HIPAA Frequently Asked Questions
To provide you with a basic understanding of HIPAA and its effect on VSP, we have prepared the following answers to frequently asked questions about the legislation.
This is intended only as an overview, and is not legal advice. We encourage you to make your own evaluation of how HIPAA may impact your business. If you have any additional questions about the steps VSP is taking to comply with HIPAA regulations, please contact our HIPAA specialist at hipaa@vsp.com or (800) 852-7600 extension 5437.
General
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law designed to protect health insurance coverage for individuals and their families. The law covers many aspects of healthcare, ranging from portability of health coverage from one job to another to the tax codes dealing with healthcare. Title II, Administrative Simplification, contains the provisions that will have the most significant impact upon VSP. The Administrative Simplification provisions of the law affect healthcare providers, health plans and healthcare information clearinghouses. The provisions seek to improve the efficiency and effectiveness of the healthcare system by:
- standardizing the electronic data interchange (EDI) of many administrative and financial transactions; and
- protecting the security and privacy of health information in electronic or paper formats.
Complete information on the Administrative Simplification provisions is available from the Department of Health and Human Services (HHS) Web site.
Who is covered by the Administrative Simplification rules?
Information is available from HHS. Scroll down to "Covered Entities." This information may be of assistance to you in determining whether your business is a "Covered Entity" required to comply with HIPAA.
Is VSP a covered entity?
Because VSP's business meets the HIPAA definition of a health plan, it is a covered entity. (See the definition of a health plan below.)
Health plan: HIPAA Section 1171(5) defines a “health plan” as an individual plan or group health plan that provides, or pays the cost of, medical care (see section 2791(a) of the Public Health Service Act).
Describe the actions your organization has taken to be compliant with the HIPAA regulations.
Outlined below are some of VSP's activities with regard to the entire HIPAA compliance effort:
- Evaluated client and provider Transaction standards
- Trading client transactions
- Implemented Patient Rights processes and procedures
- Developed and distributed VSP's Notice of Privacy Practices
- Developed and implemented Member Rights procedures to support a member's right to access
- Trained all workforce members on VSP's Privacy Practices
- Implemented technical security upgrades
- Trained workforce on HIPAA policies and procedures
- Completed initial review of the Unique Identifier Rules
Does VSP have staff members assigned to assuring its HIPAA EDI, Privacy, and Security compliance?
Yes. If you have specific questions about VSP's HIPAA compliance status, please contact our Regulatory Department at hipaa@vsp.com
Has VSP contracted with any third-party organizations to certify HIPAA Standard Transactions?
VSP has contracted with Claredi to certify all HIPAA-mandated standard transactions as compliant with HIPAA.
Is VSP willing to sign a contract with its clients indicating that it will pay fines assessed as a result of any non-compliance findings of an official Federal compliance auditor?
VSP is willing to agree to contract provisions indemnifying its clients from fines or penalties resulting from VSP's failure, in the event that one were to occur, to comply with HIPAA regulations.
What is a HIPAA certificate?
A HIPAA certificate is part of the “portability” piece, or Title I, of HIPAA. The certificate provides evidence of health coverage, should an individual become ineligible for health insurance coverage due to a job change, etc. The certificate is used to establish the individual's right to buy coverage, from another insurer, with no exclusion for previous medical conditions.
Will VSP amend its plan documents to support compliance with the HIPAA Rule?
The term "group health plan" is one of the 17 types of entities that fall within the definition of "health plan" in 45 CFR 160.103. Although VSP is a "health plan" as defined in that section, VSP is not a "group health plan," and thus is not subject to the requirements set forth in 45 CFR 164.504(f)(2) that apply specifically to group health plans, nor is it required to amend plan documents. VSP is compliant with the HIPAA Privacy Rule as a "health plan"/covered entity.
Does VSP provide HIPAA certificates?
VSP does not routinely issue HIPAA certificates. VSP is exempt from this requirement as a limited scope insurer.
Where can I get more information?
For more information about the Administrative Simplification provisions of HIPAA, please see the document entitled “HIPAA Administrative Simplification Provisions.”
For any other questions, please e-mail hipaa@vsp.com.
Is VSP helping its providers comply with HIPAA?
Although VSP provides online resources for our doctors to learn about HIPAA regulations and policies, each doctor is considered to be a covered entity and therefore responsible for their own compliance efforts. Clearinghouse services are also provided to doctors through our subsidiary, Eyefinity.
Does VSP require a Business Associate Agreement (BAA) for clients' TPAs?
Because the TPAs are providing a service on behalf of the client, VSP is not required to have a signed BAA with them. The BAA relationship would be between the client and the TPA.
Standard Transactions and Code Sets
Did VSP file for the extension on behalf of its employer clients?
Employers are not covered entities and therefore do not need an extension. VSP has obtained an extension on its own behalf that covers all vision care benefit plans administered by VSP for its clients.
Are VSP's systems capable of sending and receiving X12N transaction standards?
Yes. VSP's systems are capable of exchanging all HIPAA-mandated standard transactions.
Which of the following transaction types will VSP be exchanging?
VSP will exchange the HIPAA-mandated standard transactions with clients and providers as defined in the following chart:
| Transaction | Current Status |
| --- | --- |
| Enrollment and Disenrollment (834) | VSP is currently trading the 834 version 4010. Please contact your membership coordinator to set up the 834 transaction. If a membership coordinator has not been assigned, contact Cynthia Smith, Membership Supervisor, at ext. 7576. |
| Premium Payment (820) | VSP will accept the 820 Premium Payment/Remittance Advice electronic transaction as a payment option for our clients. |
| Encounter Reporting (837) | VSP is currently trading 837 Encounter Reporting transactions with interested clients. All clients receiving encounter reporting have been notified that they can schedule testing and subsequent transition to the 837. |
How did VSP achieve compliance with the HIPAA Transaction Standards?
VSP drew on its existing electronic data processing expertise to achieve compliance with the Transaction Standards, as summarized in the following chart:
| EDI Compliance Activity | VSP Plans |
| --- | --- |
| Modify existing computer system. | VSP made the modifications necessary to process electronic data. |
| Purchasing software. | VSP purchased new translator software. |
| Purchasing new computer system. | VSP will not purchase new systems to house or process electronic data. |
| Subcontracting with a clearinghouse. | Eyefinity, a wholly owned VSP subsidiary, facilitates the incoming and outgoing provider transactions. |
Will VSP require that clients submit enrollment in the 834 format?
Although VSP would like to receive 834 standard transactions, we acknowledge that employers are not HIPAA-covered entities and thus are not required to use the standard format.
Does VSP use the medical data code sets mandated by HIPAA?
Yes. VSP currently uses CPT and HCPCS codes as applicable.
Is VSP utilizing a clearinghouse to accept the Transaction Standards?
VSP's wholly owned subsidiary, Eyefinity, will be facilitating the translation of all doctor originated standard transactions. All client transactions will be submitted directly to and translated by VSP.
Does VSP require Trading Partner Agreements?
VSP does not require a standard trading partner agreement but will provide companion documents to facilitate effective trading.
Will VSP be sending the electronic Remittance Advice (835) to both in network and out-of-network providers?
VSP is currently assessing the best approach for distributing electronic Remittance Advice to in- and out-of-network providers.
Privacy Standards
Has VSP designated a Privacy Officer?
VSP's Privacy Officer is Cheryl Johnson, Vice President, Health Care Services.
How does VSP provide a Notice of Privacy Practices to VSP members?
A Notice of Privacy Practices is available to all VSP members on our Web site. In addition, VSP provided a copy of the Notice of Privacy Practices to all fully insured clients during March 2006.
Is VSP capable of displaying its Notice of Privacy Practices?
A Notice of Privacy Practices is available to all VSP members on our Web site, vsp.com. In addition, members may contact VSP directly at 800-877-7195 to request a copy of our Notice.
What is included in the Notice of Privacy Practices?
The Notice of Privacy Practices includes information about VSP's use and disclosure of protected health information for the purposes of treatment, payment and healthcare operations. The notice also reviews the additional disclosures allowed by law and describes the rights a member has with respect to their protected health information, including the right to access and amend it and to request restrictions on its use. Lastly, the notice provides VSP members with contact information for further information about privacy rights and protections, as well as information on how to complain to the Secretary of Health and Human Services if they believe their privacy rights have been violated.
Will VSP request to review its clients' Notice of Privacy Practices?
No. As a HIPAA covered entity, VSP expects that you have developed and distributed your privacy policies and procedures, and trained your workforce on them, in accordance with 45 CFR Parts 160 and 164.
How does VSP use and disclose PHI?
VSP will use and disclose member Protected Health Information without the member's authorization only when necessary for:
- coordination of member vision care treatment
- disclosure to plan sponsors to the extent permitted by law
- payment
- health care operations, or
- as required or permitted by law
Our current Notice of Privacy Practices is available to members on our Web site at vsp.com.
Has VSP satisfied all applicable privacy requirements of HIPAA Privacy Rule including creation of a process for individuals to lodge complaints / resolutions?
Yes. The Notice of Privacy Practices provides information on how to contact VSP with questions or complaints about VSP's privacy practices. In addition, VSP members are provided with information on how to contact the Secretary of the Department of Health and Human Services if they believe their privacy rights have been violated.
Will VSP add HIPAA Privacy language to its client contracts?
No. VSP will not be adding HIPAA-specific language to client contracts, as compliance with all state and federal laws is implied in the existing language. However, VSP has implemented and will continue to maintain Business Associate Agreements (BAAs) with those clients for whom VSP administers payment and healthcare operations activities.
Does VSP conduct internal Privacy audits?
Each division within VSP has its own security and privacy auditing procedures. VSP is currently developing a process by which all divisions will be consistently and routinely audited regarding security and privacy practices using standardized criteria.
Have VSP employees received training on its privacy practices?
Yes. VSP employees received basic Privacy Training, and all new employees are provided basic Privacy Training. In addition, more comprehensive training sessions are provided to those Divisions and individuals that use PHI as part of their business processes.
Will VSP allow its clients to contact VSP on behalf of a member?
VSP's Member Services Representatives will verify the identity of the client's representative and will require the member's identification number before releasing any protected health information to an individual who contacts VSP on behalf of a member.
Will VSP provide PHI to a member's spouse?
VSP will provide a spouse with benefit, eligibility and claim information about a member with proper identification.
Will VSP be requesting authorizations from members for PHI use and disclosures?
VSP only uses and discloses PHI for purposes of treatment, payment and healthcare operations, or as required by law. Patient authorization is only required for disclosures that are for purposes other than treatment, payment, and healthcare operations.
Are you willing to use our corporation's Protected Health Information (PHI) release form, or will you require us to use your form?
VSP is a covered entity and health plan under the HIPAA Privacy Rule. The Rule allows covered entities to use and disclose Protected Health Information (PHI) for treatment, payment, health care operations or as otherwise required by law.
VSP does not disclose PHI for purposes other than those permissible under the Rule. Therefore, VSP is not required to obtain signed authorizations to use and disclose PHI for such purposes.
If you have independently determined that you must obtain a signed authorization for disclosure of PHI, VSP will not object to your obtaining and retaining signed authorizations in your files.
Will VSP maintain a disclosure log and provide an accounting of PHI use and disclosure?
VSP uses and discloses Protected Health Information (PHI) only as permitted under the HIPAA Privacy Rule. However, if a disclosure of your PHI was made for a reason other than treatment, payment or healthcare operations, you have a right to receive an accounting of the information that was disclosed.
Will VSP provide reporting that identifies the number of requests for access to PHI, amendment of PHI, and/or an accounting of disclosure?
VSP is a covered entity under the HIPAA regulations and will be providing information, upon request, directly to members. VSP will not be routinely reporting request type or quantity to our clients.
How can VSP members access their PHI?
Members who wish to receive a copy of their protected health information (PHI) in VSP's designated medical record set may request a PHI report by accessing vsp.com, or by calling our Member Services Department at 800-877-7195.
Will VSP notify clients when a request for PHI/amendments has been received?
Because VSP is a covered entity, it is not required to provide notification when a request has been received. VSP does not routinely provide this reporting to our clients; however, VSP can provide a PHI access summary report upon request.
Will VSP provide a monthly report to its clients identifying the PHI Reports that have mailed to its members?
As a covered entity, VSP is required to provide members with access to their own PHI. VSP does not routinely provide this reporting to our clients; however, VSP can provide a PHI access summary report upon request.
Has VSP identified all of its Business Associates?
VSP has identified all of its Business Associates and has obtained Business Associate Agreements from each of these business partners.
Does VSP consider its clients to be business associates?
VSP can be the business associate of other covered entities when it performs functions on their behalf using PHI. We have concluded that VSP is probably the business associate of its ASP self-funded clients because VSP performs activities on their behalf, utilizing PHI.
We have concluded that VSP is not the business associate of its “risk” clients. VSP does not perform any activities on their behalf. Rather, VSP is, in those instances, performing activities for itself, not for the client.
Will VSP initiate business associate agreements with its self-funded clients?
Most, if not all, of VSP's self-funded clients are covered entities and will likely ask VSP to sign a BAA as their business associate. VSP has developed a BAA that complies in all respects with HIPAA, and it can be provided to any self-funded client that requests a BAA from VSP. If a client insists that VSP execute the client's own BAA, the agreement should be forwarded to VSP's Legal Division for review.
Will VSP modify reports provided to its clients?
HIPAA does allow for the exchange of information between a plan sponsor and a health plan, so VSP does not anticipate a change to the information our clients currently receive. However, we will ensure that all reports are transmitted to clients via secure and private transmission modes.
How is VSP determining that its uses and disclosure of PHI are the minimum necessary to perform the desired function?
VSP has evaluated all uses and disclosures of PHI for purposes of treatment, payment and healthcare operations to confirm the specific purpose for each and to ensure that each use and disclosure is made only to the minimum necessary extent.
How will VSP members be informed of the process for complaining about VSP Privacy Practices?
The Notice of Privacy Practices provides information on how to contact VSP with questions or complaints about VSP's privacy practices. In addition, VSP members are provided with information on how to contact the Secretary of the Department of Health and Human Services if they believe their privacy rights have been violated.
Will VSP be making changes to its Customer Service functions?
VSP has not made any changes to its online Customer Service offering, as all transmissions are secure. In addition, all VSP Customer Service Representatives, whether online, phone or live chat, have received extensive Privacy and Security training, including a Confidential Information Disclosure Chart that clearly defines what information can and cannot be shared, and with whom.
Does VSP use any PHI for purposes of Marketing as defined by the legislation?
VSP does not use PHI for marketing purposes. VSP has identified that all uses and disclosures of PHI are for purposes of treatment, payment and healthcare operations.
Has VSP provided privacy training to its workforce?
VSP provides online privacy training to its workforce. In addition, the workforce remains continually informed of privacy and security awareness topics via periodic intranet articles.
Will VSP implement procedures and/or functionality to comply with other Federal and State Privacy laws?
VSP will comply with all applicable state and federal privacy laws.
Security Standards
Has VSP appointed a Security Officer?
VSP's Security Officer is Steve Scott, Vice President, Information Systems Division.
Does VSP have an action plan for HIPAA Security compliance?
Yes. VSP has developed a Security and Information Protection Plan (SIPP) which contains all of VSP's security and privacy policies.
Has VSP performed, or had an outside agency perform, a Security Risk Assessment?
VSP had a contracted consulting firm perform a review to assess system and facility risk. All of VSP's information systems that are exposed to public access have non-essential services locked down or disabled, and they are monitored regularly for integrity and for intrusion attempts.
Does VSP have Security policies and procedures?
Yes. VSP has a comprehensive Security and Information Protection Plan.
Does VSP have procedures in place to ensure that the officers, workforce members, and vendors comply with security policies?
Yes. VSP has a comprehensive Security and Information Protection Plan (SIPP). All members of VSP's workforce, including employees, contingent workers, vendors, Board Members, and medical consultants, receive VSP SIPP training upon engagement. Periodic security awareness training is provided as necessary and appropriate.
Will VSP provide its security and privacy policies to clients?
VSP will provide a copy of its Security and Information Protection Plan to clients upon request.
Does VSP have entity authentication capability?
Yes. VSP employs authentication functionality on all networks and systems to confirm the identity of each individual or entity attempting to access VSP information. In addition, VSP requires that logon IDs and passwords be at least six alphanumeric characters long. VSP workforce members are required to change passwords every 60 days.
Does VSP control access to work areas and equipment based on business requirements?
Yes. VSP controls access to sensitive locations within each facility by requiring programmed badges. These badges limit entry based on job function. In addition, equipment is assigned to individuals or business units based on business need. All equipment is periodically audited to ensure proper ownership and location.
Does VSP offer secure transmission options?
VSP offers several methods for securing electronic transactions. Currently, VSP employs a secure email system to protect email messages sent between VSP and its clients. This functionality does require the use of specific email client software and a digital certificate. Additional information about our secure email system is available at http://www-group.vsp.com/secureemail/.
In addition, VSP offers several forms of secure communication for those clients who routinely send electronic enrollment and other information to VSP. These secure transmission options include AT&T Global Network, Connect:Direct and Connect:Enterprise for UNIX.
To ensure that other, less formal email messages between VSP associates and the parties they correspond with are secure, VSP has implemented user-friendly encryption functionality.
Does VSP have a Business Continuity Plan and/or a Disaster Recovery Plan?
VSP has a business continuity plan in place. The plan is routinely tested and revised as necessary.