As required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the U.S. Department of Health and Human Services (HHS) released final federal regulations that govern the use and disclosure of personally identifiable health information in December 2000 (HIPAA Privacy Rules). Final changes to the regulations were published on August 14, 2002. In most cases, the deadline for compliance with the HIPAA Privacy Rules is April 14, 2003.
Vanasek Insurance Services as a Business Associate
The HIPAA Privacy Rules require that group health plans enter into a Business Associate Contract where a third party will be provided access to Protected Health Information (PHI) when assisting or performing a function on behalf of the group health plan. The HIPAA Privacy Rules directly regulate health plans, health care clearinghouses and health care providers (Covered Entities). The rules indirectly regulate plan sponsors and other third parties that have access to PHI. The HIPAA Privacy Rules allow a Covered Entity to disclose PHI to a third party that performs or assists in performing a function or activity, including those regulated by the HIPAA Privacy Rules where a Business Associate Contract exists with the Covered Entity. Third party administrators, pharmacy benefit managers, and brokers are examples of organizations that will typically enter into a Business Associate Contract with a group health plan. In order for Vanasek Insurance Services (VIS) to continue to receive claims data needed to perform claims analysis services, the HIPAA Privacy Rules require the group health plans enter into a Business Associate Contract with Vanasek Insurance Services.
Vanasek Insurance Service’s Compliance Efforts
In response to the HIPAA Privacy Rules, VIS has established a HIPAA Privacy Work Group which includes our Privacy Officer. VIS has taken this opportunity to not only enhance our policies and procedures with regard to use and disclosure of PHI, but also to streamline our internal practices in order that we may serve our clients more efficiently.
- Our HIPAA Privacy Work Group has implemented and will continue to develop our Information Security Program, which includes:
- Formal Privacy Policies & Procedures outlining the use and disclosure of PHI
- An Information Security Program that addresses organizational practices, security of physical facilities and electronic data, and staff training
- Ensuring that all Third Party Providers have an equivalent program
As part of that Program, we are providing our clients with a Business Associate Contract and asking that they enter into the Contract with us.
April, 2003