Post Call Summary
Medicare Network Conference Call
May 21, 2003
The HIPAA Privacy Rule and Its Implications on SHIPs

I.  Introduction

The topic of the call was the HIPAA privacy rule, which went into effect on April 14, 2003, and related privacy issues.  In order to understand the complexities of the privacy rule it is important to keep in mind the two linked purposes of the HIPAA privacy rule.  They are to

·         Safeguard the privacy of patient-identifiable health information and

·         Enhance to access of individuals to their own health information.

Congress mandated the development of the rule because of past abuses. Patients had been barred from access to their own health records, while at the same time, sensitive medical information was widely and inappropriately made available to parties who had no need to see it.

The HIPAA privacy rule applies to health information, including medical records that are patient-identifiable.  In the HIPAA rule terminology, this information is called protected health information. The privacy of such information must be protected by those who create, maintain, and use patient-identifiable health information. These parties are called covered entities.  Covered entities include health care providers, but only if they transmit such data electronically.  Most providers are required by insurers to transmit claims electronically.  The HIPAA privacy rule also defines as covered entities health insurers, fiscal intermediaries and carriers, managed care organizations, and governmental entities that administer health benefits, such as Medicaid, Medicare and Veterans Administration (VA) health benefits.

The HIPAA privacy rule also addresses the access of health oversight agencies to patient-identifiable protected health information.  Health oversight agencies are governmental regulatory and enforcement agencies, such as departments of health or insurance that need to see patient-identifiable records in order to carry out their regulatory or enforcement duties.

The HIPAA privacy rule is intended to bind covered entities to protect the privacy of protected health information and to govern the circumstances under which protected health information may or must be disclosed by covered entities.  SHIPs regularly need to look at the medical records created and/or maintained by their clients’ medical providers, or other covered entities that are subject to the HIPAA privacy rule.  Moreover, they need to obtain information from Medicare contractors, such as fiscal intermediaries and carriers that are also covered entities.  This conference call addresses how the HIPAA privacy rule will affect SHIP information-gathering functions.  

The Health Assistance Partnership is monitoring HIPAA developments, particularly as pertains to consumer health assistance programs. We are available to respond to requests for technical assistance and training.

HAP Materials on HIPAA Privacy

HAP has developed two issue briefs addressing HIPAA issues, available at: www.hapnetwork.org They are Issue Brief on Health Insurance Portability and Accountability Act (HIPAA) Privacy Regulation:  Questions and Answers For Consumer Health Assistance Programs   (April, 2003) and Issue Brief on Health Insurance   Portability and Accountability Act (HIPAA) Privacy Regulation:  Questions and Answers For Consumer Health Assistance Programs. (May, 2003.)   Our HIPAA Issue Briefs link to model HIPAA authorization forms and sample HIPAA complaint forms.

How HIPAA Applies to SHIPs: Bob Adams, CMS

Bob spoke to the questions raised from time to time as to how the HIPAA rule applies to the SHIPs as grantees of CMS.  He began with an overview of how CMS is impacted by the HIPAA privacy rule.  Beginning on April 14, 2003, compliance was mandatory with the first nationally applicable privacy standards.  The privacy rule protects patient health information provided to physicians and other health care providers, as well as to CMS and various contractors. 

Neither the HIPAA administrative simplification standards, nor the 1994 Privacy Act apply to the SHIPs with respect to their being grantees of CMS under OBRA 1990, the SHIP enabling legislation.  Individual state laws are still applicable and CMS grant terms and conditions contain safeguards for the privacy of client information maintained by the SHIPs.  SHIPs have duties to protect privacy, but not because of HIPAA or the federal Privacy Act.  Concise, written guidance, based upon Bob's presentation will be released by CMS, perhaps within a month.

Question: How would CMS disclose protected health information to a SHIP? 

Answer:    CMS does not disclose any protected information to SHIPs.  Rather, Medicare beneficiaries authorize the fiscal intermediaries and carriers to release protected claims-related information to the SHIP counselor.  The CSR procedure helps SHIPs obtain that information from Medicare carriers and fiscal intermediaries in real time. 

Question:  What information is available about the CSR process?

Answer:     The CSR procedure will provide a special authorization that will enable SHIPs, with verbal beneficiary authorization to the SHIP counselor, to get claims information from the Medicare fiscal intermediary and carrier when the SHIP is not able to arrange for the contractor’s CSR to see a written authorization or hear an expression of consent from the SHIP client on the telephone.  The SHIP State Directors participated in a CMS conference call on May 28, 2003, to learn more about this process and will receive written policy describing the procedure.  The procedure features a special unique identifier number that will be issued to key SHIP personnel, both staff and volunteer, in each state. 

Question:  Does the CSR procedure make SHIPs business partner of CMS?

Answer:     No.  The procedure has been scrutinized vis-à-vis HIPAA and it meets the requirements HIPAA imposes on CMS and its contractors.  It does not make SHIPs business associates, because a SHIP is not a person, agency or entity that furnishes bills for or receives payment for health services.  

IV. How Will SHIPs Obtain Protected Health Information from Covered Entities?

SHIPs need to access clients’ medical record in many situations.  A typical SHIP counseling scenario involves working with a Medicare beneficiary and her caring family to assess entitlement to Medicare coverage.  In order to appropriately counsel and assist in this case, the SHIP would need to review records from a hospital, skilled nursing facility and home health agency.

A.  HIPAA Compliant Authorization Forms: Sonya Schwartz

A SHIP will generally need to obtain a HIPAA-compliant authorization from the client in order to obtain disclosure of medical records from health care providers, such as a nursing home or home health agency.  The regulations set forth the requirements for a HIPAA-compliant authorization.  The authorization must:

• Be separate from any other authorization or retainer agreement;
• Be in writing;
• Identify specifically what information the patient wants to access;
• List the name and organization to which the patient wishes the information disclosed;

Note: that the regulations permit an authorization to designate a class of parties from or to whom disclosure is authorized, such as “from my physicians” or “to any SHIP counselor.” 

• Identify the covered entity from which disclosure of protected health information is authorized;
• State the purpose of the disclosure;

Note: that it is sufficient for a patient to state “at my request;”

• Include an expiration date or event such as “one year from the date I signed this authorization,” or “until my appeal is concluded.”
• Contain the dated signature of the patient.

The HIPAA-compliant authorization form must also include mandated statements notifying the patient of the following:

• The patient’s right to revoke the authorization.  However a patient may not retroactively revoke an authorization.  A revocation will never apply to disclosures made by a covered entity before it knows of a revocation.

• A warning that disclosures to any party that is not a HIPAA covered entity may be re-disclosed without any further authorization from the patient. 

Note: It is permissible to include in the statement information about any state law or contractual obligation that binds a party that is not a covered entity, such a SHIP, to keep information confidential.

Psychotherapy notes are treated differently than other medical records, due to their sensitivity.  The regulations require that the authorization form for psychotherapy notes must be separate from the authorization form used to obtain disclosure of other protected health information. 

State law or regulations that are more protective of the privacy of protected health information, or that make it easier for patients to gain access to their own protected health information generally are still applicable.  A good resource to find applicable state privacy laws is the website of the Health Privacy Project. www.healthprivacy.org   However, the compilation of state laws found on this web site was completed in 1999 and state laws and regulations may have changed since then. Research must therefore be done to check for subsequent amendments.  The Health Assistance Partnership staff is available to help with such research 

Some states have enacted laws that specify the rules for disclosure of HIV or AIDS information or might direct that certain records are available to certain categories of patients at no charge, or minimal cost.  Such state laws are not over-ridden by the HIPAA privacy rule.

In a time-sensitive situation, such as an emergency, when there is no time to obtain a written authorization, and the advocate needs to obtain protected health information over the phone in order to assist a patient, a number of strategies might help. 

• An advocate can arrange a three-way phone conversation among the patient, the advocate and the covered entity.  During such a phone call, the patient may articulate her consent to the disclosure.
  
• An advocate can use a discussion about coverage criteria, or a request for general information pertaining to coverage criteria to obtain valuable information that is not patient-identifiable. 
  
• An advocate can give information to the covered entity in order to present the patient’s case for coverage without requesting disclosure from the covered entity of any protected health information. 

B.  Other Factors: The “May Versus Must Dilemma” Cheryl Fish-Parcham

Covered entities must disclose protected health information to:

• The individual about herself. 
  
• A personal representative.

A personal representative is an individual who is authorized by the patient (or sometimes authorized by operation of the law) to make health decisions on behalf of the patient.  Generally, parents are the personal representatives of their minor children.  Additionally, a health care power of attorney or similar legal document may be used by an adult to confer personal representative status upon another adult.  The Department of Health and Human Services’ (H.H.S.) Office of Civil Rights has informally informed HAP that in order to be a personal representative the person must be authorized to make treatment decisions.  An authorization to represent or assist a patient by advocating to obtain payment for health care services is not sufficient, according to the HHS Office of Civil Rights, to confer personal representative status on someone. 

A personal representative “steps into the shoes of” the patient.  Hence, personal representatives, like patients, are entitled to disclosure of protected health information without the need for a written authorization.  

• A health oversight agency such as, according to the Administration on Aging and the H.H.S. Office of Civil Rights, the Long Term Care Ombudsman, may obtain disclosure of protected health information. 
  With an authorization, a covered entity may disclose protected health information to an advocate such as a SHIP that is not a covered entity.  However, disclosure is not required. If a covered entity declines to disclose protected health information, a SHIP, may

• Remind the covered entity that it is not prohibited from disclosing protected health information;
  
• Ask the individual to request disclosure and then give it to the SHIP;
  
• Ask the individual to request disclosure and to direct the covered entity to send the protected health information to the SHIP.

Note: This informal suggestion offered to HAP by the H.H.S. Office of Civil Rights

·    Have the patient make the request to the covered entity for disclosure orally in the presence of SHIP staff;

·    Have the family ask for disclosure of such protected health information as is necessary and relevant to their involvement in the care of the patient.  The regulation expressly permits covered entities to make such disclosures to a family member or close friend

·    Arrange for disclosure to another covered entity with which the patient has a relationship and which could help advocate for coverage of a disputed treatment option.

Some exceptions apply to the obligation of covered entities to disclose protected health information to a patient.  These are:

• Psychotherapy notes;
• Records compiled in anticipation of a judicial or administrative proceeding;
• Clinical Laboratory Information Act (CLIA) records.  (Generally, consumer health assistance programs, such as SHIPs, won’t need to know much about these are lab records.)

While covered entities are not compelled to disclose these types of protected health information to a patient, they are not prohibited from disclosing it.  However, no argument can be mounted that they must disclose these categories of protected health information to the patient, or to a personal representative.

Question: A developmentally disabled client with an IQ of 90 was in the office verbalizing consent to disclosure yet the health care provider declined to make the disclosure.  In another case, a provider refused to accept a faxed HIPAA-compliant authorization form.

Answer: These are part of a developing pattern of HIPAA rules being used as a barrier to disclosures that are permissible under the HIPAA privacy rule.   In some cases, covered entities are interfering with individuals’ rights to allow an advocate access to protected health information.  SHIPs will need to advocate for the rights of clients to see their own medical records, using their knowledge of the HIPAA privacy rule. HAP is working towards further clarifications and systemic answers to these kinds of obstacles to full compliance with the goals of the HIPAA rule. 

Question: A SHIP was told that a durable Power of Attorney was required for disclosure of protected health information. 

Answer: Many legal documents and relationships create a personal representative status, including any Health Care Power of Attorney.  A Power of Attorney need not be durable to confer the personal representative status.  Additionally, a guardian or conservator who has the power to make health care treatment decisions is a personal representative. 

A health oversight agency is entitled to disclosure in many situations and covered entities may disclose protected health information  to whomever the individuals designates.

Question: How can a SHIP obtain disclosure from a Coordination of Benefits (COB) Office at a Medicare carrier or fiscal intermediary?

Answer: The CSR procedure that CMS will soon implement will not apply to COB offices.  Written authorization will be necessary to obtain disclosure of protected health information from a COB office to a SHIP.  It was reported by a participant on the call that in one instance, a COB office was cooperative when presented with an authorization from a beneficiary consenting to disclosure to a SHIP.

Question: A state Medicaid agency declined to disclose the date of a Medicaid denial or discontinuance of Medicaid eligibility.  The agency said its own HIPAA form would be required for disclosure.

Answer: Eligibility information is protected health information and the Medicaid state agency is a covered entity.    However, any HIPAA-compliant authorization form should suffice to allow disclosure.  This matter should be brought to the attention of the state Medicaid agency’s HIPAA privacy officer or the state’s Attorney General for resolution.  A complaint may be filed with the state Medicaid agency and/or the H.H.S. Office of Civil Rights.  Model complaint forms may be found in HAP’s Issue Brief on Health Insurance   Portability and Accountability Act (HIPAA) Privacy Regulation:  Questions and Answers For Consumer Health Assistance Programs.

C.  Costs of Disclosure: Sonya Schwartz

HIPAA allows covered entities to charge patients reasonable cost-based fees.  They may charge fees for photocopying but not for searching for and retrieving records.  Many states limit costs.

D.  Long Term Care Ombudsman Program Status Under HIPAA

The Administration on Aging, (AOA) has determined that the Long Term Care Ombudsman are health oversight agencies and have greater rights of mandated access to protected health information, even in the absence of a HIPAA-compliant authorization.   The memorandum is available through HAP, or at http://www.aoa.gov/prof/agingnet/Info%20Memorandum%20HIPAA.pdf

V.  Announcements

A. The next Medicare Network conference call will be held on June 18, 2003at 3:00 P.M. EDT.  The topic will be mental health services and coverage for Medicare beneficiaries.  The call in number is 1-800- and the ID is Hilary is the moderator. An announcement, with links to background materials will be posted the first week in June, 2003. 

We are asking for RSVPs for our calls in order to assure that we have sufficient lines open to accommodate all who wish to participate.  We appreciate your RSVP, as it is helps us to plan, but it is not necessary to reserve a line in order to join our calls.

B. Topics planned for future HAP Medicare Network conference calls include

• The Medicare hospice benefit,
• Planning, counseling and advocacy for Medicare beneficiaries around hospital discharges,
• Medicare eligibility and enrollment,
• Medigap rights,
• Dual-eligibility for Medicare and Medicaid. 

Please let Hilary or Astrid know of your ideas for conference call topics.

C.  The HAP 2004 Annual Conference will be held on January 20-21, 2004 at the Mayflower Hotel in Washington, D.C. Please let Hilary or Astrid know of your ideas for workshop or plenary sessions, speakers you would like to hear from, or other ideas to help us make our second conference even better than the first one.  Stay tuned for more exciting information about our conference.

D.  HAP Story Bank initiative: HAP is developing a story bank to collect stories about the value of consumer health assistance programs.  These stories may show the successes of consumer health assistance programs or they may illustrate systemic issues encountered frequently by consumer health assistance programs.  The story bank will collect these stories, which will be useful in promoting consumer health assistance programs and in illustrating systemic issues encountered by consumer health assistance programs to inform decision makers and opinion leaders.    The HAP story bank is open to the same case studies SHIPs submit to CMS with their N.P.R data.  HAP works with other organizations, such as the Medicare Rights Center, which also collect stories for related purposes.

VI. State Roll Call

The following states participated in this call:

Alaska

Arizona

California

Colorado

Connecticut

Delaware

District of Columbia

Georgia

Hawaii

Illinois

Iowa

Kansas

Maryland

Massachusetts

Minnesota

Missouri

Nebraska

Nevada

New Mexico

New York

North Dakota

Ohio

Oklahoma

Oregon

Texas

Virginia

CMS

SHIP Resource Center

Thank you all for participating.  Please contact Hilary at hdalin@healthassistancepartnership.org with your questions, comments, suggestions and ideas.

5/31/03

revd 6/12/03