
Tech Flex

February 2003 Issue I


The February 2003 issue of Tech Flex focuses entirely on the HIPAA Electronic Data Interchange (EDI) and Privacy Regulations. This information reflects ProBusiness' view of these HIPAA regulations and their impact on the transactions that occur between the client and ProBusiness and those transactions between the client's insurance carriers and ProBusiness. Included in this communication are general HIPAA EDI and Privacy overviews, as well as ProBusiness' analysis of the regulations pertaining to its business. At the end of this communication, you will find a link to a HIPAA Frequently Asked Questions document that contains a compilation of questions received by ProBusiness from its clients and the broker community. It is important to note that the following communication is based on ProBusiness' belief regarding the intent of the HIPAA regulations in relation to its Service Provider role and should not be construed as being legal advice. We strongly recommend that you confer with your legal counsel regarding these issues and act accordingly based on your legal counsel's guidance.

HIPAA Electronic Data Interchange (EDI)

As reported in past issues of Tech Flex, effective October 16, 2002, the Health Insurance Portability and Accountability Act (HIPAA) requires that Health Plans, Health Care Clearinghouses, and Health Care Providers (Covered Entities) and their Business Associates that engage in certain specified electronic transactions comply with rules designed to standardize the format and content (the EDI Standards) of these specified transactions. An insured plan with less than $5 million in annual premiums or a self-insured plan paying less than $5 million in benefits has an automatic (no filing required) one-year extension in relation to HIPAA EDI. These plans must be HIPAA EDI compliant by October 16, 2003.

The final HIPAA EDI regulations require that any Covered Entity engaging in a Covered Transaction either internally or with another Covered Entity, or its Business Associate, must comply with the EDI Standards, unless the Covered Entity has filed an extension. In addition, a Business Associate performing a Covered Transaction (e.g. electronically transmitting eligibility data) on behalf of a Covered Entity (plan sponsor) must also comply with certain standards related to the EDI Standards. Based on the functions ProBusiness generally performs on behalf of its clients, specifically eligibility, enrollment / disenrollment and premium payment, ProBusiness believes electronic transmissions performed between ProBusiness and the client are not required to be performed utilizing the EDI Standards. However, if ProBusiness should forward eligibility, enrollment / disenrollment or premium payment information electronically to a Covered Entity, such as an insurance carrier, ProBusiness would be required, on behalf of the client, to transmit such information in EDI format. Should ProBusiness perform any function other than eligibility, enrollment / disenrollment or premium payment on behalf of the client, EDI Standards may apply to transmissions between the client and ProBusiness.

Please Note: Although ProBusiness believes that electronic transmissions between the client and ProBusiness regarding eligibility, enrollment / disenrollment or premium payment do not need to be sent utilizing HIPAA EDI, ProBusiness is capable of receiving information from, and transmitting information to, the client utilizing HIPAA EDI should the client request such an arrangement. We strongly recommend that you confer with your legal counsel regarding these issues and act accordingly based on your legal counsel's guidance.

HIPAA Privacy Regulations

When Congress enacted the Administrative Simplification (EDI) provisions that encourage the increased use of electronic exchanges of health care information, it also recognized the need for privacy and security protections. The privacy regulations to be imposed under HIPAA set out rules regarding the use and disclosure of Individually Identifiable Health Information in various situations. Any health information received by certain Covered Entities is protected, and this protection applies regardless of whether the information is communicated in oral, written or electronic form. Covered Entities include Health Plans, Health Care Clearinghouses, and most Health Care Providers and any related entity such as a laboratory. Few Covered Entities are able to perform all aspects of plan administration themselves. Instead, they hire outside entities or persons to assist them with performing specific plan functions. The entities or persons that are hired by Covered Entities are known as Business Associates. Business Associates often have a legitimate reason to access and use Individually Identifiable Health Information. Although Business Associates such as ProBusiness are not Covered Entities, the information that is disclosed to them and/or used by them must be protected. The privacy regulations as applicable to Covered Entities and Business Associates are effective April 14, 2003. "Small health plans", defined as insured plans with less than $5 million in annual premiums or a self-insured plan paying less than $5 million in benefits, have until April 14, 2004 to comply with the HIPAA Privacy Regulations.

Information Protected By HIPAA Privacy Regulations:

Basically, any Individually Identifiable Health Information (IIHI) that is transmitted or maintained in any form, whether electronic or otherwise, is protected under the privacy rules. Such information is known as Protected Health Information (PHI).

IIHI is defined as information that:

  • Is created or received by a Health Care Provider, Health Plan, employer, or Health Care Clearinghouse;
  • Relates to the past, present, or future physical or mental health of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of the health care information of the individual; and
  • Either identifies the individual to whom it relates or creates a reasonable basis on the part of the disclosing entity for believing that the information may be used to identify the individual.

PHI is generally defined as information relating to:

  • An individual's medical condition; or
  • Provisions of medical care for that individual; or
  • Payments for that individual's medical care.

Contract Requirements between Covered Entity and Business Associate:

A Covered Entity is required to enter into a Business Associate contract with its Business Associates. Such a contract must:

  • Describe the permitted and required uses and disclosures by the Business Associate, which may not exceed that which is allowed for the Covered Entity;
  • Prohibit the Business Associate from disclosing the information further;
  • Require the Business Associate to implement safeguards to prevent the improper use and disclosure of information;
  • Require the Business Associate to report to the Covered Entity any improper uses or disclosures of information;
  • Impose the same requirements on all the Business Associate's subcontractors;
  • Require the Business Associate to make PHI available in compliance with the individual's rights to access, amend, and receive an accounting related to such information;
  • Require the Business Associate to make its internal books and records available to DHHS for purposes of determining the Covered Entity's compliance with HIPAA;
  • Require the Business Associate to return or destroy PHI, if feasible, upon termination of relationship; and
  • Authorize the Covered Entity to terminate the contract if the Business Associate has violated a material term of the contract.

On November 6, 2002, ProBusiness distributed a template Business Associate Addendum to its Benefits clients and will shortly be distributing this document to its Payroll clients as well. Please be aware that the responsibility to execute the Business Associate Addendum is that of the client, and that it must be executed no later than April 14, 2003, subject to the extension guidelines described below.

Extension for Business Associate Contracts:

The August 14, 2002 release provided an additional year for certain Covered Entities to modify their service agreements (contracts) with Business Associates. The additional time is available only to Covered Entities that have existing written contracts in place with their Business Associates prior to October 15, 2002 and where that written contract is not renewed or modified prior to April 14, 2003. The extension of the deadline ends on the earlier of (1) the date the contract with the Business Associate is renewed or modified, or (2) April 14, 2004. Written contracts entered into, renewed, or modified after October 15, 2002 will not qualify for the extension of time.

Client HIPAA Designated Contact Person:

The HIPAA regulations state that covered entities must designate who within their workforce is entitled to access PHI. Specifically, 45 CFR § 164.514(d)(2)(i)(A) states: A covered entity must identify those persons or classes of persons, as appropriate, in its workforce who need access to PHI to carry out their duties. This would include communications from your organization inquiring into Flexible Spending Account, COBRA, and health insurance coverage matters pertaining to specific employees and former employees of your organization.

In order to assist your organization in meeting the legislatively mandated obligations, should you be a Covered Entity, ProBusiness has created a document (see below) that the authorized individual within your organization must complete and return to ProBusiness. This document will designate the personnel within your organization who are authorized to inquire about, and receive, an individual's PHI. Please be advised that it is the duty of your organization to update ProBusiness in a timely manner regarding the designated personnel within your organization. If ProBusiness receives an inquiry about PHI regarding one of your organization's current or former employees, spouses, or dependents, from an individual not designated by your organization on the attached document, ProBusiness will be unable to release PHI to such a non-designated individual. If you have not yet received or completed the attached form, please do so immediately and return it to ProBusiness.

Instructions:

Complete the HIPAA Client Designated Contact Person form (hipaa_designated_contact.doc, Word format, approx. 23KB). Attach a completed copy to your Plan Document and return the electronic version to BenefitsAdmin@probusiness.com or print a copy and mail to the following address:

ProBusiness
20000 North Creek Parkway
Bothell, WA 98011
Attn: Linda Johnson

If returning via email, your email address shall be considered your signature.


HIPAA and ProBusiness Payroll Clients

The HIPAA EDI designated transactions specifically include transmissions in relation to health plan premium payments. 45 C.F.R. § 162.1701 stipulates the following:

Health plan premium payments transaction.
The health plan premium payment transaction is the transmission of any of the following from the entity that is arranging for the provision of health care or is providing health care coverage payments for an individual to a health plan:
(a) Payment.
(b) Information about the transfer of funds.
(c) Detailed remittance information about individuals for whom premiums are being paid.
(d) Payment processing information to transmit health care premium payments including any of the following:
           (1) Payroll deductions.
           (2) Other group premium payments.
           (3) Associated group premium payment information.

Consequently, ProBusiness believes that when ProBusiness is electronically transmitting information regarding payroll deductions for health care premiums to the insurance carrier, ProBusiness must, on behalf of the client, utilize the required HIPAA EDI standard for this transaction. Furthermore, should ProBusiness electronically transmit eligibility or enrollment / disenrollment information to an insurance carrier on behalf of the client, ProBusiness would also be required, on behalf of the client, to send such information via the appropriate HIPAA EDI format. However, based on the functions ProBusiness generally performs on behalf of its clients, specifically eligibility, enrollment / disenrollment and premium payment, ProBusiness believes electronic transmissions performed between ProBusiness and the client are not required to be performed utilizing the EDI Standards. Should ProBusiness perform any function other than eligibility, enrollment / disenrollment or premium payment on behalf of the client, EDI Standards may apply to transmissions between the client and ProBusiness.

Please Note: Even though ProBusiness believes that electronic transmissions between the client and ProBusiness regarding eligibility, enrollment / disenrollment or premium payment do not need to be sent utilizing HIPAA EDI, and furthermore, even though ProBusiness believes that transmissions between the client's vendors (except for health plans) and ProBusiness are not required HIPAA EDI transmissions, ProBusiness is capable of receiving information from the client or its vendors and transmitting information to the client and its vendors utilizing HIPAA EDI should the client or client vendor request such an arrangement. We strongly recommend that you confer with your legal counsel regarding these issues and act accordingly based on your legal counsel's guidance.


HIPAA Frequently Asked Questions

Please find below a link to the HIPAA Frequently Asked Questions document that contains a compilation of questions received by ProBusiness from its clients and the broker community in relation to HIPAA EDI and Payroll issues, and ProBusiness' responses based on ProBusiness' analysis of the applicable regulations. It is important to note that the following communication is based on ProBusiness' view of the HIPAA regulations in relation to its Service Provider role and should not be construed as being legal advice. We strongly recommend that you confer with your legal counsel regarding these issues and act accordingly based on your legal counsel's guidance.

http://www.probusiness.com/clients/viproom/documents/HIPAA_FAQ_1-27-03.pdf


Please contact ProBusiness for further information at:
20000 North Creek Parkway, Suite 200, Bothell, WA 98011
Phone: (425) 415-4000 Fax: (425) 417-4795
e-mail: bsa@probusiness.com

(ProBusiness does not make any representation or warranty that the information contained in this newsletter, when used in a specific and actual situation, meets applicable legal requirements. This newsletter should not be construed as legal advice. Your legal counsel should be consulted on all specific fact situations.)
