HIPAA FAQs

General

What is the Health Insurance Portability and Accountability Act of 1996?

The HIPAA is legislation enacted by the federal government to:

  • Ensure health insurance portability
  • Reduce health care fraud and abuse
  • Guarantee the integrity and confidentiality of health information
  • Improve the operations of health care systems.

Who must comply with HIPAA?

Although HIPAA applies to health insurance carriers, group-sponsored health plans, health care providers, and health-care clearing houses, HIPAA also affects plan sponsors, billing agencies, agents, information systems vendors and service organizations.

Who do the limitations on exclusions for pre-existing conditions apply to under HIPAA?

The limitations on exclusions for pre-existing conditions apply to employees and dependents covered by any group health plan.

When do BCBSM and BCN have to be HIPAA compliant?

As a covered entity, BCBSM and BCN will be fully compliant with the final HIPAA rules no later than the following mandatory compliance dates:

  • April 14, 2003 — Privacy Rule
  • October 16, 2003 — Standard Transactions and Code Sets Rule
  • July 30, 2004 — National Employer Identification Rule
  • April 20, 2005 — Security Rule

What is a plan sponsor?

A plan sponsor is an employer or organization that offers a group health plan to its employees or members.

How does crediting for a BCBSM pre-existing condition waiting period work under HIPAA?

Previous coverage under a prior carrier is credited against a BCBSM pre-existing condition exclusion period if the gap between when coverage ended and the new coverage does not exceed 63 days. Any coverage occurring prior to a break in coverage of 63 days or more is not credited against a pre-existing condition exclusion period.

How does a new a new employer or insurance carrier know that an employee had prior group coverage?

Proof of prior coverage will be necessary; the member should contact his/her prior health plan to request a certificate of creditable coverage.

Privacy

What does privacy protect?

HIPAA specifically addresses protecting the privacy of protected health information. As part of the HIPAA regulations, the government has established controls, which limit, how and when PHI can be shared.

What information can be released to a plan sponsor?

BCBSM and BCN do not release PHI to area and industry underwritten groups or their plan sponsors, other than enrollment information about their employees.


BCBSM experience-rated underwritten group health plans and their plan sponsors do not generally receive PHI from us, other than enrollment information about their employees. BCBSM experience-rated groups and their plan sponsors may request and receive summary health information to obtain premium bids for providing health insurance coverage for the group health plan, or to modify, amend, or terminate the group health plan. BCBSM experience-rated group health plans and their plan sponsors may receive PHI from us if they provide us with a written certification in the form we require: 1) indicating that the plan documents have been amended to enable these disclosures and to impose specific restrictive safeguards on the plan sponsor's use and disclosure of the PHI in accordance with applicable law; and 2) identifying the plan administration functions for which the PHI has been requested.


BCBSM self-funded group health plans and their plan sponsors may receive summary health information under the same conditions imposed on experience-rated groups and may receive PHI if they provide us with a written certification in the form we require.

What information is contained in reports, such as claims listings, that BCBSM or BCN releases?

BCBSM and BCN may provide aggregate health information showing how the plan members have utilized the health plan. Individual identifiers (e.g., names, dates, diagnoses, Social Security numbers, etc.) will only be provided if the group is eligible and has submitted the required Plan Sponsor Certification and Business Associate Agreement (for ASC Customers). De-identified reports, where there is no reasonable basis to believe that an individual could be identified, may be used or disclosed without restrictions.

Do BCBSM and BCN have privacy officers?

Yes. The Privacy and Security Official for BCBSM is Kim Winnik and Rob Hopper for BCN.

Has BCBSM and BCN published its policies and procedures regarding HIPAA privacy compliance? Is it available upon request?

Yes. Please see Notice of Privacy Practice at www.bcbsm.com or www.mibcn.com for additional information.

Does the HIPAA Privacy rule affect only covered entities?

HIPAA requires that covered entities make their business associates, like agents, also comply with the Privacy Regulations. Accordingly, BCBSM and BCN included HIPAA privacy provisions in our Agent Agreement that safeguard PHI communicated in any form and which detail the permitted uses and disclosures of PHI.

Do members of a self-funded group have the same privacy rights as members of a fully insured group?

Yes. The only difference is BCBSM is considered a business associate of a self-funded group health plan.

Do BCBSM and BCN have policies and procedures for ensuring the privacy of PHI and compliance with HIPAA privacy regulations?

Yes. BCBSM and BCN have long been committed to handling member PHI with the utmost care and highest standards for maintaining privacy and confidentiality. These policies and procedures are outlined in our Notice of Privacy Practices. These notices are available on our web sites www.bcbsm.com and www.mibcn.com.

Do BCBSM and BCN consider premium statements (that include data such as name, coverage level, premium) to contain PHI as defined by HIPAA?

Yes. BCBSM and BCN consider premium statements to contain PHI.

Do BCBSM or BCN limit discussion for third-party inquiries in any manner?

Yes. All disclosures to third parties are conditioned on verification of the requestor's identity and authority to access the member's PHI. We follow the minimum necessary guidelines as required by HIPAA.

Security

How are the Security Standards different from the HIPAA Privacy rule?

The Security Rule (effective for BCBSM and BCN on 4/20/05) addresses specific administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of electronic PHI. The HIPAA Privacy Rule (effective for BCBSM and BCN on April 14, 2003) addresses what PHI is and the ways and circumstances in which it must be protected.

Do BCBSM and BCN intend to eliminate the use of the Social Security Number as an identifier?

BCBSM and BCN started to eliminate the use of Social Security numbers in 2004 for those states with an early compliance law. The Blue Cross Blue Shield Association has mandated that all Blue Plans remove Social Security numbers from ID cards by 1/1/06. BCBSM/BCN is currently working to provide de-identified contract numbers by 1/1/06.

Business Associates

How can an agent or consultant acting on behalf of a group receive PHI?

An agent or consultant acting on behalf of an ERS/ASC group can receive reports containing PHI if the group completes the following:

  • Signs Business Associate Agreement (ASC only)
  • Provides Plan Sponsor Certification on our required form
  • Provides BCBSM with an authorization on business letterhead indicating that the agent or consultant is the group's business associate and specifically identifying the requested information/reports that the agent or consultant may receive

If BCBSM is a Business Associate of a Plan, is BCBSM willing to execute the business associate contract or a similar contract?

For most BCBSM underwritten contracts, we operate as an Organized Health Care Arrangement (OHCA), so a business associate agreement is not required. For groups in which BCBSM is the business associate of the plan, our corporate standard business language is incorporated into the ASC contract.


For BCN groups, BCN operates as an Organized Health Care Arrangement (OHCA), so a business associate agreement is not required.