Colleen Grimes
AVP, HIPAA Compliance
AMERIGROUP Corporation
4425 Corporation Lane
Virginia Beach, VA 23426
(757) 321-3115
cgrimes@amerigroupcorp.com
Good morning. My name is Colleen Grimes and I am the Assistant Vice President, HIPAA Compliance for AMERIGROUP Corporation. For the past 20 years, I have served in executive positions for a variety of health care providers, integrated healthcare systems, and health plans including Kaiser Permanente, Sentara Healthcare, HealthNet, Blue Cross of California and Sharp Healthcare. Six of these years have entailed working on HIPAA. I am appearing today on behalf of the American Association of Health Plans (AAHP) to highlight how health plans are working toward implementation of the HIPAA privacy rule. In addition, I would like to discuss how the Office for Civil Rights (OCR) can assist health plans and health care providers prepare for compliance.
AAHP is the principal national organization representing health maintenance organizations, preferred provider organizations, and other network plans. AAHP's member health plans arrange health care services for approximately 160 million members nationwide. AMERIGROUP is a multi-state managed healthcare company focused on serving people who receive health care benefits through state-sponsored programs including Medicaid, State Children's Health Insurance Programs (SCHIP), and FamilyCare. Our company arranges health care services for more than 525,000 Medicaid members in Texas, Maryland, New Jersey, Illinois, and the District of Columbia. By January 2003, AMERIGROUP will serve more than 700,000 Medicaid members in six states. Although AMERIGROUP's focus is government-sponsored programs, our experience in the implementation of the HIPAA privacy rule is similar to the compliance efforts being undertaken by commercial health plans.
I would like to focus my remarks on three areas: (a) the challenges faced by health plans in implementing the privacy rule; (b) efforts by AAHP and other industry groups to assist with compliance activities; and (c) ways that OCR can help covered entities to implement the rule.
AMERIGROUP and AAHP's member health plans strongly support the goal of protecting the confidentiality of health information. The issue for health plans is balancing this important consumer protection with the need to arrange the delivery of high quality, cost-effective health care. The HIPAA privacy rule impacts almost every aspect of health plan operations; much of what health plans do on a daily basis involves the use and disclosure of protected health information (PHI) that is governed by the privacy rule.
Health plans are making great progress towards implementing the privacy rule by the April 14, 2003 compliance date (April 14, 2004 for small health plans). These efforts involve a substantial financial and administrative cost for the industry. As an example, AMERIGROUP has 24 full time employees working on implementing the HIPAA privacy rule, data security, and the transactions and code sets standards. By the end of 2002, AMERIGROUP estimates that it will have invested more than five million dollars in associate resources, business process reengineering, and technology to support HIPAA compliance.
AMERIGROUP has finalized its privacy rule policies and procedures and is currently training non-HIPAA associates and developing the administrative systems necessary to support compliance with the privacy rule such as privacy notices and business associate agreements. Similar efforts are underway at other health plans. The challenge for health plans is taking the extensive and comprehensive requirements of the privacy rule and making them work at an operational level.
One example of this challenge involves the privacy rule provisions regarding access to and amendment of PHI. The privacy rule provides that health plan members have the right to access, amend, or obtain an accounting of disclosures concerning health information contained in the covered entity's designated record set (DRS). A covered entity is required to identify the records, which will comprise its DRS. The DRS is defined as a group of records maintained by the covered entity which includes but is not limited to, enrollment, payment, claims, case or medical management record systems, that are used whole or in part to make decisions about members. This could mean any item, collection, or grouping of information that includes PHI, which is maintained, collected, used or disseminated by or for the covered entity. Additionally, there is a down-stream impact when business associates handle member PHI on behalf of the covered entity.
All of the member records identified, as part of the DRS, will need to be tracked by the covered entity and made available to members who choose to exercise one or more of their rights. For many health plans, the designated record set includes PHI that is located in a variety of different departments, applications, systems, and locations (sometimes in offices in different geographic locations). Health plans will need to develop extensive tracking systems that will enable them to link or centralize all of a member's PHI in the designated record set and to make amendments as appropriate.
AMERIGROUP and other health plans are also undertaking comprehensive outreach efforts with employers and health care providers to educate them on the requirements of the privacy rule. This outreach includes providing or participating in educational seminars, provider and employer newsletters, and the development of business associate agreements and information on use and disclosure regarding contract provisions. When health plans change policies and procedures, this impacts provider and facility manuals and contracts that in turn result in changes to front and back office operations for providers. Changing processes requires a joint effort of outreach and education. For example, AMERIGROUP is providing educational sessions for its provider community and sending out information on the privacy rule through newsletters and blast faxes.
In addition, plans are drafting all of the necessary documentation needed to carry out the provisions of the privacy rule. Plans are developing member notices, authorization forms, business associate agreements, policies and procedures, training manuals, data use agreements, and other materials that will be used to implement the rule. Health plans and providers are developing and implementing policies and procedures based upon their own interpretation of the privacy rule and modeled on their own specific business processes. The risk here is that without guidance the result could be a lack of the very standardization we are trying to achieve.
There are a number of efforts underway by industry associations and business groups to assist covered entities in complying with the HIPAA privacy rule. Over the past two years, AAHP has sponsored a series of educational seminars and audio conferences to highlight various aspects of the rule. In addition, AAHP has a regularly scheduled conference call two times each month for its member health plans to discuss the impact of the privacy rule on health plan business operations. These calls typically involve approximately 90 health plan representatives. The association has also published a series of Regulatory Briefs on privacy rule compliance issues and is developing a model notice form that plans can use to inform members of the plan's privacy practices and the members' rights.
AMERIGROUP has been involved in a local partnership of providers and payers through active involvement in the Mid-Atlantic Health Initiative (MAHI), Southern HIPAA Administrative Regional Process (SHARP), and NJ SHORE WEDI/SNIP Regional Initiatives. These groups serve an important role by conducting a series of regional seminars (in-person, audio conferences and online) to educate health plans and health care provider hospitals, physicians and their office staff on compliance issues.
MAHI, SHARP and NJ SHORE are part of a number of groups that were formed as part of the Strategic National Implementation Process (SNIP) through the efforts of the Work Group for Electronic Data Interchange (WEDI). WEDI/SNIP involves health care providers, health plans, clearinghouses, and vendors who work together to provide educational materials, best practices white papers, discussion forums, and other programs to bring together interested parties on implementation issues. Currently, there are 25 regional SNIP affiliates in operation.
As an example of these types of industry efforts, I would like to briefly highlight the work of the Oregon Payers Cooperative that is developing an authorization form for the release of PHI that will be used by providers and health plans (Attachments A, B, and C). [1] The group has also drafted a matrix template to help health care providers and health plan staffs in determining if and when PHI can be shared without prior written authorization (Attachment D). The authorization form and template are currently being reviewed by the Oregon Medical Association and Oregon Hospital and Health System Association for use by their members.
The Office for Civil Rights (OCR) has been given a monumental task to interpret, and enforce a rule that will protect the confidentiality of PHI maintained by hundreds of thousands (if not millions) of covered entities. The entities subject to the privacy rule cover a broad spectrum from solo health care practitioners in rural communities to large, multi-company health care organizations. Over the past few years the Department of Health and Human Services has worked to draft a comprehensive set of standards for the use and disclosure of PHI and the final modifications to that rule were announced this August. The next task for OCR is to work with covered entities to help them prepare to implement the privacy rule on April 14, 2003.
There are two ways that OCR can best accomplish this goal: first, through providing more guidance and technical assistance regarding the rule's application to the business operations of health plans and health care providers and, second, by expanding the work they have already done with interested parties on educational and outreach efforts. I would like to discuss each of these issues in turn.
The OCR needs to assist health care providers and health plans in working through the regulatory gray areas of the privacy rule. OCR has released very helpful guidance through a series of frequently asked questions and answers. This guidance, however, does not address a number of the significant questions about compliance with the rule. These issues include but are limited to the following:
These are but a few of the issues that have surfaced as health plans work to implement the privacy rule. OCR needs to be able to quickly respond to questions as they arise and provide guidance and technical assistance on these types of issues.
The Office for Civil Rights should engage in the same types of outreach and educational efforts that are currently being undertaken by health plans and by business, professional, state and industry groups. One approach is to work with the regional WEDI/SNIP affiliates to help develop best practices and to educate covered entities on how to successfully implement the rule. An advisory board, which incorporates business, industry groups and professional groups, has been proven an effective means of education and outreach. In addition, OCR should review the forms and model documents (such as business associate agreements) that are being developed by these groups and indicate when such materials meet the minimum standards of the privacy rule.
OCR should also revise its web site to be a more effective teaching tool. The web site could provide links to other organizations that offer supporting educational information or implementation resources. It is also suggested that the agency establish an email listserv that would allow for the dissemination of new information from OCR on a more effective basis.
Finally, OCR needs to develop a series of brochures and other educational materials that will help covered entities understand how the privacy rule works in the real world. For example, even a very simple consumer brochure that informs individuals of the privacy rule and their rights and responsibilities would be very useful.
AMERIGROUP and AAHP's member health plans are deeply committed to protecting the privacy of its members. When compared to other covered entities, health plans are out in front in terms of implementation of the privacy rule. Nevertheless, outreach, education, and technical assistance is greatly needed for health plans and all covered entities, and OCR is best positioned to undertake this critical task. Therefore, we strongly urge the government to provide any and all necessary resources to support OCR so that it may develop the implementation tools so needed by the entities it serves. Additionally, we ask that this subcommittee consider its role in the outreach and education of covered entities and urge it to develop best practices that may be uniformly used by covered entities. Thank you.
| AUTHORIZATION FOR USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION |
I, _____________________________________, ID number, _____________________ authorize PAYER (health plan) and/or my healthcare providers, including physicians and hospitals, to disclose my protected health information to _________________________ for the purpose of _______________________________________________________ Information obtained with this authorization will be used solely for the purpose defined above.
My protected health information may include medical records, emergency and urgent care records, billing statements, diagnostic imaging reports, transcribed hospital reports, clinician office chart notes, laboratory reports, dental records, pathology reports, physical therapy records, hospital records (including nursing records and progress notes), and any personal or medical information related to the purpose of this authorization.
I understand that PAYER needs my specific authorization to release my protected health information pertaining to the items listed below. By initialing, I authorize release of the information pertinent to my case:
| Chemical dependency (includes Alcohol/drug treatment) | __________ (Initials) |
| HIV/AIDS | __________ (Initials) |
| Genetic information | __________ (Initials) |
| Mental Health information (excludes psychotherapy notes) | __________ (Initials) |
I may cancel this authorization at any time by sending a written request to PAYER. My cancellation of this authorization will not affect any action PAYER took before it received my request. If I do not revoke this authorization, it will automatically expire upon termination of my coverage with PAYER or 24 months from the date below, whichever comes first.
Federal Law requires PAYER to tell me that, if the party to whom PAYER discloses my personal information shares it with anyone else, some state and federal laws may no longer protect it.
I understand that I am not legally obligated to sign this authorization and that if PAYER is unable to obtain information necessary to provide health benefits to me, my benefits may be denied.
SIGNATURE:_____________________________ DATE: ________________________
(If signature by a personal representative of the member, please complete the following)
Personal representative's name: ____________________________________________
Relationship to member: Parent Legal guardian* Holder of Power of Attorney*
____________________
* Please attach legal documentation if you are the legal guardian or Holder of Power of Attorney
| AUTHORIZATION FOR USE AND DISCLOSURE OF PSYCHOTHERAPY NOTES |
I, _____________________________________, ID number_____________________ authorize PAYER (health plan) and/or my healthcare providers, including physicians and hospitals, to disclose my psychotherapy notes to _______________________________ for the purpose of _______________________________________________________
Information obtained with this authorization will be used solely for the purpose defined above.
Psychotherapy notes are defined as Notes recorded in any medium by a mental health professional documenting or analyzing the contents of conversation during a counseling session that are separated from the rest of the individual's medical record. Psychotherapy notes do not include: medication prescriptions; counseling session start and stop times; modalities and frequencies of treatment rendered; results of clinical tests; or summaries of diagnosis, functional status, treatment plans, symptoms, prognosis, and progress.
I may cancel this authorization at any time by sending a written request to PAYER NAME AND ADDRESS. My cancellation of this authorization will not affect any action PAYER took before it received my request. If I do not revoke this authorization, it will automatically expire upon termination of my coverage with PAYER or 24 months from the date below, whichever comes first.
Federal Law requires PAYER to tell me that, if the party to whom PAYER discloses my personal information shares it with anyone else, some state and federal laws may no longer protect it.
I understand that I am not legally obligated to sign this authorization and that if PAYER is unable to obtain information necessary to provide health benefits to me, my benefits may be denied.
SIGNATURE:____________________________ DATE: ________________________
(If signature by a personal representative of the member, please complete the following)
Personal representative's name: ____________________________________________
Relationship to member: Parent Legal guardian* Holder of Power of Attorney*
____________________
* Please attach legal documentation if you are the legal guardian or Holder of Power of Attorney
| INDIVIDUAL APPLICATION AUTHORIZATION FOR USE AND DISCLOSURE |
On behalf of ourselves and the listed family member(s) below, we authorize any physician, health care provider, hospital, insurance or reinsurance company, or other insurance information exchange to disclose to Regence or its representatives our health information (including alcohol, chemical dependency, mental treatment, genetic testing or HIV treatment). We acknowledge and understand that this information will only be used for the purpose of determining enrollment in the health plan, eligibility for benefits or payment of claims. Health information may include claims records, correspondence, medical records, billing statements, diagnostic imaging reports, laboratory reports, dental records, or hospital records (including nursing records and progress notes).
If you choose to not sign this authorization, we may be unable to enroll you in our health plan or to pay claims that were incurred while you had insurance coverage with us.
I may cancel this authorization at any time by sending a written request to PAYER. My cancellation of this authorization will not affect any action PAYER took before it received my request. If I do not revoke this authorization, it will automatically expire upon termination of my coverage with PAYER or 24 months from the date below, whichever comes first.
Federal Law requires PAYER to tell me that, if the party to whom PAYER discloses my personal information shares it with anyone else, some state and federal laws may no longer protect it.
SIGNATURE*: __________________ DATE: ___________
*If signature by a personal representative of the member/enrollee please complete the following:
Personal Representative's Name: ___________________________________
Relationship to Individual: Parent Legal Guardian Holder of Power of Attorney
Attach legal documentation if legal guardian or Holder of Power of Attorney
APPLICANT SPOUSE SIGNATURE:__________________________DATE_____________
THIS AUTHORIZATION MAY NOT BE USED FOR PSYCHOTHERAPY NOTES
(Notes recorded and separately maintained by a mental health professional documenting or analyzing the contents of conversation during a counseling session.)
* Please attach legal documentation if you are the legal guardian or Holder of Power of Attorney
| | Health Plan Activity [conducted by payer or payer's contracted business associate (BA)]* | Health Plan or BA can use or disclose without authorization | Health Plan or BA can receive from another without authorization | State laws require specific authorization to request and disclose¹ |
|---|---|---|---|---|
| Treatment | Provision of healthcare | X | X | |
| | Coordination of healthcare (includes referrals) | X | X | |
| | Management of healthcare | X | X | |
| Payment | Obtaining premiums | X | X | |
| | Obtain or provide reimbursement for healthcare | X | X | |
| | Eligibility determinations | X | X | |
| | Coordination of benefits | X | X | |
| | Determination of cost sharing amounts | X | X | |
| | Adjudication of claims | X | X | |
| | Subrogation of claims | X | X | |
| | Risk adjusting | X | X | |
| | Billing | X | X | |
| | Claims management | X | X | |
| | Collection activities | X | X | |
| | Obtaining payments under reinsurance (stop-loss, excess of loss) | X | X | |
| | Medical necessity review | X | X | |
| | Utilization review | X | X | |
| | Pre-certification review | X | X | |
| Health Care Operations | Quality Assessment & Improvement Activities | X | X | |
| | Outcomes evaluation | X | X | |
| | Population based activities | X | X | |
| | Protocol development | X | X | |
| | Case Management | X | X | |
| | Care Coordination | X | X | |
| | Communicating Treatment Alternatives | X | X | |
| | Disease Management | X | X | |
| | Reviewing Health Care Performance | X | X | |
| | Training | X | X | |
| | Accreditation | X | X | |
| | Certification | X | X | |
| | Licensing | X | X | |
| | Credentialing | X | X | |
| | Underwriting, premium rating | X | X | X |
| | Enrollment | X | X | X |
| | Medical Review | X | X | |
| | Legal Services & auditing functions | X | X | |
| | Fraud & abuse activities | X | X | |
| | Business management & General administrative activities | X | X | |
| | HIPAA compliance efforts | X | X | |
| | Customer service | X | X | |
| | Resolution of internal grievances | X | X | |
| | Due diligence in asset transfer or sale | X | X | |
| As allowed / required by law | Health oversight | X | X | |
| | Law enforcement | X | X | |
| | EDI (related to standard transactions) | X | X | |
*Shaded area=exchange may not be allowed without consent; to be determined after Privacy Rule amendment NPRM finalized.
[1] The Oregon Payers Cooperative includes Family Care, Health Net of Oregon, Kaiser Foundation Health Plan, LifeWise, PacificSource, Primera Blue Cross, The Regence Group, and SAIF Corporation (a workers' compensation carrier) representing small to large payers.