The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law designed to protect health insurance coverage for individuals and their families. The law covers many aspects of healthcare, ranging from portability of health coverage from one job to another to the tax codes dealing with healthcare. Title II, Administrative Simplification, contains the provisions that will have the most significant impact upon VSP. The Administrative Simplification provisions of the law affect healthcare providers, health plans and healthcare information clearinghouses. The provisions seek to improve the efficiency and effectiveness of the healthcare system by:

• Standardizing the electronic data interchange (EDI) of many administrative and financial transactions; and
• Protecting the security and privacy of health information in electronic or paper formats.

Complete information on the electronic data interchange (EDI) rules is available from the Department of Health and Human Services (HHS) Web site.

 

The HIPAA Rules apply to covered entities and business associates. In order to protect the privacy and security of health information, a covered entity under HIPAA must comply with the Rules' requirements.

An entity that is one or more of the following types of entities is referred to as a "covered entity" in the Administrative Simplification standards adopted by Health and Human Services (HHS) under HIPAA:

• A health care provider that conducts transactions in electronic form that are in connection with transactions for which HHS has adopted a standard electronic format.
• A health plan such as health insurance companies, HMOs, company health plans and government programs that pay for health care.
• A health care clearinghouse that processes nonstandard health information received from another entity into a standard electronic format or vice versa.

If an entity does not meet the definition of a covered entity or business associate, it does not have to comply with the HIPAA Rules. More information is available from HHS.

Outlined below are some of VSP's activities with regard to the entire HIPAA compliance effort:

• Evaluated client and provider Transaction standards
• Trading client transactions
• Implemented Patient Rights processes and procedures
• Developed and distributed VSP's Notice of Privacy Practices
• Developed and implemented Member Rights procedures to support a member's right to access
• Trained all workforce members on VSP's Privacy Practices
• Implemented technical security upgrades
• Trained workforce on HIPAA policies and procedures

Yes. If you have specific questions about VSP's HIPAA compliance status, please contact our Regulatory Department at hipaa@vsp.com.

A HIPAA certificate is part of the “portability” piece, or Title I, of HIPAA. The certificate provides evidence of health coverage, should an individual become ineligible for health insurance coverage due to a job change, etc. The certificate is used to establish the individual's right to buy coverage, from another insurer, with no exclusion for previous medical conditions.

VSP does not routinely issue HIPAA certificates. VSP is exempt from this requirement as a limited scope insurer.

If you have additional questions or would like to receive clarification on the steps VSP is taking to comply with HIPAA regulations, please contact our HIPAA specialist at hipaa@vsp.com.

Yes. VSP's systems are capable of exchanging all HIPAA-mandated standard transactions.

VSP will exchange the HIPAA-mandated standard transactions with clients and providers as defined in the following chart:

 

Transaction	Current Status
Enrollment and Disenrollment (834)	VSP is currently trading the 834 version 4010. Please contact your membership coordinator to set up the 834 transaction. If a membership coordinator has not been assigned, contact Cynthia Smith, Membership Supervisor, at ext. 7576.
Premium Payment (820)	VSP will accept the 820 Premium Payment/Remittance Advice electronic transaction as a payment option for our clients.
Encounter Reporting (837)	VSP is currently trading 837 Encounter Reporting transactions with interested clients. All clients receiving encounter reporting have been notified they can schedule testing and subsequent transition to the 837.

 

Although VSP would like to receive 834 standard transactions, we acknowledge that employers are not HIPAA-covered entities and thus are not required to use the standard format.

Yes. VSP currently uses CPT and HCPCS codes as applicable.

VSP's wholly owned subsidiary, Eyefinity, will be facilitating the translation of all doctor originated standard transactions. All client transactions will be submitted directly to and translated by VSP.

VSP does not require a standard trading partner agreement but will provide companion documents to facilitate effective trading.

A Notice of Privacy Practices is available to all VSP members on our Web. In addition, VSP provided a copy of the Notice of Privacy Practices to all fully insured clients during March 2006.

The Notice of Privacy Practices includes information about VSP's use and disclosure of protected health information for the purposes of treatment, payment and healthcare operations. The notice also reviews the additional disclosures allowed by the law as well as describes the rights that a member has to their protected health information, including right to access, amend and request restriction. Lastly, the notice provides VSP members with individual contact information for further information about privacy rights and protections as well as information on how to complain to the Secretary of Health and Human Services if they believe their privacy rights have been violated.

VSP will only use and disclose member Protected Health Information without your authorization when necessary for:

• coordination of member vision care treatment
• disclosure to plan sponsors to the extent permitted by law
• payment
• health care operations, or
• as required or permitted by law

Our current Notice of Privacy Practices is available to members on our Web site at vsp.com.

Yes. VSP employees received basic Privacy Training, and all new employees are provided basic Privacy Training. In addition, more comprehensive training sessions are provided to those Divisions and individuals that use PHI as part of their business processes.

VSP only uses and discloses PHI for purposes of treatment, payment and healthcare operations, or as required by law. Patient authorization is only required for disclosures that are for purposes other than treatment, payment, and healthcare operations.

Members who wish to receive a copy of their protected health information (PHI) in VSP's designated medical record set may request a PHI report by accessing vsp.com, or contact our HIPAA specialist at hipaa@vsp.com.

VSP also can be the business associate of other covered entities when it performs functions on their behalf while using PHI. We have concluded that VSP is probably the business associate of its ASP self-funded clients because VSP performs activities on their behalf, utilizing PHI.

We have concluded that VSP is not the business associate of its “risk” clients. VSP does not perform any activities on their behalf. Rather, VSP is, in those instances, performing activities for itself, not for the client.

The Notice of Privacy Practices provides information on how to contact VSP with questions or complaints about VSP's privacy practices. In addition, VSP members are provided with information on how to contact the Secretary of the Department of Health and Human Services if they believe their privacy rights have been violated.

Yes. We have a dedicated, full-time Chief Information Security Officer (CISO) responsible for the development and implementation of the security program.

VSP has a comprehensive security and compliance program which is managed to meet all regulatory compliance obligations, including HIPAA.

All members of VSP's workforce, including employees, contingent workers, vendors, Board Members, and medical consultants receive VSP security training upon employment. Periodic security awareness topics are administered as necessary.

We enforce strict access control to all VSP assets.

VSP controls access to all locations within each facility by requiring programed badges. These badges limit entry based on job function. In addition, equipment is assigned, to individuals or business units, based on business need. All equipment is periodically audited to ensure proper ownership and location.

Yes. VSP secures all communications across public or untrusted networks.

Yes. VSP has Business Continuity and Disaster Recovery plans in place that are tested routinely and revised as necessary.