8 August 2003

Beyond Privacy: Don’t Forget About The HIPAA Electronic Transaction Rules


By Timothy Stanton, Sarah Millar and Kathleen Sheil Scheidt

With the ink barely dry on the business associate agreements required by the HIPAA privacy rules, employers need to remember to act quickly on another component of HIPAA – the rules governing electronic exchanges of data involving employer-sponsored health plans and other HIPAA "covered entities."

Fortunately for employers, the HIPAA Electronic Transaction Rules are not likely to demand the same commitment of time and resources as the privacy rules require. If significant effort is required for some employers, much of that burden likely will fall on the IT or HRIS functions. Of course, HR and benefits professionals should alert the technology specialists to these new obligations and work with them in developing compliance strategies.

Most large employers last fall filed requests for a one-year extension of the compliance date, meaning the HIPAA Electronic Transaction Rules will take effect October 15, 2003, for their health plans (including medical, dental, prescription drug, vision and long-term care plans, along with health care flexible spending accounts and some employee assistance plans). This deadline applies to all plans; no additional time is available for "small health plans."

(A glossary of terms discussed in this client alert is posted in the table below.)

What are the HIPAA Electronic Transaction Rules?

Exchanges of data are called "transactions" in health care parlance, and the HIPAA rules govern certain electronic transactions, based on the kind of data transferred and the reason for the transfer. These transactions include providers requesting information from plans, plans requesting information from providers or other plans, and payers providing payment information to health plans. Electronic transactions include those done by means of the Internet or on-line interactive transmission, or even by moving electronic media such as a tape or disk from one location to another. A few transactions that seem electronic are not treated that way under the rules. These include telephone voice response and "faxback" systems.

When an employer health plan (or its "business associate" on behalf of the plan) conducts certain transactions electronically, the HIPAA Electronic Transaction Rules require that these transactions use a standard set of electronic codes and include standard pieces of data. Such a transaction is called a "standard transaction."

GCD Note: Currently, hundreds of different code sets are in use in the health care industry. Standardizing them will improve efficiency and could save billions of dollars for health care payers and providers.

Non-electronic exchanges of information are not covered by these HIPAA Electronic Transaction Rules. So, for example, employer health plans that currently send coordination of benefits information on paper forms can continue doing so. But plans must be prepared to handle transactions like this electronically as standard transactions if another covered entity ever requests that they do so. Although the current guidance is not clear, this principle would likely apply to a request by a business associate, acting on behalf of a covered entity, that a health plan conduct transactions pertaining to that covered entity electronically.

Electronic codes and data standards have been set for eight separate transactions (which are described in the table at the end of this article). Standards may be issued for additional types of transactions in the future.

Another Component of HIPAA

The HIPAA Electronic Transaction Rules are part of the overall "administrative simplification" rules under HIPAA (which also include privacy, security, and provider identifiers). This means that many of the legal standards that apply in the electronic transactions area will already be familiar to employers from their privacy compliance efforts.

For example, like the HIPAA privacy rules, the HIPAA Electronic Transaction Rules are enforced by the Department of Health and Human Services ("DHHS"). And, as with the HIPAA privacy rules, covered entities could face penalties of up to $100 per violation, subject to a $25,000 annual cap on basic civil penalties for each violation. More serious violations can draw criminal penalties, including prison sentences that could range up to 10 years for the most serious violations. Also, HIPAA itself preempts some state laws, but not those that are "more stringent" than the HIPAA rules. Of course, even if HIPAA itself does not preempt a state law, the general ERISA preemption scheme remains in place – so a state law that "relates to" a benefit plan could be preempted.

Special Rules for Health Plans

Beyond the basic standard data requirements, other specific HIPAA Electronic Transaction Rules apply to health plans generally, though it is likely that many of these will be more relevant to health insurers, third-party administrators and other business associates than to employer-sponsored plans.

For example, as noted above, a health plan must conduct particular transactions as standard transactions if another covered entity requests that it do so. Health plans may not require providers to change or add to the standard data elements, and may not reject a transaction because it contains other data that the plan does not need. Health plans also may not offer health care providers an incentive to conduct transactions under an exception to the HIPAA Electronic Transaction Rules. Also, health plans may not delay or reject a transaction, or attempt to adversely affect the other entity or the transaction, because the transaction is not a standard transaction. Finally, health plans cannot charge fees for the use of a health care clearinghouse that exceed the normal telecommunications fees and costs.

Practical Compliance Approach

Using the table at the end of this article, an employer should:

1. Determine whether the employer (rather than the health plan) participates in the specific electronic exchanges of data covered by the HIPAA Electronic Transaction Rules. Under the rules, two of the covered transactions – sending enrollment information to a health plan, and sending premium payment information to a health plan – are treated as typically performed by an employer, not an employer’s health plan. This is important because an employer generally is neither a covered entity nor a business associate, so it is not required to follow the prescribed standards. It may be possible for an employer to handle other types of transactions, too. This seems unlikely, though, considering the "separation" between plan administration and all other employer functions that is required by the HIPAA privacy rules.

2. Determine whether the health plan itself (that is, internal plan administrators) actually participates in the specific electronic exchanges of data. If internal administrators conduct any of the eight specified transactions electronically, information systems should be modified as needed so that the electronic transactions comply with the standards issued by DHHS. Employers should consider whether this can be handled by their internal IT or HRIS resources, or whether outside technical expertise would be required. In some circumstances, the health plan’s third-party administrators may also provide some compliance assistance.

GCD Note: The actual code sets are identified in the DHHS regulations, and are subject to change. The most recent refinements, including the code set listing as of February 13, 2003, are available on the GCD website: http://www.gcd.com/db30/cgi-bin/pubsTransCodeSetRuleMarked.pdf.

3. Determine whether the plan’s outside business associates participate in these specific exchanges on behalf of the plan.

If an employer determines that the outside business associates engage in any of these transactions on a plan’s behalf, the employer will need to modify its services contracts or business associate agreements to ensure that the business associates are obligated to follow these standards.

GCD Note: Employers may not need to revise contracts with all of a plan’s outside vendors; it may turn out that only a few of them happen to exchange this specific data for these specific purposes.

Beyond these basic legal requirements there are business factors to consider. Even though the rules may not apply to a particular exchange of data (such as when an employer – rather than a plan – electronically sends enrollment information to a business associate) there may be other reasons why an employer wants to use standard electronic codes and data elements. These standards are designed to quickly become the industry norm. It may simply be more efficient or otherwise desirable to adopt them, and doing so may improve service from vendors.

How Do These Rules Really Work? An Example from DHHS

A large employer that sponsors a self-insured health plan hires several third-party administration firms to process claims under that plan, and a separate outsourcing or data services company to maintain eligibility and enrollment information on employees and perform other services that would make it a business associate of the plan. The TPAs make eligibility inquiries to the outsourcing company, rather than to the internal benefits administration staff at the employer. Health care providers also request eligibility information from the TPAs.

Must those eligibility inquiries from TPAs to the outsourcing company be conducted as standard transactions? No. An inquiry from one plan to another plan, or from a provider to a plan, to obtain eligibility information would have to be done as a standard transaction. But in this case, the transaction is between two business associates of the same plan.

What about the eligibility inquiries from providers? Those would have to be conducted as standard transactions. The reason is that inquiries from a provider to a plan are covered by the HIPAA Electronic Transaction Rules, and the TPAs here are business associates performing a plan administrative function on behalf of the plan. Therefore, this is an inquiry from a provider to a plan, so it would have to be conducted as a standard transaction.

HIPAA Glossary: Electronic Transactions

| Term | Definition |
| --- | --- |
| Business Associate | An entity that uses individually identifiable health information in the course of performing services for a plan, or performing certain specific services on behalf of a plan |
| Covered Entity | A health plan or health care clearinghouse, or health care provider that conducts the specified transactions electronically |
| DHHS | Department of Health and Human Services, the federal agency charged with enforcing the HIPAA Electronic Transaction Rules |
| HIPAA | Health Insurance Portability and Accountability Act of 1996 |
| Small Health Plan | A health plan with "annual receipts" of $5 million or less |
| Standard Transaction | An electronic transaction that complies with the relevant DHHS standard |

Identifying Electronic Transactions

This table lists all eight "transactions" for which standard codes and data elements have been developed. It can be used as a guide to evaluate whether an employer, the plan it sponsors, and the business associates of that plan conduct any of these transactions.

Please note that references to plans below include business associates performing plan administrative duties on behalf of plans.

| Type of transaction/description | Does the employer (e.g., non-benefits or HR areas) ever exchange this type of data for this reason? | Do the internal administrators of the plan (i.e., HRIS or benefits department) ever exchange this type of data for this reason? | Do the plan’s external vendors (i.e., business associates) ever exchange this type of data for this reason? |
| --- | --- | --- | --- |
| Enrollment/disenrollment in a health plan – transmission of subscriber enrollment information to a health plan to establish or terminate coverage | | | |
| Health plan premium payment – transmission from an entity that is arranging for the provision of health coverage (or is providing health care coverage payments for an individual) to a health plan of: payment, transfer of funds information, detailed remittance information about individuals, or payment processing information (including payroll deductions, group premium payments, and associated group premium payment information) | | | |
| Eligibility for health plan – inquiry from a provider to a plan or from one plan to another to obtain information about eligibility for benefits, health care coverage, or benefits associated with the plan (or a response from a plan to a provider’s inquiry) | | | |
| Health care claims or equivalent encounter information – transmission of a request by a health care provider to a health plan to obtain payment for health care (including accompanying information) | | | |
| Referral certification and authorization – request for the review of health care to obtain authorization for the health care or request to obtain authorization for referring an individual to another provider (or a response to such an inquiry) | | | |
| Health care claim status – inquiry to determine status of health care claims (or response to such an inquiry) | | | |
| Health care payment and remittance advice – transmission for health care of either: EOB or remittance advice from a health plan to a health care provider; or payment, transfer of funds, or payment processing information from a health plan to a health care provider’s financial institution | | | |
| Coordination of benefits – transmission of claims or payment information from any entity to a health plan for purposes of determining the payment obligations of the health plan | | | |

Copyright 2003 Gardner Carton & Douglas

This article is not intended as legal advice, which may often turn on specific facts. Readers should seek specific legal advice before acting with regard to the subjects mentioned here.