HIPAA White Paper

August, 2003

CBCA, a third party administrator (TPA), provides health benefit claims administration and an array of other outsourcing services to companies on a national basis. CBCA and each of its operating divisions have been working on a variety of HIPAA initiatives for several years now to ensure its compliance with the federal HIPAA regulations. At CBCA, we have been committed to implementing appropriate policies and procedures and enhancing security systems not only to prepare CBCA and its clients to meet the regulatory mandates of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), but also to preserve and enhance our core services. CBCA continues to update this White Paper to provide you with certain information regarding some of your responsibilities under HIPAA and to update you on the steps CBCA has taken, or is taking, to achieve compliance with the Administrative Simplification regulations of HIPAA.

Who Must Comply

The HIPAA regulations apply to those entities classified as “covered entities.” A “covered entity” is defined as a:

  • Healthcare provider,

  • Health plan, or

  • Healthcare clearinghouse.

For HIPAA purposes, a health plan includes virtually all arrangements that pay the cost of medical care, including group health plans, health insurance issuers, managed care organizations, HMOs, ERISA plans, Medicare, Medicaid, Medicare supplemental policies, the veterans’ health care program, the health care program for active military personnel, CHAMPUS, the Indian Health Service, the Federal Health Benefit Program, and comprehensive long-term care coverage.

Under this definition, most CBCA clients will have to comply with the HIPAA regulations with respect to their respective health plans or insurance products. If your health plan or insurance product is designated as a covered entity, you, as Plan Sponsor/Plan Administrator, must provide to individuals a notice of your privacy practices in connection with your Plan. You must give individuals, including plan participants, access to their records, the right to request changes, and the right to receive an accounting of past non-routine disclosures. You must also implement written privacy procedures and appropriate safeguards. Other specific requirements include designating a privacy officer, training employees, establishing a process by which individuals can lodge complaints, developing a system of sanctions for those who violate the rules, and ensuring that any downstream user of protected health information agrees to comply with the same privacy requirements that apply to the health plan.

CBCA is a Business Associate

CBCA is in the unique position of being a TPA, which is not itself a covered entity as defined in the HIPAA rules. Given this, CBCA is clearly defined as a business associate of many covered entities, including employer health plans and insurance carriers. CBCA also operates its own health plan for its employees, utilizing its own administrative services to service that plan, and therefore its own health plan is a covered entity under the HIPAA rules. Given the need to serve both its client base and its own employee health plan, CBCA is required to implement uniform standards for transmitting, utilizing, disclosing and safeguarding the confidential medical information that it creates, receives or maintains on behalf of its clients and its employees.

The fluid nature of HIPAA demonstrates the need to closely monitor ongoing developments. CBCA is continually monitoring the Federal Register and other industry resources for notice of further action by HHS. See Attachment A of this White Paper for a more complete list of activity related to the HIPAA regulations.

Serving as a business associate also means that CBCA will continue its ongoing vigilance of new privacy legislation at the State level, where statutory and regulatory uncertainties abound. Considerable legislative action occurred last year and we anticipate aggressive State action on privacy legislation continuing for the foreseeable future. This being the case, our legal department is continuing to conduct legal preemption analyses of the state laws, focused first on those states where we have a critical mass of covered employees/members/participants, hold TPA licenses, and have office locations. We believe that HIPAA creates the privacy floor and State law the privacy ceiling.

Areas of Application for Compliance

HIPAA consists of three major rules with separate effective dates. These rules are:

  • The Privacy Rule – effective date April 14, 2003 (except for “small health plans” who have until April 14, 2004 to come into compliance);

  • The Electronic Transaction and Code Set Rule – effective date October 16, 2003; and

  • The Security Rule – effective date April 21, 2005 (except “small health plans” who have until April 21, 2006 to come into compliance).

The proposed rules were first published in 1999 and CBCA began a systematic company-wide effort to prepare for compliance. CBCA’s Corporate Director of Privacy & Compliance (Privacy Officer), in conjunction with managers and staff across all departments, completed an enterprise-wide gap analysis of CBCA’s processes and compared them to those contemplated by the proposed rules. The analysis encompassed all aspects of the organization including business operations, information systems and client specific needs in each of the three substantive categories that are covered under the HIPAA regulations. The remainder of this White Paper will provide you with an update on CBCA’s current status in each of these three categories.

The Electronic Transaction and Code Set Rule

The Transaction and Code Set Rule was scheduled to be the first of the three rules to become effective. However, in December 2001, the U.S. Department of Health and Human Services announced a one-year extension for the transaction and code set deadlines. This one-year extension was granted to all who filed a compliance extension plan. CBCA filed a TCS Rule Compliance Extension Plan and encouraged all clients to do the same. CBCA’s August 2002 White Paper provided detailed instructions to assist clients with filing for an extension, and a letter was sent to all clients regarding the need to file a compliance extension plan.

Thus, CBCA’s effective date for transactions and code sets, with respect to its clients, became October 16, 2003. The only proviso of the compliance extension plan was that one must be actively testing transactions by April 16, 2003. CBCA has met this proviso and anticipates that we will be compliant with all transactions adopted under this rule by October 16, 2003.

With regard to the TCS Rule, CBCA has been aggressively executing its project plan in order to meet the timelines established by the Rule. Among other things, CBCA has accomplished the following:

  1. Established an EDI TCS project plan with timelines and target dates;

  2. Completed a detailed system inventory and assessment;

  3. Mapped inbound and outbound workflow diagrams;

  4. Selected a data translator after completing due diligence on 4-6 vendors;

  5. Data translator installed and functional; all appropriate staff trained;

  6. Designed and developed a “HIPAA Gateway” to receive and send standard transactions uniformly regardless of which system the transaction is to be processed by;

  7. Developed and executing Trading Partner Agreements, where appropriate;

  8. Selected Claredi℠ as our external comprehensive testing and definitive certification vendor for compliance with transactions;

     • Currently certified by Claredi for the 837 P and 837 I (March 27, 2003 and April 4, 2003);
     • Testing 834 inbound with Claredi began 6/2/03;
     • Testing the 835 transaction.

  9. Currently developing and conducting internal testing on:

     1. 270-271 and 276-277 inbound and outbound transactions;
     2. 997 Functional Acknowledgements; and
     3. All development is at the Version 4010 Amended Implementation level, even though the final transaction modifications rule was not published until February 20, 2003.

  10. Developed Companion Documents and registration forms for trading partners;

  11. Identified, and are testing with, beta test partners for external transaction testing after Claredi certification;

  12. Assessing the sources of current (non-standard) electronic transactions by volume.

CBCA currently has the ability to read and write client data that complies with most of the new transaction formats.

The Privacy Rule

The Privacy Rule is the first of the rules to reach a compliance date. CBCA has been in substantial compliance with the Privacy Rule since April 14, 2003.

To achieve this compliance, CBCA accomplished, among other things, the following:

  1. Completed gap analyses across all locations and detailed project plans to guide implementation;

  2. Executed, or are executing, business associate agreements with clients [as the Covered Entity] with special emphasis on those clients who have an April 14, 2003 effective date;

  3. Some of our clients are exercising their rights under the HIPAA Transition Provision for Business Associate Agreements, which may allow them until April 14, 2004 to execute their business associate agreements;

  4. Although HIPAA holds the Covered Entity (our client) responsible for initiating a business associate agreement, CBCA utilized the model agreement suggested by HHS to create a model Business Associate Agreement, on behalf of our clients, to help them achieve compliance with the required provisions without passing along additional administrative costs to our clients;

  5. To best protect our clients, CBCA’s operating procedure is to treat the client as if its HIPAA Privacy effective date is April 14, 2003 in those rare situations where the client has not communicated in writing whether it is a “small health plan”;

  6. Executed Subcontractor Amendments with all subcontractors, vendors, agents, etc., who receive, create or maintain PHI on behalf of CBCA and its clients;

  7. Developed letters to address situations in which a business relationship has been wrongly characterized under HIPAA;

  8. Developed and implemented Intranet applications to display in an easily accessible, user friendly format HIPAA documentation, tip sheets, outlines, FAQs, client HIPAA effective dates, policies, procedures, forms, Notices of Privacy Practices, and other call center resources for employees;

  9. Developed/revised and implemented all policies and procedures required to comply with the HIPAA privacy standards;

  10. Developed and implemented all forms and tracking mechanisms required to comply with the HIPAA privacy standards;

  11. Developed on-line training materials and post training test, trained and tracked the training of all CBCA workforce members on HIPAA policies and procedures, including a process to train all new employees on HIPAA within fourteen days of employment (CBCA requires all employees to complete mandatory HIPAA training and testing every year. Prior to April 14, employees who use or disclose PHI were also required to attend additional HIPAA training);

  12. Developed reference tools and provided additional training for call center employees regarding caller verification, disclosure rules, and scripts to assist with objections from parents and providers;

  13. Designed/revised and implemented administrative, technical and physical safeguards to protect the integrity and security of protected health information (PHI) (e.g., secured access, identification badges, proper disposal, e-mail, fax, password protection, etc.);

  14. Developed and distributed tools to provide support and assistance to our clients with respect to HIPAA (e.g., HIPAA Privacy Q&A, templates for HIPAA policies and procedures, templates for HIPAA forms, templates for Notices of Privacy Practices, diagrams to assist clients with identifying their business relationships as they relate to HIPAA, descriptions of how to determine if the plan is a “small health plan”, Business Associate Agreements, etc.);

  15. Developed a model Plan Amendment and Certification to guide clients through the plan amendment process and to assist CBCA staff in identifying which employees of the plan sponsor are authorized to receive PHI on the plan’s behalf;

  16. Developed and implemented an internal Privacy Compliance audit. A copy of the compliance audit is provided to the operations meeting each month. Internal violations of HIPAA privacy are tagged with the following statement and tracked until the violation is cured.

HIPAA VIOLATION

The law is clear: Failure to adhere to federal HIPAA regulations can result in compromised Individual privacy, decreased customer trust, damage to our reputation, and lost revenue. It may also result in penalties for our clients.

The Security Standards

To assess our security risks and implement appropriate security to address our business requirements, CBCA began its VAST (Vulnerability Assessment Swat Team) Assessment in the first quarter of 2002. Since the Security Standards have a different scope from the other regulations (the entire enterprise, not just EDI information) and cover “data at rest” as well as “data on the move”, CBCA has tried hard to avoid the trap of assuming that the HIPAA Privacy and Security Rules should be treated as independent regulations. To address the intersections between the Privacy and Security Rules, CBCA developed its Security Project Plan in February 2002 and completed a Security Self-Evaluation Assessment in May of 2002. Analysis of the security assessment allowed CBCA to include implementation initiatives for the seven intersections between privacy and security in its privacy implementation plan. The intersections covered in our Privacy implementation are as follows:

  • Appropriate and reasonable measures to safeguard PHI;

  • Understand the flow of PHI both internally and externally;

  • Appropriate policies and procedures to protect all PHI, regardless of medium;

  • Access controls for user authentication and limiting access to PHI to that which is needed to perform a job function;

  • Execute third party agreements for the protection of PHI;

  • Designate a specific person responsible for making certain that PHI is protected; and

  • Training to make sure all employees understand the importance of protecting PHI and the means by which they must do so.

On February 20, 2003, HHS published the final Security Rule. CBCA is in the process of digesting the final rule and revising project plans and gap assessments, for new business acquisitions and new standards, to bring CBCA into compliance with the Security Rule.

Finally, CBCA believes that the successful implementation of the HIPAA standards for administrative simplification will depend, in great part, on the parallel efforts of the clients it serves and its business partners. Similarly, to the extent protected health information is accessible to its business partners, the cooperation of those business partners will be essential in designing and implementing security mechanisms for access control, authorization control, and user authentication. CBCA is working with its business partners to effectuate the timely and effective implementation of our respective compliance plans.
