Blue Cross and Blue Shield of Illinois

 

September 20, 2013

Legislative Update
Revised HIPAA Notice of Privacy Practices Will Be Available on BCBSIL Website by Sept. 23

Blue Cross and Blue Shield of Illinois (BCBSIL) will post its updated Notice of Privacy Practices (NoPP) on its public website under the Important Information link by Sept. 23, 2013.

As communicated previously, the U.S. Department of Health and Human Services finalized some of the regulations required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. A significant part of the regulation, known as the Omnibus Rule, impacted our Health Insurance Portability and Accountability Act of 1996 (HIPAA) Notice of Privacy Practices (NoPP). Specifically, insurers were required to:   

  1. Revise their NoPP;
  2. Post the revised NoPP to their websites by Sept. 23, 2013; and
  3. Notify fully insured subscribers of the material changes in the next annual mailing.

We will be informing our existing fully insured subscribers of these changes by providing a notice in the next annual mailing. The date of this mailing has not been determined, but most likely will be early next year. You will be notified of the date. 

Specific changes that we made to the notice due to the Omnibus Rule are in italics and include:

Page 1, Paragraph 1

  • Added the words “safeguard” and "electronic" to address digital privacy and the effective date of "9/23/2013."

Page 2, On Your Authorization

  • Added the following paragraph:
    Unless you give us written authorization, we cannot use or disclose your PHI [Protected Health Information] for any reason including marketing and sale of your PHI except those described in this notice or as permitted by law.

Page 2, Fundraising

  • Added the following paragraph: 
    We may contact you or disclose a limited amount of your PHI to a Business Associate or to an institutionally related foundation for the purpose of raising funds for our own benefit. If we do so, you will have the right to opt out of receiving such fundraising communications. Your decision will have no impact on the payment for services.

Page 2, Use and Disclosure of Certain Types of Medical Information

  • Added the following paragraph to comply with state law and for consistency across all plans:
    Use and Disclosure of Certain Types of Medical Information. For certain types of PHI, state laws may provide greater protection for your privacy. For example, use and/or disclosure of PHI including, but not limited to HIV/AIDS, genetic information, mental health information, alcohol and substance abuse information may need to be specifically authorized by you or be required by law. In such instances, we will follow the provisions of that state law.
  • Added the following paragraph:
    We are prohibited from using or disclosing your genetic information for underwriting purposes unless your policy is a long-term care policy.

Page 3, Breach Notification

  • Added the following paragraph: 
    Breach Notification: You have the right to be notified when it has been determined that a breach of your unsecured PHI has occurred.

Page 4, Tagline

  • The U.S. Department of Health and Human Services’ Office of Civil Rights requested we add a specific phone number. The portion in italics was added to comply with their request: You may also contact us using the toll-free number located on the back of your member identification card or the Privacy Office toll-free number, 1-877-361-7594.

Reminder: We also completed our review of the standard BCBSIL Business Associate Agreement (BAA) and Addendum template.

  • For existing ASO customers who have executed a BCBSIL standard Business Associate Agreement or Addendum, no changes or amendments are needed. However, we want to reassure customers that we have implemented the new objective, four-factor test that the Omnibus Rule requires for determining whether or not PHI was compromised and if breach notification is necessary.
  • For existing ASO customers who have executed a non-standard Business Associate Agreement or Addendum with BCBSIL and believe that changes are required, account representatives can submit the BAA for review. ASO groups should consult their legal counsel for guidance on complying with the changes as applicable.
  • For new ASO customers, a new BCBSIL template has been finalized.

ASO groups should consult their legal counsel for guidance on complying with the Omnibus Rule changes as applicable.

This communication is intended for informational purposes only. It is not intended to provide, does not constitute, and cannot be relied upon as legal, tax or compliance advice. The inform

 
.

A Division of Health Care Service Corporation, a Mutual Legal Reserve Company,
an Independent Licensee of the Blue Cross and Blue Shield Association.