HIPAA
Implementation Impact for Brokers
April 2003
Independent licensees of the
Blue Cross and Blue Shield Association
®Registered marks Blue Cross and Blue Shield Association
Today’s presentation is not legal advice

This overview of Anthem’s compliance effort,
created for our accounts and brokers, is offered for
informational purposes only.

It is not intended as a legal opinion or advice.
Please contact your attorney for legal advice.

This information is subject to change. Please visit
http://www.Anthem.com for updates.
HIPAA applies to Covered Entities
• Covered Entities are …
– Providers (transmitting certain data)
– Clearinghouses
– Health Plans
– Group Health Plans (whether fully-insured or self-insured)
Definition of a Group Health Plan
• A Group Health Plan is the employee welfare
benefit plan (as defined in ERISA), including
insured and self-insured plans, to the extent
that the plan provides medical care to
employees or their dependents directly or
through insurance, reimbursement, or
otherwise.
Diagram of an Employer/Plan Sponsor
• Employer: An employer is NOT a covered entity under HIPAA.
• Plan Sponsor: When an employer forms a Group Health Plan (GHP), it
assumes the role of a Plan Sponsor. The GHP is part of, and yet its
operation must be separate from that of, the Plan Sponsor / employer.
The GHP is a covered entity.
[Diagram labels: Employer, Group Health Plan, Plan Sponsor]
Diagram of an Employer/Plan Sponsor (Cont.)
• It takes people to carry on the administrative functions of a GHP.
Because of the confidential nature of PHI, the Plan Sponsor must limit
access to PHI by clearly designating the person(s), class of persons,
and/or third-parties that the Plan Sponsor authorizes to perform the
administrative functions of the GHP - those who will be "in-the-loop."
• Stars represent employees of the Plan Sponsor.
– White stars represent those employees designated to perform GHP
functions (exposure to PHI).
– Gray star(s) represent those employees who may have responsibilities
for both the GHP and the employer (generally).
– Black stars represent those employees who are never authorized to
access PHI.
[Diagram labels: Group Health Plan, Plan Sponsor]
HIPAA
Administrative Simplification
HIPAA Diagram
• HIPAA
– Title I: Portability
– Title II: Administrative Simplification
• Transaction Standards
• Code Set Standards
• Unique Health Care Industry Identifiers
• Privacy Standards
• Security Standards
– Title III: ?
– Title IV: ?
– Title V: ?
Anthem’s Status
• Privacy Standards
3 Classifications of HIPAA Information
• #1
Protected Health Information (PHI)
– PHI is individually identifiable health information that is transmitted or
maintained by electronic media or in any other form or media
– “Individually identifiable health information” is health information that
can identify the individual
– “Health information” is very broadly defined as that which relates to
past, present or future health condition or relates to past, present or
future provision of or payment for health care
– PHI includes, but is not necessarily limited to, such identifiers as …
• Names, geographic subdivisions narrower than a 5 digit ZIP, all
elements of dates (except year), telephone numbers, email
addresses, IP addresses, URLs, Social Security Numbers, medical
record numbers, health plan beneficiary numbers, account numbers,
certificate/license numbers, and biometric identifiers
3 Classifications of HIPAA Information
• #2
Summary Health Information (SHI)
– SHI is a subset of PHI. SHI is health information that summarizes
claims history, claims expenses, or type of claims experienced of a
group health plan and from which most identifiers have been removed
3 Classifications of HIPAA Information
• #3
De-identified Information
– De-identified information may start out as PHI or SHI; however,
additional identifiers must be removed before PHI or SHI may be
reclassified as De-identified Information
– To qualify for the De-identified Classification, all information that
could link the information to an individual must be deleted
– There must be no reasonable basis to believe the information can be
used to identify the individual
– To satisfy the reasonable basis test, a statistician should determine that
the information has been sufficiently stripped of identifiers to the point
that it cannot be re-identified
– Upon qualifying for the classification of De-identified Information, the
information may be used by a covered entity without restriction
Organized Health Care Arrangement (OHCA)
• An Organized Health Care Arrangement (OHCA) exists between an
insurer and a fully-insured group health plan
• In the OHCA, these covered entities are allowed to share only the
minimum necessary amount of PHI to coordinate operations to
properly serve the enrollees such as …
– Audit and Reconciliation Purposes
• To evaluate plan performance
• To evaluate insurance company performance
• To evaluate plan experiences
Business Associates
• A business associate creates, uses, or discloses PHI on behalf of a
covered entity
– Must provide Covered Entities with certain written assurances
– Anthem’s Business Associate Agreements satisfy this requirement
• Anthem’s business associates include …
– Medco
– Davis Vision
– Brokers
• When performing certain tasks, a Broker may be a Business Associate of
Anthem
• Anthem is the Business Associate of the ASO Group Health Plan
Business Associate Agreements
• Anthem delivered Business Associate Agreements
to its Brokers, and requires its brokers to sign and
return the Agreements to Anthem
– When performing the types of tasks mentioned in
Anthem’s Business Associate Agreement, Brokers may
be business associates of Anthem
• Anthem also mailed a Business Agreement to self-insured group health plans
– Anthem is a business associate of ASO groups
Anthem Disclosure Policy
• Anthem will only disclose PHI to the Group
Health Plan
– ASO may receive PHI as defined in the Business Associate Agreement
– Fully-insured GHPs may receive PHI necessary to run the Organized
Health Care Arrangement
– Fully-insured GHPs may elect to receive only SHI
– Plan Sponsor or Employer may receive SHI for purposes of obtaining
premium bids or for modifying, amending or terminating the GHP
• Anthem cannot disclose PHI to an Employer
• Anthem cannot disclose PHI to a Plan Sponsor
Anthem Disclosure Policy (continued)
• If a Broker signed Anthem’s Business Associate
Agreement and is an agent of record for the individual
or group health plan, then
– Anthem can share the minimum necessary PHI with
Broker/Producer to resolve member claims
– Anthem can share Summary Health Information (SHI) with
Brokers/Producers in connection with delivering renewals
• Anthem will not share PHI with the Broker/Producer
for other plan administration functions without written
direction from the GHP that is eligible to receive PHI
Fully-insured GHP Election
• Fully-insured GHPs may elect NOT to receive or create PHI
• If GHPs elect not to create or receive PHI, they do not have to
comply with certain privacy requirements
• Fully-insured GHPs may choose to receive only Summary Health
Information (SHI)
• Anthem will provide an election form to fully-insured GHPs
– Completing and returning the form will acknowledge to Anthem that the
GHP only wants to receive SHI
– Upon receipt of this election, Anthem will only provide SHI
– Request for member PHI requires the member’s authorization
Disclosures to Group Health Plans
• Anthem may disclose PHI to the ASO Group Health Plan
as defined in the Business Associate Agreement
• Anthem may only disclose the PHI necessary to run the
OHCA to the fully-insured Group Health Plan (not electing
SHI only)
– Individual authorization is required if the PHI requested is in
addition to or exceeds the PHI for running the OHCA
• Anthem may disclose SHI to the Fully Insured Group
Health Plan
– For fully-insured Group Health Plans electing only SHI, PHI will
not be disclosed without authorization from the individual
Group Reporting
• ASO Group Health Plans may receive account reports
containing PHI as defined by the Business Associate
Agreement
• Fully Insured Group Health Plans
– As a general rule, reports containing SHI will be provided along
with enrollment/disenrollment or de-identified information to
fully-insured GHPs. PHI reports may be provided upon request.
– Fully-insured Group Health Plans electing only SHI will receive
reports containing SHI along with enrollment/disenrollment or
de-identified information.
Group Reporting (continued)
• Summary Health Information: The Account Reporting
area may provide reports that contain only Summary
Health Information to the FI-GHP upon request (verbal,
written, fax, e-mail)
• Enrollment/Disenrollment Information: The Account
Reporting area may provide reports that contain
Enrollment/Disenrollment information to the FI-GHP upon
request (verbal, written, fax, e-mail)
• De-Identified Information: The Account Reporting area
may provide reports that contain only De-Identified
Information to the FI-GHP upon request (verbal, written,
fax, e-mail)
Group Reporting (continued)
• Protected Health Information: The Account Reporting
area may provide reports that contain Protected Health
Information to a FI-GHP only if all of the following
requirements are met:
– The FI-GHP has requested a report that contains
Protected Health Information on Anthem’s Report
Request Form; and
– The FI-GHP meets the regional size requirements for
production of PHI reports (e.g. over 100 contracts); and
– Anthem determines that the requested information is
needed to run the Organized Health Care Arrangement
Group Billing
• As a general rule, Anthem will provide bills that contain only Summary Health
Information, Enrollment/Disenrollment Information, or De-identified
Information to fully-insured group health plans.
– Summary Health Information: The billing area may provide bills that
contain only Summary Health Information to the fully-insured group health
plan
– Enrollment/Disenrollment Information: The Billing area may provide
bills that contain Enrollment/Disenrollment information to the fully-insured
group health plan
– De-identified Information: The Billing area may provide bills that contain
only De-Identified Information to the fully-insured group health plan
When is authorization required?
• If a fully-insured group health plan elected to receive only
SHI and requests PHI, then an individual’s authorization
will be required
• If a fully-insured group health plan did not elect to receive
only SHI, but the amount of PHI that it requests exceeds
the minimum necessary to run the OHCA, then an
individual’s authorization will be required
• If a broker requests PHI that exceeds minimum necessary
to assist the individual with claim resolution, or to perform
regular customer service functions on behalf of Anthem,
then an individual’s authorization will be required
Privacy Notice
• Anthem has mailed its Privacy Notice to those members with individual
policies
• The Privacy Notice is also available at www.Anthem.com
• If a group health plan is fully-insured, then Anthem has mailed its
Privacy Notice to members of the fully-insured group health plan
• If a group health plan is self-insured, then Anthem has made its Privacy
Notice available to the self-insured group health plan
– A self-insured group health plan is responsible for creating and distributing
its own Privacy Notice to its members
– A self-insured group health plan’s HIPAA Privacy Notice cannot conflict
with Anthem’s Privacy Notice
– Anthem’s Privacy Notice is also available at www.Anthem.com
Access Control
Before using or disclosing PHI, a requestor must be verified:
• Who is calling?
• Name?
• Do they represent the GHP?
• GHP or Plan Sponsor/Employer?
• Is the requestor who he/she claims to be?
Access Control (continued)
• If requesting on behalf of a group health plan, is the
group health plan a fully-insured or self-insured
group health plan?
• Essential to establish what information the requestor has
the authority to access
• If ASO, is there a BA Agreement in place?
• If fully insured, has the GHP elected only SHI?
Access Control (continued)
• If a broker requests PHI from Anthem, then Anthem
will
– Meet previously discussed rules
– verify the broker number
– determine whether the broker’s signed business associate
agreement is in place
– determine whether the Broker has the authority to act on
behalf of the group health plan or individual (Agent of
Record)
HIPAA Privacy Compliance Date
• April 14, 2003: Compliance deadline
• April 14, 2004: If you are a small health plan
with annual receipts of $5 million or less
What is Anthem’s Status?
As a Covered Entity, Anthem …
• will comply with HIPAA Privacy regulations
no later than April 14, 2003
• is aggressively moving forward with all HIPAA
implementation activities
• is adopting currently accepted practices to help ensure our
policies and procedures comply with the HIPAA Privacy
regulations
In Addition, Anthem …
• established a Privacy and Security Office
• defined the role of the Privacy and Security Office
• completed an analysis of state privacy laws
• completed a review and summary of the final modifications to
the privacy rule
• completed a comprehensive gap analysis and risk assessment
based on the requirements of the proposed security regulations
• identified the security measures needed to support the privacy
regulations
Communications
• Anthem has an ongoing communications effort for our
constituents to:
– define Anthem’s ongoing relationship with accounts
and brokers
– provide information about HIPAA Privacy Regulations,
Anthem’s Privacy Notice and educational opportunities
– address and minimize potential operational barriers which
may result from conducting business under the Privacy rule
Member Considerations
• More “Official” Rights
• May Need To Complete Authorizations
• Verification Process
• Disclosure Chart Changes
• Should not need to invoke a HIPAA right
except under unusual circumstances
Group Considerations
• ASO Group Health Plan as a covered entity:
– Must Comply
– Needs Business Associate Agreement with Anthem
– Anthem to provide PHI to GHP only
– Reports Subject to Minimum Necessary
• Fully-insured Group Health Plan as a covered entity:
– If SHI (does not create or receive PHI), the GHP is
exempted from most of the privacy requirements
– GHP can receive PHI, but only if it is necessary for running
organized Health Care Management
– Reports subject to Minimum Necessary
Broker Considerations
• Must sign Business Associate Agreement
• Access Control and Process of Verification
– Can only view their Customers’ Information
– Subject to Minimum Necessary
Sources of Information About HIPAA
• www.hipaadvisory.com
Vendor sponsored site, contains all draft & final HIPAA rules
• www.ncpdp.org
National Council for Prescription Drug Programs
• www.cms.hhs.gov
Centers for Medicare and Medicaid Services (formerly HCFA)
• www.ncvhs.hhs.gov
National Committee on Vital and Health Statistics
• www.mahicentral.org
Mid Atlantic Health Initiative
For more Anthem-specific information
Visit our web site at
www.anthem.com
Questions?