HealthLink and NCPPO worked with payor clients to complete contract amendments addressing the
HIPAA business associate requirements and the Gramm-Leach-Bliley Act. The HIPAA privacy
regulations, which became effective on April 14, 2001 and had a compliance date for covered
entities of April 14, 2003, require the contracts of covered entities (e.g., HealthLink's
contracted insurance carrier clients) and their business associates to contain certain
provisions relating to the disclosure and use of protected health information ("PHI").
The compliance transition period allowed contracts that had not been recently changed
to be amended before April 14, 2004. After April 14, 2004, all contracted parties must have
business associate agreements executed. All new contracts include business associate ("BA") language.
On August 9, 2002, the Department of Health and Human Services
released final revisions to the HIPAA privacy regulations. The regulations were officially
published in the Federal Register on August 14, 2002. The contract amendments address the
business associate contract requirements contained in the final HIPAA privacy regulations.
The security provisions were effective April 20, 2005. Security language is included in
our standard BA agreements.
PPOs, as the business associate of their contracted payors that
are covered entities, must limit their use and disclosure of PHI as required by HIPAA.
When completing business associate contract amendments, it is important for covered entities
that are "payors" to remember that PPOs may:
- Receive member eligibility from payors;
- Send provider claims information on to payors for claims
processing;
- Send utilization review information to payors for benefit
determinations; and
- Use aggregated claims and utilization review data for the
PPO's business purposes (e.g., accreditation, member surveys, quality assurance initiatives,
provider credentialing and other related administrative purposes).
It is also important for payors to remember that providers are
also covered entities under HIPAA. In many instances, PPOs will also be the business associate
of their contracted providers. As such, the information contained on claims and claims
data submitted by providers must be used and disclosed by the PPO in a manner that complies
with HIPAA. PPOs must protect the PHI received from or on behalf of providers and payors,
even as they use and disclose the same claims and eligibility information for their own
operations, licensure and accreditation.
Payors, providers and PPOs have addressed compliance with the
HIPAA privacy and security requirements through measures including the following (the list is not exhaustive):
- Educate their respective employees, associates and representatives
on permitted uses and disclosures of PHI;
- Identify the internal and external business processes under
which PHI is created, used, or disclosed;
- Identify the least amount of PHI that must be disclosed or
used in order for an employee or associate to perform his or her job duties;
- Develop and implement processes for the minimal use and disclosure
of PHI within the organization;
- Identify PHI that requires a member's authorization for release
or disclosure;
- Develop and implement processes to assure that any required
member authorization for the release or use of PHI is obtained and maintained;
- Ensure that all applicable contracts include, or are amended
to include, the provisions required for compliance with HIPAA and the state and federal "Gramm-Leach-Bliley" laws; and
- Ensure physical safeguards are in place to protect health information.