
April 8, 2003

AS DEADLINE FOR COMPLYING WITH HIPAA'S PRIVACY RULES FAST APPROACHES, A COMPLIANCE CHECKLIST TO REVIEW AND GUIDANCE ON "BUSINESS ASSOCIATES"

With the deadline for complying with the privacy rules of the Health Insurance Portability and Accountability Act (HIPAA)* only days away (April 14, 2003), this Compliance Alert presents a brief checklist that sponsors of health plans may want to review. It also summarizes much-needed clarification of the term "business associates" that was in guidance on HIPAA's privacy rules issued by the Department of Health and Human Services (HHS).

COMPLIANCE WITH HIPAA'S PRIVACY RULES: A CHECKLIST

Health plan sponsors may want to review the following checklist:

  • Identify how HIPAA's privacy rules affect the organization. How an organization is affected depends upon whether it is a covered entity, a business associate or a "hybrid entity" (i.e., an entity that performs both covered and noncovered functions). In addition, it is worth keeping in mind that not all benefits offered will be covered by the HIPAA privacy rules. Medical, hospital, drug, behavioral health and other health benefits are covered by HIPAA's privacy rules, but disability, workers' compensation and life insurance are not. Whether other benefits, such as employee assistance programs (EAPs), are covered is a determination that should be made by legal counsel.
  • Review relationships with service providers. Business associate agreements should be executed by April 14, 2003, for all business associates. However, if a contract with the service provider was in place as of October 15, 2002, and has not been amended, the deadline for executing a business associate agreement is extended one year to April 14, 2004. Changes in operations (e.g., reports generated and how individual privacy rights are handled) may be required.
  • Amend plan documents, as needed. For example, plan documents for self-insured health plans must be amended. Plan documents for fully insured health plans may also have to be amended if PHI is used for purposes such as audits or quality control.
  • Communicate the new privacy rules to employees. By April 14, 2003, most plan sponsors should have prepared a Notice of Privacy Practices and have a distribution plan. This effort may require coordination with business associates. Fully insured plans may be exempt from this requirement.
  • Train staff personnel who will be involved in HIPAA compliance efforts. Employees who use PHI must be trained on how to comply with the new regulations prior to April 14, 2003.
  • Prepare for the impact on employees. Employees will need to be advised of new procedures that will be in place to assure regulatory compliance. For example, employees may face new questions when interacting with benefits staff, call centers or health maintenance organizations about their health claims. Employee consent may be required for benefits staff to carry out routine tasks involving disability benefit applications, integrated disability management or implementing routine tasks related to the Americans with Disabilities Act and the Family and Medical Leave Act.

ADDITIONAL HHS GUIDANCE ON HIPAA'S PRIVACY RULES

Among the questions answered by the HHS guidance are the following:

Which Entities Are Considered Business Associates under HIPAA?

The HHS guidance confirms that the following entities are business associates under HIPAA: third party administrators, pharmacy benefit managers, consultants and attorneys.


Which Entities May Be — but Are Not Necessarily — Business Associates?

The following entities may be business associates:
  • Software Vendors. If a software vendor needs access to protected health information (PHI) to provide a service for the plan, the vendor is a business associate. An example of this would be a software company that hosts the software containing PHI on its own server or accesses PHI when troubleshooting the software function. In contrast, a software company that simply sells or provides software, but has no access to PHI, is not a business associate. The guidance also states that a business associate agreement may not be necessary where an IT contractor's primary duty station is at the covered entity.** In this instance, the covered entity may choose to treat the contractor as a member of the covered entity's workforce rather than as a business associate.
  • Paper-Shredding Services. Entities that handle PHI on a regular basis, such as the routine handling of records or shredding of documents containing PHI, would likely be business associates of a covered entity. However, if the work is performed under the direct control of the covered entity, then the covered entity may treat the workers as part of the workforce instead of requiring a business associate agreement. For example, if shredding is performed on-site, the covered entity could train the on-site workers and forgo the business associate agreement.


Which Entities Are Not — or Not Usually — Business Associates?

The HHS guidance provides the following clarifications about which entities are not — or not usually — business associates:

  • Health Insurers and Health Maintenance Organizations (HMOs). A business associate agreement is not required between a group health plan and a health insurance issuer or HMO. This relationship is defined as an "organized health care arrangement" under HIPAA's privacy rule. Thus, covered entities can share PHI that relates to their joint health care activities without a business associate agreement and without individual authorization.
  • Reinsurers. The guidance states that reinsurers do not become business associates of a health plan simply by selling a reinsurance policy to a plan and paying claims under the policy. Only where the reinsurer performs another function on behalf of the plan, other than the provision of reinsurance benefits, is it a business associate. HHS' rationale is that by providing reinsurance the reinsurer is not providing a service for the plan, but is "acting on its own behalf."
  • Health Care Providers. Health care providers generally are not business associates of payers, such as insurers or group health plans. However, a provider could be a business associate of a group health plan if the provider is performing a service for the health plan, such as case management services.
  • Financial Institutions. When a financial institution is providing its normal banking and financial services on behalf of consumers (e.g., debit, credit and clearing checks) that directly affect the transfer of funds for payment of health care or health plan premiums, it is not a business associate. In this scenario the financial institution is performing a service for its customers; it is not performing a function on behalf of a covered entity. This language in the new guidance is taken from the preamble to the final rules that were issued on December 28, 2000 (65 Fed. Reg. 82504-5). The preamble went on to state that when covered entities initiate such financial transactions they must meet the minimum necessary disclosure requirements. The preamble does not specifically state whether the financial institution is a business associate of the covered entity in this situation.
  • Mail and Courier Services. Conduits of PHI, such as the US Postal Service, private couriers and their electronic equivalents, are not generally business associates because they do not access PHI other than on a random or infrequent basis.
  • Plumbers, Janitors, Electricians, etc. The guidance states that plumbers, electricians and photocopy repair technicians are not business associates because they do not require access to PHI to perform their services. Generally, janitorial services are also not business associates because their work does not involve the use or disclosure of PHI. Any disclosures of PHI that occur (e.g., while emptying the trash) are "incidental" and permitted by the privacy rule.


An Unanswered Question: Should Stop-Loss Vendors Be Considered Business Associates?

Although the HHS guidance does not mention stop-loss vendors, the guidance suggests that stop-loss vendors are not business associates because they are reinsurers. This guidance is perplexing given that group health plans provide a good deal of PHI to stop-loss vendors.

Even though no business associate agreement between group health plans and stop-loss vendors appears to be required under the privacy rules, plan sponsors may want to discuss with their legal counsel whether it would be prudent to attempt to negotiate confidentiality provisions with stop-loss vendors. Such provisions may help protect PHI.

A REMINDER ABOUT BUSINESS ASSOCIATE AGREEMENTS

Covered entities must incorporate HIPAA's privacy protections into their agreements with their business associates (by April 14, 2003 or April 14, 2004, depending on the nature of the agreement). Although covered entities generally do not need to monitor their business associates under HIPAA's privacy rule, if a covered entity finds out about a material violation of the agreement, it must take appropriate action, as detailed under the regulations. (Of course, sponsors of ERISA plans still have an obligation under ERISA to monitor their service providers.)

In these and all aspects of HIPAA compliance, plan sponsors should work closely with their attorneys and consultants.


* The final HIPAA privacy rules were published on August 14, 2002. (For a summary, see The Segal Company Bulletin, "Final HIPAA Privacy Rules.") The most recent guidance was released on December 4, 2002. (The 123-page document is available in PDF format on the HHS Web site.) Much of the guidance has already been published in the privacy regulations, the preamble to the regulations, or previously issued frequently asked questions (FAQs). The December 2002 guidance updates (and replaces) FAQs issued in July 2001 (before the final changes to the privacy rule were made). The guidance also incorporates the FAQs issued in October 2002.

** Health plans are covered entities, as are health care providers that conduct electronic covered transactions and health care clearinghouses.

Capital Checkup is The Segal Company's periodic electronic newsletter summarizing activity in Washington with respect to health care and related subjects. Capital Checkup is for informational purposes only. It is not intended to provide guidance on current laws or pending legislation. On all issues involving the interpretation or application of laws and regulations, plan sponsors should rely on their attorneys for legal advice.
