The Catholic University of America - Campus Legal Clearinghouse

HIPAA GAP ANALYSIS QUESTIONNAIRE

FOR

COLLEGE OR UNIVERSITY WITHOUT AN ACADEMIC MEDICAL CENTER

by Bettye S. Elkins, Esq.

© Miller, Canfield, Paddock and Stone, P.L.C.

February 2003

101 North Main Street, Seventh Floor

Ann Arbor, MI 48104

www.millercanfield.com

Definitions   Part 1   Part 2   Part 3

Part I. Health Plans Information

HIPAA requires amendments to Health Plan documents. Depending on the answers to, or the underlying facts behind, the questions asked below, amendments may be required to Plan documents, to forms such as Enrollment and Claims Forms, and to Claims procedures. HIPAA may impose additional requirements as well, depending on whether the individual Health Plan is fully insured or not, and whether it nonetheless receives PHI.

1. Tell us the type of plans you offer that would involve PHI (for example, health, vision, dental or prescription drug) and the total number of participants in each for a typical recent month.

2. For each plan listed above, identify whether the Plan has annual receipts of less than $5 million.[1] (“Small” Health Plans have until April 2004 to come into compliance.)

3. Tell us whether each plan is insured or self-insured.

4. If insured, identify the carrier or group Health Plan, such as an HMO, PPO, Point of Sale plan, or insurance company.

5. Identify the Third Party administrator or administrative services organization you use, if any, for each plan.

6. Regarding claims for benefits and appeals of denied claims, please state:

(a) Which entity handles initial claims under each Health Plan.

(b) Which entity handles appeals of denied claims.

(c) Does the employer retain any discretionary authority with respect to final appeal of denied ERISA claims? If so, has the employer established an in-house ERISA appeals committee?

    (i) Who are the members of the committee?

    (ii) How is information presented to the committee?

    (iii) Where is claims and appeals information stored?

    (iv) Who has access to such information?

    (v) Are there any policies or procedures for the safeguarding of such information?

7. The HIPAA Privacy Rules require “separation” between a Health Plan and its sponsor, i.e. the employer. Please provide the following information:

(a) Describe those employees or classes of employees who have access to PHI. Is access to PHI limited to employees who work for the employer in its capacity as plan administrator?

(b) Is PHI obtained by the members of the employer’s workforce acting as plan administrator ever disclosed to the plan sponsor? Is it disclosed for purposes of employment-related actions or decisions, or in connection with any other benefit plan of the plan sponsor, such as disability or workers’ compensation? If so, describe the information flow from the plan to the employer.

8. How is PHI used for payment?

(a) Does the employer facilitate the reimbursement of participants for treatment under the medical plan?

(b) Does the employer ever discuss participants’ claims or treatment with gatekeepers, utilization review bodies or Third Party administrators to authorize treatment of the patient under the medical plan?

(c) Does the employer ever discuss participants’ claims or treatment with gatekeepers, utilization review bodies or Third Party administrators to obtain payment after the treatment?

(d) Is any record kept of these discussions? If so, state whether it is kept in hard copy or electronically.

(e) Does the employer transfer bills or other documents to payors to receive reimbursement?

(f) Does the employer ever disclose any other types of PHI to payor sources, such as typical experiences with other participants?

9. How is PHI used for the Plan’s operations?

(a) How is PHI disclosed to risk management personnel?

(b) How is PHI disclosed to legal personnel or outside law firms?

(c) How is PHI disclosed to auditing personnel?

(d) How is PHI disclosed for auditing functions?

(e) How is PHI disclosed for business planning and development functions, such as cost-management and planning analyses related to managing and operating the plan, or obtaining premium bids for health insurance?

(f) Are there other uses of PHI that do not meet one of these criteria?

(g) Are these practices memorialized in a policy?

10. What safeguards are in place to protect the privacy of PHI from intentional and unintentional disclosures?

(a) Where are hard copies and electronic copies of PHI stored?

(b) Who has access to the area or to the PHI?

(c) Please describe the Security in the location where hard copies and electronic copies are stored.

(d) Is PHI ever faxed? If so, what policies and procedures are used in faxing? Are all fax machines that may receive PHI located where access is limited and secure? If so, how? If not, where are they, and what changes should be made to limit access to secure locations and to authorized individuals?

(e) Is PHI ever e-mailed? If so, what policies and procedures identify who may send PHI by e-mail and who may receive it? For what purposes may PHI be e-mailed? What Security measures apply to the PCs or workstations involved in sending or receiving PHI?

(f) Do individuals handling PHI telecommute and obtain access to information remotely? If so, what Security features are associated with these activities?

(g) If the employer handles appeals in-house, what is done with the appeals files? What Security is in place? Tell us who has access to these files, by job description, and when. How long are they stored? What happens to them then?


[1] This issue itself may require careful examination. Health Plans that do not report receipts, e.g., ERISA group Health Plans exempt from filing income tax returns, should use “proxy measures” to determine their annual receipts. Fully insured Health Plans should use the total premiums they paid for insurance benefits during the plan’s last full fiscal year. Self-insured plans, both funded and unfunded, should use the total amount paid for health care claims by the employer, plan sponsor or benefit fund, as applicable to their circumstances, on behalf of the plan during the plan’s last full fiscal year. Those plans that provide health benefits through a mix of purchased insurance and self-insurance should combine the proxy measures to determine their total receipts.



links updated 6/9/08 rab



Last Revised 09-Jun-08 04:57 PM.