Presentation on theme: "HIPAA Compliance: from an Employer’s Perspective Presented by VGM Mark J. Higley Vice President, Development."— Presentation transcript:
Presented in a 3-Part Series “What, I’m a Health Plan?” “Employers: 4 Buckets” HIPAA Reference
Part I - What? I’m a Health plan? (And other common questions Employers have about HIPAA)
Topics for Review Am I Covered by HIPAA? –Identifying whether you (or your sponsor) are a health plan. What Is it? –Identifying the type of plan What does it do? –Identifying the activities of the plan Why it Matters
HIPAA regulates “covered entities” If you don’t know your status and identify whether and which functions are regulated: –You may unnecessarily apply HIPAA restrictions to parts of your entity not regulated. –You may not be in compliance for the parts of your entity that are regulated.
HIPAA Application HIPAA requirements depend on the characteristics discussed below: –Whether you have benefits covered by the rule –The identity of the legal entity –The types of plans offered (fully or self-insured, self- or third-party administered) –The amount of health information received, and the purposes for which it is used
Am I Covered by HIPAA? HIPAA does not cover employers or sponsors directly. HIPAA applies to health plans (including those that the employer or sponsor creates and pays for). –In reality, even for entities covered by ERISA, an employer is merely wearing two different hats. –The human resources or personnel department is the staff for employer/employee-related issues and for the health plan. –HIPAA only regulates these staff when they are acting as, or for, the health plan.
Employer’s Multiple Hats Employers that provide or pay for health related benefits for their employees and dependents may be covered by HIPAA. The employer itself may be directly covered, or it may have set up a separate entity that holds its benefits plan(s). –If you are subject to ERISA (29 U.S.C. 1002) your benefits plans are a separate entity. (e.g. most employers) Often the separate entity is nothing more than a plan document. –If you are not subject to ERISA, you may not have a separate entity that contains your employee benefits. (e.g. local governments). Often managed by human resources or personnel.
HIPAA Coverage Health Plans covered by HIPAA –A Health Plan means an individual or group plan that provides, or pays the cost of, medical care... including 16 named types of plans (45 C.F.R. 160.103) –A group health plan means an employee welfare benefit plan (as defined by ERISA) including insured and self-insured plans to the extent that the plan provides medical care…including items and services paid for as medical care, to employees or their dependents directly or through insurance, reimbursement or otherwise that has 50 or more participants or is administered by an entity other than the employer that established and maintains it.
Where is my Plan? First, Identify the Health Related benefits that you offer: –Group health plan/ other health plan –Add-on health benefits: Dental, Vision, Pharmacy, Long-term Care, etc. –Employee assistance programs –Flexible Savings Accounts (§125 medical) –On-Site Medical Facility or Clinic – (may be health care provider, not addressed here)
What isn’t my (HIPAA) plan? HIPAA Health Plans exclude “excepted benefits” (defined at 42 U.S.C. 300gg-91(c)(1)). Health-Related Benefits Excluded: –Coverage only for accident, or disability income insurance –Liability insurance, including general liability insurance and automobile liability insurance –Workers Compensation or similar insurance –Coverage for on-site medical clinics
Put your HIPAA in the (right) box Second, Identify the legal entity your benefits are in: Are all the covered benefits included in the ERISA plan? –If so, only the ERISA entity is regulated by HIPAA. –If not, the entity or organization as a whole is regulated by HIPAA.
Put your HIPAA in the (right) box For an employer with benefits not included under an ERISA entity: –The Privacy Rule allows entities to elect Hybrid Status. Must separate out their component(s) that are regulated and apply privacy only to those parts. –Employer can choose to segregate its health related benefits into a “health care component”. Document hybrid status election, if applicable.
What breed of HIPAA? Third, Identify the type of health plan(s) that you offer: For each plan or benefit type identify whether it is Self Insured or Fully Insured. –Self Insured (or self-funded) means that the employer pays for the cost of the services or care used by covered members. (May pay claims directly or through a third party administrator). For self-insured, it will also be useful to identify whether it is administered in-house or by a third party. –Fully Insured means that the employer purchases coverage/insurance (e.g. from an insurance issuer or HMO). The employer pays a capitated or per member/per month rate regardless of whether members utilize services.
What does my HIPAA plan do? Fourth, Identify the plan activities: Most employers have not separated or defined the activities or functions that staff perform as a plan from those performed for the employer. –HIPAA applies differently depending on the activities performed. –HIPAA only regulates the activity of the plan. Can identify all activities related to health benefits for employees (e.g. human resources), or review the rule for typical functions –Note: fully insured plans and third party administered plans may have very few activities
Plan Activities Payment and health care operations examples: –Payment – actions to provide benefits, obtain premiums, determine or fulfill coverage responsibilities, and obtain reimbursement for health care –quality assurance –claims processing –auditing –monitoring and management of carve-out plans (vision and dental) –Customer services –For fully insured plans, underwriting and rate changes, and reviewing experience reports
Other Activities Employers acting as a sponsor typically: –Enrollment and changes to enrollment –Functions performed for benefits not covered by HIPAA –Explaining/counseling employees about benefits and plan options –Actions to modify, amend, or terminate the plan or solicit bids from prospective issuers –Underwriting and rate changes, and reviewing experience reports
What information does my plan receive? Fifth: Determine what PHI you (as the plan) create or receive. (Plan directly or business associate). The type and amount of protected health information (PHI) received determines whether certain responsibilities apply. There are fewer obligations for most plans that limit PHI to: –Enrollment and changes to enrollment –Summary health information: information that summarizes claims history, claims expenses, or types of claims experienced by individuals covered, where direct identifiers are removed (see 45 C.F.R. 164.504(a))
Summary Identify: One: Health Benefits Offered Two: Legal Entity –Hybrid Status if applicable Three: Type of Plan Four: Plan functions or activities Five: Health Information Received