HIPAA Privacy: Implementing Privacy for Government Health Plans
Roberta M. Ward
Senior Counsel, Privacy Officer
California Department of Health Services
Tuesday, September 16, 2003 * 11:00 am-Noon
What types of health plans are covered by the Privacy Rule?
Specifically mentioned:
ERISA employee plans
Medicare, Parts A and B
Employee health benefits plans
Indian Health Service program
Federal Employees Health Benefits Program
State Child Health Plans under Title XXI
Medicare + Choice Program
State high risk pools to provide coverage to eligible
General Catch-all Category:
A group plan that provides, or pays the cost of, medical care
Not equivalent to a “group health plan”, which is an employee plan under ERISA
Comes under 45 CFR 160.103 Health Plan (xvii): “Any other individual or group plan, … that provides or pays for the cost of medical care”
Excluded from the definition:
Any policy, plan or program which pays for the cost of excepted benefits listed in 42 U.S.C. 300gg-91(c)(1)
A government funded program whose principal purpose is other than providing or paying the cost of health care, or
Whose principal activity is the direct provision of health care, or
The making of grants to fund the direct provision of health care
Continuing Confusion About Catch-all Category
“Any other group plan that provides or pays for the cost of medical care”
“Group plan” is not defined and is not restricted to ERISA plans, which are “group health plans” under the definition at 45 CFR 160.103
Intent of the Privacy Rule coverage of government health plans is to be very expansive
Commenters on the Privacy Rule argued that many government “payment programs” should not be included in the definition of a health plan, such as the AIDS Drug Assistance Program and Breast and Cervical Cancer Screening
In the Final Rule, OCR excepts out only government programs that have a principal purpose other than providing or paying for the cost of health care
Or . . .
Those which have as their principal activity the direct provision of health care or the making of grants to fund the direct provision of health care
Specifically Mentioned in Preamble as Excluded:
WIC Program
Health care services for INS
Title X Public Health Service Act grantees for family planning programs
“To the extent that a certain benefits plan or program otherwise meets the definition of “health plan” and is not explicitly excepted, that program or plan is considered a “health plan” under paragraph (1)(xvii) of the final
“Where a public program meets the definition of “health plan”, the government agency that administers the program is the covered entity”
Preamble to Privacy Rule: 65 Fed. Reg. 82578 (December 28, 2000)
Department of Health Services (DHS) is a “hybrid entity” under HIPAA
A hybrid entity is a single legal entity which contains both covered and non-covered functions
A hybrid must ensure that covered health care components of the entity comply with HIPAA, and do not disclose PHI to another component of the covered entity when the Privacy Rule would prohibit disclosure if the health care component and other component were separate and distinct legal entities
Rules for Hybrid
Employees of a hybrid entity must not use or disclose PHI created or received in the course of work for the covered health care component in a way prohibited by the Privacy Rule when they work for both covered and noncovered components of the hybrid.
A hybrid must document designations of covered health care components and must include any component that would meet the definition of a covered entity if it were a separate legal entity.
The advantage of being a hybrid entity is that strict HIPAA rules apply only to covered components and their internal business associates.
DHS Covered Components
County Medical Services Program (DHS runs program on behalf of counties)
Children’s Treatment Program
Physicians’ Services Contract
Back/Emergency Medical Services Appropriation
Refugee Health Services
California Children’s Services
Child Health and Disability Prevention Program
Genetically Handicapped Persons Program
Medical Therapy Program
Family PACT
Newborn & Prenatal Screening
AIDS Drug Assistance Program
AIDS Medi-Cal Waiver
HIV Diagnostic Assay Program
Cancer Detection—Prostate
Breast and Cervical Cancer Detection Program
Long Term Care – SCAN
Long Term Care – PACE
Federal Preemption
Federal Preemption is when another federal statute or regulation is contrary to and more stringent than the provisions of the Privacy
If the Federal statute or regulation relating to the privacy of PHI is more stringent, in comparison to a standard, requirement or implementation specification of the HIPAA Privacy Rule, the provision of the Federal law
More Stringent Means:
With respect to a use or disclosure, the Federal law prohibits or restricts a use or disclosure in circumstances where the use or disclosure would be permitted under HIPAA,
Except to the Secretary for determining compliance, or
To the individual who is the subject of the PHI, or
Permits greater rights of access or amendment to the individual who is the subject of the PHI
What Does This Mean for the Medicaid Program?
Medicaid rules on use and disclosure are much more restrictive than HIPAA
The Federal Medicaid statute and regulations restrict the use or disclosure of information concerning applicants and recipients to purposes directly connected with the administration of the state Medicaid program. (Section 1902(a)(7) of the Social Security Act and 42 CFR 431.300)
States are required to have statutes that provide legal safeguards against uses or disclosures of Medicaid information for purposes not directly connected with the administration of Medicaid and which impose sanctions for
Purposes directly connected with Medicaid Administration are narrowly defined as:
Establishing eligibility, determining the amount of medical assistance, providing services for recipients, and conducting or assisting an investigation, prosecution, or civil or criminal proceeding related to Medicaid program administration.
Medicaid agencies must safeguard information about applicants and recipients, including:
Names and addresses; medical services provided; social and economic conditions or circumstances; agency evaluation of personal information; medical data including diagnosis and past history of disease or disability; any information received for verifying income eligibility and amount of medical assistance; any third party liability information.
Medicaid agencies must inform the court of the restrictions on use and disclosures in response to a subpoena for a case record or for an agency representative to testify concerning an applicant or recipient.
Allowable Distributions
Medicaid agencies may only distribute materials to applicants, recipients, or medical providers which directly relate to the administration of Medicaid.
Medicaid agencies must not distribute holiday greetings, general public announcements, partisan voting information and alien registration notices.
Medicaid agencies may distribute materials directly related to the health and welfare of applicants and recipients, such as announcements of free medical examinations, availability of surplus food, and consumer protection information.
How do the Medicaid restrictions on use and disclosure intersect with the HIPAA Privacy Rule?
HIPAA permissible disclosures are generally not allowed under Medicaid:
The Medicaid agency may not disclose PHI:
– To public health authorities
– To researchers, unless research is related to operation of the Medicaid program
– In response to a subpoena, unless subpoena is for criminal or civil case related to Medicaid program, such as fraud and abuse
– In response to beneficiary’s own authorization, unless purpose is directly related to administration of the Medicaid program
– To coroners, medical examiners, and funeral directors
– To law enforcement, unless Medicaid fraud investigation or
– For public safety or security reasons
– In response to a court order, without informing the court first of the restrictive Medicaid rules on use and disclosures
What about the right of Medicaid beneficiaries to access their own records?
Prior to HIPAA, information could only be released to beneficiaries for purposes directly connected with Medicaid operations.
Post HIPAA, contrary laws may not restrict health plan beneficiaries’ rights to access or amend their own records.
This has been acknowledged in conversations with federal attorneys, but CMS has not issued written
What are the Requirements for a Medicaid Notice of Privacy Practices (NPP)?
Plain language—short sentences in active voice, use common everyday words, divide material into short
Uses and disclosures must reflect the more stringent law: in this case, the Medicaid law (45 CFR
Laundry list of HIPAA permissible disclosures should not be included, as the Medicaid agency is not permitted to make these disclosures by law.
Should be translated into threshold languages for limited English proficiency beneficiaries
Should be available in braille or on audiotape for the sight impaired to comply with the ADA
NPPs Must be Translated
Title VI of the Civil Rights Act of 1964 prohibits discrimination on the basis of race, color, or national origin in any program or activity that receives Federal Financial Assistance
The Office for Civil Rights (OCR) in the Department of Health and Human Services (HHS) has published Guidance to Federal Financial Assistance Recipients Regarding Title VI Prohibition Against National Origin Discrimination Affecting Limited English Proficient (LEP) Persons
OCR’s Guidance requires the translation of written materials which are considered vital documents
NPP is a Vital Document
Vital documents include consent and complaint forms, intake forms, written notices of eligibility criteria, rights, etc.
HIPAA Notices of Privacy Practices (NPPs) are written notices of rights and thus should be considered “vital
Safe Harbor rule is strong evidence of compliance with the recipient’s written-translation obligations:
– The recipient of HHS federal financial assistance must provide written translation of vital documents for each LEP language group that constitutes 5 percent or 1,000, whichever is less, of the population of persons eligible to be served or likely to be affected or encountered by the program or provider
Entities Covered by OCR Guidance
Entities covered by the OCR Guidance include any state or local agency, private institution or organization that (1) operates, provides, or engages in health, or social service programs and activities and (2) receives Federal financial assistance from HHS directly or through another covered
Covered entities with LEP obligations include: health care providers; managed care organizations; universities and other entities with health research programs; state, county and local health agencies; State Medicaid agencies.
Title VI HIPAA Obligations
The Preamble to the Privacy Rule notes: “(A)ny covered entity that is a recipient of federal financial assistance is generally obligated under Title VI of the Civil Rights Act of 1964 to provide material ordinarily distributed to the public in the primary languages of persons with limited English proficiency in the recipients’ service areas. Specifically, this Title VI obligation provides that, where a significant number or proportion of the population eligible to be served … by a federally assisted program needs service or information in a language other than English in order to be effectively informed of or participate in the program, the recipient shall take reasonable steps, considering the scope of the program and the size and concentration of such population, to provide information in languages appropriate to such persons.” 65 Fed. Reg. 82547 (December 28, 2000)
Medi-Cal Threshold
California’s Medicaid NPP was translated into 13 threshold languages, including English and Spanish
Distribution of NPPs
Health plans must distribute to individuals “covered by the health plan” (enrollees):
As of the compliance date;
After enrollment, within 60 days of a material revision to the content of the NPP; notify enrollees of the availability of the NPP every three years; and make it available upon request to any person.
After the compliance date, at enrollment in the health plan to new enrollees;
Only need to send to the named insured, or head of household, not every dependent
Problems in Distributing NPPs
Challenge with DHS health plans in which there is no stable enrollment, where coverage is episodic, and plans are the payors of last resort
Patient identifying information is sent to the fiscal intermediary with the claim and is not easily retrievable
Family PACT program where adolescents receive family planning services, without parental notification
Actions Taken by DHS
DHS asked providers to distribute NPPs for these health plans and preserve documentation of
Privacy Rule Preamble allows health plans to arrange for others to distribute NPPs on their behalf, such as health care providers affiliated with the health plan.
Covered providers are required to distribute only their own NPP. If the other entity fails to distribute the NPP, the health plan may be in violation of the Privacy Rule.
Preamble on Distribution by Others
Preamble states: “We require covered providers to distribute only their own notices, and neither require nor prohibit health plans and health care providers from devising whatever arrangements they find suitable to meet the requirements of this rule.” 65 Fed. Reg. 82720 (December 28,
Many State Medicaid programs have contracted out the operations of Medicaid to private HMOs
California’s Medi-Cal program is about 50/50 fee-for-service and managed care
Issues: Is the managed care organization (MCO) the business associate of the State Medicaid agency?
What set of rules apply to uses and disclosures of Medicaid PHI by the MCO?
Business Associates
A business associate performs a function or activity involving PHI on behalf of a covered entity, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and/or provides management, administrative, or financial services to or for such covered entity
What Are MCOs?
Could argue that MCOs are business associates of state Medicaid agencies
Would require business associate agreements
MCOs would be restricted to the same uses and disclosures of PHI as the state Medicaid agency
Medicaid agency would assume some liability for privacy breaches of MCOs
MCOs Not Medicaid Business Associates
Because MCOs are generally full risk HMOs which are covered entities in their own right and don’t like being considered business associates, the prevailing view is that they are not business associates of state Medicaid
MCOs Could be OHCAs
Could be participants in “Organized Health Care Arrangements” (OHCAs) with the state Medicaid agency if they agree
An OHCA is an organized system of health care in which more than one covered entity participates and where the covered entities hold themselves out to the public as participating in a joint arrangement and participate in joint health care activities, such as UR, QA, or payment activities
Advantages of Being an OHCA
OHCAs are formed by participating covered entities which share PHI to manage and benefit their common enterprise
Covered entities in an OHCA can share PHI with each other for the arrangement’s joint health care
Covered entities in an OHCA may issue a joint NPP
Joint Operation
Most common interpretation is that MCOs and the state Medicaid agency are jointly operating a government health plan
Where a public agency is required or authorized by law to administer a health plan jointly with another entity, public or private, OCR considers each agency to be a covered entity
Examples of joint administration include:
– State and Federal Medicaid and SCHIP
– Medicare + Choice Plan and CMS
Contractual Obligations of MCOs
State Medicaid agency allowed to limit uses and disclosures of PHI under MCO contract to only those restrictive uses and disclosures permitted by federal law for the single state Medicaid agency
State Medicaid agency can put business associate protections in its contracts with MCOs
Under the Balanced Budget Act, state Medicaid agency has obligation to ensure HIPAA compliance by its MCOs
Other State Agencies
Other state agencies work in partnership with the state Medicaid program to implement certain Medicaid benefits
An agency that does not administer a program, but which provides services for the program, is not a covered entity
Parts of these agencies may be a business associate of the state Medicaid program. 65 Fed. Reg. 82578 (December 28, 2000)
Business associate language may be incorporated into Inter-Agency Agreements or into regulations.
Eligibility & Enrollment
But there is an exception for government agencies that are authorized by law to collect eligibility or enrollment information for covered government health plans.
These agencies are not considered business associates of the covered government health plans, but the covered entity health plan is allowed to make disclosures of PHI to them. 45 CFR
Providers are Not BAs
Treating providers which are paid by the health plan are not thereby business associates of the health plan
Business Associate
Business associate agreements should include timely notification to the covered entity of breach of security of PHI
California law requires immediate notification by the contractor of a breach to the covered entity and subsequent notification of persons whose PHI has been acquired by an unauthorized person
FI Contracts
Other important provisions in fiscal intermediary business associate agreements:
• Written privacy and security policies, duty to assist in defense,
• Time deadlines on duty to provide access to records and amend records,
• Access to internal practices, books and records by covered entity to audit compliance with
Medicaid and other government health plans audit and oversee their providers and contracted health plans for compliance with program rules and standards and to discover fraud and abuse
Several sections of the Privacy Rule may be relied upon to allow the providers or other health plans to disclose the PHI to the auditors
Disclosure may be required by state laws or regulations (and thus may be a “required by law” permissible disclosure under 45 CFR 164.512(a))
Disclosures for
A covered entity may disclose PHI to another covered entity for health care operations of the entity that receives the information, if each entity has or had a relationship with the individual who is the subject of the PHI, the PHI pertains to the relationship, and the disclosure is for the purpose of health care fraud and abuse detection or compliance. 45 CFR
If the disclosure is not required by law, and does not fit into the operations disclosure exception above, then argue that the disclosure is to a health oversight agency
Health Oversight
Health oversight agencies are state or local agencies, or their agents, authorized by law to oversee the health care system or government programs in which health information is necessary to determine eligibility or compliance. 45 CFR 164.501.
Health Oversight
Covered entities may disclose PHI to health oversight agencies for oversight activities authorized by law, including audits and civil, administrative, or criminal proceedings or
Auditors are entitled to see records of beneficiaries from other programs or who are private pay, if necessary for health care oversight and auditing
A covered entity may rely, if such reliance is reasonable, on a requested disclosure as the minimum necessary for the stated purpose when making disclosures to public officials under 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose. 45 CFR 164.514(d)(3)(iii)(A).
By the Federal Government — Are You Kidding?

The HIPAA Privacy Rule and Governmental Programs