HIPAA Privacy: Implementing Privacy for Government Health Plans Roberta M. Ward Senior Counsel, Privacy Officer California Department of Health Services Tuesday, September 16, 2003 * 11:00 am-Noon
What types of government health plans are covered by the Privacy Rule?
Specifically mentioned:
ERISA employee plans
HMOs
Medicare, Parts A and B
Medicaid
Employee health benefits plans
CHAMPUS
Indian Health Service program
Federal Employees Health Benefits Program
State Child Health Plans under Title XXI
Medicare + Choice Program
State high risk pools to provide coverage to eligible individuals
General Catch-all Category:
A group plan that provides, or pays the cost of, medical care
Not equivalent to a "group health plan," which is an employee plan under ERISA
Comes under the 45 CFR definition of Health Plan, paragraph (xvii): "Any other individual or group plan,… that provides or pays for the cost of medical care"
Exceptions
Any policy, plan or program which pays for the cost of excepted benefits listed in 42 U.S.C. 300gg-91(c)(1)
A government funded program whose principal purpose is other than providing or paying the cost of health care, or
– whose principal activity is the direct provision of health care, or
– the making of grants to fund the direct provision of health care
Continuing Confusion About Catch-all Category
"Any other group plan that provides or pays for the cost of medical care"
"Group plan" is not defined and is not restricted to ERISA plans, which are "group health plans" under the definition at 45 CFR
The intent of the Privacy Rule's coverage of government health plans is to be very expansive
Commenters on the Privacy Rule argued that many government payment programs should not be included in the definition of a health plan, such as the AIDS Drug Assistance Program and Breast and Cervical Cancer Screening Programs
In the Final Rule, OCR excepts out only government programs that have a principal purpose other than providing or paying for the cost of health care, or
those which have as their principal activity the direct provision of health care or the making of grants to fund the direct provision of health care
Specifically Mentioned in Preamble as Excluded:
WIC Program
Health care services for INS detainees
Title X Public Health Service Act grantees for family planning programs
To the extent that a certain benefits plan or program otherwise meets the definition of health plan and is not explicitly excepted, that program or plan is considered a health plan under paragraph (1)(xvii) of the final rule.
Where a public program meets the definition of health plan, the government agency that administers the program is the covered entity.
Preamble to Privacy Rule: 65 Fed. Reg (December 28, 2000)
Department of Health Services (DHS) is a hybrid entity under HIPAA
A hybrid entity is a single legal entity which contains both covered and non-covered functions
The hybrid must ensure that covered health care components of the entity comply with HIPAA, and
do not disclose PHI to another component of the covered entity when the Privacy Rule would prohibit disclosure if the health care component and the other component were separate and distinct legal entities
Rules for Hybrid Entities
Employees of a hybrid entity must not use or disclose PHI created or received in the course of work for the covered health care component in a way prohibited by the Privacy Rule when they work for both covered and noncovered components of the hybrid.
The hybrid must document designations of covered health care components and must include any component that would meet the definition of a covered entity if it were a separate legal entity.
The advantage of being a hybrid entity is that strict HIPAA rules apply only to covered components and their internal business associates.
(Slide image: HIPAAsaurus DHS)
DHS Covered Components
Medi-Cal
County Medical Services Program (DHS runs the program on behalf of counties)
Children's Treatment Program
Physicians Services Contract Back/Emergency Medical Services Appropriation
Refugee Health Services
California Children's Services
Child Health and Disability Prevention Program
Genetically Handicapped Persons Program
Medical Therapy Program
Family PACT
Newborn & Prenatal Screening
AIDS Drug Assistance Program
AIDS Medi-Cal Waiver
HIV Diagnostic Assay Program
Cancer Detection – Prostate Cancer
Breast and Cervical Cancer Detection Program
Long Term Care – SCAN
Long Term Care – PACE
Federal Preemption
Federal preemption is when another federal statute or regulation is contrary to and more stringent than the provisions of the Privacy Rule.
If the Federal statute or regulation relating to the privacy of PHI is more stringent in comparison to a standard, requirement or implementation specification of the HIPAA Privacy Rule, the provision of the Federal law controls.
More Stringent Means:
With respect to a use or disclosure, the Federal law prohibits or restricts a use or disclosure in circumstances where the use or disclosure would be permitted under HIPAA,
– except to the Secretary for determining compliance, or
– to the individual who is the subject of the PHI, or
Permits greater rights of access or amendment to the individual who is the subject of the PHI
What Does This Mean for the Medicaid Program?
Medicaid rules on use and disclosure are much more restrictive than HIPAA.
The Federal Medicaid statute and regulations restrict the use or disclosure of information concerning applicants and recipients to purposes directly connected with the administration of the state Medicaid program. (Section 1902(a)(7) of the Social Security Act and 42 CFR et seq.)
States are required to have statutes that provide legal safeguards against uses or disclosures of Medicaid information for purposes not directly connected with the administration of Medicaid and which impose sanctions for violations.
Purposes directly connected with Medicaid Administration are narrowly defined as: Establishing eligibility, determining the amount of medical assistance, providing services for recipients, and conducting or assisting an investigation, prosecution, or civil or criminal proceeding related to Medicaid program administration.
Title XIX
Medicaid agencies must safeguard information about applicants and recipients, including: names and addresses; medical services provided; social and economic conditions or circumstances; agency evaluation of personal information; medical data including diagnosis and past history of disease or disability; any information received for verifying income eligibility and amount of medical assistance; any third party liability information.
Medicaid agencies must inform the court of the restrictions on use and disclosures in response to a subpoena for a case record or for an agency representative to testify concerning an applicant or recipient.
Allowable Distributions
Medicaid agencies may only distribute materials to applicants, recipients, or medical providers which directly relate to the administration of Medicaid.
Medicaid agencies must not distribute holiday greetings, general public announcements, partisan voting information and alien registration notices.
Medicaid agencies may distribute materials directly related to the health and welfare of applicants and recipients, such as announcements of free medical examinations, availability of surplus food, and consumer protection information.
How do the Medicaid restrictions on use and disclosure intersect with the HIPAA Privacy Rule?
HIPAA permissible disclosures are generally not allowed under Medicaid. The Medicaid agency may not disclose PHI:
– To public health authorities
– To researchers, unless the research is related to operation of the Medicaid program
– In response to a subpoena, unless the subpoena is for a criminal or civil case related to the Medicaid program, such as fraud and abuse
– In response to the beneficiary's own authorization, unless the purpose is directly related to administration of the Medicaid program
– To coroners, medical examiners, and funeral directors
– To law enforcement, unless for a Medicaid fraud investigation or prosecution
– For public safety or security reasons
– In response to a court order, without informing the court first of the restrictive Medicaid rules on use and disclosures
What about the right of Medicaid beneficiaries to access their own records?
Prior to HIPAA, information could only be released to beneficiaries for purposes directly connected with Medicaid operations.
Post HIPAA, contrary laws may not restrict health plan beneficiaries' rights to access or amend their own records.
This has been acknowledged in conversations with federal attorneys, but CMS has not issued written guidance.
What are the Requirements for a Medicaid Notice of Privacy Practices (NPP)?
Plain language: short sentences in active voice, use common everyday words, divide material into short sections
Uses and disclosures must reflect the more stringent law: in this case, the Medicaid law (45 CFR (b)(1)(ii)(C)).
The laundry list of HIPAA permissible disclosures should not be included, as the Medicaid agency is not permitted to make these disclosures by law.
Should be translated into threshold languages for limited English proficiency beneficiaries
Should be available in braille or on audiotape for the sight impaired to comply with the ADA
NPPs Must be Translated
Title VI of the Civil Rights Act of 1964 prohibits discrimination on the basis of race, color, or national origin in any program or activity that receives Federal Financial Assistance
The Office for Civil Rights (OCR) in the Department of Health and Human Services (HHS) has published Guidance to Federal Financial Assistance Recipients Regarding Title VI Prohibition Against National Origin Discrimination Affecting Limited English Proficient (LEP) Persons
OCR's Guidance requires the translation of written materials which are considered "vital documents"
NPP is a Vital Document
Vital documents include consent and complaint forms, intake forms, written notices of eligibility criteria, rights, etc.
HIPAA Notices of Privacy Practices (NPPs) are written notices of rights and thus should be considered vital documents
The Safe Harbor rule is strong evidence of compliance with the recipient's written-translation obligations:
– The recipient of HHS federal financial assistance must provide written translation of vital documents for each LEP language group that constitutes 5 percent or 1,000 persons, whichever is less, of the population of persons eligible to be served or likely to be affected or encountered by the program or provider
Entities Covered by OCR Guidance
Entities covered by the OCR Guidance include any state or local agency, private institution or organization that (1) operates, provides, or engages in health or social service programs and activities and (2) receives Federal financial assistance from HHS directly or through another covered entity.
Covered entities with LEP obligations include: health care providers; managed care organizations; universities and other entities with health research programs; state, county and local health agencies; State Medicaid agencies.
Title VI HIPAA Obligations
The Preamble to the Privacy Rule notes: "(A)ny covered entity that is a recipient of federal financial assistance is generally obligated under Title VI of the Civil Rights Act of 1964 to provide material ordinarily distributed to the public in the primary languages of persons with limited English proficiency in the recipient's service areas. Specifically, this Title VI obligation provides that, where a significant number or proportion of the population eligible to be served … by a federally assisted program needs service or information in a language other than English in order to be effectively informed of or participate in the program, the recipient shall take reasonable steps, considering the scope of the program and the size and concentration of such population, to provide information in languages appropriate to such persons." 65 Fed. Reg (December 28, 2000)
Medi-Cal Threshold Languages
California's Medicaid NPP was translated into 13 threshold languages, including English and Spanish
Distribution of NPPs
Health plans must distribute to individuals covered by the health plan (enrollees):
– as of the compliance date;
– after the compliance date, at enrollment in the health plan to new enrollees;
– after enrollment, within 60 days of a material revision to the content of the NPP;
– notify enrollees of the availability of the NPP every three years; and
– make it available upon request to any person.
Only need to send to the named insured, or head of household, not every dependent
Problems in Distributing NPPs
Challenge with DHS health plans in which there is no stable enrollment, where coverage is episodic, and the plans are the payors of last resort
Patient identifying information is sent to the fiscal intermediary with the claim and is not easily retrievable
Family PACT program, where adolescents receive family planning services without parental notification
Actions Taken by DHS
DHS asked providers to distribute NPPs for these health plans and preserve documentation of distribution
The Privacy Rule Preamble allows health plans to arrange for others to distribute NPPs on their behalf, such as health care providers affiliated with the health plan.
Covered providers are required to distribute only their own NPP.
If the other entity fails to distribute the NPP, the health plan may be in violation of the Privacy Rule.
Preamble on Distribution by Others
Preamble states: "We require covered providers to distribute only their own notices, and neither require nor prohibit health plans and health care providers from devising whatever arrangements they find suitable to meet the requirements of this rule." 65 Fed. Reg (December 28, 2000)
HMOs
Many State Medicaid programs have contracted out the operations of Medicaid to private HMOs
California's Medi-Cal program is about 50/50 fee-for-service and managed care
Issues:
– Is the managed care organization (MCO) the business associate of the State Medicaid agency?
– What set of rules apply to uses and disclosures of Medicaid PHI by the MCO?
Business Associates
A business associate performs a function or activity involving PHI on behalf of a covered entity, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and/or provides management, administrative, or financial services to or for such covered entity
What Are MCOs?
Could argue that MCOs are business associates of state Medicaid agencies
Would require business associate agreements
MCOs would be restricted to the same uses and disclosures of PHI as the state Medicaid agency
The Medicaid agency would assume some liability for privacy breaches of MCOs
MCOs Not Medicaid Business Associates
Because MCOs are generally full risk HMOs who are covered entities in their own right and don't like being considered business associates, the prevailing view is that they are not business associates of the state Medicaid agency.
MCOs Could be OHCAs
Could be participants in Organized Health Care Arrangements (OHCAs) with the state Medicaid agency if they agree
An OHCA is an organized system of health care in which more than one covered entity participates and where the covered entities hold themselves out to the public as participating in a joint arrangement and participate in joint health care activities, such as UR, QA, or payment activities
Advantages of Being an OHCA
OHCAs are formed by participating covered entities which share PHI to manage and benefit their common enterprise
Covered entities in an OHCA can share PHI with each other for the arrangement's joint health care operations
Covered entities in an OHCA may issue a joint NPP
Joint Operation
The most common interpretation is that MCOs and the state Medicaid agency are jointly operating a government health plan
Where a public agency is required or authorized by law to administer a health plan jointly with another entity, public or private, OCR considers each agency to be a covered entity
Examples of joint administration include:
– State and Federal Medicaid and SCHIP Programs
– Medicare + Choice Plan and CMS
Contractual Obligations of MCOs
The State Medicaid agency is allowed to limit uses and disclosures of PHI under the MCO contract to only those restrictive uses and disclosures permitted by federal law for the single state Medicaid agency
The State Medicaid agency can put business associate protections in its contracts with MCOs
Under the Balanced Budget Act, the state Medicaid agency has an obligation to ensure HIPAA compliance by its MCOs
Other State Agencies
Other state agencies work in partnership with the state Medicaid program to implement certain Medicaid benefits
An agency that does not administer a program, but which provides services for the program, is not a covered entity
Parts of these agencies may be business associates of the state Medicaid program. 65 Fed. Reg (December 28, 2000)
Business associate language may be incorporated into Inter-Agency Agreements or into regulations.
Eligibility & Enrollment Exception
But there is an exception for government agencies that are authorized by law to collect eligibility or enrollment information for covered government health plans.
These agencies are not considered business associates of the covered government health plans, but the covered entity health plan is allowed to make disclosures of PHI to them. 45 CFR (e)(1)(ii)(C)
Providers are Not BAs Treating providers which are paid by the health plan are not thereby business associates of the health plan
Business Associate Agreements
Business associate agreements should include timely notification to the covered entity of a breach of security of PHI
California law requires immediate notification by the contractor of a breach to the covered entity and subsequent notification of persons whose PHI has been acquired by an unauthorized person
FI Contracts
Other important provisions in fiscal intermediary business associate agreements:
– Written privacy and security policies
– Duty to assist in defense
– Time deadlines on the duty to provide access to records and to amend records
– Access to internal practices, books and records by the covered entity to audit compliance with privacy
Audits
Medicaid and other government health plans audit and oversee their providers and contracted health plans for compliance with program rules and standards and to discover fraud and abuse
Several sections of the Privacy Rule may be relied upon to allow the providers or other health plans to disclose the PHI to the auditors
Disclosure may be required by state laws or regulations (and thus may be a "required by law" permissible disclosure under 45 CFR (a))
Disclosures for Operations
A covered entity may disclose PHI to another covered entity for health care operations of the entity that receives the information, if each entity has or had a relationship with the individual who is the subject of the PHI, the PHI pertains to the relationship, and the disclosure is for the purpose of health care fraud and abuse detection or compliance. 45 CFR (c)(4).
If the disclosure is not required by law, and does not fit into the operations disclosure exception above, then argue that the disclosure is to a health oversight agency
Health Oversight Health oversight agencies are state or local agencies, or their agents, authorized by law to oversee the health care system or government programs in which health information is necessary to determine eligibility or compliance. 45 CFR
Health Oversight Disclosures
Covered entities may disclose PHI to health oversight agencies for oversight activities authorized by law, including audits and civil, administrative, or criminal proceedings or actions.
Auditors are entitled to see records of beneficiaries from other programs or who are private pay, if necessary for health care oversight and auditing
A covered entity may rely, if such reliance is reasonable, on a requested disclosure as the minimum necessary for the stated purpose when making disclosures to public officials under , if the public official represents that the information requested is the minimum necessary for the stated purpose. 45 CFR (d)(3)(iii)(A).
Administrative Simplification By the Federal Government Are You Kidding?