HIPAA FAQ- Plan Sponsors
What does HIPAA privacy protect?
The HIPAA Privacy Regulation creates national standards to protect an individual's personal health information and gives patients and insureds increased access to their medical information.
It has always been Guardian's goal to ensure the protection and integrity of our members' personal and health information. We will comply with the privacy requirements of the HIPAA as well as other laws aimed at safeguarding privacy. We also have our own privacy policies and procedures in place. These are designed to protect customer privacy. We will continue to make this a priority.
What is PHI?
Protected health information (PHI) is health information that is created or received by a covered entity and relates to the past, present or future medical or mental condition of an individual and the provision or payment of that health condition. In order to be PHI, the information must identify the individual or provide a reasonable basis for identifying the individual. Information acquired or maintained in connection with Life and Disability Income coverage is not considered PHI.
How will HIPAA affect Guardian members?
As a covered entity, Guardian will be fully compliant with all aspects of the HIPAA Privacy Regulation. An important part of our compliance initiative includes fulfilling our obligations to enable our members to exercise certain rights assured them under the Privacy Rule. These rights include:
- The right to have access to designated records that contain protected health information (PHI).
- The right to request an amendment to PHI contained in designated records.
- The right to request restrictions on the use and disclosure of PHI.
- The right to appoint personal representatives.
- The right to receive confidential communications at an alternate address or location.
- The right to request a disclosure accounting.
- The right to request amendment of PHI.
- The right to file a complaint.
- The right to receive a Privacy Notice.
While we will administer these rights for our fully insured members, as a general rule, we will look to our self-funded group health plans (ASO & SPAG) to administer their own members' rights.
What is covered Entity?
Covered entities that must comply with the HIPAA Privacy Rule are health plans, health care clearinghouses and those health care providers that submit or maintain certain health information in electronic format.
What is the definition of a Health Plan?
The definition of a health plan under the regulation includes health insurers that provide treatment for medical, dental, vision and/or prescription drug services or reimbursement for these health benefits. Group Health Plans include employer sponsored ERISA plans - both insured and self-insured, as well as non-ERISA plans such as church plans.
What coverages are affected?
The HIPAA Privacy Rule affects health information provided under a Medical, Dental, Vision and/or Prescription Drug plan.
How can someone get a copy of Guardian's privacy notice?
We are asking fully insured plans to hand out the Guardian Notice of Privacy at the time a new hire enrolls in a health plan. They can make copies of the Notice if they have one in their office or order a supply by calling the Customer Response Unit that services your plan. Also, electronic version is located on this website. To view it, please click here. Self-Insured plans are required to create their own Notice of Privacy Practices.
Is the Notice of Privacy available in Spanish?
Yes. An electronic version is located on this website. To view it please click here, or you can request a paper copy by contacting us using the Customer Response Unit that services your plan.
How does the individual file a complaint?
An individual will not be penalized for filing a complaint.
A person who believes a covered entity is not complying with a requirement of the Privacy Rule may file with Office of Civil Rights a written complaint, either on paper or electronically. This complaint must be filed within 180 days of when the complainant knew or should have known that the act had occurred.
Office for Civil Rights
U.S. Department of Health and Human Services
Jacob Javits Federal Building
26 Federal Plaza, Suite 3312
New York, New York 10278
In addition, individuals have a right to file a complaint directly with the Guardian at the address below or by contacting us using the Customer Service/Requesting Customer Service page of this website:
Attention: Guardian Corporate Privacy Officer National Operations
The Guardian Life Insurance Company of America
Group Quality Assurance - WRO
P.O. Box 2457
Spokane. WA 99210-2457
What is a person wants a copy f their PHI?
The request to inspect and copy protected health information should be submitted in writing. The letter should include:
- Specifics of the requested information
- The covered time frame
- The name, address and telephone number of the individual who is to receive the PHI.
The letter should be directed to the following address:
Attention: Guardian Corporate Privacy Officer National Operations
Address: The Guardian Life Insurance Company of America
Group Quality Assurance - WRO
P.O. Box 2457
Spokane, WA 99210-2457
What can Guardian use PHI without an individual's authorization?
Guardian may use and disclose protected health information (PHI) without a member's specific authorization when such use is permitted or required by law. Authorization is not required for the purposes of treatment, payment and health care operations. Please keep in mind that is has always been our policy to protect the health information of our members.
What are treatment activities?
Treatment activities are those performed by a health care provider related to the provision, coordination or management of health care for a patient. Guardian does not provide treatment. However, Guardian may disclose protected health information (PHI) to a member's health care provider so that provider can render treatment, i.e., health care services or procedures to a patient.
What are payment activities?
Payment activities are undertaken to obtain premiums, or to determine or to fulfill Guardian's responsibilities for coverage and provision of plan benefits. These activities include determining eligibility for coverage, utilization review activities, claims management and collection activities. Guardian may disclose protected health information (PHI) to health care providers, its business associates or other covered entities for the conduction of payment activities.
What are health care operation activities?
Health care operation activities include-but are not limited to-credentialing, business planning and development, quality assessment and improvement, premium rating, enrollment, underwriting, claims processing, customer service, medical management, fraud and abuse detection, obtaining legal and auditing services, and business management. Making members aware of these health care options as well as other treatment alternatives or other health-related benefits and services that may interest the member, are examples of Guardian's permitted use of protected health information (PHI).
Will Guardian still release PHI to a self-insured plan?
Guardian can continue to release employee claim data, providing the plan has taken steps to comply with HIPAA. Some of the steps needed are:
- Training of employees on HIPAA provisions;
- Appointing a privacy officer to receive and protect employee claim information;
- Modifying the plan documents (which are documents the plan would keep in their office on file not our certificate booklets or rider), etc.
What are the requirements of the fully insured employer under the Privacy Regulations?
The employer/plan sponsor is not a covered entity and technically is outside the direct scope of the Privacy Regulations. However, employers and plan sponsors will be impacted greatly. Of significant impact to employers are the rules regarding what PHI a group health plan, or its insurer or business associate, can provide to the employer. The group health plan or its insurer or business associate, may not disclose PHI to the employer unless certain conditions are met.
For example, the employer will have to provide a certification to the Guardian, that its plan documents (which are documents the plan would keep in their office on file not our certificate booklets or rider) have been amended, and the disclosure must be necessary for the employer to carry out plan administration functions. Then access to PHI must be restricted to only those employees performing these administrative functions.
What kind of information can Guardian share with it's fully insured plans?
We are able to share summary health information to our fully insured plans. Fully insured plans including MPP & HDD plans. The Claims by Patient, Claims Analysis and Claims by Division/Department reports will no longer be sent nor will they be available via Benefits Manager.
What/Who is a Business Associate?
Under the HIPAA Privacy Rules, a business associate is a person or organization that performs certain functions or activities on behalf of the covered entity, but is not part of the covered entity's workforce.
Examples of activities or functions that may be performed by a business associate of a covered entity include:
- Claims processing or administration
- Utilization review
- Data analysis, processing or administration
- Quality Assurance
- Benefit Management
Guardian is considering parties with whom we share health information (e.g. PPO networks and other managed care vendors) to be our business associates.
What is a Business Associate Agreement?
Before a covered entity may share protected health information with a business associate, it must obtain satisfactory assurances that the business associate will appropriately safeguard the information. This would be done through the business contract with that associate (a/k/a business associate agreement).
Is a Fully Insured plan a Guardian Business Associate?
No. Guardian's relationship with its fully insured group health plans is defined as an "Organized Health Care Arrangement" (OHCA) in the HIPAA Privacy Rules. Covered Entities who participate in OHCA do not have to have a business associate agreement. Therefore we are not required to enter into a business associate agreement with a fully insured plan.
Is a Self-insured plan (ASO & SPAG) a Guardian Business Associate?
No. Guardian is a business associate of a self-insured plan. Therefore a self-insured plan must have Guardian sign a Business Associate Agreement since we provide services that involve PHI on their behalf. A self-Insured plan can send a business associate agreement to the following address:
Alternate Funded Administration - Mail Station 3N
PO Box 26070
Lehigh Valley PA 18002-6070