Guest Article

(From the Employer's Guide to HIPAA Privacy Requirements, Thompson Publishing Group)

Employers Share Strategies for Organizational HIPAA Compliance


Summary: At a recent conference, the representatives of several major employers discussed their strategies and experiences bringing their group health plans into compliance with HIPAA's privacy rules. Key compliance steps included determining the plan administration functions, identifying the employees who perform these functions and explaining the proper procedures to them.

At a recent conference, the representatives of several major employers discussed their strategies and experiences in structuring the administration of their group health plans to comply with HIPAA's privacy rules.

Food-service company Yum! Brands Inc. boiled the process down to three steps, according to Mark Stember, an attorney who advised the company: (1) determining the plan administration functions; (2) identifying the types of employees who perform these functions; and (3) communicating the proper procedure to these employees.

Yum!'s employee health care program is structured as a single ERISA plan that encompasses medical, dental, vision and health flexible spending account (FSA) benefits, said Stember, of Kilpatrick Stockton LLP in Washington, D.C., who noted that the opinions expressed were solely his own.

Complicating the picture, however, was the company's participation in a Texas "non-subscriber" workers' compensation program, Stember said. This program, for companies that opt out of the state's regular workers' compensation system, is structured as an ERISA group health plan, and therefore is a covered entity for HIPAA purposes, he said. "Because it was not a typical group health plan, it presented some challenges." For example, this plan requires additional paperwork from participants, so in-house benefits staff assume some claims processing duties that normally are assigned entirely to a third-party administrator (TPA).

For the regular group health plan, helping participants with claims turned out to be one of Yum!'s principal plan administration functions, Stember said. "Yum! has a long history of being proactive in this area." The company also gets TPA reports on benefits utilization, and handles claims appeals and audits, he said.

The company next identified the employees who perform these plan administration functions and thus would be within the privacy firewall. Among these were employees of the Employee Services Center (ESC), who use software to track benefits and other inquiries. To safeguard the PHI that flows through this call center, the company installed a special secure folder in the system for health plan information, Stember said.

Other employees who needed PHI included document management, information technology and finance personnel, Stember said. For the company's legal department, which handles both benefits and employment litigation, access to PHI was restricted; these attorneys must subpoena the health plan to obtain plan records, he said.

In the communication phase of the process, employees within the firewall were informed that the ESC would be the official headquarters for employee contact regarding health plan issues, Stember said. Other employees who had previously performed quasi-health plan functions, but now were placed outside the firewall, were instructed to redirect all plan inquiries henceforth to the ESC, he said.

"The employees involved here were basically store managers" or staff of the employee relations hotline, Stember said. Store managers were instructed to have employees call the ESC directly, and not to accept anything in writing from them. This step may have been "overkill," Stember said, but Yum! did not want to give its employees the impression that store managers were involved in health plan administration.

Juggling Plan, Provider Compliance

Andrea Romisher, corporate director of benefits for Kindred Healthcare, discussed the company's experience juggling its HIPAA compliance obligations as a health care provider and an employer. At first, the compliance efforts of the group health plan lagged behind the "operational" HIPAA compliance program at Kindred's hospitals, nursing centers and other provider functions, she said. Field employees had to understand that "this was a separate aspect of the law we needed to implement quickly."

Other challenges Kindred faced included its sheer number of facilities and the absence of a strong human resources (HR) infrastructure in its operating units, Romisher said. In Kindred's decentralized structure, the corporate benefits office consists of 17 employees and a five-person help desk, and each facility has a payroll/benefits coordinator (PBC). "We have a very difficult time identifying these people," who often have other responsibilities, she said.

Kindred's health benefits include a self-funded PPO, fully insured HMOs, a dental plan, a voluntary vision plan and health FSAs, Romisher said. Kindred had an employee assistance program but is terminating it, in part because the vendor could not decide whether it was a HIPAA-covered entity, she said.

It proved operationally infeasible to centralize benefits, so Kindred had to focus its HIPAA compliance efforts at the facility level, Romisher said. Challenges included simply identifying the job titles of staff with access to PHI, and training PBCs -- who often process both PHI and employment-related paperwork, such as Family and Medical Leave Act requests -- to distinguish between the employer and the group health plan, she said.

"Our employees would not necessarily go to the right place to get their issues resolved," Romisher continued. "We had to do a lot of education there, starting with senior management," to ensure that even these employees would not attempt to get PHI if they were outside the firewall, she said.

For example, about 30 claims appeals have been filed regarding the plan's refusal to cover gastric bypass surgery, Romisher said. Kindred's CEO asked her about these appeals and she instructed him to get an authorization. Inquiries by labor unions, which are accustomed to helping their members with claims, get the same response, she said. The unions presumably will realize they need to distribute a blank authorization to their members in order to continue having a role in the process, she added.

Kindred also implemented physical safeguards at its corporate HR office, including higher cubicle walls, white noise and secure access, Romisher said. The company abandoned a plan to put a long-term finance consultant in an empty office in HR, she said.

Kindred prepared a 100-page policies and procedures manual, along with a 10-page training guide and five pages of frequently asked questions that drew on "real-life situations," Romisher said. Work practice changes included finding a private place to talk to participants, and not leaving explanations of benefits on the photocopier, she said. "Through outsourcing disability functions, we eliminated a lot of dilemmas."

Kellogg Refers Employees to Vendors

Kellogg Co., which sponsors self-funded group health plans for 25,000 employees and retirees, tries to avoid handling PHI to the extent possible, according to Catherine Wood, the company's HIPAA compliance officer. "Our employees were encouraged to make contact with the vendors" even before HIPAA and especially now, she said. "We're quite happy to have our suppliers retain [PHI] for us."

Since 1993, Kellogg's benefits functions have been centralized in its People Services Center (PSC), Wood said. As a result, "we have a limited number of folks with contact with PHI," which the company does need to perform the second level of ERISA appeals as well as enrollment and premium payment functions, she said.

One challenge was posed by Kellogg's recent acquisition of Keebler Co., which had a decentralized benefits system, Wood said. Kellogg has worked to bring the new subsidiary's benefits operations into the centralized PSC framework, but there are "still a couple of remote locations where the PHI is handled by the facility," she said.

Although Kellogg's access to PHI is limited, the company has trained its staff so that "on the off chance someone does come into contact with it, they know how to deal with it appropriately," Wood said.

Romisher, Stember and Wood spoke July 29 in New Orleans at a conference on HIPAA compliance for employers, which was cosponsored by the Workgroup for Electronic Data Interchange and the Society for Human Resources Management.

Reprinted with permission from the September 2003 newsletter of the Employer's Guide to HIPAA Privacy Requirements, © Thompson Publishing Group, Inc., 2002. All rights reserved.
