HIPAA Privacy

The HIPAA privacy rule governs the confidentiality and privacy of protected health information, also referred to as PHI. These regulations apply to covered entities, which are:

  • Health Plans (such as health insurance companies, HMOs, or employer-sponsored group health plans)
  • Health care clearinghouses (such as our electronic data interchange operation)
  • Health care providers that transmit information electronically in connection with any standard transaction (such as physicians, hospitals, and the BCN Family Health Centers)

Effect on Blue Cross Blue Shield and Blue Care Network of Michigan

BCBSM and BCN follow strict policies as required by Michigan Public Acts 350 and 218. Although we have always protected the privacy of our members' information in accordance with these state regulations, the HIPAA rules set forth additional requirements to safeguard PHI. As a result, the federal HIPAA privacy regulations do not significantly change how we use and disclose member information except for some new administrative requirements. For example, we now have a privacy official, we prepare and distribute to all members a notice of our privacy practices, and we have safeguards in place that involve the access, use and disclosure of member protected health information.


Effect on BCBSM and BCN underwritten groups

Group health plans that provide health benefits only through an insurance contract and do not create, maintain or receive PHI do not have to meet the notice requirements or the administrative requirements. These requirements will be satisfied by the insurer or HMO that is providing benefits under the group health plan. For those groups, BCBSM and BCN will comply with HIPAA's administrative requirements, including preparation and distribution of required privacy notices for the group.


The relation between BCBS/BCN and an underwritten group is as follows:


Covered Entity Status
  • Area/Industry: BCBSM/BCN is the covered entity
  • Experience (BCBSM only): BCBSM is the covered entity

Business Associate Status
  • Area/Industry: None
  • Experience (BCBSM only): None

Notice of Privacy Practices
  • Area/Industry: BCBSM and BCN send their Notice to members; BCN Family Health Centers provide a unique Notice at the time of care
  • Experience (BCBSM only): BCBSM sends its Notice to members

Disclosure of protected health information (PHI) to the group
  • Area/Industry: BCBSM will not disclose PHI to the group with the exception of enrollment data; BCN will not disclose PHI to the group
  • Experience (BCBSM only): Enrollment data and Summary Health Information may be shared with these groups. If the group wants PHI from BCBSM, its plan documents must be amended to incorporate HIPAA safeguards and it must sign and return the Plan Sponsor Certification.

If you are uncertain how the HIPAA privacy rule applies to a fully insured group health plan, please read the privacy rule and seek legal counsel as necessary. The rule can be accessed at www.hhs.gov/ocr/hipaa.


Effect on BCBSM self-funded groups

Because self-funded group health plans administer their own plans and benefits, they are subject to the same HIPAA requirements as other covered entities. BCBSM can help self-funded group plans meet their obligations in the following ways:

  • Provide access to member records (records will be retained for six years)
  • Coordinate amending of member records created by BCBSM
  • Handle confidential communication requests
  • De-identify information
  • Provide authorization forms

The relationship between BCBSM and a self-funded (ASC) group is as follows:

Relationship: Self-funded ASC Contract

  • Covered Entity Status: The group is the covered entity
  • Business Associate Status: BCBSM is the Business Associate of the plan
  • Notice of Privacy Practices: Plan sends its Notices to members but can use BCBSM's as a guide
  • Disclosure of protected health information to the group: If the group wants PHI from BCBSM, its plan documents must be amended to incorporate HIPAA safeguards and it must sign and return an ASC, a Business Associates Agreement, and initial the Plan Sponsor Certification.

Member-specific information for groups

For a group health plan to continue receiving member-specific information from BCBSM, such as monthly claims listings identifying the member and the procedure, the plan sponsor must provide BCBSM with certification that its plan documents have been amended to include the following provisions and that it agrees to:

  • Not use or further disclose protected health information other than as permitted or required by the plan documents or as required by law
  • Ensure that any subcontractors to whom the plan sponsor provides PHI agree to the same restrictions
  • Not use or disclose the PHI for employment-related actions
  • Report to the group health plan any use or disclosure that is inconsistent with the plan documents or this regulation
  • Make protected health information accessible to individuals
  • Allow individuals to amend their information
  • Provide accounting of its disclosures
  • Make its practices available to the Secretary of U.S. Health and Human Services for determining compliance
  • Return and destroy all PHI when no longer needed. If this is not feasible, the PHI must be protected consistent with HIPAA provisions.
  • Ensure adequate separation between the group health plan and the plan sponsor

BCBSM and BCN's notices of privacy to members

BCBSM and BCN will issue their notices of privacy practices to new members when they enroll. In addition, members may access this information at www.bcbsm.com or www.mibcn.com.


Penalties if BCBSM, BCN or a self-funded plan violates the privacy rules

The Office for Civil Rights may impose civil (monetary) penalties, criminal (imprisonment) penalties, or both, depending on the violation. BCBSM and BCN employees could face sanctions or other discipline for violating privacy policies and procedures, including termination of employment, depending on the violation.


Frequently Asked Questions and Answers on Privacy