Privacy Rule Preamble allows health plans to arrange for others to distribute NPP’s on their behalf, such as health care providers affiliated with the health plan.
Covered providers are required to distribute only their own NPP. If the other entity fails to distribute the NPP, the health plan may be in violation of the Privacy Rule.
Preamble on Distribution by Others
Preamble states: “We require covered providers to distribute only their own notices, and neither require nor prohibit health plans and health care providers from devising whatever arrangements they find suitable to meet the requirements of this rule.” 65 Fed. Reg. 82720 (December 28, 2000)
Many State Medicaid programs have contracted out the operations of Medicaid to private HMO’s
California’s Medi-Cal program is about 50/50 fee-for-service and managed care
Issues: Is the managed care organization (MCO) the business associate of the State Medicaid agency?
What set of rules apply to uses and disclosures of Medicaid PHI by the MCO?
Business associate performs a function or activity involving PHI on behalf of covered entity, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management and/or provides management, administrative, or financial services to or for such covered entity
What Are MCO’s?
Could argue that MCO’s are business associates of state Medicaid agencies
Would require business associate agreements
MCO’s would be restricted to same uses and disclosures of PHI as the state Medicaid agency
Medicaid agency would assume some liability for privacy breaches of MCO’s
MCO’s Not Medicaid Business Associates
Because MCO’s are generally full-risk HMO’s that are covered entities in their own right and do not like being considered business associates, the prevailing view is that they are not business associates of the state Medicaid agency.
MCO’s Could be OHCA’s
Could be participants in “Organized Health Care Arrangements” (OHCA’s) with the state Medicaid agency if they agree
OHCA is an organized system of health care in which more than one covered entity participates and where the covered entities hold themselves out to the public as participating in a joint arrangement and participate in joint health care activities, such as UR, QA, or payment activities
Advantages of Being an OHCA
OHCA’s are formed by participating covered entities which share PHI to manage and benefit their common enterprise
Covered entities in an OHCA can share PHI with each other for the arrangement’s joint health care operations
Covered entities in an OHCA may issue a joint NPP
Most common interpretation is that MCO’s and state Medicaid agency are jointly operating a government health plan
Where a public agency is required or authorized by law to administer a health plan jointly with another entity, public or private, OCR considers each agency to be a covered entity
Examples of joint administration include:
State and Federal Medicaid and SCHIP Programs
Medicare +Choice Plan and CMS
Contractual Obligations of MCO’s
State Medicaid agency allowed to limit uses and disclosures of PHI under MCO contract to only those restrictive uses and disclosures permitted by federal law for the single state Medicaid agency
State Medicaid agency can put business associate protections in its contracts with MCO’s
Under the Balanced Budget Act, state Medicaid agency has obligation to ensure HIPAA compliance by its MCO’s
Other State Agencies
Other state agencies work in partnership with the state Medicaid program to implement certain Medicaid benefits
An agency that does not administer a program, but which provides services for the program is not a covered entity
Parts of these agencies may be a business associate of the state Medicaid program. 65 Fed. Reg. 82578 (December 28, 2000)
Business associate language may be incorporated into Inter-Agency Agreements or into regulations.
Eligibility & Enrollment Exception
But there is an exception for government agencies that are authorized by law to collect eligibility or enrollment information for covered government health plans.
These agencies are not considered business associates of the covered government health plans but the covered entity health plan is allowed to make disclosures of PHI to them. 45 CFR 164.502(e)(1)(ii)(C)
Providers are Not BA’s
Treating providers which are paid by the health plan are not thereby business associates of the health plan
Business Associate Agreements
Business associate agreements should include timely notification to the covered entity of breach of security of PHI
California law requires immediate notification by contractor of breach to the covered entity and subsequent notification of persons whose PHI has been acquired by an unauthorized person
Other important provisions in fiscal intermediary business associate agreements:
Written privacy and security policies, duty to assist in defense,
Time deadlines on duty to provide access to records and amend records,
Access to internal practices, books and records by covered entity to audit compliance with privacy
Medicaid and other government health plans audit and oversee their providers and contracted health plans for compliance with program rules and standards and to discover fraud and abuse
Several sections of the Privacy Rule may be relied upon to allow the providers or other health plans to disclose the PHI to the auditors
Disclosure may be required by state laws or regulations (and thus may be a “required by law” permissible disclosure under 45 CFR 164.512(a))
Disclosures for Operations
A covered entity may disclose PHI to another covered entity for health care operations of the entity that receives the information, if each entity has or had a relationship with the individual who is the subject of the PHI, the PHI pertains to the relationship, and the disclosure is for the purpose of health care fraud and abuse detection or compliance. 45 CFR 164.506(c)(4).
If the disclosure is not required by law, and does not fit into the operations disclosure exception above, then argue that the disclosure is to a health oversight agency
Health oversight agencies are state or local agencies, or their agents, authorized by law to oversee the health care system or government programs in which health information is necessary to determine eligibility or compliance. 45 CFR 164.501.
Health Oversight Disclosures
Covered entities may disclose PHI to health oversight agencies for oversight activities authorized by law, including audits and civil, administrative, or criminal proceedings or actions.
Auditors are entitled to see records of beneficiaries from other programs or who are private pay, if necessary for health care oversight and auditing
A covered entity may rely, if such reliance is reasonable, on a requested disclosure as the minimum necessary for the stated purpose when making disclosures to public officials under 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose. 45 CFR 164.514(d)(3)(iii)(A).