What does HIPAA privacy protect?
HIPAA specifically addresses protecting the privacy of protected health information (PHI). As part of the HIPAA regulations, the government has established controls that limit how, when and where protected health information is shared.
What is PHI?
Medical information, as well as demographic information about you that we collect as part of administering your health care benefits, is “Protected Health Information” or PHI.
PHI contains "individually identifiable health information." This is information that includes both health care information and demographic details such as an individual’s address, gender, Social Security number, or date-of-birth. Insurance applications with medical histories, for example, contain individually identifiable health information. PHI is individually identifiable health information communicated in any form—electronic, written, or spoken.
What is Anthem's commitment to privacy?
Anthem is committed to protecting confidential information about our customers, especially the confidential nature of our members’ protected health information (PHI). We will comply with the privacy requirements of HIPAA, as well as other laws aimed at safeguarding privacy. We also have our own privacy policies and procedures in place. These are designed to protect customer privacy. We will continue to make this a priority.
Is Anthem compliant with the HIPAA Privacy Regulations?
Anthem met its compliance obligations with respect to the HIPAA Privacy Rule prior to the April 14, 2003, compliance date.
What about state versus federal laws on privacy?
Anthem performed a state-by-state preemption analysis to uncover the discrepancies between the federal Privacy Rule and the laws of the 50 states that may further restrict the amount of information a health plan may disclose. The results of this analysis have been integrated into Anthem’s state/regional desktop guides.
Has Anthem designated a privacy officer and defined the role of this individual?
Anthem has designated Jim Bixler as its Privacy and Security Officer. Mr. Bixler’s responsibilities include oversight of all Anthem activities concerned with the development, implementation, maintenance and dissemination of, and adherence to, Anthem’s information privacy and security policies and procedures. Anthem’s Privacy and Security Officer is responsible not only for HIPAA regulations, but also for overseeing any other federal and state privacy laws that apply.
Have Anthem associates received HIPAA privacy training?
Anthem started HIPAA training for its associates in November 2001, and has continued varying levels of training to date. Mandatory privacy training for all associates started February 17, 2003, and was completed on April 13, 2003.
Has Anthem put in place a written disciplinary policy that includes sanctions for violations?
As required of covered entities by HIPAA privacy, Anthem has sanctions in place for its associates who violate these regulations.
Does the HIPAA Privacy Rule affect only covered entities?
HIPAA requires that covered entities make certain their business associates also comply with the Privacy Regulations. Business associates are parties that perform a function or service for a covered entity that involves protected health information (PHI), or that receive PHI from, or create it for, a covered entity. For example, certain vendors, brokers, consultants, and third-party administrators (TPAs) can be business associates. The Privacy Rule specifies that covered entities may not disclose PHI to business associates without reasonable assurance that the business associate has met all HIPAA requirements and relevant standards. Accordingly, covered entities need to include HIPAA privacy provisions in agreements with their business associates beginning April 14, 2003. This can be an amendment to a current agreement, or a separate “free-standing” agreement. Such provisions will include the business associates’ specific obligations to safeguard PHI communicated in any form and will enumerate the permitted uses and disclosures of PHI.
Self-insured plans need to enter into business associate agreements with all of their service entities that have access to PHI beginning April 14, 2003, unless the organization is a small health plan. In that instance, the small health plan has a compliance date of April 14, 2004.
What if a group health plan does not create or receive protected health information (PHI)?
One of the most confusing aspects of the Privacy Rule is its effect on group health plans (GHPs) and employers. A fully insured GHP that neither creates nor receives PHI is exempt from most of the privacy administrative requirements. Regardless of whether they have PHI or not, self-insured GHPs are subject to all of the privacy administrative requirements such as implementing safeguards to protect PHI from unauthorized use or disclosure, privacy notice requirements, appointment of a privacy officer, compliance documentation and six-year retention requirements.
What are the requirements of the employer?
The employer/plan sponsor is not a covered entity and technically does not have to directly comply with the Privacy Regulations. However, employers and plan sponsors will indirectly be impacted. Of significant impact to employers are the rules regarding what protected health information (PHI) a group health plan or its insurer or business associate can provide to the employer. The GHP or its insurer or business associate may not disclose PHI to the employer unless certain conditions are met. For example, the employer will have to provide a certification to the GHP, the plan documents will have to be amended, and the disclosure must be necessary for the employer to carry out plan administration functions. Access to PHI then must be restricted to only those employees performing certain administrative functions.
For a general overview of HIPAA Title II, please review Anthem’s HIPAA Title II Blue Book that is available here
What are the requirements of the broker/producer?
According to the HIPAA mandate, brokers are not covered entities and technically are outside the direct scope of the Privacy Regulations. However, brokers will be impacted greatly. Of significant impact to brokers are the rules regarding what protected health information (PHI) a group health plan (GHP) — or its insurer or business associate — can provide to the broker. The GHP — or its insurer or business associate — may not disclose PHI to a broker unless certain conditions are met, i.e., an Anthem Business Associate Agreement is in place and signed by the broker. Without this signed agreement, Anthem will not be able to continue its current business relationship with a broker beginning April 14, 2003.
Do the privacy requirements apply to summary health information (SHI)?
Yes, the privacy requirements apply to summary health information (SHI). However, certain provisions allow a group health plan or its insurer or business associate to share SHI with the employer/plan sponsor without the employer/plan sponsor having to provide a certification to the GHP or amend plan documents. SHI may be disclosed to the employer/plan sponsor only if it has been requested for the purpose of obtaining premium bids from health plans, or for modifying, amending, or terminating the group health plan.
What is de-identified information (DII), and do the privacy requirements apply to DII?
The Privacy Rule has a provision for a category of information called de-identified information. De-identified information requires the removal of a number of key data elements (including, but not limited to, name, address, Social Security number and date of birth). Before information may be classified as “de-identified,” all identifiers mandated by the rule must be removed, or a statistician must certify that the information cannot be linked to a person. If information is truly DII, then none of the privacy requirements apply to that data.
What is a business associate?
A business associate performs a function or a service for an entity covered by HIPAA, that involves protected health information (PHI), or receives PHI from, or creates it for, an entity covered by HIPAA. The HIPAA Privacy Rule specifies that covered entities may not disclose PHI to business associates without contractual language that requires that the business associates meet all the listed HIPAA requirements and standards relevant to business associates.
What is a business associate agreement?
A business associate agreement is required between a covered entity and its service entities that have access to, or create protected health information (PHI). This agreement or contract sets forth requirements the business associate must follow with regard to confidentiality, security, and the use and disclosure of PHI. In the event that a business associate, acting on behalf of a covered entity, is disclosing PHI to another entity, it must enter into a “sub” business associate agreement with that entity as well, or otherwise obtain reasonable assurances that such “sub” business associate will comply with the business associate’s obligations, so that the same requirements are imposed for all that share PHI. For example, if Anthem is serving as the third-party administrator (TPA) for a self-funded account, Anthem is the self-funded account’s business associate. Anthem, in its capacity as a TPA, may have a contract with a behavioral health vendor to perform utilization management for mental health services for that account. In that event, the group will have a business associate agreement with Anthem and Anthem will have a “sub” business associate agreement with the behavioral health vendor.
How is Anthem contracting with its business associates?
As a covered entity, Anthem has prepared a standard Business Associate Agreement. Business associates, including brokers and producers, are expected to sign these agreements and to comply with them. Additionally, Anthem has prepared an agreement that applies when Anthem is a business associate of a covered entity, i.e., when we are the administrators of a self-funded group health plan. We are asking our customers who we serve in that capacity to sign this agreement.
Will brokers be required to sign Anthem’s Business Associate Agreement?
Yes, all brokers doing business with Anthem beginning April 14, 2003, will need to have signed Anthem’s Business Associate Agreement.
Will fully insured groups be required to sign Anthem’s Business Associate Agreement?
The business associate relationship is not created when Anthem contracts with fully insured groups solely to underwrite and administer the group’s health benefit plans. Therefore, these groups do not have to enter into a business associate agreement with Anthem.
How will Anthem log all disclosures of protected health information (PHI) as required by the Accounting of Disclosures Section?
Because individual Anthem members are entitled to an accounting of PHI, we have developed a computerized tracking system that will enable us to follow disclosures and to provide this information.
Does Anthem require its subcontractor(s) to maintain privacy policies regarding protected health information (PHI)? Will Anthem be including HIPAA privacy compliance as a contract requirement beginning April 14, 2003?
As set forth in the Privacy Rule, we require our business associates to provide us with reasonable assurance that their conduct will not be in violation of the Privacy Rule. This does not necessarily mean that they have to “maintain” privacy policies, but they do have to provide the same level of protection to the PHI as we do.
How will HIPAA privacy affect Anthem’s members?
As a covered entity, Anthem is fully compliant with the HIPAA Privacy Regulations. An important part of our compliance initiative includes fulfilling our obligations to enable our members to exercise certain rights assured them under the Privacy Regulations. These rights include:
- The right to have access to designated records that contain protected health information (PHI).
- The right to request an amendment to PHI contained in designated records.
- The right to request restrictions on the use and disclosure of PHI for treatment, payment and health care operations.
- The right to appoint personal representatives.
- The right to "opt-in" before receiving certain marketing materials (e.g., the member gives us permission to send them marketing materials).
- The right to receive confidential communications at an alternate address or location.
- The right to request a disclosure accounting.
- The right to request amendment of PHI.
- The right to file a complaint.
- The right to receive a Privacy Notice.
I am a member of a self-funded group. Do I have the same rights as the member of a fully insured group?
Yes. The only difference is that self-funded group members must ultimately look to their own group health plan, since Anthem is a business associate of the group health plan.
Did Anthem distribute a Privacy Notice as required under HIPAA privacy?
As a covered entity, Anthem distributed its Privacy Notice to all applicable parties in the first quarter of 2003. Anthem also provides its Privacy Notice with all enrollment materials that it issues to fully insured customers.
Anthem, as the administrator of self-funded group health plans, will not be creating the self-funded group health plan's Privacy Notice, nor will Anthem (as a general rule) distribute the group's Privacy Notice to its members. A template Privacy Notice is available for our self-insured customers here
Did Anthem mail the privacy notice to the policyholder/subscriber, or to each adult member?
Anthem mailed its HIPAA Privacy Notice to each fully insured policyholder/subscriber as required by the HIPAA regulations.
What happens if Anthem decides to change the Privacy Notice? How will members be notified?
Anthem reserves the right to change the terms of the Privacy Notice. Anthem may make the new notice provisions effective for all protected health information (PHI) that we maintain. This includes information that we created or received before we made the changes. We must notify members 60 days prior to the effective date of any revisions to the Privacy Notice. Notification of changes will be provided either:
- by mail to the named insured under the terms of his or her coverage, or
- by delivery of the notice by the named insured's employer, if the member is enrolled in employer-sponsored group insurance coverage.
Anthem also must post a revised notice on its web site at anthem.com. You can request a copy of the current Privacy Notice by calling the telephone number listed on the back of your ID card.
Why did Anthem send me a Notice of Privacy Practices?
Anthem is required by HIPAA to send our members a copy of our Notice of Privacy Practices which describes our privacy practices, our legal duties, and your rights concerning your Protected Health Information.
I received a Notice last year. Why are you sending me another Notice?
Other state and federal laws require Anthem to send our members Notices about their Privacy, so you may have received a Notice in the past. The Notice you recently received is a requirement of HIPAA. Anthem also was required under HIPAA regulations to provide a Notice containing the HIPAA privacy provisions by April 14, 2003.
This Notice is a waste of my time and paper. It is also an unnecessary expense.
We appreciate your comments; however, please understand that we are required by law to send this to you. We also wanted you to know how strongly we are committed to protecting the confidentiality of your protected health information.
What rights does the Anthem Privacy Notice outline and can you explain them to me?
As a member of a fully insured group, you have the right to:
- Request restrictions on release of your protected health information (PHI) - You have the right to request that Anthem restrict the disclosure of PHI to carry out Treatment, Payment and Health Care Operations.
- Receive confidential communications - You can request that we send correspondence such as letters and Explanations of Benefits (EOBs) to a location other than your home address if you believe such correspondence will endanger your well-being.
- Inspect and copy PHI records - You can request to read and obtain copies of your medical records at any time, for as long as they are maintained by Anthem.
- Request amendment of PHI records - If you believe that your PHI contains an error, you may request that an amendment be entered into the record to correct the error.
- Receive an accounting of certain non-routine external releases of PHI - You may request an Accounting of Non-Treatment, Payment and Health Care Operations Disclosures of PHI. An example of this might be where we are required by law to supply information to an entity, or a disclosure about decedents to medical examiners or funeral directors.
- Request or authorize personal representatives to discuss your PHI - You may give Anthem written authorization to discuss your health care matters with a spouse or family member.
- Obtain a paper copy of the Notice of Privacy Practices on request.
PLEASE NOTE: There are some instances in which Anthem is not obligated to approve your request.
Does HIPAA allow Anthem to use protected health information (PHI) without my express authorization? When is Anthem allowed to use my PHI without my permission?
Anthem may use and disclose PHI without your specific authorization, when such use is permitted or required by law, such as for the purposes of treatment, payment and health care operations.
What are treatment activities?
Treatment activities are those performed by a health care provider related to the provision, coordination or management of health care for a patient. Anthem does not provide treatment. However, Anthem may disclose protected health information (PHI) to a member's health care provider so that provider can render treatment, i.e., health care services or procedures to a patient.
What are payment activities?
Payment activities are undertaken to obtain premiums, or to determine or fulfill Anthem's responsibilities for coverage and provision of plan benefits. These activities include determining eligibility or coverage, utilization review activities, claims management and collection activities. Anthem may disclose protected health information (PHI) to health care providers or other health plans so that they can conduct payment activities.
What are health care operation activities?
Health care operation activities cover a wide range of possibilities. These include but are not limited to credentialing, business planning and development, quality assessment and improvement, premium rating, enrollment, underwriting, claims processing, customer service, medical management, fraud and abuse detection, obtaining legal and auditing services, and business management. As part of its routine operations, Anthem may send a member information about its disease/care management programs, or about continuation of benefits. Making members aware of these health care options, as well as other treatment alternatives or other health-related benefits and services that may interest the member, is another example of Anthem’s permitted use of protected health information (PHI).
Will HIPAA impact how Anthem handles protected health information (PHI) that is extremely sensitive such as HIV or AIDS, mental health, substance abuse, chemical dependency, genetic testing, reproductive rights, etc.?
Anthem will comply with HIPAA requirements to safeguard PHI. Anthem will also comply with applicable state and other federal laws regarding the protection of member information. If these state and other federal laws are more stringent than those specified in HIPAA, then Anthem will adhere to these higher privacy standards. Accordingly, Anthem will follow more stringent state privacy laws that relate to use and/or disclosure of PHI about HIV or AIDS, mental health, substance abuse, chemical dependency, genetic testing, reproductive rights and other similar issues.
Can a member authorize release of his or her protected health information (PHI)?
Yes. A member may give Anthem written authorization to use or to disclose his or her PHI to anyone for any purpose. Members also have the right to revoke authorization to use or to disclose PHI. Members may revoke this authorization at any time by providing us with a written statement to that effect. Such a revocation will not affect any use or disclosures permitted by the authorization while it was in effect.
Do I need to complete an authorization form to grant access to my protected health information (PHI)?
You do not need to sign an authorization for your own access. In some instances, you may need to complete an authorization form to grant access to your PHI for someone else. To obtain an Authorization Form, please call the telephone number listed on the back of your ID card.
How can I obtain an authorization form?
You may obtain an authorization form by contacting our customer service unit. Please call the telephone number listed on the back of your ID card.
Can I obtain access to information for my minor children?
Most information about your minor children may be available without restriction; however, under certain circumstances, an authorization may be needed. Please call the telephone number listed on the back of your ID card for specific information about your minor child.
Can Anthem release protected health information (PHI) without a member's permission?
Yes, under certain specific situations and to certain people. Generally, such permitted and required uses and disclosures include the following. (Note that these are provided only as examples, and state laws may require an authorization in these situations. See Anthem's Notice of Privacy Practices for more detail.)
- Family and friends. Family and friends may receive PHI when a situation would be in the member's best interest and the member is unable to agree to release of PHI. These situations include medical emergencies and disaster relief.
- Research, death and organ donation. Anthem may use or disclose PHI for research purposes in limited circumstances specified in the HIPAA Privacy Regulations. Anthem may disclose PHI about a deceased person to a coroner, medical examiner, funeral director, or organ procurement organization for certain purposes.
- Public health and safety. Anthem may disclose some PHI permitted by state law to the extent necessary to avert a serious and imminent threat to the member’s health or safety, or the health or safety of others. Anthem may disclose PHI to a government agency that oversees the health care system or government programs, or its contractors, and to public health authorities for public health purposes. Additionally, Anthem may disclose a member's PHI to appropriate authorities if that member is reasonably believed to be the possible victim of abuse, neglect, domestic violence, or other types of crimes.
- Required by law. Anthem may use or disclose PHI when required by law. For example, the U.S. Department of Health and Human Services may request PHI to determine if Anthem is complying with federal law. Disclosures also may be required to comply with Workers' Compensation or similar laws.
- Legal process and proceedings. PHI may be released in response to a court or administrative order, subpoena, discovery request or other lawful process. These disclosures are subject to certain administrative requirements imposed by the HIPAA Privacy Regulations and permitted by state law.
- Law enforcement. Anthem may disclose limited information to a law enforcement official concerning the PHI of a suspect, fugitive, material witness, crime victim or missing person, subject to certain administrative requirements approved under HIPAA Regulations and state law. Anthem also may disclose PHI of an inmate or other person in lawful custody to a law enforcement official or correctional institution under certain circumstances specified by the HIPAA Privacy Regulations. Finally, Anthem may disclose PHI to assist law enforcement officials in the capture of an individual who has admitted to participating in a crime, or who has escaped from lawful custody.
- Military and national security. Anthem may disclose the PHI of members of the Armed Forces to military authorities under certain circumstances specified by the HIPAA Privacy Regulations. Anthem also may disclose PHI to federal officials requiring it for lawful intelligence, counterintelligence and other types of national security activities.
What does the right of access grant a member?
The right of access gives a member the right to inspect and to obtain copies of his or her protected health information (PHI) as long as the information is maintained in Anthem's designated record set. That set includes records from enrollment, billing, claims, medical management systems and other records Anthem keeps to make decisions about a member’s health care.
Does the right of access extend to everything in the member’s protected health information (PHI)?
No. The right of access does not extend to certain information. For example, this includes information contained in psychotherapy notes, or information compiled in reasonable anticipation of, or use in a civil, criminal or administrative proceeding. Members do not have a right of access to information outside of their designated record set.
How does a member gain access to his or her protected health information (PHI)?
Anthem requires certain requests to be in writing using an Access Request Form. Anthem promptly will respond to the requestor. If all or part of the request is denied, then the company's response will include instructions on appeal procedures. Anthem will provide copies of the information in any format requested, as long as that format is practical for us. A reasonable copying fee may apply as well. To obtain an Access Request Form, please call the telephone number listed on the back of your ID card.
Can a member request amendments to his or her protected health information (PHI) and if so, what is the process for seeking an amendment to PHI?
Yes. Certain requests must be in writing. Amendment Request Forms are available from Anthem. Anthem promptly will respond to a request. If a request is accepted, the requestor will be notified. If the request is denied, then the requestor will be informed by Anthem of the appeal procedure. To obtain an Amendment Request Form, please call the telephone number listed on the back of your ID card.
Can a member get information on disclosures of his or her protected health information (PHI) and if so, how can a member request a disclosure accounting?
Yes. All requests for disclosure accounting must be written. Accounting of Disclosure Request Forms are available from Anthem. Beginning April 14, 2003, a member may request that the accounting cover up to a six-year period of reportable disclosures from the date of the request for information. To obtain an Accounting of Disclosure Request Form, please call the telephone number listed on the back of your ID card.
Must Anthem reveal every type of disclosure when a disclosure accounting request is made?
No. Under HIPAA, the following disclosures do not have to be revealed:
- Disclosures made before April 14, 2003
- Disclosures for treatment, payment or health care operation activities
- Disclosures to the member or following a member’s authorization
- Disclosures to persons involved in the member’s care
- Disclosures for disaster relief, national security or intelligence purposes
- Disclosures that are incidental to a permitted use or disclosure
How long will it take to get a response to a request for a disclosure accounting? Are there any fees connected with a request?
Members may request one disclosure accounting a year without paying any fees. Anthem can impose reasonable fees for more frequent requests. Generally, Anthem will respond to any request within 60 days.
Can a member request that Anthem communicate with him or her at an address different from that of the policyholder?
Yes. If a member tells us that he or she could be harmed if communications about his or her health care or health care payment are sent to our address of record, Anthem will use reasonable means to send future communications to an alternate location or through alternate means. These types of requests are called "confidential communications." To request confidential communications, please call the telephone number listed on the back of your ID card.
Can members have use of or disclosure of protected health information (PHI) restricted?
Members can request restrictions on the use or disclosure of PHI for treatment, payment or health care operations. Members may also request restrictions on disclosures to relatives, friends or other individuals involved in their care or in payment for their health care. Anthem is not required to agree to such requests. A restriction request can be made by calling the telephone number listed on the back of your ID card.
With HIPAA compliance effective April 14, 2003, why is Anthem using Social Security numbers as certificate numbers on health insurance cards and dental insurance cards? Doesn't this violate the protection of Protected Health Information (PHI)?
There is no prohibition against using the Social Security number (SSN) in the HIPAA statute or regulations. The HIPAA statute, which was enacted in 1996, does specify a national identifier for patients in lieu of the SSN. However, Congress indefinitely postponed the implementation of this portion of the law.
California has passed a law that makes the publication of the SSN on the identification card unlawful, except for the last four digits. Ultimately, health plans or providers will not allow the use of the SSN in California. Anthem will comply with the California law for our members residing in that state.
We have created a project team to examine alternatives to the SSN identifier. Additionally, the Blue Cross and Blue Shield Association has a group of plans examining alternative numbering systems.
Whether the numbering system is the SSN or an alternative, any patient identifier has some inherent risk for misuse and subsequent inappropriate access to PHI. Real protection of PHI comes from several other sources. Key among these are data security via computer firewalls, locked files, controlled access to work areas with PHI in plain view, password protected desktop and laptop computer screens, and member authentication protocols for telephone inquiries.