The purpose of the privacy rule is to require group health plans not to use or disclose individually identifiable health information for any purpose unless it is permitted under the Department of Health & Human Services ("HHS") regulation governing the privacy of medical information.
Permitted uses include activities related to eligibility, coverage determinations and billing.
- Review all contracts with vendors and providers to assess need for HIPAA Privacy Compliance.
- Develop a budget.
- Designate a Privacy Officer.
- Prepare Participant's Privacy Notices, Fund Privacy Policy, consents and authorizations.
- Fund counsel should review all plan documents and amend as required to comply with the HIPAA privacy requirements.
- Develop a HIPAA Privacy training plan for Fund personnel. This will include who is to be trained and the nature of the training, e.g., live training or videos.
- Firewalls may need to be established between Fund Office employees administering the group health plan and other employees who are not so involved.
TREATMENT:
- Treatment is referred to as the provision and management of health care by one or more medical providers.
- In the event PHI is not to be used for TPO as above, an individual authorization is required from the participant in order to use or disclose the participant's PHI.
PAYMENT:
- Plans may disclose PHI for premium determination or reimbursement or in connection with providing coverages and benefits.
- Payment activities include eligibility or coverage determinations. They also include coordination of benefits and subrogation.
- Communications with stop loss carriers are considered part of payment.
- Utilization Review.
HEALTH CARE OPERATIONS
- Quality Assurance.
- Underwriting and Premium Determination.
- Review of Claims.
- Legal Services. If your Fund attorneys receive any PHI in connection with claims review, they are considered to be involved in a health care operation.
- Auditing.
CONSENTS & AUTHORIZATIONS:
- The regulation does not require consent to be obtained by a medical provider before treatment.
- Plans do not have to obtain a consent from their participants before using PHI for TPO purposes. However, I recommend that Plans prepare appropriate consent and authorization documents for signature by Participants.
- The authorization is particularly important since the Board of Trustees of a Taft-Hartley health fund is technically not a covered entity under HIPAA. Accordingly, the Participant should sign an authorization permitting the Fund Administrator to furnish PHI to the Board of Trustees in connection with TPO. In conjunction with this, the Board of Trustees will have to adopt a privacy policy protecting the confidentiality of the PHI. The policy is similar to that which business associates must adopt. I recommend that the Trustees do this by Resolution, and that the Trustees' Privacy Policy on PHI be distributed to Participants as a summary of material modifications to the Summary Plan Description. It should also be included in the Summary Plan Description when it is revised.
MINIMUM DISCLOSURE REQUIREMENT:
- Identify the persons in the plan workforce who require access to PHI to carry out their duties.
- Delineate the categories of PHI which each of such persons requires to perform their assigned duties.
- Trustees should establish conditions which apply to accessing PHI.
- The plan's privacy policy should, at a minimum, set forth the various types of PHI to be disclosed, the persons who have access to such PHI and the conditions applying to such access.
NOTICES TO BE PROVIDED BY PLANS:
- Self-insured plans must provide their participants with a notice concerning the use and disclosure of PHI.
- The notice must also indicate the individual's rights concerning PHI.
- Every three years participants must receive a notice of the availability of the privacy notice and how to obtain a copy.
- The notice should include at least the following:
- The use and disclosure of PHI pursuant to the TPO exception with examples of each component of the TPO.
- It must advise participants how to file complaints with the plan or the Department of Health & Human Services. The notice should identify the privacy officer at the plan as the person to contact.
- The notice should state how changes in the notice will be communicated to participants.
- If your plan is insured, a notice need not be provided, as the insurer is required to furnish the notice. However, if the plan is insured, but still may receive PHI, it must maintain the notice and provide it to participants upon request.
PARTICIPANT'S RIGHTS AS TO PHI:
- The plan must give participants access to health information that is utilized by the plan concerning such participant's coverage.
- Participants must have the right to inspect and copy plan health information concerning themselves.
- Participants have the right to request amendments to their health information and to restrict its use and disclosure. However, the plan is not required to restrict the use or disclosure of PHI.
- The plan must give a participant information concerning disclosures it has made of the participant's PHI for purposes other than TPO.
VARIOUS REQUIREMENTS PLANS MUST COMPLY WITH:
- A procedure for Participants to file complaints about non-compliance with the privacy requirements.
- Sanctions for employees violating the Privacy Policy.
- Establish safeguards to prevent misuse of PHI.
ACCOMMODATIONS OF FACILITIES TO ACHIEVE PRIVACY COMPLIANCE
- Isolating and locking file cabinets containing PHI, or record rooms, if applicable.
- Having claims processors work in a separate room or separate area in the facility.
- Provide additional security such as passwords on computers which contain PHI.
- If necessary, the record systems containing PHI should be configured for employees to have the ability to access only certain fields as required for their job duties.
- In many instances, Trustees should check with their computer consultants to see if there are available tools related to people's access to PHI, such as opaque computer screens.
REQUIREMENTS FOR PLAN'S BUSINESS ASSOCIATES:
A "Business Associate" is an entity who utilizes or discloses health information in furtherance of performing a function on behalf of the plan. Examples of such services are legal, actuarial, accounting, consulting, administrative and accreditation services.
- Contracts with Business Associates should contain, at a minimum, the Business Associate's provisions set forth in the Privacy Regulation.
- The Trustees need not monitor the actions of Business Associates.
- If the Trustees become aware of a violation, they have a duty to take reasonable measures to cure the violation, or if it is not cured, to terminate the contract.
PENALTIES FOR NON-COMPLIANCE:
- Civil penalties are $100 for each violation of a requirement, with a cap of $25,000 for all violations during a calendar year.
- Penalties will not be imposed if the plan demonstrates reasonable cause and not wilful neglect, and if the infraction is corrected within a 30-day period after the plan should have known that the failure to comply occurred.
- Criminal penalties are predicated upon the degree of intent. A fine of up to $50,000 and one year imprisonment is applicable for use or disclosure of individually identifiable health information.
- If the use or disclosure was done under false pretenses, the fine may be up to $100,000 and a prison term of up to 5 years.
- If the disclosure was done with an intent to sell for commercial advantage or personal gain, the fine may be up to $250,000 with a prison term of up to 10 years.
AMENDMENTS TO PLAN DOCUMENTS:
The Plan documents should be amended in the following respects relating to PHI:
- Set forth the permitted uses and disclosures of PHI.
- Since, in many instances, there is no actual plan document, the Fund's Privacy Policy should be distributed to Participants as a summary of material modifications of the Summary Plan Description. The Fund's Privacy Policy should also be included in the Summary Plan Description when it is revised.
HEALTH FUND'S EMPLOYEES' CHECKLIST FOR COMPLIANCE WITH THE HIPAA PRIVACY AND SECURITY REGULATIONS
The purpose of the HIPAA Privacy and Security Regulations is to require group health plans not to use or disclose individually identifiable health information for any purpose unless it is permitted under the Department of Health & Human Services ("HHS") regulation governing the privacy of medical information.
WHAT IS PROTECTED HEALTH INFORMATION (PHI)?
- PHI is individually identifiable health information that is transmitted by electronic media, paper and/or oral communications.
- If the information received by the Fund Office relates to a participant's health or payment for treatment of medical conditions, and the information identifies an individual or can be utilized to identify an individual, it is PHI for purposes of the Fund's Privacy Rule.
TREATMENT, PAYMENT OR HEALTH CARE OPERATIONS (TPO)
- Use and disclosure of PHI are permitted for TPO purposes as long as they are the minimum amount necessary to achieve the uses that are permitted by the regulation.
- Review of claims is considered part of Health Care Operations.
The Minimum Disclosure Requirement is to be utilized by the Fund Office.
Employees may only use the minimum amount of PHI that is necessary to achieve the purpose of the use or disclosure.
- The Fund should identify the persons in the Fund Office who require access to PHI to carry out their duties and the conditions applying to such access.
- The Fund should also designate the categories of PHI each person requires to perform their assigned duties.
- Staff shall only be able to access PHI in accordance with the requirements of their job description.
- Employees who violate the privacy and/or security policy of the Fund will be sanctioned, including possible termination.
SECURITY REGULATION
- EPHI, Electronic Protected Health Information, is the same as PHI as used under the Privacy Rule except that it is limited to electronic form.
- The Security Rule requires a two-step action: risk analysis and management, and documentation thereof.
- The previously appointed Privacy Officer may be appointed the Security Officer pursuant to the Security Regulation.
- Compliance Date is April 21, 2005.
- Encryption is not required, but will be implemented if the risk analysis indicates it should be.
EMPLOYEE'S EFFORTS TO ACHIEVE PRIVACY AND SECURITY COMPLIANCE:
- Employees must isolate and lock file cabinets containing PHI or record rooms, if applicable.
- Employees must not leave claims files on their desk when they leave their desk.
- The employee's computer terminal, if the screen contains PHI, shall be provided with an opaque screen so third parties cannot read the matters on the screen.
- The computer system containing health claims should be configured so that you will need special passwords and/or keys to access the fields required for your job description.
- There should be no conversation between employees about health claims unless the conversation is required in connection with treatment, payment or review of such claims.
- The Fund Office should designate an employee to open mail containing claims, and such mail shall only be distributed to employees who have to review the correspondence in connection with treatment, payment or administration of the Fund.
- Similarly, employees' phone conversations concerning participants' PHI should only be conducted if you have reasonable grounds to believe that you are talking to a person who has the right to access the information.
- Employees should maintain a log of phone calls containing the date, time, who made the call and the nature of the conversation concerning PHI.
- The claims files shall be locked in the evening, with only designated persons having the access key.
- Employees must make a reasonable attempt to keep any PHI as private as possible, except in connection with the use of such information for treatment, payment or Fund administration.
- The Fund should establish a separate area for consultation with Participants concerning PHI.
- A unique user identification number is required.
- The Fund must implement an emergency access procedure.
- The Fund should review its procedures to control access to the Fund Office.
- The Fund should implement a procedure for disposing of its hardware and electronic media.
- The Fund should prepare a procedure to allow employees temporary authorization to obtain access to the Fund Office and equipment in emergencies to restore lost data.
- The Fund is required to implement an Emergency Mode Operation Plan.
- The Fund must implement a schedule for testing the Fund's emergency plan.
- The Fund should implement procedures for denying access to EPHI to terminated employees.
- The Fund should document its formal practices to manage the selection and execution of security measures to protect data and the conduct of personnel in relation to the protection thereof.
- The Fund must provide for protection of physical computer systems and equipment from fire and other natural hazards, as well as from intrusion. These safeguards should include, but are not limited to, locks, keys and measures to control access to computer systems and facilities.
- The Fund will have to implement technical security services to protect, control and monitor information access.
- The Fund must initiate technical security mechanisms to prevent unauthorized access to data that is transmitted over a communications network.
- The Fund must establish a contingency plan which includes data backup, disaster recovery and emergency-mode operation, and must show evidence of testing for the emergency-mode operation. The foregoing must be evidenced by documented policies and procedures for the storage and dissemination of EPHI.
- The Fund should adopt a procedure for an internal audit and review of records to detect unauthorized user activity.
- I recommend that the Fund enter into employee confidentiality agreements pertaining to HIPAA privacy and security.
- It is essential that a Fund documents its rules and procedures concerning HIPAA security.
- The Fund must obtain a risk analysis study.
- I recommend that on the termination of an employee:
  - If applicable, locks should be changed.
  - Terminated employees should be removed from access lists.
  - Any keys or token cards should be returned.
- The staff should be trained in workstation physical safeguards to minimize the possibility of unauthorized access.
- The Fund should install locking devices to prevent theft of equipment or other assets.
- The Fund should establish automatic log off to protect unattended computers from unauthorized access.
- A log should be maintained of each computer user's activities.
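One way to carry out the internal audit review the checklist calls for, checking each logged access against the minimum-necessary field assignments and the terminated-employee access list, as an added example that is not part of the original checklist or any Fund's system; the roles, user IDs, field names and log lines are constructed, and the role-to-field mapping is an assumption.

```python
"""Review a constructed EPHI access log against two checklist rules:
staff may only reach the PHI fields their job role requires, and
terminated employees must no longer appear on the access list.
Hypothetical example; roles, IDs and log lines are constructed."""
from datetime import datetime

# Assumed role-to-field mapping ("categories of PHI each person requires").
ROLE_FIELDS = {
    "claims_processor": {"claim_id", "diagnosis_code", "billed_amount", "provider"},
    "eligibility_clerk": {"member_id", "coverage_status", "dependents"},
    "auditor": {"claim_id", "billed_amount", "paid_amount"},
}

# Assumed active access list: unique user ID -> role. USR-1003 was
# removed on termination and is therefore absent here.
ACCESS_LIST = {
    "USR-1001": "claims_processor",
    "USR-1002": "eligibility_clerk",
    "USR-1004": "auditor",
}
TERMINATED = {"USR-1003": datetime(2005, 3, 31)}

# Constructed sample log, one entry per line: timestamp|user|action|field|record
SAMPLE_LOG = """\
2005-04-04T09:02:11|USR-1001|read|diagnosis_code|CLM-77812
2005-04-04T09:05:40|USR-1002|read|diagnosis_code|CLM-77812
2005-04-04T10:17:03|USR-1003|read|billed_amount|CLM-77900
2005-04-04T11:30:00|USR-1004|read|paid_amount|CLM-77900
2005-04-04T12:01:55||read|member_id|MBR-55010
"""


def parse_line(line):
    """Split one pipe-delimited log entry into a dict."""
    ts, user, action, field, record = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "field": field, "record": record}


def review_access_log(log_text):
    """Return (finding_code, entry) for every entry that breaks a rule."""
    findings = []
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if not e["user"]:
            # Every access must carry a unique user identification number.
            findings.append(("MISSING_USER_ID", e))
        elif e["user"] in TERMINATED and e["ts"] > TERMINATED[e["user"]]:
            # Access after the termination date means the access list
            # or the system's own controls were not updated.
            findings.append(("TERMINATED_USER", e))
        elif e["user"] not in ACCESS_LIST:
            findings.append(("UNKNOWN_USER", e))
        elif e["field"] not in ROLE_FIELDS[ACCESS_LIST[e["user"]]]:
            # Field outside the minimum necessary for the user's role.
            findings.append(("FIELD_NOT_PERMITTED", e))
    return findings


if __name__ == "__main__":
    for code, e in review_access_log(SAMPLE_LOG):
        print(f"{code}: {e['user'] or '<none>'} {e['action']} "
              f"{e['field']} on {e['record']} at {e['ts']}")
```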
HEALTH FUND SUBROGATION
- The Supreme Court in the case of Great-West Annuity & Life Insurance v. Knudson restricted the ability of Health Benefit Funds to enforce the subrogation provisions of health benefit funds relating to benefits paid to or on behalf of a Participant when the Participant recovers monetary damages in a lawsuit against a third party who caused the injury to the Participant.
- Health Benefit Funds should adopt the following procedures to reduce the impact of the Great-West decision:
  - If the proceeds of the third-party action have been disbursed to the Participant, the Fund should commence an action in State Court to recoup the benefits from the participant.
  - Funds, in order to protect their interests, should intervene in the third-party tort actions brought by the participant/beneficiary.
  - Funds may commence an action under ERISA against the personal injury defendant's insurer or the participant's personal injury attorney seeking to obtain a constructive trust on any monetary recovery to avoid disbursement of the monies prior to the Fund obtaining payment.
HEALTH FUND PRESCRIPTION BENEFIT
- The importation of Canadian drugs at lower cost has been negatively targeted by the Federal Food & Drug Administration. In a submission that I made for a Benefit Fund, I was advised by the Employee Benefit Security Administration to withdraw it because they said that their opinion would be that the importation would be illegal.
- Growth in prescription drug spending has been in double digits for the last several years.
- Major pharmaceutical benefits managers have been sued for the kickbacks they allegedly receive from drug manufacturers.
- In point of fact, when Health Benefit Funds negotiate for average wholesale price, it is fictitious since the major pharmaceutical manufacturers set the average wholesale price on a daily basis.
- Efforts should be made to provide audits of pharmacy benefit managers to ascertain that they are not retaining too much from the discount off the average wholesale price.
- Pharmaceutical manufacturers are striving not to disclose the rebate deals they make on formularies with the Pharmacy Benefit Managers. Under a formulary plan, the Fund receives rebates if participants use specific drugs that are manufactured by the prescription manufacturers.
- Medicare Part D is effective for prescription drug benefits in 2006.
  - The Medicare Prescription Drug, Improvement, and Modernization Act of 2003 ("MMA") will establish a standard drug benefit.
  - Benefit plans have two primary options for their retiree groups for prescription coverage. They may be primary with a subsidy or provide a supplemental drug coverage.
  - Plans may seek to be designated by Medicare as a qualified Rx plan in which they directly manage the prescription benefit for retirees and receive direct subsidies. Plans must demonstrate that the Plan's retiree prescription drug benefit is actuarially equivalent to the Medicare Part D standard benefit. The deadline for applying for the subsidy is September 30, 2005. The average annual subsidy is projected to be 28% of the allowable retiree drug costs between $250 and $5,000 (indexed annually).
  - Some plans may be changed to encourage or require retirees to enroll in a Part D Plan. The Plan can then pay a portion of the members' costs and coordinate with Medicare.
  - All Funds Must Issue Notice of Creditable Coverage - Deadline November 15, 2005
Regardless of whether or not a Plan is actuarially equivalent to the Medicare Part D standard plan, the Plan is obligated to comply with the MMA's notification rules. The MMA requires plans to provide a Notice of Creditable Coverage to all Medicare-eligible members, informing them whether or not Plan benefits are actuarially equivalent to the Medicare Part D standard plan.
DEFINED BENEFIT PENSION PLAN
PENSION FUNDING ACT OF 2004:
Effective for the first plan year beginning after December 31, 2004, each defined benefit pension plan is required to furnish each contributing employer with an annual funding notice that discloses the financial status of the plan. The Notice must contain the following:
- A statement of the plan's funded current liability percentage for the plan year.
- A statement of the value of the plan assets, the amount of benefit payments and the ratio of the assets to the benefit payments for the plan year.
- A summary of the rules governing the insolvency of the multiemployer defined benefit plan.
- A general description of the plan benefits which are eligible for coverage by the Pension Benefit Guaranty Corporation (PBGC).
- The notice must be furnished no later than two (2) months after the plan's filing of its Form 5500 or any extension thereof.
EMPLOYER WITHDRAWAL LIABILITY IN THE CONSTRUCTION INDUSTRY
- Withdrawal in the construction industry means more than just discontinuance of contributions.
- The liability is incurred only if the employer is no longer obligated to contribute, but continues or within five (5) years resumes the same type of work in the same area as was covered by the employer's collective bargaining agreement and does not contribute to the pension fund for that work.
- In the construction industry, the liability is determined pursuant to the presumptive rule, which assigns a share of the pension fund's unfunded liability to the employer that has withdrawn.
- In substance, each employer is assigned a pro rata share of the unfunded vested liabilities that were incurred while that employer was obligated to contribute.
- Each year the change in the fund's unfunded vested liability, either upwards or downwards, is allocated among the employers that were required to contribute in that year, predicated upon what they were obligated to contribute over the preceding five (5) years.
- An employer that withdraws is required to pay its liability in annual amounts based on its contributions in the preceding ten (10) years. An employer's payments can continue up to but not more than twenty (20) years.
- There is a de minimis rule: if the liability is less than $50,000, there is no withdrawal liability, but the $50,000 deductible vanishes as the liability exceeds $100,000. In substance, the deductible is reduced by one dollar for each dollar of the excess liability over $100,000.
- There is a partial withdrawal in the construction industry if the employer continues under the plan for an insubstantial portion of its work in the craft and area jurisdiction of the collective bargaining agreement.
BENEFIT FUNDS TRUSTEES COLLECTION POLICY
- The Trustees are required, pursuant to ERISA, to have a collection policy and to attempt to collect delinquent Employer contributions.
- Delinquent Employer contributions are treated as loans from the Fund to a delinquent Employer and are, thus, prohibited transactions.
- The Trustees must diligently implement their collection policy, as the typical Trustees' fiduciary insurance policy does not cover litigation against the Trustees for their failure to collect Employer contributions.
- The Trustees, pursuant to ERISA, have the right to obtain information relating to employer contributions, including the right to audit.
- Typically, pursuant to the ERISA statute and Case Law, Funds may not file liens against the owners of property where there are delinquent contributions for work performed by Union employees on the property. However, a Fund's attorney can avoid the lien restriction by filing individual liens for the workers who worked on the property for delinquent contributions and thereafter assigning the individual liens to the Benefit Funds.
BENEFIT FUNDS UNIFORMED SERVICES EMPLOYMENT AND REEMPLOYMENT RIGHTS ACT OF 1994 (USERRA)
USERRA impacts your Benefit Plans as follows:
Pension and Annuity Plans
- Pursuant to the Act, the liability for retroactive contributions to the Plan is allocated to the last Employer.
- Plans are permitted to provide that any contributions required by USERRA can be made from the assets of the Pension and/or Annuity Plan. This also applies to Health Plans.
Health Plans:
Reemployment:
- If the person serves 181 days or more, he must apply for reemployment no later than ninety (90) days after completion of his military service, except if he cannot apply because of a disability incurred or aggravated during the period of military service.