
The Empire Plan is a unique health insurance plan designed especially for public employees in New York State. Empire Plan benefits include inpatient and outpatient hospital coverage, medical/surgical coverage, Centers of Excellence for transplants, infertility and cancer, home care services, equipment and supplies, mental health and substance abuse coverage and prescription drug coverage.

GEORGE E. PATAKI
GOVERNOR
STATE OF NEW YORK
DEPARTMENT OF CIVIL SERVICE
ALBANY, NEW YORK 12239
www.cs.ny.gov
GEORGE C. SINNOTT
COMMISSIONER
DANIEL E. WALL
EXECUTIVE DEPUTY COMMISSIONER

PA03-05

TO: Participating Agency Health Benefits Administrators
FROM: Robert W. DuBois
SUBJECT: Health Insurance Portability and Accountability Act (HIPAA)
DATE: March 25, 2003

Last September we provided you with some general information regarding the Health Insurance Portability and Accountability Act (HIPAA). As we indicated at that time, the HIPAA privacy regulations, which have been codified at 45 CFR Parts 160 and 164, have a compliance date of April 14, 2003. In recent months the HIPAA privacy regulations have been finalized and we have taken steps to ensure that NYSHIP is in full compliance. This material provides you with an update on those steps as well as information about how HIPAA affects the relationship between NYSHIP and your agency. For your information, I have also included background information about HIPAA.

If you have any questions, please don't hesitate to contact the Division’s Policy Unit at (518) 457-4402.

March 25, 2003

Dear Chief Executive Officer:

Last September we provided you and your Agency’s Health Benefits Administrator with some general information regarding the Health Insurance Portability and Accountability Act (HIPAA). As we indicated at that time, the HIPAA privacy regulations, which have been codified at 45 CFR Parts 160 and 164, have a compliance date of April 14, 2003. In recent months the HIPAA privacy regulations have been finalized and we have taken steps to ensure that NYSHIP is in full compliance. I want to take this opportunity to provide you with an update on those steps as well as information about how HIPAA affects the relationship between NYSHIP and your agency. For your information, I have also included background information about HIPAA.

A copy of the attached material also is being provided to your agency’s health benefits administrator. Health benefit administrators also have and will continue to receive HIPAA information through broadcast messages and/or memos from the Employee Benefits Division.

I hope you find this information helpful. If you have any questions or concerns, please do not hesitate to contact me.

Sincerely,

Robert W. DuBois, CEBS
Director
Employee Benefits Division

HIPAA BACKGROUND INFORMATION

What is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act, a federal law passed in 1996 to improve the efficiency and effectiveness of the nation’s health care system. The act includes a series of administrative simplification provisions requiring the use of industry-wide standard data sets and calls for new safeguards on the privacy and security of personal health information.

What do the HIPAA privacy regulations address?

The HIPAA privacy regulations, entitled "The Standards for Privacy of Individually Identifiable Health Information," were issued by the U.S. Department of Health and Human Services pursuant to the federal HIPAA statute. The HIPAA privacy regulations, which take effect on April 14, 2003, provide the first comprehensive federal protection for the privacy of individuals' medical records and other personal health information. In general, the HIPAA privacy regulations:

  • Give individuals the right to access their medical records;
  • Limit the use and disclosure of individually identifiable health information;
  • Restrict most disclosures of information to the minimum needed for the intended purpose; and
  • Provide civil and criminal penalties if these privacy rights are violated.

What types of organizations and individuals are required to comply with HIPAA?

HIPAA privacy standards apply to:

  • Health care providers who transmit any health information electronically in connection with certain transactions;
  • Health plans; and
  • Health care data clearinghouses.

What is covered by HIPAA?

HIPAA covers Protected Health Information (PHI) which is individually identifiable health information relating to:

  • Past, present or future physical or mental health or condition of an individual;
  • Provision of health care to an individual; or
  • The past, present or future payment for health care provided to an individual.

This broad definition includes medical records and history, enrollment data, health plan choice and health insurance premium information.


HIPAA: NYSHIP and Its Participating Agencies

Please note that the following information relates to your agency as a Participating Agency in NYSHIP only. If your agency offers other health insurance plans to employees you should consult with your legal counsel regarding how the provisions of HIPAA affect you in relation to those plans. Also, this information pertains only to HIPAA privacy regulations. Other HIPAA regulations may be issued in the future and result in additional requirements and/or obligations.

What is NYSHIP’s status under HIPAA?

As a group health plan NYSHIP is a covered entity under HIPAA and as such must fully comply with the requirements of HIPAA. NYSHIP’s plan sponsor is the Health Insurance Council, as established in NYS Civil Service Law. The Council consists of the President of the Civil Service Commission, the Director of the Budget and the Director of the Governor’s Office of Employee Relations.

As a Participating Agency in NYSHIP, how is your agency affected by HIPAA privacy regulations?

As the result of our review of the HIPAA privacy regulations we have determined that, within the context of NYSHIP participation, a Participating Agency is subject to some HIPAA privacy requirements. HIPAA restricts the flow of certain types of information related to the health care of the employer’s employees, and restricts the circumstances under which those types of information can be disclosed to the employer by the plan and the plan’s insurers.

Pursuant to 45 CFR 164.504(f), the NYSHIP and the Empire Plan insurers may disclose to a Participating Agency information on whether an employee is enrolled in, or has disenrolled from, the Empire Plan. Additionally, the NYSHIP and the Empire Plan insurers may disclose summary health information to a Participating Agency if the Participating Agency requests the summary health information for one of the following purposes:

  • To obtain premium bids from other plans;
  • To provide health insurance coverage under the Participating Agency's group health plan; or
  • To modify, amend, or terminate the Participating Agency's group health plan.

In the past, the NYSHIP Empire Plan has provided Participating Agencies with enrollment information and summary health information upon request, and will continue to do so as long as the information is for the purposes described above, consistent with HIPAA privacy requirements. The NYSHIP Empire Plan has not disclosed individual-specific health information to Participating Agencies in the absence of a signed authorization by the individual, and will continue to follow that practice, consistent with HIPAA privacy requirements. Therefore, if an employee requests assistance from agency staff in resolving a NYSHIP claims problem that involves the disclosure of protected health information, such authorization will be required.

What steps does your agency need to take to ensure compliance with HIPAA?

Because a NYSHIP Participating Agency may receive and use only enrollment information and summary health information, being a NYSHIP Participating Agency does not make your agency subject to most HIPAA privacy implementation requirements. For example, as a NYSHIP Participating Agency your agency is:

  • Not required to amend any documents it has produced describing the terms of its local group health plans [45 CFR 164.504(f)];
  • Not required to maintain or provide a Notice of Privacy Practices [45 CFR 164.520(a)];
  • Not required to designate a privacy official or a complaint official; and
  • Not required to implement policies and procedures regarding other HIPAA requirements such as training, organizational safeguards, a complaint process, sanctions for noncompliance by employees that violate HIPAA standards, mitigation procedures to address violations of HIPAA standards, or to otherwise implement other implementation standards that the NYSHIP Empire Plan has been required to implement.

However, as a NYSHIP Participating Agency, your agency is subject to the following HIPAA privacy requirements [45 CFR 164.530]:

  • A Participating Agency may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against an individual as a consequence of the individual having exercised any right he or she may have pursuant to HIPAA, or as a consequence of an individual having participated in any process established by the HIPAA regulations, such as filing a complaint with the Empire Plan or with the Secretary of Health and Human Services concerning the Empire Plan's privacy practices. Also, no such action may be taken against any individual(s) who testify, assist, or participate in an investigation, compliance review, proceeding, or hearing under Part C of Title XI of the Social Security Act, or for opposing any act or practice that the person believes violates HIPAA privacy requirements as long as the individual acts in good faith, the manner of opposition is reasonable, and the manner of opposition does not involve a disclosure of another person's protected health information.

  • A Participating Agency may not require any individual to waive their right under 45 CFR 160.306 to file a complaint with the Secretary of Health and Human Services concerning a potential violation of HIPAA privacy requirements as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.

What steps is NYSHIP taking to be HIPAA compliant by April 14, 2003?

NYSHIP will be fully compliant with HIPAA by the effective date. NYSHIP has taken or is in the process of taking the following steps in accordance with HIPAA requirements:

  • Amending its Plan documents;
  • Amending its contracts with Empire Plan insurers;
  • Maintaining a Notice of Privacy Practice;
  • Designating a privacy official and a complaint official;
  • Providing HIPAA training to staff;
  • Implementing security safeguards;
  • Establishing a complaint process;
  • Establishing sanctions for noncompliance by employees that violate HIPAA standards; and
  • Establishing mitigation procedures to address violations of HIPAA standards.

Additionally, Empire Plan enrollees will be receiving the Notices of Privacy Practices from each of the Empire Plan's four insurers. Enrollees may request a copy of NYSHIP's Notice of Privacy Practice by contacting the Employee Benefits Division; it will also be available on the Department's website at www.cs.state.ny.us under Employee Benefits.

 
