Indiana Health Coverage Programs - HIPAA

On March 27, 2002, the Department of Health and Human Services (HHS) proposed modifications to some of the standards in the Rule entitled Standards for Privacy of Individually Identifiable Health Information. Public comment was solicited for only 30 days. During this comment period, the Department received over 11,400 comments.

The Department modified certain standards and published the final Privacy Rule August 14, 2002. The final rule is effective on October 15, 2002, and April 14, 2003 remains the compliance date for most covered entities.

As stated in the final Rule summary, "The purpose of these modifications is to maintain strong protections for the privacy of individually identifiable health information while clarifying certain of the Privacy Rule's provisions, addressing the unintended negative effects of the Privacy Rule on health care quality or access to health care, and relieving unintended administrative burdens created by the Privacy Rule."

Complete information on the August 14, 2002 final Privacy Rule can be found at www.hhs.gov/ocr/hipaa

The HHS Office for Civil Rights (OCR) released an updated guidance document for the Privacy regulations on December 4, 2002. The document can be found at http://www.hhs.gov/ocr/hipaa/whatsnew.html under the What's New section.

IHCP Notice of Privacy Practices

Pursuant to the HIPAA Privacy Rule that goes into effect April 14, 2003, the Indiana Health Coverage Programs (IHCP) started mailing the IHCP Notice of Privacy Practices to all active IHCP members March 19, 2003. All active members will receive a copy of the notice prior to the required compliance date and on an ongoing basis, new IHCP members will receive a copy of the notice shortly after program enrollment.

A copy of the IHCP Notice of Privacy Practices is available for reference and can be found at http://www.indianamedicaid.com/ihcp/Bulletins/BT200316.pdf. The IHCP will not be mailing or faxing copies of the notice to providers; however, a copy can be printed from the Web site.

Business Associate

The Office of Medicaid Policy and Planning (OMPP) received inquiries about the need for a business associate agreement between providers and the Indiana Health Coverage Programs (IHCP). According to the HHS OCR guidance published, December 4, 2002, for the Privacy Rule, providers are not generally considered business associates of health plans. If the only relationship between the provider and the health plan is submission and payment of claims, the provider is not considered a business associate of the health plan.

An accounting firm, which provides accounting services to a health care provider and must access protected health information, is considered a provider’s business associate. Also, accreditation agencies, such as the Joint Commission on Accreditation of Healthcare Organizations (JCAHO), are considered business associates of accredited entities. For additional information about the requirements for a business associate relationship, please refer to 45 CFR 160.103 or the OCR HIPAA Web site at http://www.hhs.gov/ocr/hipaa/whatsnew.html.