|
|
HIPAA/LAW:
June 2004
"And Then There Were Four – HIPAA Covered Entities, That Is"
By Steve Fox & Rebekah A.Z. Monson, Esqs., Pepper Hamilton LLP
When asked how many general categories of covered entities currently exist under the HIPAA regulations, most people knowledgeable about HIPAA would answer three: health plans, clearinghouses, and certain healthcare providers. However, the correct answer is now four.
With the passage of the Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (the "Act"), signed into law on December 8, 2003, a fourth category of HIPAA covered entity was created - namely, Prescription Drug Card Sponsors. In a landmark piece of legislation, the Act adopts numerous changes to the Medicare program including detailed prescription drug benefits. As the Medicare Part D prescription drug benefits will not begin until January 1, 2006, the Act directs the Centers for Medicare and Medicaid Services ("CMS") to develop and begin to operate by May 2004 a prescription drug discount program designed to provide Medicare beneficiaries (without prescription drug insurance) discounts on drugs for the interim period. The Medicare Prescription Drug Discount Card and Transitional Assistance Program (the "Program") provides Medicare beneficiaries with discounts of 10% to 25% on prescription drugs and the poorest beneficiaries will receive $600 credits (if they do not have certain other drug ccoverage). CMS estimated that 7.3 million people are expected to enroll in the Program which was effective on June 1, 2004.
The Medicare-approved Program discount cards are marketed to Medicare beneficiaries by organizations that have been selected by CMS (referred to as "Prescription Drug Card Sponsors" or "Sponsors"). As of March 2004, 28 general Sponsors have been selected and they are listed on the CMS website. The sections of the Act addressing the Program detail the qualifications of Prescription Drug Card Sponsors. In general, the Sponsors are to be non-governmental entities endorsed by the Secretary of the US Department of Health and Human Services ("HHS") and may include: pharmaceutical benefit management companies, wholesale or retail pharmacy delivery systems, insurers, or Medicare + Choice Organizations.
One of the Program protections for beneficiaries is the requirements that Sponsors maintain the confidentiality of enrollee records in accordance with HIPAA. Specifically, the Act provides that the "operations of an endorsed program are covered functions and a prescription drug card sponsor is a covered entity" for purposes of applying the Administrative Simplification Requirements of HIPAA and all regulatory provisions promulgated under HIPAA. 42 U.S.C. § 1395w-141(h)(6)(A). This requirement creates the fourth general category of HIPAA covered entity, i.e., Prescription Drug Card Sponsors. The Act also provides the Secretary of the DHHS with authority to waive "relevant portions" of the HIPAA privacy regulations where appropriate in order to promote participation of endorsed sponsors in the Program.
On December 15, 2003, CMS issued an interim final rule with comment period (the "CMS Rule") regarding the Program. The provisions of the CMS Rule were effective on December 15, 2003, and the comment period ended on January 14, 2004. Several pages of the commentary to this rule are dedicated to addressing the interaction of the HIPAA Administrative Simplification and other provisions with the Program and its Sponsors. Most importantly, CMS has added a regulatory provision (codified at 42 C.F.R. § 403.812) providing that Sponsors are HIPAA covered entities and must comply with the standards, implementation specifications and requirements of the various HIPAA regulations (including privacy, security, electronic transactions, and unique identifiers). Additionally, the CMS Rule states that the functions of Sponsors which are "necessary or directly related" to the operations of the Program are HIPAA covered functions. In comments to the CMS Rule, CMS clarified that functions of Sponsors outside the scope of the PProgram would not be HIPAA covered functions. However, if those other activities would make a Sponsor a health plan, clearinghouse or covered healthcare provider, then the Sponsor may otherwise be a HIPAA covered entity and subject to the HIPAA standards and requirements.
Most of CMS' comments on the new regulatory provision focus on Sponsors' compliance with the HIPAA privacy rule (the "Privacy Rule").
General; Sponsors Treated as Health Plans
In general, the standards and requirements of the Privacy Rule do not apply to all covered entities in the same manner. The new regulation states that the Privacy Rule applies to Sponsors in the same manner as health plans, although CMS is quick to point out (in comments to the CMS Rule) that Sponsors are not, by virtue of their sponsorship, health plans. However, due to the similarity in the operations of health plans and the activities of Sponsors of the Program, CMS has decided to treat them in the same manner, for purposes of the Privacy Rule, despite the fact that Sponsors technically constitute their own category of covered entity.
Administration of the Program; NOPP
Under the Privacy Rule, covered entities are permitted to use or disclose protected health information ("PHI") without individual authorization for healthcare treatment, payment, and operations. In comments to the CMS Rule, CMS wrote that the activities of Sponsors in connection with the products and services offered under the Program generally fall into the categories of "payment" and "operations." Therefore, enrollee PHI may be used or disclosed, for these purposes, without authorization. Prior to, or upon, enrollment in the Program, Sponsors are required to provide enrollees with a Notice of Privacy Practices in accordance with the Privacy Rule standards.
Marketing Restrictions
As part of the Program, Sponsors are required to provide information and outreach about Program products and services offered by the Sponsor. The Act and another new regulation (codified at 42 C.F.R. § 403.813) provides that Sponsors may only market products and services related to its sponsorship in the Program (i.e., related to a covered discount card drug and discounts for non-prescription drugs). Under the Privacy Rule, use and disclosure of an individual's PHI for marketing generally requires an authorization. However, with respect to marketing of Program products and services, CMS has written that "using or disclosing beneficiary [PHI] to provide information and outreach is not marketing under the privacy rule," but rather is considered part of the Sponsor's healthcare operations and therefore a beneficiary authorization is not required. 68 Fed. Reg. 69840, 69872 (Dec. 15, 2003). CMS is taking the position that these outreach efforts fall within the Privacy Rule definition of marketing exception for ddescribing health-related products or services provided by a covered entity. Sponsors may not ask potential or current enrollees to authorize the Sponsor to use or disclose individually identifiable health information (the CMS Rule specifically does not use the term "PHI" but uses the broader category of individually identifiable health information) for purposes of marketing any product or service outside of the Program.
Furthermore, Sponsors may not "commingle" or include information on such products and services in the Program-related outreach and information materials (regardless of whether the marketing effort involves the use or disclosure of PHI). CMS, in the CMS Rule, distinguishes between Sponsors acting in their capacity as Sponsors and Sponsors acting in another capacity (such as a Medicare + Choice Organization) for purposes of applying the commingling restriction. Finally, after termination of a Sponsor's endorsement or after termination of the Program, an enrollee's individually identifiable health information collected or maintained by the Sponsor may not be used or disclosed to market "any" products or services. The marketing limitations just described are not enforceable by the HHS Office for Civil Rights under HIPAA, but will be enforced by CMS as part of the Program.
Sponsors as Business Associates
For purposes of administering transitional assistance under the Program, Sponsors are business associates of CMS and will be required to execute a business associate agreement with CMS. In general, the Privacy Rule requirements do not directly apply to business associates, but rather through the contractual requirements of a business associate agreement. CMS, in comments to the CMS Rule, has stated that the application of the Privacy Rule to Sponsors under the new Program-related regulations does not affect business associate arrangements between Sponsors and other covered entities for activities outside of the Program. However, as Sponsors now are also covered entities, if a Sponsor violates a business associate agreement with another covered entity for activities outside of the Program, the Sponsor will be in violation of the Privacy Rule.
As Sponsors are HIPAA covered entities, they are required to comply with the assorted HIPAA standards, including requirements to safeguard the PHI of Program enrollees as well as to provide enrollees with rights to access and amend their information, comply with the electronic transaction standards and security standards and the unique provider identifiers. For those Sponsors who already are required to comply with HIPAA in connection with their other non-Program activities, this will be one more aspect of their sponsorship. However, for those organizations who have thus far escaped the complexities of complying with HIPAA, they will now be faced with an added challenge in connection with their Program sponsorship.
Read
past HIPAA Legal articles.
Steve Fox, Esq., is a partner at the Washington, DC office of Pepper
Hamilton LLP, www.pepperlaw.com  .
This article was co-authored by Rebekah A.Z. Monson, Esq., an associate
of Pepper Hamilton LLP. They may be reached at foxsj@pepperlaw.com.
Disclaimer: This information is general in nature and should
not be relied upon as legal advice.
|
 |
 |
