To provide you with a basic understanding of HIPAA and its effect on VSP, we have prepared the following answers to frequently asked questions about the legislation.

This is intended only as an overview, and is not legal advice. We encourage you to make your own evaluation of how HIPAA may impact your business. If you have any additional questions about the steps VSP is taking to comply with HIPAA regulations, please contact our HIPAA specialist at hipaa@vsp.com or 800.852.7600, ext. 5437.

General

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law designed to protect health insurance coverage for individuals and their families. The law covers many aspects of healthcare, ranging from portability of health coverage from one job to another to the tax codes dealing with healthcare. Title II, Administrative Simplification, contains the provisions that will have the most significant impact upon VSP. The Administrative Simplification provisions of the law affect healthcare providers, health plans and healthcare information clearinghouses. The provisions seek to improve the efficiency and effectiveness of the healthcare system by:


Complete information on the electronic data interchange (EDI) rules is available from the Department of Health and Human Services (HHS) Web site.

 

Who is covered by HIPAA Rules?

The HIPAA Rules apply to covered entities and business associates. In order to protect the privacy and security of health information, a covered entity under HIPAA must comply with the Rules' requirements.

An entity that is one or more of the following types of entities is referred to as a "covered entity" in the Administrative Simplification standards adopted by Health and Human Services (HHS) under HIPAA:

If an entity does not meet the definition of a covered entity or business associate, it does not have to comply with the HIPAA Rules. More information is available from HHS.

Describe the actions your organization has taken to be compliant with the HIPAA regulations.

Outlined below are some of VSP's activities with regard to the entire HIPAA compliance effort:

Does VSP have staff members assigned to assuring its HIPAA EDI, Privacy, and Security compliance?

Yes. If you have specific questions about VSP's HIPAA compliance status, please contact our Regulatory Department at hipaa@vsp.com.

What is a HIPAA certificate?

A HIPAA certificate is part of the “portability” piece, or Title I, of HIPAA. The certificate provides evidence of health coverage should an individual become ineligible for health insurance coverage due to a job change, etc. The certificate is used to establish the individual's right to buy coverage from another insurer with no exclusion for previous medical conditions.

Does VSP provide HIPAA certificates?

VSP does not routinely issue HIPAA certificates. VSP is exempt from this requirement as a limited scope insurer.

Where can I get more information?

If you have additional questions or would like to receive clarification on the steps VSP is taking to comply with HIPAA regulations, please contact our HIPAA specialist at hipaa@vsp.com or 800.852.7600, ext. 5437.

Standard Transactions and Code Sets

Are VSP's systems capable of sending and receiving X12N transaction standards?

Yes. VSP's systems are capable of exchanging all HIPAA-mandated standard transactions.

Which of the following transaction types will VSP be exchanging?

VSP will exchange the HIPAA-mandated standard transactions with clients and providers as defined in the following chart:

 

Transaction: Current Status

Enrollment and Disenrollment (834): VSP is currently trading the 834 version 4010. Please contact your membership coordinator to set up the 834 transaction. If a membership coordinator has not been assigned, contact Cynthia Smith, Membership Supervisor, at ext. 7576.

Premium Payment (820): VSP will accept the 820 Premium Payment/Remittance Advice electronic transaction as a payment option for our clients.

Encounter Reporting (837): VSP is currently trading 837 Encounter Reporting transactions with interested clients. All clients receiving encounter reporting have been notified they can schedule testing and subsequent transition to the 837.

 

Will VSP require that clients submit enrollment in the 834 format?

Although VSP would like to receive 834 standard transactions, we acknowledge that employers are not HIPAA-covered entities and thus are not required to use the standard format.

Does VSP use the medical data code sets mandated by HIPAA?

Yes. VSP currently uses CPT and HCPCS codes as applicable.

Is VSP utilizing a clearinghouse to accept the Transaction Standards?

VSP's wholly owned subsidiary, Eyefinity, will be facilitating the translation of all doctor-originated standard transactions. All client transactions will be submitted directly to and translated by VSP.

Does VSP require Trading Partner Agreements?

VSP does not require a standard trading partner agreement but will provide companion documents to facilitate effective trading.

Privacy Standards

How does VSP provide a Notice of Privacy Practices to VSP members?

A Notice of Privacy Practices is available to all VSP members on our Web site. In addition, VSP provided a copy of the Notice of Privacy Practices to all fully insured clients during March 2006.

What is included in the Notice of Privacy Practices?

The Notice of Privacy Practices includes information about VSP's use and disclosure of protected health information for the purposes of treatment, payment and healthcare operations. The notice also reviews the additional disclosures allowed by the law and describes the rights that a member has regarding their protected health information, including the rights to access, amend and request restriction. Lastly, the notice provides VSP members with individual contact information for further information about privacy rights and protections, as well as information on how to complain to the Secretary of Health and Human Services if they believe their privacy rights have been violated.

How does VSP use and disclose PHI?

VSP will only use and disclose member Protected Health Information without your authorization when necessary for:

Our current Notice of Privacy Practices is available to members on our Web site at vsp.com.

Have VSP employees received training on its privacy practices?

Yes. VSP employees received basic Privacy Training, and all new employees are provided basic Privacy Training. In addition, more comprehensive training sessions are provided to those Divisions and individuals that use PHI as part of their business processes.

Will VSP be requesting authorizations from members for PHI use and disclosures?

VSP only uses and discloses PHI for purposes of treatment, payment and healthcare operations, or as required by law. Patient authorization is only required for disclosures that are for purposes other than treatment, payment, and healthcare operations.

How can VSP members access their PHI?

Members who wish to receive a copy of their protected health information (PHI) in VSP's designated medical record set may request a PHI report by accessing vsp.com, or by calling our Member Services Department at 800.877.7195.

Does VSP consider its clients to be business associates?

VSP also can be the business associate of other covered entities when it performs functions on their behalf while using PHI. We have concluded that VSP is probably the business associate of its ASP self-funded clients because VSP performs activities on their behalf, utilizing PHI.

We have concluded that VSP is not the business associate of its “risk” clients. VSP does not perform any activities on their behalf. Rather, VSP is, in those instances, performing activities for itself, not for the client.

How will VSP members be informed of the process for complaining about VSP Privacy Practices?

The Notice of Privacy Practices provides information on how to contact VSP with questions or complaints about VSP's privacy practices. In addition, VSP members are provided with information on how to contact the Secretary of the Department of Health and Human Services if they believe their privacy rights have been violated.

Security Standards

Has VSP appointed a Security Officer?

VSP's Security Officer is Guy Turner, Chief Information Security Officer, IT Infrastructure Division.

Does VSP have an action plan for HIPAA Security compliance?

Yes. VSP has developed a Security and Information Protection Plan (SIPP) which contains all of VSP's security and privacy policies.

Does VSP have procedures in place to ensure that the officers, workforce members, and vendors comply with security policies?

Yes. VSP has a comprehensive Security and Information Protection Plan (SIPP). All members of VSP's workforce, including employees, contingent workers, vendors, Board Members, and medical consultants, receive VSP SIPP training upon employment. Periodic security awareness training is provided as necessary and appropriate.

Will VSP provide its security and privacy policies to clients?

VSP will provide a copy of its Security and Information Protection Plan to clients upon request.

Does VSP have entity authentication capability?

Yes. VSP employs authentication functionality on all networks and systems to confirm the identification of each individual or entity attempting to access VSP information. In addition, VSP requires that logon IDs and passwords meet or exceed six alpha-numeric characters in length. VSP workforce members are required to change passwords every 60 days.

Does VSP control access to work areas and equipment based on business requirements?

Yes. VSP controls access to sensitive locations within each facility by requiring programmed badges. These badges limit entry based on job function. In addition, equipment is assigned to individuals or business units based on business need. All equipment is periodically audited to ensure proper ownership and location.

Does VSP offer secure transmission options?

VSP offers several methods for securing electronic transactions. Currently, VSP employs a secure email system to protect email messages sent between VSP and its clients. This functionality does require the use of specific email client software and a digital certificate. Additional information about our secure email system is available at http://www.client.vsp.com/secure-mailbox.html/.

In addition, VSP offers several forms of secure communication for those clients who routinely send electronic enrollment, and other information, to VSP. These secure transmission options include AT&T Global Network, Connect Direct and Connect: Enterprise for UNIX.

To ensure that other, less formal email messages between VSP associates and its various publics are secure, VSP implemented user-friendly encryption functionality.

Does VSP have a Business Continuity Plan and/or a Disaster Recovery Plan?

VSP has a business continuity plan in place. The plan is routinely tested and revised as necessary.