Updates on Two HIPAA Issues for Employers
Regulations published under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) could have a substantial impact on any employers who maintain group health plans for their employees or an employee health service to treat work-related injuries or illnesses. Below are updates on two HIPAA issues that affect such employers.
EDI Regulations Compliance Extension for Employee Benefit Plans
On August 17, 2000, the United States Department of Health and Human Services (“HHS”) issued Electronic Health Care Transactions and Code Sets standards (the “EDI Regulations”) under HIPAA. The EDI Regulations apply to health plans, health care clearinghouses, and most health care providers (“covered entities”). The EDI Regulations required compliance with these electronic transactions standards and code sets by October 16, 2002, except that small health plans (health plans with annual receipts of five million dollars or less) were not required to be compliant until October 16, 2003.
In December 2001, the Administrative Simplification Compliance Act (“ASCA”) was signed into law. It allows covered entities, other than small health plans, to file with the Centers for Medicare and Medicaid Services (“CMS”) a compliance plan to obtain a one-year extension of the October 16, 2002 compliance date. CMS has published a Model Compliance Plan extension form, available at http://www.cms.hhs.gov/hipaa/hipaa2/ASCAForm.pdf, that can be filed electronically. Note that an extension obtained by a covered entity as provider would not apply to the covered entity’s group health plan because group health plans are considered separate legal entities from their employer-sponsors.
Since the passage of ASCA and the publication of the Model Compliance Plan, there has been a great deal of confusion regarding the filing obligations of group health plans that do not themselves conduct any of the transactions for which HHS has adopted a standard (“covered transaction”) but whose third-party administrators (“TPAs”) or insurance carriers do conduct covered transactions on the group health plans’ behalf. Specifically, many employer-sponsors of such group health plans have wondered whether they must file for an extension of the EDI Regulations’ compliance date on behalf of their group health plans, or whether a filing by the TPA or insurer could cover the group health plan.
Recent public statements by CMS officials, and informal conversations with CMS representatives, indicate that CMS believes that each group health plan must independently file for an extension under ASCA. The group health plan cannot rely on the TPA’s own filing, even if that filing references the group health plan as an account on behalf of which the TPA conducts covered transactions. Note that for insured group health plans, it is uncertain what penalties could result from a failure to file for an extension under ASCA. Insured group health plans generally do not conduct any covered transactions, and transactions conducted by their issuers or HMOs will not likely be viewed as conducted on behalf of the insured group health plans. Therefore, it is not clear what an insured group health plan could gain by filing for an extension of the compliance date for regulations that it will never violate. Nevertheless, CMS seems to believe that every group health plan should file, irrespective of whether the group health plan itself conducts (or will ever conduct) any covered transaction.
CMS has stated on its website that a TPA may file a compliance plan on the group health plan’s behalf if the group health plan authorizes the TPA to do so, but the information on the form must be that of the group health plan and not the TPA. As a result, employers should consult immediately with their TPAs, insurers, and/or HMOs regarding how an appropriate extension will be filed and by whom. In many cases, the TPA, insurer, or HMO may be in the best position to make the necessary filing.
First Reports of Injury
HHS also published Standards for Privacy of Individually Identifiable Health Information (the “Privacy Regulations”) under HIPAA on December 28, 2000, and HHS modified the Privacy Regulations on August 14, 2002. Under the Privacy Regulations, employers who provide on-premises treatment for sick or injured employees are “health care providers.” The Privacy Regulations, however, only apply to health care providers who transmit health information in electronic form in connection with a covered transaction.
This issue arises when an employee health service submits a first report of injury electronically to a workers’ compensation carrier and/or to a state industrial accidents or workers’ compensation board. The first report of injury is a covered transaction under HIPAA. This submission could therefore be viewed as an electronic transmission of health information in connection with a covered transaction that would cause the employee health service to be a covered health care provider subject to the Privacy Regulations.
However, many states’ workers’ compensation laws require employers, and not treating providers, to make first reports of injury. In those states, one compliance option that an employee health service may wish to evaluate is to adjust the responsibilities of the employee health service so as to eliminate involvement in any potential covered transactions (e.g. by transferring; any electronic first injury report function to a human resources department or other non-provider office within the employer). Under the law in many states, an internal report filed in that manner will not by itself constitute a “first report of injury” transaction. Then, when the human resources department makes the first report of injury as required by state law, that transaction will not be conducted by the provider component (i.e., the employee health service).
Another compliance option for an employee health service to consider, in states that do not require electronic filing of first reports of injury, is to file first reports of injury by telephone, facsimile, mail, or other non-electronic means. This option may be available even in states that do require treating providers to make first reports of injury.
Through one of these two options, the first injury reporting process may be structured in such a way that the employee health service will not conduct any covered transactions electronically and will thus not be covered by the Privacy Regulations. In those situations where the employee health service constitutes the only potential “covered entity” component within an employer’s operations, following one of these two options should allow the employer to avoid altogether the administrative and compliance requirements imposed by the Privacy Regulations.
* * * * *
To ease their HIPAA compliance burdens, employers should take advantage of both ASCA’s compliance date extension and opportunities under state workers’ compensation laws for employee health providers to avoid electronic filing of first reports of injury. Nevertheless, both the EDI Regulations and the Privacy Regulations pose many other HIPAA compliance challenges. Ropes & Gray continues to be at the forefront of working on these and many other HIPAA compliance issues. If you have any questions about filing a compliance plan for an extension of the EDI Regulations’ compliance date, about your employee health service, or about any other aspect of your HIPAA implementation efforts, please contact your regular contact at the firm.