Standards and Regulation for Healthcare Admiistrators

Standards and Regulation for Healthcare Admiistrators

Federal Benefit Developments The New HIPAA Regulations: Some Answers, More Questions Russell E. Greenblatt and Daniel B. Lange R ecently released portability regulations under the Health Insurance Portability and Accountability Act of 1996, as amended, (HIPAA), provide additional information regarding what exclusionary practices are or are not permitted. Plan sponsors and insurance carriers may need to update their documents and procedures to come in line with the new requirements, effective for some plans as early as July 1, 2005. On December 29, 2004, the Department of the Treasury, the Department of Labor and the Department of Health and Human Services (Departments) released final regulations for health coverage portability under HIPAA. The final regulations were published in the Federal Register at 69 Fed. Reg. 78720 (December 30, 2004). In addition to answering many questions left unanswered by the interim regulations that were published in the Federal Register on April 8, 1997, the final regulations close several loopholes and create additional obligations that leave plan sponsors and insurance companies with additional obligations (along with a corresponding increased opportunity for error) in a highly technical area of plan administration. The final regulations go into effect for plan years beginning on or after July 1, 2005 (January 1, 2006, for calendar plan years). Until such time, the interim regulations apply. Discussed below are some of the more significant issues addressed in the final regulations and the impact that they may have on plan sponsors and insurance companies. Pre-Existing Condition Loopholes The final regulations and the preamble thereto discuss several examples of practices that, while not specifically permitted by the interim regulations, were not prohibited thereunder. In the final regulations, the Departments adopted language intended to curtail the practices set forth below. As clarified in the final regulations, denials of coverage based o

ORDER A PALGIARISM FREE PAPER NOW

n the following types of plan provisions are subject to HIPAA’s limitations for pre-existing condition exclusions: Russell Greenblatt and Daniel Lange are attorneys in the Employee Benefits and Executive Compensation Group of the Chicago office of the law firm Katten Muchin Zavis Rosenman. BENEFITS LAW JOURNAL BLJ Sum05 18.2.indd 77 77 VOL. 18, NO. 2, SUMMER 2005 4/18/2005 11:43:45 AM Federal Benefit Developments • A plan provision that provides coverage for accidental injury only if the injury occurred while covered under the plan; • A plan provision that counts amounts received under prior health coverage against its own lifetime benefit limits; and • A plan provision that denies benefits for pregnancy until 12 months after an individual generally becomes eligible for benefits under the plan. In addition to the above, the final regulations also contain rules prohibiting the total denial of coverage for specific congenital conditions if the plan generally covers such conditions. For example, if a plan covers treatment for a cleft palate only if the participant has been covered by the plan since birth, then the denial of coverage for a cleft palate of a participant who began coverage after birth would be a pre-existing condition exclusion subject to the limitations of HIPAA. The Departments stated, however, that such coverage would be unavailable if, by plan terms, no coverage for such conditions was available to any participant. Therefore, if the plan never covered treatment for cleft palates, then no HIPAA violation would result from a total denial of claims related to such treatment. Another loophole the Departments closed in the final regulations was the practice of disallowing coverage altogether for pre-existing conditions that arose before a new insurance contract becomes effective with respect to an ongoing plan. Such denials of coverage were based on the argument that HIPAA (and the interim regulations) only provided for limited pre-existing condition exclusionary periods upon an individual first becoming eligible for coverage under the plan. The argument therefore was that individuals already covered under the plan were susceptible to pre-existing condition exclusions, without the limitation of periods provided under HIPAA, when the plan switched to a new insurance provider. The final regulations clarify that an exclusionary period can apply when a participant first becomes eligible for coverage under the plan, as well as under specific insurance contracts thereunder. Therefore, if a new insurance company attempts to deny coverage for a pre-existing condition when a plan changes to the new carrier, then the limitations of HIPAA will apply to the exclusionary period, and such periods will thus be limited to the extent prior creditable coverage can be shown or as otherwise provided under HIPAA. Applicability to Dependents Under the final regulations, a “dependent” is defined as any individual who is or may become eligible for coverage under the terms BENEFITS LAW JOURNAL BLJ Sum05 18.2.indd 78 78 VOL. 18, NO. 2, SUMMER 2005 4/18/2005 11:43:45 AM Federal Benefit Developments of a group health plan because of a relationship to a participant. Therefore, it appears that while certain tax code provisions may apply with respect to whether an individual is eligible for tax-free benefits from a plan, such rules are irrelevant for purposes of HIPAA. More simply stated, under the final regulations, if a plan allows coverage for individuals that are outside of the definition of a dependent allowed under Internal Revenue Code (IRC) Sections 105, 106, and 152, the fact that the cost of coverage provided with respect to such individuals may be taxable to the participant does not affect whether such individual is allowed all of the rights afforded to other plan dependents under HIPAA. This includes the use of creditable coverage to offset pre-existing condition exclusions, individualized certificates of creditable coverage, and special enrollments periods, all provided under HIPAA and the final regulations. Special attention to such rules should be paid by plans and insurers that provide coverage to dependent children beyond December 31 of the year in which such child reaches age 18 (age 23 for full time students), as well as domestic partner/same-sex spouse coverage. Lifetime Limits Where an individual has a claim denied under a prior plan due to a lifetime limit on benefits, HIPPA provides a special enrollment period under the new plan. Under both the interim regulations and the final regulations, a plan must offer such special enrollment periods, during which certain individuals are allowed to enroll outside of the annual enrollment period as a result of certain events. Under the interim regulations, such special enrollment periods arose, for example, if a person lost other health coverage, if employer contributions toward the other coverage cease, or if a person becomes a dependent (through marriage, birth, adoption, or placement for adoption). In order to qualify for such special enrollment, a person must otherwise have been eligible for coverage under the plan (i.e., they must meet the plan’s eligibility requirements). Under the final regulations, special enrollment right arises upon the date that a claim is first denied under a prior plan by reason of exceeding its lifetime limit, and continues for 30 days thereafter. The preamble to the regulations identifies that if an individual is aware that the limit has been surpassed, then the special enrollment period could begin on the date the claim was incurred, even though the 30 days would not commence until the claim is denied, effectively extending the special enrollment period. Allowing a special enrollment for reaching lifetime benefit limits can result in a substantial benefit for employees with sick dependents. For example, consider the case where an employee with a sick dependent changes jobs at a time when the dependent is nearBENEFITS LAW JOURNAL BLJ Sum05 18.2.indd 79 79 VOL. 18, NO. 2, SUMMER 2005 4/18/2005 11:43:45 AM Federal Benefit Developments ing a lifetime limit under the prior employer’s plan. The dependent can elect to remain covered by the prior employer’s plan under the Consolidated Omnibus Budget Reconciliation Act of 1985 (to the extent applicable). Then, upon exhaustion of the lifetime limit, the dependent can enroll in the new employer’s plan and start over with a new lifetime limit. In addition, because of the closure of the loopholes discussed above, the new plan’s lifetime limit may not be offset by claims incurred under the prior plan. Required Notices According to the interim regulations, a plan may not impose a pre-existing condition exclusion against any individual without first providing a general notice to the participant. The interim regulations were unclear, however, as to the timing of such notice. Some plans would delay sending a notice until after a large claim was filed by the participant. Under the final regulations, however, the general notice must be provided as part of any written application materials distributed by the plan or insurer for enrollment or, if not provided at such time, by the earliest date following a request for enrollment that the plan or insurer, acting in a reasonable and prompt fashion, can provide the notice. The final regulations also have additional requirements for information that must be included in the general notice, including the terms of the plan’s exclusion and the name and contact information of someone who can provide additional assistance. In addition, the final regulations make clear that the general notice must apply specifically to the plan or policy of the participant receiving the notice. Therefore, if an insurance company has policies with six-month exclusions and others with 12-month exclusions, then the general notice sent to participants in the respective policies must specifically state the timeframe for the exclusion under their own policy. Apparently, a general statement that either a six-month or 12-month exclusion may apply (to the extent not reduced by prior creditable coverage) is not acceptable. For compliance assistance, a model general notice was supplied in the final regulations. Once a plan or insurance company determines that a pre-existing condition exclusion applies to a specific participant or dependent (a determination that, under the final regulations, must be completed within a reasonable time), the plan or insurance company must provide such participant with an individual notice stating the length of such exclusion. Such notice is not required to identify any specific medical condition to which the exclusion applies. For clarity and compliance assistance, the final regulations contain a sample notice. BENEFITS LAW JOURNAL BLJ Sum05 18.2.indd 80 80 VOL. 18, NO. 2, SUMMER 2005 4/18/2005 11:43:46 AM Federal Benefit Developments While compliance assistance is given in the regulations through the use of examples and model notices, the plan sponsors and insurers should be aware that failure to provide the required notices could lead to a pre-existing condition exclusion becoming nonenforceable. Exceptions for Certain Benefit Plans The final regulations also provide guidance with regard to which particular types of benefits and benefit plans are not covered by the HIPAA portability requirements. Set forth below is a brief summary of those rules—though it should be noted that referring to the regulations alone is unlikely to provide the researcher with all the guidance available on the subject. Rather, the preamble to the regulations provides many examples and conditions or limitations regarding excepted benefits and benefit plans. Generally, the requirements do not apply to a plan with respect to a plan year if on the first day of that plan year the plan has fewer than two participants who are current employees. In addition, some types of benefits are excepted from HIPAA in all circumstances. These benefits include coverage only for accident (including accidental death and disability coverage), disability income coverage, workers’ compensation and similar coverage, automobile medical payment insurance, and coverage for on-site medical clinics. Limited scope dental benefits, limited scope vision benefits, and long-term care benefits are excepted if they are provided under a separate policy, certificate, or contract of insurance or are otherwise not an integral part of the plan, if participants have the right not to elect coverage for the benefits, and if participants who elect such coverage must pay an additional premium or contribution for it. The regulations (supplemented by the preamble) provide significant guidance as to how to determine whether a particular arrangement qualifies for this exemption, and the exception has been significantly expanded and clarified from the interim regulations. Health Flexible Spending Arrangements (FSAs) are generally excepted from the portability requirements. The final regulations contain standards for determining which health FSAs are or are not eligible for the exception. Generally, the final regulations expand the list of requirements that must be met, including incorporating into the final regulations the “clarification” to the interim regulations issued on December 29, 1997.1 Among such requirements is that the maximum benefit payable for the employee under the FSA for the year does not exceed two times the employee’s salary reduction election under the FSA for such year, the employee must have other coverage available under a group health plan of the employer for such year, and such coverage cannot be limited to the benefits that are excepted under HIPAA. BENEFITS LAW JOURNAL BLJ Sum05 18.2.indd 81 81 VOL. 18, NO. 2, SUMMER 2005 4/18/2005 11:43:46 AM Federal Benefit Developments Health Savings Accounts (HSAs) are also excepted from the HIPAA portability rules. This exception is because HSAs are generally not employee welfare benefit plans.2 What about Health Reimbursement Arrangements (HRAs)? Unfortunately, neither the final regulations nor the preamble addresses the question of whether HRAs are excepted benefit plans. Language in the regulations and preamble that pertains to other excepted benefit arrangements, however, would seem to apply with equal force in the case of an HRA, and thus, presumably, HRAs will similarly be excepted. For example, 29 Code of Federal Regulations (CFR) Section 2590.732(c)(5)(C) provides that “supplemental benefits” are excepted from HIPAA portability coverage if they are ”provided under a separate policy, certificate, or contract of insurance” and, after giving several examples, defines one type of exception as follows: Similar supplemental coverage provided to coverage under a group health plan. To be similar supplemental coverage, the coverage must be specifically designed to fill gaps in primary coverage, such as coinsurance or deductibles. Similar supplemental coverage does not include coverage that becomes secondary or supplemental only under a coordination-of-benefits provision. The preamble, when discussing the exceptions provided to other types of benefit arrangements (such as FSAs), refers to the purpose and operation of those arrangements in a manner that can apply with equal force to most HRAs. Thus, it would appear that, at least with respect to those HRAs that are sponsored by employers who also provide coverage under a primary health care plan, an HRA would appear to be eligible for the exclusion. Hopefully, guidance will be provided in the near future with respect to this question. Conclusion As the reader undertakes to bring a plan into compliance with the final regulations, care should be taken to read the preamble in conjunction with the regulations. Several examples and explanations (absent from the actual regulations) are set forth in the preamble that allow for a greater understanding of the intent of the final regulations. In reacting to the final regulations, plan sponsors should be careful to complete a timely amendment of plan documents, summary plan descriptions, and plan administrative procedures. In addition, sponsors should work with insurance providers (including stop-loss carriers) and third party administrators to ensure total plan compliance on a timely basis. Finally, take note, in addition to promulgating final regulations, the Departments also published a request for comments and a notice of proposed rule-making on issues that are not addressed in BENEFITS LAW JOURNAL BLJ Sum05 18.2.indd 82 82 VOL. 18, NO. 2, SUMMER 2005 4/18/2005 11:43:47 AM Federal Benefit Developments the final regulations, such as extending the break in coverage allowance to up to 107 days (from the 63 days currently allowed) as well as benefits-specific waiting periods.3 Therefore, additional HIPAA guidance can be expected in the near future. Notes 1. 62 Fed. Reg. 67688. 2. DOL Field Assistance Bulletin 2004-01. 3. See 69 Fed. Reg. 78800–78825, 69 Fed. Reg. 78825–78827 (Dec. 30, 2004). BENEFITS LAW JOURNAL BLJ Sum05 18.2.indd 83 83 VOL. 18, NO. 2, SUMMER 2005 4/18/2005 11:43:47 AM Scripts for Success When It Comes to HIPAA Implementation Examples of Work Products That Could Be Adapted to Fit Your Needs Robert Falk T Robert Falk is counsel at Powell, Goldstein, Frazer & Murphy LLP in Washington, DC. He concentrates on advising health care providers in matters associated with regulatory compliance, including fraud and abuse, reimbursement, and privacy issues. He can be contacted at 202/ 624-7318 or by email at rfalk@pgfm.com. he April 14th deadline for HIPAA implementation has now passed, but the practice of HIPAA remains new. HIPAA implementation is rolling out in stages. In phase one, providers engage in a mad scramble towards meeting the technical requirements of the rule. Here, basic questions drive the HIPAA juggernaut. Is the notice of privacy practices in place? Do we have a procedure that enables us to provide an accounting to patients? In phase two, HIPAA privacy officials spend a great deal of time responding to the minute questions that arise from living day-today with HIPAA. Another provider claims we have to have an authorization form before they share information. What do we do? A police officer is at the front door asking if Mr. X is a client here. What can we tell him? Given the enormity of HIPAA, phases one and two generally leave the staff members who are charged with implementing HIPAA exhausted. At some juncture, however, organizations living with HIPAA need to move on to phase three, in which the fundamental question becomes: How do we making living with HIPAA easier? The purpose of this article is not to provide a regurgitation on the technical requirements of the rule or to identify its gray areas. Rather, it offers some sample tools or scripts that could make working in this brave new HIPAA world more manageable. The article takes some real-life problems that staff will frequently encounter and provides guidance on how communication can be handled in such a way that the HIPAA workload might be lightened. We identify an issue, the challenge, and a potential path for reducing the impact of the problem. The scripts are offered as models and should be adapted to the needs of any particular provider. Issue: Explaining the Notice of Privacy Practices The Challenge: If line staff members feel that they are required to explain the notice Journal of Health Care Compliance • July-August 2003 of privacy practices to each client on the first post-HIPAA encounter, registration procedures will slow to unacceptable levels. On the other hand, patients will want the opportunity to talk to someone regarding what is in the notice. The Objective: To let the client know in general terms what the document is, that they do not have to agree to it now, and that they can get further information about the contents but at a later time. The Script: Ms. Jones, I am required to give you this document. It is our organization’s notice of privacy practices. The notice informs you of your federal and state rights related to the confidentiality of your medical information, and it tells you how we might use your information. If you have recently gone to another doctor or another provider, you probably have been given a similar document about your rights. I am required to ask you to sign the last page, which states that we have given this document to you. You may choose to sign this acknowledgment form now, or you may refuse to sign it. If you would like to take time to read the document and then ask questions about our confidentiality policies, we have staff members who are available to you. You can call them at __________ between the hours of ______ and ______. Would you mind signing the form for me? Issue: Patient Requesting Copies of His or Her Medical Record The Challenge: If the individual has been a longstanding patient, the medical chart may be quite thick. If the request is not narrowed, significant staff time can be spent copying the record. The Objective: To encourage the patient to either narrow the scope of the request or to consider reviewing the record in hard copy rather than obtaining a photocopy. The Script: Mr. Rodriquez, I understand that you have asked for a copy of your medical chart. Under federal regulations and our policies, you have a right to receive a copy of your record unless certain limited 19 Scripts for Success When It Comes to HIPAA Implementation exceptions apply. I want you to know that we would like you to have access to whatever information you feel you need. Please understand, however, that it can take a good bit of time for us to copy your record. If you could tell me a little bit more about what you want the copy for, maybe we could figure out if a copy of only parts of your record would meet your needs. Or, if you only want to see what information is in your chart, we could arrange for you to come in to read it, rather than giving you a copy. If you want to just read your chart, you would save copying costs, which are $__ per page. Do you think that either approach, either copying only a portion of the record or reading it in person, will work for you? If so, let’s discuss how we can make this happen. Issue: Routine (or Non-Routine) Audit of Patient Records by Outside Agency The Challenge: An auditor may show up asking to review 30, 50, or 100 patient charts. It may be difficult to create a contemporaneous entry in the accounting log for each file. The Objective: To get sufficient information from the auditor to create a photocopied sheet with a blank name and date that can be inserted into each patient file as the auditor goes through it. The Script: Ms. Chen, I recognize that your agency has the right to audit our patient files for compliance purposes. Under the federal privacy regulations, however, we have certain obligations with respect to our patients. One of these obligations is to be able to account for disclosures made to outside entities if our patients want that information. I would like to ask for your help in making sure our patient rights are protected. First, I would like to know your name, your agency, and what the purpose of this audit is. I will then take five minutes to prepare a standard form that can be inserted in each patient file. I will provide you with a stack of (30/50/ 100) of these forms. When you look at a file, would you mind writing the patient’s name on the top of one of these forms so that it can be inserted in the patient’s chart? If you are not comfortable doing that, would you at least pull the file and set it aside so that we can insert the form later? I thank you for your help in this process. (Please see Exhibit 1 for an example of the form.) Clearly, this form could be adapted for other purposes, including public health reporting purposes like cancer registry review or reporting sexually transmitted diseases. Issue: Personal Representative Seeks to Act on Behalf of the Patient The Challenge: An individual may arrive at your door demanding their rights to one of your patient’s medical records as the patient’s personal representative. Staff must avoid releasing information to the person improperly and must gather the relevant information from this individual to determine if the individual is entitled to the information. The Objective: To obtain necessary information based on a few targeted questions to ensure that the individual qualifies as a personal representative under federal and state law but without appearing hostile or unhelpful to the individual. The Script: Mr. Smith, I understand that you would like to review the medical records of Ms. Green as her personal representative. We hope you understand that Exhibit 1—Notice of Disclosure Form Information about you has been disclosed to the _______ department, which is responsible for overseeing compliance with regulatory standards regarding ________________. This disclosure is permissible under HIPAA as a public purpose disclosure and is required by [state/federal] law. The purpose of this disclosure is to enable the agency to _________________________________________________. The following information may have been disclosed about you: [_] Your entire medical file may have been reviewed by the auditors. [_] Limited portions of your medical file may have been reviewed by the auditors. These portions would include: _____________________________________________. [_] Records regarding the billing for services provided may have been reviewed by the auditors. To the extent necessary, the auditors may have reviewed medical information to determine medical necessity. [_] Other This disclosure was made on ____________________ (Date). The contact information for the agency conducting the review is as follows: [Contact name or position] [Agency address] [Agency phone number] 20 Journal of Health Care Compliance • July-August 2003 Scripts for Success When It Comes to HIPAA Implementation we are very concerned about the privacy of our patients, and other providers across the country have had problems with individuals who have falsely claimed to be an individual’s representative to get improper access to an individual’s medical information. I am required to confirm that you qualify as a personal representative of this patient under federal and state law. Would you explain how you are related or have responsibility for the patient? Are you a parent, guardian, acting in loco parentis or ______? Can you provide some form of documentation relating to this role? Do you have any court order or a power of attorney for health care that might give you the right to review the information? If you don’t mind, I am going to make a copy of this documentation for the file so that next time you come into the office, our staff will know who you are when you request copies of Ms. Green’s records. [Some alternative language] I understand that you are Ms. Green’s [husband, brother, son, partner]. However, I am not authorized to give you access to her information automatically in the circumstances. I would like to have you talk directly with our chief privacy officer so that he or she can help you. Would you like me to place this call now, or would you like the number so that you can call him or her directly? Issue: A Patient Seeks to Make Complaints The Challenge: An upset patient makes complaints to various staff members. Staff must determine whether the patient’s complaint may be resolved informally or if the patient actually is requesting to formally lodge a complaint. The Objective: To determine the actual nature of the complaint and, if possible, provide the patient with informal solutions that will be less cumbersome than formal procedures and to encourage the patient to use the provider’s grievance process exclusively. The Script: Ms. Todd, I understand that you would like to lodge a complaint relating to how our office handled your medical information. I am really sorry that you feel that you have had a negative experience, and I want to help make sure we get the matter resolved. Under federal law, you have a right to file your complaint in writing with our office. We do have a formal grievance process, and I can give you that form to fill out. I’m wondering, however, whether there’s anything I can do to help resolve the problem more immediately. Would you like to talk to me about the issue? What is the nature of the problem? What would you like to see happen as a solution? Are there any steps you think we could take to minimize the impact of the problem? What Journal of Health Care Compliance • July-August 2003 do you think we could do to prevent the problem in the future? If you would like, I would be glad to arrange a conversation with our privacy officer about these matters. Would that be helpful? Issue: Refusals to Disclose Medical Records Without Patient Authorization The Challenge: When a provider needs to obtain the medical records of a patient from another provider for treatment or payment functions and the provider refuses to disclose this information without patient authorization. The Objective: Provide staff members with the tools to educate providers regarding how they may share the information without patient authorization. The Script: Dr. Brown, I understand that you are refusing to send to our office certain medical records relating to Ms. Jones without her written consent or authorization. We need access to this information in order to treat Ms. Jones. The federal privacy regulations expressly permit health care providers to share patient information with one another for the purpose of treating patients without having to get patient authorizations. As we have not obtained an authorization from Ms. Jones and federal law allows you to disclose these records, would you send these records to our office today? If you need confirmation of your ability to do this, I would suggest going to http://www.hhs.gov/ocr/ hipaa, and then looking at the frequently asked questions section. If you then look at question six: Can a physician’s office FAX patient medical information to another physician’s office?1—I think you will find information that will give you comfort. If you don’t have Internet access, I can fax the text to you. Would that be helpful? These scripts are samples of work products that might be helpful to line staff. They clearly would need to be adapted to reflect state law and provider internal policies. Now that the initial push to achieve HIPAA compliance should be over, however, compliance officers should take the time to make the day-to-day administration easier. Reference 1. Q: Can a physician’s office FAX patient medical information to another physician’s office? A: The HIPAA privacy rule permits physicians to disclose protected health information to another health care provider for treatment purposes. This can be done by fax or by other means. Covered entities must have in place reasonable and appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information that is disclosed using a fax machine. Examples of measures that could be reasonable and appropriate in such a situation include the sender confirming that the fax number to be used is in fact the correct one for the other physician’s office and placing the fax machine in a secure location to prevent unauthorized access to the information. See 45 CFR164.530(c). 21 Copyright of Journal of Health Care Compliance is the property of Aspen Publishers Inc. and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder’s express written permission. However, users may print, download, or email articles for individual use.
Purchase answer to see full attachment