What's New

In addition to the items listed below, more new and archived information has recently been added to our site. Check our Publications section to read our recent newsletters, or use the search engine located in the upper right-hand corner of every page to find specific information of interest.

A GUIDE TO HIPAA IMPLEMENTATION FOR EMPLOYERS

By: Margaret Kostopulos

While the Health Insurance Portability and Accountability Act ("HIPAA" or "the Act") does not identify employers as "covered entities" subject to its rules and regulations, many municipalities nonetheless have HIPAA obligations. An employer who sponsors an insurance plan other than a fully insured plan must be cognizant of and conform to the HIPAA rules and regulations designed to ensure the privacy of certain health information referred to as "protected health information" ("PHI").

A municipality itself may be identified as the "covered entity" under the Act, either as a health care provider (generally through its EMS services) or as a health plan if it provides a self-insured health insurance program. Identification as a covered entity incurs greater privacy protection responsibilities under the Act. HIPAA obligates health care providers as well as health plans to conform to its privacy rules by April 14, 2003, unless the health plan is a "small plan" under the Act (defined as having receipts of less than $5 million). Small health plans must conform by April 14, 2004. This memo will not address the obligations of employers who are also covered entities, but will describe HIPAA implementation obligations for employers only.

A. Amendment of the "Plan."

HIPAA requires the health plan that is the covered entity to amend its Plan document to incorporate the privacy provisions of HIPAA. Municipalities that provide their own health insurance plan document should ensure that it includes HIPAA privacy provisions.

B. Privacy Official

The Act requires that the covered entity identify a privacy official who has the general responsibility to ensure compliance with the Act's privacy rules and regulations and to oversee the complaint process for claims of misuse of PHI or other violations of HIPAA. While an employer is not obligated to identify a privacy official, it is advisable to designate a contact person or on-site privacy official for the municipality to ensure compliance with privacy procedures. This individual should be someone who is very familiar with benefit issues and is willing to assume the ongoing responsibility.

C. HIPAA Privacy Policy and Procedures:

The Act requires covered entities to adopt a Privacy Policy and Procedures. A municipal employer must certify that it will follow the policies and procedures of the plan relating to HIPAA regulations.

D. Notice to Participants of Privacy Requirements

The covered entity must send a Notice of Privacy Requirements to each participant of the plan or recipient of health care services. Under HIPAA rules, each employee or former employee of a municipality who is or may become eligible to receive health insurance benefits is entitled to receive this notice. No obligation exists to notify spouses or other dependents of the employee or former employee. While this is the obligation of the covered entity, the employer, as the sponsor of the health insurance program, should be aware of the contents of the Notice in order to respond to questions from employees. Among the groups of individuals that should receive these documents, in addition to current employees, are retirees who have maintained their coverage as well as individuals who continued their coverage under COBRA.

E. Use and Disclosure of PHI

The greatest employer obligation likely arises in ensuring the appropriate use and disclosure of protected health information under HIPAA. This may occur when an employee seeks assistance with a claim or information on coverage, or when an insurer seeks information from a benefits manager regarding an employee or dependent. Any release of information for a purpose other than treatment, payment or health care operations can only be done after obtaining an authorization from the individual who is the subject of the information or, in appropriate circumstances, their representative. While a broad authorization would be easiest, the HIPAA rules and regulations prohibit use of a sweeping or all-purpose authorization.

An authorization is not necessary in order for an individual to speak to a benefits coordinator or other employee when the subject is their own PHI. An authorization is needed for the benefit coordinator (or other similar employee) to take action on that employee's behalf relative to PHI. Prior to an employer representative inquiring or acting on behalf of an employee, or seeking information regarding an employee, the employee in question must complete an authorization. The following are examples of situations in which an authorization will likely be necessary:

1. To assist in claims adjustment or for information regarding an EOB.
2. To coordinate benefits.
3. To use or disclose psychotherapy notes - even if the use or disclosure is for payment, treatment or health care operations. Psychotherapy notes only include actual discussions with the patient and are kept separate from other records.
4. To use for administering other benefit plans. For example, an authorization is necessary to determine whether an individual is eligible for a disability benefit.
5. To administer ADA, FMLA or other related employee benefits.
6. To provide data related to pre-enrollment physicals to life insurance companies.
7. To obtain pre-employment physicals or to disclose a pre-employment physical to another entity.
8. To use PHI for other employment purposes such as fitness-for-duty exams or drug testing. (NOTE: This does not require an employer to obtain an authorization for a doctor's note stating that an individual was absent due to illness.)

When employers disclose PHI, either with authorization or pursuant to treatment, payment or health care operations, only the minimum necessary may be disclosed. It is advisable to check with the Privacy Official on questions of minimum necessary information.

Employers with access to PHI must maintain copies of all of the following items for a period of at least six years from the date the documents were created or last in effect:

1. When a disclosure of PHI is made;
2. The date of the disclosure;
3. The name of the person or entity who received the PHI and, if known, the address of the entity or person;
4. A brief description of the PHI disclosed;
5. Individual authorizations.

F. Individual Request to Inspect Health Information

Under HIPAA's privacy rules, an individual can request permission to see and copy his or her own PHI. An employer who receives this request is obligated to provide the requestor only that information held in the "designated record set". Individuals have the right to see and obtain copies of their PHI for as long as it is maintained in the designated record set. HIPAA regulations also require that such information be sent electronically if the participant requests it and the entity has the capability. Generally, the designated record set includes medical records, billing records, enrollment, payment, claims adjudication and case or medical management record systems maintained for a health plan, as well as records used by the covered entity to make decisions about individuals. An example of information that is not in the designated record set is employment information, such as pre-employment physicals or drug test results (although this type of information may be PHI for other purposes).

The following guidelines should be followed if a request to inspect health information is received:

1. The employer representative must contact the Privacy Official to coordinate approval or denial of the Request.
2. A response is due in 30 days unless a specific extension is sought. The extension cannot exceed 60 days from the date of the Request.
3. The individual may authorize that a summary of the information be provided. This should be checked on the form if it is applicable.
4. The individual must sign and date the form.
5. A log of requests must be maintained along with their dispositions.

A response to an inspection request allows for one of three options:

1. Grant the request.
2. Obtain an extension of time.
3. Deny the request and provide the reason therefor.

The response must be signed and dated by the Privacy Official or on-site designee.

G. Amending a Record

Individuals can also request amendment of their PHI. This is done to correct any errors which might exist in the designated record set. If the employer did not create the information, it is under no obligation to correct it. A request to amend or correct must be signed and dated by the individual.

Much like the response to an inspection request, the response to an amendment or correction request requires the Privacy Official or on-site designee to select from three choices:

1. Grant the request to amend or correct the designated record set.
2. Seek an extension of time, with the reason therefor. Note: this extension can be for no more than 60 days from the date of the request.
3. Deny the request with the reason for the denial included.

The response must also contain a provision for the filing of a statement of disagreement by the individual if amendment or correction is denied. This statement should be limited to two 8½ x 11 pages, must be kept with the designated record set, and must be disclosed along with other information that is authorized to be disclosed regarding the individual. Furthermore, the individual may request that the original request and denial be provided with future disclosures of the PHI at issue.

H. Individual Request Not to Use or Disclose Information

While HIPAA allows individuals to request restrictions on the use and disclosure of their PHI, agreement to this restriction is discretionary with the covered entity. Attachment 13 is the Request Not to Use or Disclose Information as well as the Response. Again, ensure that the form is signed and dated.

I. Business Associate Agreements

A covered entity must ensure that all health plan or health care service providers, called "business associates", take steps to avoid inappropriate use or disclosure of PHI. The privacy rules provide that covered entities must enter into a written agreement with each business associate to honor the privacy policies and procedures. Under the contract, the business associate assumes the covered entity's obligations relative to privacy.

Employers must ensure that all business relationships in which PHI is used or disclosed are governed by a business associate agreement. Insurers and TPAs may seek such agreements from municipalities. A business associate agreement may be required for any person or organization which provides the following services to or for a municipal employer if the service requires use or disclosure of PHI:

1. legal
2. actuarial
3. accounting
4. consulting
5. data aggregation
6. management
7. administrative
8. accreditation
9. financial services

J. Segregation of PHI to Ensure Confidentiality

Finally, HIPAA requires all PHI to be physically segregated from other personnel information. The designated record set described above must be kept not only in a separate file, but preferably in a separate locked file cabinet. Fax machines from which PHI may be received must be kept in an area away from public view, and telephone calls and other conversations in which PHI is disclosed must be held in places that ensure complete privacy. Prior to faxing PHI, the sender must ensure that the receiving fax machine is secure.

Test your knowledge of municipal practices and procedures by checking out our new Question and Answer page.

Ancel Glink's 2003 Guide for Newly-Elected Officials is now on-line. Included are articles on the Illinois Gift Ban Act, the Open Meetings Act, personnel and labor issues, conflicts of interest, practices and procedures, revenue and expenditures and tort litigation.

The latest edition of Local Government News is now on-line with articles on political sign ordinances, zoning board variances, a student invocation at a school football game ruled unconstitutional, corporate sponsorships for park districts, the Illinois State Agency Historic Resource Preservation Act and the National Historic Preservation Act, and terminating a municipal officer.

Read Legal Update on Technology by Bill Kling and avoid getting a moving violation on the information superhighway.

School officials may want to look at a recent issue of School Law Briefing, which includes 13 suggestions from Stewart Diamond on how to shorten and improve school board meetings. IDEA reauthorization and the revision of Illinois' due process hearing system were addressed in a recent Special Education newsletter.

Rob Bush unravels the mystery of Permanent Partial Disability in a lengthy memorandum on Illinois Workers' Compensation law and practice.

Are you aware of the regulations for owners of underground storage tanks and the mandated upgrades which must be made to those tanks? Read about it here.

Anyone involved with liquor license revocation or suspension hearings should read Stewart Diamond's memorandum outlining the duties of the Local Liquor Control Commissioner.

The regulation of signs and billboards to aid in the beautification of communities was the topic of a speech we recently presented to the Illinois chapter of the American Planning Association. View the text of the speech.

New and archived materials will regularly be added to our site. Come back frequently for news affecting local governments and schools.