robintek

The economic stimulus package enacted earlier this year includes provisions that extend and strengthen the privacy requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). These changes affect employer health plans significantly, together with the various vendors and contractors that provide services to these plans.

HIPAA regulates the use and disclosure of an individual’s protected health information held by health care providers, health plans, and health care clearinghouses (referred to under HIPAA as covered entities).

Vendors and contractors to health plans — such as those providing legal services, accounting services, consulting services, information technology and the like — are considered business associates and previously were not subject to the HIPAA privacy and security rules directly. They did, however, sign business associate agreements to maintain the privacy and security of protected health information, so as to enable the covered entities they contracted with to comply with HIPAA.

In a significant change to this approach, the Health Information Technology for Economic and Clinical Health Act (HITECH), part of the American Recovery and Reinvestment Act of 2009 (ARRA), extends HIPAA’s privacy and security provisions to business associates that provide services to health plans, thus making them directly subject to these provisions in the same way that covered entities are, and also subject to the same direct government penalties as covered entities in the event of a breach. In another significant change, HITECH specifies breach notification procedures that must be followed when there is an unauthorized disclosure of unsecured protected health information. Under regulations issued by the Department of Health and Human Services, these provisions require both the covered entity and business associate to notify each affected individual directly (including any individual whose unsecured protected health information “is reasonably believed” to have been compromised) of a breach “without unreasonable delay but in no case later than 60 calendar days after discovery of the breach.” The regulations specify methods of notice, including use of prominent media outlets if the breach is believed to involve more than 500 individuals. They also specify the information that should be included in a breach notification.

The regulations also define the technologies and methodologies that can be used to secure protected health information. Because the breach notification requirements apply only to unsecured protected health information, when health information is secured in the ways outlined in the regulations, the breach notification requirements do not come into play.

HITECH also directs that penalties collected in enforcement proceedings will be channeled back for additional enforcement efforts. Some commentators have noted that this might indicate more aggressive enforcement of HIPAA’s privacy and security efforts down the road.

Employer health plans and other covered entities will need to review and amend their contracts with health plan service providers to reflect these changes. HITECH states specifically that HIPAA requirements that relate to security and that are applicable to covered entities, in addition to now being applicable to business associates, “shall be incorporated into the business associate agreement between the business associate and the covered entity.”

The Department of Health and Human Services has issued initial guidance on HITECH provisions, but more will be forthcoming. The timetable for implementation of HITECH provisions affecting the HIPAA privacy and security requirements varies. Given the complexity of these new rules, and their potential impact if not followed, companies with health plans subject to HIPAA should take steps now to ensure they are up to speed with compliance.

Just as employers that match employees’ 401(k) plan contributions see higher employee participation in the plan, employers that contribute to employees’ health savings accounts (HSAs) are more likely to see eligible employees open an HSA.

An examination by UnitedHealthcare of HSA-eligible participants found that when an employer made an HSA contribution on its employees’ behalf, 86% of eligible employees chose to open an account, compared with 27% who opened an account when the employer did not provide “seed money.” Account adoption was highest among employees who earned less than $25,000 annually, with 64% of employees at this income level having an account. The percentage of employees who opened an account then steadily dropped as income level rose: 56% of those in the $25,000-$49,999 earnings range, 52% of those in the $50,000-$99,999 earnings range and 50% of those earning $100,000 or more. However, as might be expected, the average employee HSA contribution rose as income level rose: $1,166 for employees earning less than $25,000 annually, $1,422 for those earning $25,000-$49,999, $1,823 for those earning $50,000-$99,999 and $2,290 for those earning $100,000 or more.

Neither age nor marital status drove or deterred an employee’s likelihood to open an account, according to the survey. More than half of young singles (62%), singles over age 40 (52%), young couples (58%), young families (59%) and mature families (55%) opened an HSA. However, the highest contribution rate was seen among families, both young and mature. Also, employees of small companies were more likely to open an HSA if eligible, with 74% of small company employees taking this step, compared with 67% of employees at mid-size companies and 45% of employees at large companies.

The vast majority of HSA-participating employees had account balances at the end of the year, a testament to the usefulness of HSAs as a savings tool for future health care expenses, including retiree health care expenses.

As this survey suggests, HSAs have application across all income groups, life stages and employer environments, making it an appropriate health plan offering for just about any company to consider.

College students covered under a parent’s health plan will be able to keep that coverage while taking a medically necessary leave of absence from school, under a new law.

Under H.R. 2851 — also known as Michelle’s law — group health plans or insurers may not terminate coverage of a dependent child who is eligible for coverage under a parent’s plan on the basis of being enrolled in a post-secondary educational institution, when that dependent takes a medically necessary leave of absence from school due to a serious illness or injury. Coverage must remain in place for one year after the medically necessary leave of absence begins, or the date coverage would otherwise have terminated under the plan, whichever occurs first. So, for example, if the plan by its terms will cover a college student enrolled on a full-time basis until the end of the year in which the student turns age 22, a student beginning a medically necessary leave of absence could not have coverage terminated until the earlier of that date, or one year after beginning the leave.

Plans and insurers may require a written certification by a treating physician verifying that the covered dependent is suffering from a serious illness or injury, and that the leave is medically necessary.

Also, if the health plan under which the dependent is covered changes, the dependent must be allowed to continue coverage under the new plan.

According to estimates from the Congressional Budget Office, less than 1% of students go on medical leave of absence annually, and about half of these are covered as dependents under employer-sponsored health insurance.

The new law is effective for plan years beginning on or after October 9, 2009.

The cost of preventable medical errors exceeds $17 billion annually, with nearly half of these expenditures representing direct health care costs. Medical errors, by some estimates, are the eighth leading cause of death in the United States. In addition to health care expenses and the costs associated with untimely mortality, the cost of medical mistakes includes lowered workplace productivity, unnecessary absences, and an increased incidence of disability.

The scope of “medical errors” is broad. According to a report from the Institute of Medicine (IOM), medical errors fall into these categories:

• Diagnostic errors — Mistaken or delayed diagnosis; failure to use an indicated diagnostic test; use of an outmoded test or therapy; failure to take action as a result of patient monitoring or test results.
• Treatment errors — Mistakes made during an operation, procedure or test; mistakes in administering a treatment; incorrect prescribing or dosing of medication; delaying treatment in response to an abnormal test result; providing care that is not indicated.
• Preventive errors — Failing to provide prophylactic treatment; inadequately monitoring or following up.
• Other errors — failing to communicate; equipment failure; other system failure.

Most data on medical mistakes centers on errors that occur in the hospital setting. For example, the IOM estimates that 44,000 to 98,000 people die each year in hospitals as a result of medical mistakes, and a report from HealthGrades found that Medicare patient safety events and deaths resulting from hospital errors cost approximately $2.0 billion from 2005 through 2007. In contrast, little data exists on the extent of medical mistakes made in physicians’ offices, nursing homes, pharmacies and urgent care centers, and in the course of home health care.

Though much of the cause of medical errors is systemic, employers can play a role in reducing the incidence of such errors. According to the IOM report, by raising expectations for improvements in safety and for health care providers’ performance, purchasers of health care — including employers — can impact patient safety positively and thereby lessen the chances of errors occurring. One way employers can do this is by making safety a primary factor in the contracting decision process.

Employers can also contribute toward lowering the rate of medical errors by communicating actively the importance of the issue to employees. With employer group health plans being a major purchaser of health care in the United States, this puts employees and dependents who use this care on the front lines of battling medical mistakes. The IOM notes that, for example, in the case of errors involving medications, patients can provide a major safety check in hospitals, clinics and physicians’ offices. Patients should know which medications they’re taking, what their medications look like, what their usual dose is, and what possible side effects can result, and notify their doctor immediately if they notice anything seemingly wrong with their prescription or any side effects. Resources on patient safety are available on the Web site of the Agency for Healthcare Research and Quality, http://www.ahrq.gov/qual/errorsix.htm.

Talking to employees about the role they can play in this regard — in a company newsletter article, in benefits communications materials, or during a lunchtime presentation — can impress on them that by being an active participant in their health care, they can lessen the chance that they will be a victim of a medical mistake. Reducing the incidence of mistakes can help to control costs for both an employer and employees, and can improve employee patient safety substantially.