To provide you with a basic understanding of HIPAA and its effect on VSP, we have prepared the following answers to frequently asked questions about the legislation.

This is intended only as an overview, and is not legal advice. We encourage you to make your own evaluation of how HIPAA may impact your business. If you have any additional questions about the steps VSP is taking to comply with HIPAA regulations, please contact our HIPAA specialist at hipaa@vsp.com.

General

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law designed to protect health insurance coverage for individuals and their families. The law covers many aspects of healthcare, ranging from portability of health coverage from one job to another to the tax codes dealing with healthcare. Title II, Administrative Simplification, contains the provisions that will have the most significant impact upon VSP. The Administrative Simplification provisions of the law affect healthcare providers, health plans and healthcare information clearinghouses. The provisions seek to improve the efficiency and effectiveness of the healthcare system by:


Complete information on the electronic data interchange (EDI) rules is available from the Department of Health and Human Services (HHS) Web site.

 

Who is covered by HIPAA Rules?

The HIPAA Rules apply to covered entities and business associates. In order to protect the privacy and security of health information, a covered entity under HIPAA must comply with the Rules' requirements.

An entity that is one or more of the following types of entities is referred to as a "covered entity" in the Administrative Simplification standards adopted by Health and Human Services (HHS) under HIPAA:

If an entity does not meet the definition of a covered entity or business associate, it does not have to comply with the HIPAA Rules. More information is available from HHS.

Describe the actions your organization has taken to be compliant with the HIPAA regulations.

Outlined below are some of VSP's activities with regard to the entire HIPAA compliance effort:

Does VSP have staff members assigned to assuring its HIPAA EDI, Privacy, and Security compliance?

Yes. If you have specific questions about VSP's HIPAA compliance status, please contact our Regulatory Department at hipaa@vsp.com.

What is a HIPAA certificate?

A HIPAA certificate is part of the “portability” piece, or Title I, of HIPAA. The certificate provides evidence of health coverage, should an individual become ineligible for health insurance coverage due to a job change, etc. The certificate is used to establish the individual's right to buy coverage from another insurer with no exclusion for previous medical conditions.

Does VSP provide HIPAA certificates?

VSP does not routinely issue HIPAA certificates. VSP is exempt from this requirement as a limited scope insurer.

Where can I get more information?

If you have additional questions or would like to receive clarification on the steps VSP is taking to comply with HIPAA regulations, please contact our HIPAA specialist at hipaa@vsp.com.

Standard Transactions and Code Sets

Are VSP's systems capable of sending and receiving X12N transaction standards?

Yes. VSP's systems are capable of exchanging all HIPAA-mandated standard transactions.

Which of the following transaction types will VSP be exchanging?

VSP will exchange the HIPAA-mandated standard transactions with clients and providers as defined in the following chart:

 

| Transaction | Current Status |
| --- | --- |
| Enrollment and Disenrollment (834) | VSP is currently trading the 834 version 4010. Please contact your membership coordinator to set up the 834 transaction. If a membership coordinator has not been assigned, contact Cynthia Smith, Membership Supervisor, at ext. 7576. |
| Premium Payment (820) | VSP will accept the 820 Premium Payment/Remittance Advice electronic transaction as a payment option for our clients. |
| Encounter Reporting (837) | VSP is currently trading 837 Encounter Reporting transactions with interested clients. All clients receiving encounter reporting have been notified they can schedule testing and subsequent transition to the 837. |

 

Will VSP require that clients submit enrollment in the 834 format?

Although VSP would like to receive 834 standard transactions, we acknowledge that employers are not HIPAA-covered entities and thus are not required to use the standard format.

Does VSP use the medical data code sets mandated by HIPAA?

Yes. VSP currently uses CPT and HCPCS codes as applicable.

Is VSP utilizing a clearinghouse to accept the Transaction Standards?

VSP's wholly owned subsidiary, Eyefinity, will be facilitating the translation of all doctor-originated standard transactions. All client transactions will be submitted directly to and translated by VSP.

Does VSP require Trading Partner Agreements?

VSP does not require a standard trading partner agreement but will provide companion documents to facilitate effective trading.

Privacy Standards

How does VSP provide a Notice of Privacy Practices to VSP members?

A Notice of Privacy Practices is available to all VSP members on our Web site. In addition, VSP provided a copy of the Notice of Privacy Practices to all fully insured clients during March 2006.

What is included in the Notice of Privacy Practices?

The Notice of Privacy Practices includes information about VSP's use and disclosure of protected health information for the purposes of treatment, payment and healthcare operations. The notice also reviews the additional disclosures allowed by the law and describes the rights that a member has to their protected health information, including the rights to access, amend and request restriction. Lastly, the notice provides VSP members with individual contact information for further information about privacy rights and protections, as well as information on how to complain to the Secretary of Health and Human Services if they believe their privacy rights have been violated.

How does VSP use and disclose PHI?

VSP will only use and disclose member Protected Health Information without your authorization when necessary for:

Our current Notice of Privacy Practices is available to members on our Web site at vsp.com.

Have VSP employees received training on its privacy practices?

Yes. VSP employees received basic Privacy Training, and all new employees are provided basic Privacy Training. In addition, more comprehensive training sessions are provided to those Divisions and individuals that use PHI as part of their business processes.

Will VSP be requesting authorizations from members for PHI use and disclosures?

VSP only uses and discloses PHI for purposes of treatment, payment and healthcare operations, or as required by law. Patient authorization is only required for disclosures that are for purposes other than treatment, payment, and healthcare operations.

How can VSP members access their PHI?

Members who wish to receive a copy of their protected health information (PHI) in VSP's designated medical record set may request a PHI report by accessing vsp.com, or contact our HIPAA specialist at hipaa@vsp.com.

Does VSP consider its clients to be business associates?

VSP also can be the business associate of other covered entities when it performs functions on their behalf while using PHI. We have concluded that VSP is probably the business associate of its ASP self-funded clients because VSP performs activities on their behalf, utilizing PHI.

We have concluded that VSP is not the business associate of its “risk” clients. VSP does not perform any activities on their behalf. Rather, VSP is, in those instances, performing activities for itself, not for the client.

How will VSP members be informed of the process for complaining about VSP Privacy Practices?

The Notice of Privacy Practices provides information on how to contact VSP with questions or complaints about VSP's privacy practices. In addition, VSP members are provided with information on how to contact the Secretary of the Department of Health and Human Services if they believe their privacy rights have been violated.

Security Standards

Does VSP have an appointed Security Officer?

Yes. We have a dedicated, full-time Chief Information Security Officer (CISO) responsible for the development and implementation of the security program.

How does VSP ensure adherence to HIPAA compliance?

VSP has a comprehensive security and compliance program which is managed to meet all regulatory compliance obligations, including HIPAA.

How does VSP ensure all employees and vendors comply with security policies?

All members of VSP's workforce, including employees, contingent workers, vendors, Board Members, and medical consultants, receive VSP security training upon employment. Periodic security awareness topics are administered as necessary.

How does VSP manage access to systems and data?

We enforce strict access control to all VSP assets.

How does VSP control access to work areas and equipment?

VSP controls access to all locations within each facility by requiring programmed badges. These badges limit entry based on job function. In addition, equipment is assigned to individuals or business units based on business need. All equipment is periodically audited to ensure proper ownership and location.

Does VSP offer secure transmission options?

Yes. VSP secures all communications across public or untrusted networks.

Does VSP have a Business Continuity Plan and/or a Disaster Recovery Plan?

Yes. VSP has Business Continuity and Disaster Recovery plans in place that are tested routinely and revised as necessary.