September 2003
THE HIPAA QUAGMIRE:
Compliance Guidelines for the
Health Insurance Portability and Accountability Act
by Cynthia M. Masbaum, Joseph J. Perkoski and Laura M. Sinars, attorneys
Robbins, Schwartz, Nicholas, Lifton & Taylor, Ltd.
The Illinois Association of School Boards gratefully acknowledges the permission of the authors to publish this document. Please note that this material is not a substitute for legal counsel and is published for informational purposes only. Please contact your district's attorney for legal advice.
For more information, visit the HIPAA web site of the U.S. Department of Health and Human Services.
______
I. INTRODUCTION
In 1996, the Health Insurance Portability and Accountability Act (“HIPAA”) was signed into law. The primary focus of HIPAA is to guarantee the continuity of health insurance benefits for individuals changing employment. The other major component of HIPAA is to promote the standardization and efficiency in the manner in which health care claims are submitted, processed, and paid. The law was designed to streamline the administration of health care claims by requiring compliance with consistent rules for the manner in which many transactions and claims are processed electronically.
Recognizing that advances in technology could quickly erode the privacy of health information, Congress also included within HIPAA the requirement for the U.S. Department of Health and Human Services to establish security and privacy standards for electronic transmissions that contain health information. As a result, the Department has issued regulations, known collectively as the “Privacy Rule,” to establish such standards [45 C.F.R. §§ 160 and 164]. There is a good deal of confusion regarding the Privacy Rule and whether – and, if so, how – it applies to school districts and cooperatives.
II. OVERVIEW OF THE PRIVACY RULE
A. Purpose
- To limit the use and disclosure of health records
- To provide patients greater notice and control concerning the distribution of their private health information
B. Requirements
Under the Privacy Rule, “covered entities” must:
1) provide information to patients about their privacy rights and how their information will be used;
2) adopt and implement clear privacy procedures;
3) train employees to understand and follow the privacy procedures;
4) designate individuals responsible for ensuring the adoption and implementation of the privacy procedures and complaint processes; and
5) secure patient records containing individually identifiable health information so that they are accessible only by those who are required to access them in order to carry out their duties.
C. Covered Entities
- Covered entities include:
a) health plans;
b) health care clearinghouses; and
c) health care providers who transmit any health information in electronic form in connection with any transaction covered by the Privacy Rule.
- Application to educational entities
The definition of “covered entities” has raised many issues as to whether educational entities might be considered a covered entity for purposes of the Privacy Rule either through health and/or benefit plans offered to their employees or through the provision of health care services to students. Of the three categories of covered entities, only the first and third would apply to educational entities.
D. Enforcement
- Civil Penalties
The Office for Civil Rights has been provided authority to impose significant civil monetary penalties and criminal penalties against covered entities that fail to comply with the Privacy Rule. The Rule allows individuals who believe their privacy rights have been violated to file a complaint with the Office for Civil Rights.
Fines and penalties can be steep. The Office for Civil Rights may impose civil monetary penalties of $100 per failure to comply with any Privacy Rule requirement. This type of penalty may not exceed $25,000 per year for multiple violations of the same requirement within a calendar year.
- Criminal Penalties
Criminal penalties, which are steeper than the civil penalties, may also be imposed through the Department of Justice. These penalties range from $50,000 and up to a one-year jail sentence for any person found to have knowingly obtained or disclosed protected health information in violation of HIPAA, to $250,000 and up to a ten-year jail sentence for being found guilty of attempting to sell, transfer, or otherwise use protected health information for commercial advantage, personal gain, or malicious harm.
Because of the serious penalties that may be imposed under the Privacy Rule, it is essential for school districts and cooperatives to carefully analyze the plans and services they provide in order to determine whether steps must be taken to comply with the Privacy Rule.
III. HEALTH PLANS
A. Definition
- Defined broadly to mean any individual or group plan that provides medical care or pays the cost of medical care.
- The regulations include seventeen categories of examples of what the Department of Health and Human Services considers a health plan. The relevant consideration for educational entities is that the definition of a health plan includes any “employer-sponsored group health plan,” which is defined as an “employee welfare benefit plan ... including insured and self-insured plans, to the extent that the plan provides medical care, including items and services paid for as medical care, to employees or their dependents directly or through insurance, reimbursement, or otherwise, that (1) has 50 or more participants or (2) is administered by an entity other than the employer that established and maintains the plan.”
B. Factors to Consider to Determine Whether Educational Employers are Considered Health Plans
- Does the school district have a self-insured group health plan?
Educational employers that are self-insured for hospitalization and physician services are considered health plans and must comply with HIPAA’s Privacy Rules. There is debate whether educational employers that are self-insured for dental and vision care are health plans that must comply with the Privacy Rule. However, a careful district would err on the side of caution and treat the dental and vision care as health plans that must comply with the Privacy Rule.
- Is the school district in a self-funded health care trust or health care insurance cooperative?
Educational employers that participate in self-funded health care trusts or health care insurance cooperatives may be health plans. The trust or cooperative can choose to deem itself the health plan, which makes it responsible for Privacy Rule compliance. Alternatively, it may deem the school or district the health plan. Educational administrators should contact the board of the cooperative or trust to determine which party it has deemed the health plan. The party that is not the health plan is called a “business associate,” which is described below. Health plans must ensure that business associates also comply with the Privacy Rule, either through the trust or cooperative agreement itself or through a separate business associate agreement.
- Does the school district or college sponsor a flexible spending account (FSA)?
Educational employers sponsoring a self-insured FSA or health reimbursement account are health plans and are obligated to comply with the Privacy Rule, unless the FSA or account has fewer than 50 participants and is self-administered.
C. Plan Sponsors
- Definition
Educational employers that are fully insured for hospitalization and physician services are considered “plan sponsors” of a health plan under the Privacy Rule, and not “health plans.” Plan sponsors include the following:
- The employer, in the case of an employee benefit plan established or maintained by a single employer;
- The employee organization, in the case of a plan established or maintained by an employee organization;
- The association, committee, joint board of trustees, or other similar group of representatives of the parties who establish or maintain the plan, in the case of a plan established or maintained by two or more employers or jointly by one or more employers or one or more employee organizations.
Therefore, under most situations it appears that an educational entity that pays health care insurance premiums on behalf of employees and dependents would most likely be considered a “plan sponsor” and not a “health plan”.
- Plan sponsors’ access to information
- If the educational entity is considered a plan sponsor, that entity may no longer have access to information from the health insurance company that they previously were able to access. According to the Privacy Rule, any “group health plan” is required to restrict the “use and disclosure of [health information] by the plan sponsor.”
- However, health plans may disclose participants’ health information to plan sponsors in certain circumstances. These include the following:
1) Enrollment and dis-enrollment information so that the plan sponsor has knowledge of the participants in the group health plan;
2) Information relating to the amendment and termination of plan documents;
3) Information on plan participants when needed for the purpose of obtaining bids for insurance purposes; and
4) Protected health information with the written authorization of the plan participant.
- The health plan may require the plan sponsor to sign a certification agreeing to safeguard participants’ protected health information and promising not to use the information in employment and benefits decisions. This is different from a “business associate agreement,” which is described below.
IV. HEALTH CARE PROVIDERS
Health care providers who (1) transmit health information in electronic form (2) in connection to a transaction covered by the Privacy Rule (3) related to providing health care services are considered “covered entities” who must comply with HIPAA’s Privacy Rule.
A. Definitions
- Health care provider
“A provider of medical or health services ... and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.”
- Health care
- Any services that are preventative, maintaining, diagnostic, therapeutic, and/or rehabilitative concerning any aspect of a person’s physical or mental condition.
- This broad definition means that any physician, nurse, occupational therapist, physical therapist, social worker, and/or psychologist who provides such services would all be considered health care providers.
- Further, recall that “health care provider” includes any organization that furnishes, bills, or is paid for health care.
- Health information
Any information, whether oral or recorded in any form, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school district or university, or health care clearinghouse and which relates to the physical or mental health of an individual, the provision of health care to an individual, or the payment of health care services to an individual.
- Covered transaction
The transmission of information between two parties to carry out financial or administrative activities related to health care. This includes:
- processing of health care claims (a request to obtain payment and necessary accompanying information, from a health care provider to a health plan, for health care);
- benefit eligibility inquiries (inquiries into eligibility to receive health care services, level/amount of coverage, benefits associated with the benefit plan, along with responses to any such inquiries);
- requests for referral authorizations (a request from the health plan to obtain authorization to provide health care services and/or to refer an individual to another health care provider, along with the response to such a request);
- health care claim status inquiry (inquiry and response into the status of a health care claim);
- transmission of enrollment/disenrollment information in order to establish or terminate insurance coverage;
- health care payment and remittance advice (transmission of payment, information concerning transfer of funds, payment processing information, Explanation of Benefits, and/or remittance advice);
- health plan premium payment (transmission of payment, information concerning transfer of funds, detailed remittance information concerning premiums being paid, payment processing information);
- coordination of benefits (transmission of information to determine relative payment responsibilities).
- Note: If a health care provider uses another entity to conduct the covered transactions on the health care provider’s behalf, the health care provider still continues to be considered as conducting such a transaction.
B. Interplay with FERPA
- Exceptions within the Privacy Rule:
- The definition of “protected health information” includes an explicit exception for education records that are covered under the Family and Educational Rights and Privacy Act (“FERPA”);
- Another exception includes “records on a student who is 18 years of age or older or who is attending a post-secondary school, which are made or maintained by a physician, psychiatrist, psychologist, or other recognized professional or paraprofessional and are made in connection with the provision of treatment to the student, if such records are not made available to anyone other than people providing such treatment.”
- The current debate concerning the FERPA exception
- Although these exceptions exist within the definitions of the Privacy Rule, the Department of Health and Human Services has indicated that it did not intend a categorical exemption based upon the FERPA exception for school districts from the Privacy Rule.
- The information transmitted to Medicaid and/or a parent’s insurance policy for billing purposes would not normally be considered an educational record maintained under FERPA. Given the requirements under FERPA, it does not seem advisable for an educational entity to attempt to modify its practices to treat such billing records as records that must be maintained under FERPA.
- Educational records which fall under the definition of FERPA continue to be covered under FERPA and are exempt from HIPAA’s Privacy Rule, even if such educational records contain health-related information.
- The Department of Health and Human Services is currently analyzing the interplay between HIPAA and FERPA as it applies to educational entities and will be issuing guidance on this matter. Lobbying efforts are underway at the national level to encourage an interpretation that would exempt educational entities from the requirements of the Privacy Rule altogether.
- Factors to consider to determine whether activities engaged in by educational entities trigger compliance with the Privacy Rule
- Does the educational entity electronically bill for services provided to students with disabilities?
Although, as stated above, debate continues concerning the impact of the FERPA exception, the current interpretation of the Privacy Rule would likely require compliance if the educational entity transmits any health information electronically to Medicaid or private insurance for billing purposes, or for any other transaction that falls under one of the “covered transactions.” Since billing and administrative records are not maintained as “educational records” under FERPA, compliance with the Privacy Rule would be advised. However, an educational entity may declare itself a “hybrid,” as described below, which will serve to limit compliance with the Privacy Rule to the specific departments or divisions that undertake activities triggering compliance.
- Does the educational entity have a nurse or on-campus medical clinic?
Educational employers that provide health care services to their employees and/or students through a school nurse or on-campus medical clinic must assess the nature of their transactions to determine whether they are considered health care providers. If the school nurse or clinic transmits health information in electronic form for any transaction covered by HIPAA, the nurse or clinic would be considered a health care provider subject to the Privacy Rule.
V. BUSINESS ASSOCIATES
A. Definition
- A person or organization, other than a member of a covered entity’s work force, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity and which functions involve the use or disclosure of individually identifiable health information.
- These functions or activities may include claims processing, data analysis, utilization review, and billing.
- The Privacy Rule mandates that covered entities ensure that their business associates comply with their privacy practices.
B. Business Associate Agreement
- When a covered entity uses a contractor to perform business associate services or activities, the Privacy Rule requires that the covered entity include certain protections for the health information in a business associate agreement.
- The covered entity must impose specified written safeguards on the individually identifiable health information used or disclosed by its business associates.
VI. HYBRID ENTITIES
A. Definition
- A single legal entity that is a covered entity and whose covered functions are not its primary functions.
- Use of “hybrid status”
- The benefit of declaring hybrid status is to insulate non-covered functions from covered functions so that only functions that trigger compliance with the Privacy Rule are required to comply.
- To become a hybrid entity, the covered entity must designate in writing its operations that perform covered functions as one or more “health care components.” After making this designation, the requirements of the Privacy Rule will apply only to the health care components. Failing to designate those components which are covered by the Privacy Rule would cause the covered entity to be subject in its entirety to the Privacy Rule.
- It is important to carefully identify which functions will be considered the “health care components,” taking into account that health information may be shared between persons involved in covered and non-covered functions. Consideration should be given to whether to be over-inclusive in identifying which components are “health care components,” which may be easier for administrative purposes and continuity. If the educational entity chooses not to include all such functions within the privacy policy, it is recommended that business associate agreements be executed between the departments that may exchange protected health information.
VII. STEPS TO COMPLIANCE
Educational entities that are required to comply with the HIPAA Privacy Rule, even as a hybrid entity, can follow these steps toward compliance: