|
The Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule) took effect on April 14, 2001. The Privacy Rule creates national standards to protect individuals’ personal health information and gives patients increased access to their medical records. As required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Privacy Rule covers health plans, health care clearinghouses, and those health care providers who conduct certain financial and administrative transactions electronically. Most covered entities must comply with the Privacy Rule by April 14, 2003. Small health plans have until April 14, 2004, to comply with the Rule.
The following sources are available for more information about the Privacy Rule:
- Read about HIPAA Privacy Rule Business Associate Provisions as they pertain to Medicare fee-for-service contractors.
- Find the Final Privacy Rule, as well as background and general information, technical support, and other relevant sites at www.hhs.gov/ocr/hipaa/.
- All Department of Health and Human Services’ press releases, fact sheets, and other press materials regarding the Final Privacy Rule are available at http://www.hhs.gov/news.
- The following toll-free number has been implemented for providers’/suppliers’ use: 866-627-7748.
For information on all other HIPAA issues regarding Electronic Data Interchange, visit the EDI - General News section of our Web site. Use this page to link to the Centers for Medicare & Medicaid Services (CMS’) Web site to file a HIPAA Model Compliance Extension Plan.
HIPAA Privacy Rule Business Associate Provisions
The following information provides guidance regarding the business associate provisions of the Health Insurance Portability and Accountability Act (HIPAA) Standards for Privacy of Individually Identifiable Health Information ("Privacy Rule").
Medicare fee-for-service (FFS) contractors that perform health care activities involving the use of protected health information on behalf of the Medicare FFS health plan (i.e., claims processing functions) are business associates of the Medicare FFS health plan (the covered entity). By definition, a business associate is a person or entity that performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information on behalf of a covered entity (45 CFR §164.103).
Medicare contractors that perform health care activities involving the use of protected health information on behalf of the Medicare FFS health plan are not business associates of providers, physicians, suppliers, or other health plans. Likewise, providers, physicians, suppliers, or other health plans are not business associates of the Medicare contractor, unless the provider, physician, supplier, or other health plan is doing work on behalf of the Medicare contractor. For these reasons, Medicare FFS contractors should not sign business associate agreements with any provider, physician, supplier, or other plan unless the provider, physician, supplier, or other health plan is doing work on the contractor’s behalf.
Questions have been raised about whether there is a business associate relationship between Medicare contractors and the trading partners that receive crossover claims data from them. Currently, Medicare contractors execute trading partner agreements (TPAs) with a host of payers, including Medigap insurers, Medicare supplemental/employee retiree health plans, multiple employer welfare trusts, as well as state Medicaid agencies, for the purpose of exchanging adjudicated Medicare claims for secondary liability determination by those partners. This exchange of data is commonly referred to as the "claims crossover process." For coordination of benefits (COB) purposes, Medicare contractors and trading partners are not business associates, since neither entity is doing work on the other’s behalf; therefore, the Medicare FFS contractors should not sign business associate agreements with supplemental insurers (trading partners). |
 |
