To provide you with a basic understanding of HIPAA and its effect on VSP, we have prepared the following answers to frequently asked questions about the legislation.
This is intended only as an overview, and is not legal advice. We encourage you to make your own evaluation of how HIPAA may impact your business. If you have any additional questions about the steps VSP is taking to comply with HIPAA regulations, please contact our HIPAA specialist at firstname.lastname@example.org or 800.852.7600, ext. 5437.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law designed to protect health insurance coverage for individuals and their families. The law covers many aspects of healthcare, ranging from portability of health coverage from one job to another to the tax codes dealing with healthcare. Title II, Administrative Simplification, contains the provisions that will have the most significant impact upon VSP. The Administrative Simplification provisions of the law affect healthcare providers, health plans and healthcare information clearinghouses. The provisions seek to improve the efficiency and effectiveness of the healthcare system by:
The HIPAA Rules apply to covered entities and business associates. In order to protect the privacy and security of health information, a covered entity under HIPAA must comply with the Rules' requirements.
An entity that is one or more of the following types of entities is referred to as a "covered entity" in the Administrative Simplification standards adopted by Health and Human Services (HHS) under HIPAA:
If an entity does not meet the definition of a covered entity or business associate, it does not have to comply with the HIPAA Rules. More information is available from HHS.
Outlined below are some of VSP's activities with regard to the entire HIPAA compliance effort:
Yes. If you have specific questions about VSP's HIPAA compliance status, please contact our Regulatory Department at email@example.com.
A HIPAA certificate is part of the “portability” piece, or Title I, of HIPAA. The certificate provides evidence of health coverage, should an individual become ineligible for health insurance coverage due to a job change, etc. The certificate is used to establish the individual's right to buy coverage from another insurer with no exclusion for previous medical conditions.
VSP does not routinely issue HIPAA certificates. VSP is exempt from this requirement as a limited scope insurer.
If you have additional questions or would like to receive clarification on the steps VSP is taking to comply with HIPAA regulations, please contact our HIPAA specialist at firstname.lastname@example.org or 800.852.7600, ext. 5437.
Yes. VSP's systems are capable of exchanging all HIPAA-mandated standard transactions.
VSP will exchange the HIPAA-mandated standard transactions with clients and providers as defined in the following chart:
Enrollment and Disenrollment (834)
VSP is currently trading the 834 version 4010. Please contact your membership coordinator to set up the 834 transaction. If a membership coordinator has not been assigned, contact Cynthia Smith, Membership Supervisor, at ext. 7576.
Premium Payment (820)
VSP will accept the 820 Premium Payment/Remittance Advice electronic transaction as a payment option for our clients.
Encounter Reporting (837)
VSP is currently trading 837 Encounter Reporting transactions with interested clients. All clients receiving encounter reporting have been notified they can schedule testing and subsequent transition to the 837.
Although VSP would like to receive 834 standard transactions, we acknowledge that employers are not HIPAA-covered entities and thus are not required to use the standard format.
Yes. VSP currently uses CPT and HCPCS codes as applicable.
VSP's wholly owned subsidiary, Eyefinity, will be facilitating the translation of all doctor-originated standard transactions. All client transactions will be submitted directly to and translated by VSP.
VSP does not require a standard trading partner agreement but will provide companion documents to facilitate effective trading.
A Notice of Privacy Practices is available to all VSP members on our Web site. In addition, VSP provided a copy of the Notice of Privacy Practices to all fully insured clients during March 2006.
The Notice of Privacy Practices includes information about VSP's use and disclosure of protected health information for the purposes of treatment, payment and healthcare operations. The notice also reviews the additional disclosures allowed by the law and describes the rights that a member has to their protected health information, including the right to access, amend and request restriction. Lastly, the notice provides VSP members with individual contact information for further information about privacy rights and protections as well as information on how to complain to the Secretary of Health and Human Services if they believe their privacy rights have been violated.
VSP will only use and disclose member Protected Health Information without your authorization when necessary for:
Our current Notice of Privacy Practices is available to members on our Web site at vsp.com.
Yes. VSP employees received basic Privacy Training, and all new employees are provided basic Privacy Training. In addition, more comprehensive training sessions are provided to those Divisions and individuals that use PHI as part of their business processes.
VSP only uses and discloses PHI for purposes of treatment, payment and healthcare operations, or as required by law. Patient authorization is only required for disclosures that are for purposes other than treatment, payment, and healthcare operations.
Members who wish to receive a copy of their protected health information (PHI) in VSP's designated medical record set may request a PHI report by accessing vsp.com, or by calling our Member Services Department at 800.877.7195.
VSP also can be the business associate of other covered entities when it performs functions on their behalf while using PHI. We have concluded that VSP is probably the business associate of its ASP self-funded clients because VSP performs activities on their behalf, utilizing PHI.
We have concluded that VSP is not the business associate of its “risk” clients. VSP does not perform any activities on their behalf. Rather, VSP is, in those instances, performing activities for itself, not for the client.
The Notice of Privacy Practices provides information on how to contact VSP with questions or complaints about VSP's privacy practices. In addition, VSP members are provided with information on how to contact the Secretary of the Department of Health and Human Services if they believe their privacy rights have been violated.
VSP's Security Officer is Guy Turner, Chief Information Security Officer, IT Infrastructure Division.
Yes. VSP has developed a Security and Information Protection Plan (SIPP) which contains all of VSP's security and privacy policies.
Yes. VSP has a comprehensive Security and Information Protection Plan (SIPP). All members of VSP's workforce, including employees, contingent workers, vendors, Board Members, and medical consultants, receive VSP SIPP training upon employment. Training on periodic security awareness topics is provided as necessary and appropriate.
VSP will provide a copy of its Security and Information Protection Plan to clients upon request.
Yes. VSP employs authentication functionality on all networks and systems to confirm the identification of each individual or entity attempting to access VSP information. In addition, VSP requires that logon IDs and passwords meet or exceed six alphanumeric characters in length. VSP workforce members are required to change passwords every 60 days.
Yes. VSP controls access to sensitive locations within each facility by requiring programmed badges. These badges limit entry based on job function. In addition, equipment is assigned to individuals or business units based on business need. All equipment is periodically audited to ensure proper ownership and location.
VSP offers several methods for securing electronic transactions. Currently, VSP employs a secure email system to protect email messages sent between VSP and its clients. This functionality does require the use of specific email client software and a digital certificate. Additional information about our secure email system is available at http://www.client.vsp.com/secure-mailbox.html/.
In addition, VSP offers several forms of secure communication for those clients who routinely send electronic enrollment and other information to VSP. These secure transmission options include AT&T Global Network, Connect Direct and Connect: Enterprise for UNIX.
To ensure that other, less formal email messages between VSP associates and its various publics are secure, VSP implemented user-friendly encryption functionality.
VSP has a business continuity plan in place. The plan is routinely tested and revised as necessary.