It may be hard to believe, but the HIPAA Privacy rules have been in effect for nearly five years!! Is it time for a Compliance Check-up? Although the Group Health Plan is the covered entity under HIPAA, many TPAs provide HIPAA Privacy related services on behalf of the Plan Sponsor/Employer. Below are some items to consider.
Notice of Privacy Practice (NPP)
As required by the rule, the initial NPP had to be provided by April 14, 2003, (for most plans) to all plan participants. The notice includes the plan’s uses and disclosures of Protected Health Information (PHI), the individual’s privacy rights and the plan’s legal duties regarding PHI.
Questions to ask concerning your current NPP procedures:
Have you been providing the NPP to newly enrolled plan participants? Have you made any material revisions to the NPP? If so, have you provided the revised NPP to plan participants within 60 days of those revisions? Are you providing the NPP to plan participants upon request?
Remember, the notice must separately describe each use and disclosure the plan makes of PHI, and it must provide that the plan will disclose PHI to the plan sponsor
Business Associate Agreements
A business associate agreement is required between a covered entity and its service entities that have access to or create PHI. This agreement sets forth requirements the business associate must follow with regard to confidentiality, security, and the use and disclosure of PHI. In the event that a business associate, acting on behalf of a covered entity, is disclosing PHI to another entity, it could enter into a “sub” business associate agreement with that entity as well, or otherwise obtain reasonable assurances that such “sub” business associate will comply with the business associate’s obligations, so that the same requirements are imposed for all that share PHI. For example, a TPA is the business associate of the Group Health Plan. The TPA may have a contract with a medical review vendor to perform utilization management services. In that event, the Group Health Plan would have a business associate agreement with the TPA and the TPA would have a “sub” business associate agreement with the medical review vendor.
Questions to ask about business associate agreements:
Are all your "sub" business associate agreements in place? Are you entering into agreements when you engage a new vendor?
Disclosures of PHI
The Accounting of Disclosures section of the HIPAA Privacy rule requires that a log be maintained of all PHI disclosures. Plan participants are entitled to an accounting of PHI.
Questions to ask about disclosures of PHI:
Do you have a tracking system in place that will enable you to follow disclosures and provide this information upon request?
If you are interested in a complete HIPAA Privacy Check-Up, services are available by contacting our senior health consultant, Mary Barninger at 877-247-0962 or mary.barninger@relius.net