Travis County Commssioners Court
March 25, 2003
The Closed Caption log for this Commissioners Court agenda item is provided by Travis County Internet Services. Since this file is derived from the Closed Captions created during live cablecasts, there are occasional spelling and grammatical errors. This Closed Caption log is not an official record the Commissioners Court Meeting and cannot be relied on for official purposes. For official records please contact the County Clerk at (512) 854-4722.
Item 15
Good morning.
>> good morning.
>> judge, commissioners, [inaudible] scoot it manager for administrative operations. Today we are here before to you discuss the health insurance, affordability and accountability act and take appropriate action. This was a federal act pass understand 1996. Local governments were given a deadline to comply and the technical rules for this act go into effect April the 14th of this year. So what you have before you are the policies which is the training, it includes privacy notice to our employ ears, it includes complaint forms and also names a privacy officer. The individuals that have been working on this project are dan, as I understand puri attachment n, and we also had to hire a consultant. The court authorized us to hire kevin f. Chapman, he's the president of boon chapman, and they are considered experts in this particular field. I'm happy to report that if you approve these today, we will readily achieve the deadline of April the 14th and have training already scheduled with all employees on these particular policies and rules.
>> April 14th is the deadline?
>> yes.
>> we're getting feedback from employees to the recommended policies?
>> cindy, hrmd. When I went to the different departments with our consultant, we talked with the various different departments about the type of information they handled and the origin of that information and also what they did with it, and it was very interesting. There was a lot of misinformation, a lot of people are confused about what is really is protected health information and what is just medical information they may come into contact with on a daily basis. The training that we're going to hold on the -- that's scheduled for the 10th will be for the people that have been identified that do handle protected health information. And then we'll offer subsequent training after that for employees in general that want to know more about what this is. Just because something that you handle maybe is not considered protected health information doesn't mean you should handle it properly. There has been confusion about what I do does it apply to this. So the consultant narrowed it down for us about what -- who in Travis County that this law applies to and what is it that they do that comes under the auspices of this law. It was determined that the health plan was an entity, the sheriff's office had components that made them have to comply with the law, and the public health clinic that we operate in conjunction with the city of Austin. Those were the three areas that were identified that came under this law. The health plan information has a lot of hipaa material embedded in it. So the policies and procedures that you see in pront of you are basically the Travis County health plan, policies and procedures for hipaa. The sheriff's office had their own policies and procedures and they are reviewing them now. Those do not need to come before the court. The clinics, city of Austin is going to be the lead in the compliance with hipaa since they are the ones that handle the billing for the clinics. We will execute a business associate agreement with the city of Austin as a business associate in the clinics, but the actual part that comes under hipaa is the city's part. So what you have before you is basically the hipaa policies and procedures for the health plan.
>> do we expect this to affect county employees, though?
>> yes, sir, it will affect -- not every county employee, but county employees in very different areas. Mostly the people that deal with the benefit plan on a daily basis as part of their job functions.
>> there are two parts to that answer.
>> can I go back the my question? My question really is do county employees know what the being proposed today and have they had a chance to respond to the proposal. Now, the training occurs after we've adopted policies and procedures. My question is have we considered recommended policies and procedures, I mean, can we rest assured that affected county employees know what they are and have had a chance to say what they think about it?
>> these particular policies will have a really -- really guidelines for people who administer and handle any of this sort of information and may not be -- it's in their -- to maintain the privacy of the employee. Barbara?
>> that's what we have to deal with first, then later will we be training employees or will we be letting employees know about this new law and the fact that people are being trained on how to handle their confidential information?
>> there's two parts to this policy and procedure. One is the policy that governs how employees handle other employees' protected health information, must treat that information. The second part is the privacy notice that does affect every employee that participates in the health plan. That privacy notice is what goes out to all employees. You know, with policy, we submit a policy draft form to the various departments for their response, and we do get some response back. Barbara.
>> those are the people who handle the information, and that's the first level that we will train.
>> that's correct.
>> it's actually the only level we'll train.
>> there's sort of two aspects to the judge's question. As it relates to all county employees, what the policy does is give them greater protection for the privacy of their health information. And what it says is consistent with what the law requires us to say in terms of the protections that we have to give them. So even if we distribute it to every single county employee and ask their input, unless we wanted to give them greater protection than the law requires, and the law is pretty stringent in terms of what it does require, what they said, we wouldn't really be able to act on because we still have to comply with what the law requires us to put in or protect in relation to their health information. The employees who --
>> the rank and file employees should know that [inaudible] the proposed policies really simply contain -- these are requirements imposed on us.
>> that protect their health information. And they will get a copy of the privacy notice because that is required by the law that will tell them what protections we're creating by the policy. In response to my question, no, because it would have been sue per flu us. Unnecessary.
>> yes.
>> this is the law, no matter what you think about it, this is the law.
>> and as it relates to the group of people who have access to other people's information and who will be governed by what is in the policy, I think that all of those people have had an opportunity to look at what is in there. I know this there were some significant changes made in reels to the wording that relates to the i.t. Function to clean up the language so it was more technically correct from a i.t. Perspective. And the people who deal with the information in h.r. Were the ones who were writing it so of course they didn't need to review it because they had put stuff in it that was consistent with the -- what was needed.
>> so barbara, each one of our offices ought to have someone who handles that information, or I mean is it totally necessary si -- could it be my office is so small that I will send all of them to h.r. So someone in h.r. Will handle that part of confident at?
>> actually, your office will probably not need to ever need to have any protected health information because that would be the sort of thing like constituent or employee comes to your office and says I'm not getting what I want from the health plan, but I don't want to tell you anything, you have to get the information from the health plan. Then that -- what their -- what they are talking about is protected health information that they would have to give us a release to give thaw information. But if they come in and say these are all my problems, can you help me, then that information isn't protected because you didn't get it from a provider or a health care plan or -- I mean, we can each talk about our own information to anybody we want to.
>> oh, okay.
>> and the policy, the federal law actually requires a series of releases before information can be divulged. So in the second scenario barbara gave that is correct information can be given to h.r., But once we determine what the answers are, we would need a release from that employee before we could divulge that to the inquiring office.
>> okay.
>> it's very restrictive on how health information is handled.
>> okay?
>> are we doing anything currently now that may come outside of the realm of the policies and procedures, the privacy notices, the authorizations and some of these steps that we're going through now. Now, as far as the new policies are concerned, is there anything that we're doing now that may not allow us to come into compliance? I'm bringing up maybe an example of how we handle our enrollment, in other words, some of those enrollment opportunities can be now electronically done. If that is the case, does that fall maybe within the realm of let's say privacy or notice or something like that? I really don't know, but maybe just pose another question since this will have to be brought into effect in April. Is there anything we're doing currently that maybe not allow us to be in compliance as far as what's being proposed?
>> commissioner Davis, if we're talking about demographic-type information that does not include information about treatment, diagnosis or dollars paid for health care, or even health care treatment, just, you know, name, social, d.o.b., That is fine. That's not protected health information. Taken transmission of it electronically, i've talked to cindy about whether that needs to be encripted and no it doesn't. Privacy regulations don't require that. The security regulations which are effective in two years, the proposed ones would have required it to be encripted if it went over the internet, but however the final security regulations encourage encryption but don't specifically require it. That's not spelled smelled phi, so it doesn't have to --
>> my final question, who would be responsible -- I guess the policing mechanism that would be employed to ensure that Travis County is in compliance with what the proposal -- well, as the proposal is being presented to us this morning?
>> this policy requests the court appoint dan [inaudible] privacy officer.
>> but there's someone debeyond dan mansue. To make sure the law is complied with.
>> it is the responsibility of the privacy officer within the office he is appointed to. Dan would be in relation to the health plan. If the sheriff wants to ask dan to do it, I suspect the court would not object to him doing it for the sheriff's office, but the sheriff can appoint her own privacy officer in relation to the jail medical situation so we may have more than one privacy officer. But the privacy officer is the one who is legally the policeman. [multiple voices]
>> the federal government --
>> but beyond dan there's another level.
>> you mean if dan doesn't do his job?
>> then it's the federal government.
>> the federal government, right. Somewhere along the line, I guess they will come and check with us on complaints or whatever else we may be having if any of these procedures and policies are violated thraw complaint through a complaint mechanism. I'm just trying to get the steps in my mind before the policy and procedures if we fall out of compliance, then who has the upper hamer to say, well, you are not in compliance, and that's basically I'm just trying to get the step process.
>> the department of health and human services, but I asked kevin to address that further.
>> there are penalties for failure to comply and it is h.h.s. That has the regulatory authority. I think the initial -- eventually they will probable come and do audits and they will come say, well, what do your policies say that you do and do your policies comply with the law. Then they are going to say do you do what your policies say that you do. But initially I think regulatory portion will be driven by complaints.
>> and if you will look on page 3 of your memorandum, the non-compliance with hipaa requirements do have some penalties.
>> thank you all for your presentation. I thought it would be real simple. Make your presentation and if we have questions we can make those. In my view, we need to another week to look at this. There's a lot of information. But i'll let you all present what you have.
>> cindy, h.r. The first thing I want to note is that the Travis County hipaa policies and procedures will be an amendment of chapter 17 and we're going to be adding a subchapter d. As you know, chapter 17 deals with the health plan. So it will be a subchapter of chapter 17 t. Policies and procedures that you have before you have in them the policies and procedures, the privacy notice in its entirety, and the two complaint forms in its entirety embedded in the policies and procedures. We didn't want to just refer to them. We wanted the whole thing in there so there's no mistaking what we're talking about. The policy and procedure has a couple of definitions that make it easier to understand what we're talking about. The first definition that everyone probable really needs to understand is what is p.h.i. It means protected health information. That is information that is developed by a health plan, a provider, a medical clearinghouse, or in some cases an employer. Okay, and what does that mean? That means that when -- in the health plan's case, because the covered entity that we're talking about for Travis County is the health plan. So in the health plan's case, it's health plan information. So if someone calls in sick with a cold, that is not p.h.i. If they have to get something for family to be out sick or if they are out on disability, those do not come under had hipaa law. The only information that's considered protected health information is health plan information. So it's information that comes to us as part of the health plan. We are very luck any that our organization has never had access to any detailed health plan information so no one is in the habit of ever accessing that information except for the immediate people in h.r. Normally that deal with this under our self-funded plan.
>> are we rule I talking about specific information about -- rule I talking about specific information about an employee's health?
>> yes, sir, anything that is identifiable to an employee. Whether it be a diagnosis or a social security number, something that's connected with their health information, that makes it protected health information. And that must be maintained under these privacy regulations. This information can relate to the past, present or future, physical or mental health or condition of an individual. And it has to identify that individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual. So let's say that we came into court and we were reporting to the court about our high stop loss claims. Perhaps there was only one, and perhaps, a., That would probably maig it pretty identifiable right there, or maybe we mentioned that somebody maybe had lost a limb due to diabetes. Well, that would identify that person even though there was no particulars other than that given. Those are the kinds of things we're going to be have to be very careful not to do. We don't want to identify anyone's information that came to us through the health plan.
>> well, it sounds like that other law that kind of says we can't ask certain questions about certain people, and this sounds like it's one more thing that is protected.
>> it's the type of law we saw for the credit industry, for the employment, the h.r. -- you know, when you are doing employment interviews and that kind of things, it's a law designed to protect the individual's medical information.
>> okay.
>> but we do have some of that information and we have to make sure that it is protected. If I'm following up for someone trying to help them get a bill paid or something, my e-mails will not be encripted or benefit e-mails will be encripted to the carrier and the responses will be encripted back to the carrier. Within our internal county system, encryption will not be necessary, but when it goes outside the county on these types of issues will have to be done. We've talked a little bit about the privacy officer. The policy designation dan mansure as the risk manager as the privacy officer. The privacy officer has overall responsibility for administering the subchapter to assure compliance with the privacy regulations. Additionally the privacy officer the the designated authority to receive and process the complaints, the requests for copies, the requests for alternative confidential communications. If someone is maybe has a protective order out there and they -- it endangers them to have contact through the normal avenues, they can request an alternative communication methodology and we need to comply with that if we can. However, it will be the privacy officer that will deal with the complaints taken authorizations and the requests under hipaa. It also is the privacy officer who is the recipient of jail time for violation. In addition, the county would be liable for the substantial fines for non-compliance, and those are shown on page 3 of the agenda item. The county is subject to compliance audit by the department of health and human services. Again, there's not a lot of information out there about how that's going to take place or it will probably be complaint driven, as kevin mentioned. Complaints must be filed. So if an employee has a complaint, if they think their privacy has been breached, they need to make a complaint in writing to the privacy officer. And then the privacy officer will deal with it. They can also make their complaint in writing to the department of health and human services if they want to go that route. There can be no receipt tri bugs, no --
>> retaliation.
>> .
>> -- retaliation for someone making a complaint. Hipaa also requires the privacy officer keep a log of all of these complaints, any violations that are brought to his attention, any authorizations and whatnot that are issued so that we can at a moment's notice -- and we're going to keep this electronically in a database, so if we get audited, we punch a button and there's our whole log of what's tran spierd. The privacy notice came up a few moments ago. We are required by the law to distribute to all members of the health plan a privacy notice. This will tell our employees what is hipaa, what the law provides for them, what are their rights under the law, what we're trying to do with this law. I've also devised a cofnl page on the suggestion of charles vaughn in the auditor's office to break it down, to understand what p.h.i. Is. We've also got a paragraph in there in spanish for our spanish speaking employees that advise them to call h.r. If they want someone to explain it all to them in spanish. We want to make sure our employees do understand what their rights are under the law, because I think the more we educate our employees, the better everything will go with this. And they may need to understand if we can't tell them something right away, if we can't verify who they are on the phone, or let's say a lot of spouses call for information, maybe the wife in if family calls to get the information on the health claims while the husband is working or whatnot, we can accommodate these people, but we need to make sure who we're talking to and we need to have the authorization of the employee be it verbal or in writing so that we can proceed with this because otherwise we would be in violation of the law. It will help the employees understand when we maybe ask some questions we haven't asked in the past trying to identify and make sure who we're talking to. As you go through the policies and procedures, it does tell you that the health plan has the right to use and disclose spelled peld p.h.i. In certain circumstances in furtherance of the plan administration t. Disclosure in use is regulated by this law. Anyone who is authorized to receive phi must agree to treat it according to law. We're going to have business associate agreements with vendors like united health care or safeguard, anyone out there that has access also to the phi, maybe being a payer, we have to amend our contract to complu business associate agreement that they in turn will treat the spelled p.h.i. The way it is required under the law. We're going to sign an agreement with the city of Austin for the clinics that will basically tell them the same thing. All p.h.i. E-mails, faxs, written material will need to contain specific confidentiality wording and be encripted if necessary. And on page 18 and page 20 are the suggested wordingings, and we got with i.t.s. And kind of combined the wording that we wanted to use with the wording that they want to use in the i.t.s. Technical policies that are coming forward so that we won't have something out here that's contrary to what they are trying to do. Their stuff has not been brought forward yet to the court, though. The most common -- the reason that we have p.h.i., We wouldn't normally have a lot of p.h.i. If we were fully insured. If we're self-funded, we do get a little more p.h.i. So we can get the data we're needing to get to administer the plan. That is the use we use of the p.h.i. We help people get payments. We process the requests for payments. We respond to inquiries on benefit and eligibility from employees and providers. The plan administration including the funding and maintaining viability of the plan. The oversight of the plan requires not maybe an indepth drilling down to one particular person's p.h.i., But the overall view of maybe we're having a lot of heart attacks or maybe we have a high asthma population or high diabetic population.
>> for anybody that tuned in late, p.h.i. Is protected health information.
>> it's too easy to go sometimes with the acronym. We also on occasion have to provide some p.h.i. To insurance and stop loss companies in course of developing proposals. Like we have to go out for bid on our stop loss coverage this year. So the stop loss carriers are going to ask do you have any high claimants, and they may want some limited information on those high claimants so they know thousand rate the proposal. One of the most important things to remember that is under no circumstances can the employer make employment decisions based on p.h.i. Obtained from the benefit plan. And that anyone who has access to p.h.i. Is bound by the law to keep it confidential unless it is specifally allowed to be disclosed. So under no circumstances can employment action be taken on information gleaned from the health plan. The employee has a variety of rights. They can request certain restrictions on certain uses and disclosures of p.h.i. The health plan is not obligated to agree to those requests. They can request to receive alternative confidential communication. They can also inspect and copy their p.h.i. And request a copy, and that has to be in a designated record set. If it's available in a designated record set, which would mean a format report. And that normally would just have claims hear payments, eligibility. There's other various rights and authorizations you will see, but it basically gives the employee access to their own information or they can designate someone else to deal with that information for them if they have someone trying to help them.
>> this is not in our possession, this is stuff united health care would have?
>> we do have possession of some of it in the benefits area. Very limited. People have access probably no more than three people have access to plan p.h.i. Unless it's stoant us from a provider on the request of an employee or the employee might give it to us.
>> and why would you want to access that information any?
>> that information provides us with details to be able to manage the plan, to identify cost drivers, to identify utilization patterns, things of that nature. And it goes back to getting the information that we explain in court when we recommended being self-funded that we would have access to the information need to do manage a program. And I want to emphasize --
>> do we need detailed information about individuals or do we just need the information in total?
>> sometimes we need the detailed information because we're dealing with that individual on their claims.
>> I understand that. If you are dealing with an individual on an individual claim, I can see. Tha. But I guess if I'm on medication, county may want to know what the medication is and how much it's costing because the other employees may be in same category. We need to see the total information to figure out the plan costs, whether we can approve it, et cetera. But i've thought that the information that we really needed was of a bigger nature. Realty money, the kinds of medicines that we're paying for, how many individuals are getting it, I don't know that we thought it mattered that john doe was taking a certain medication other than cost.
>> well, to obtain a stop loss insurance policy, you are going to have to have that because when you all go out to shop for new excess loss coverage, they are going to want to know -- they are going to ask about people with claims over a certain amount and people with certain diagnoses. Then they are going to need to know who those people are so they can underwrite it. They may talk to their doctor, they may ask for the authorization to do that. So for you to get competitive stop loss information, you are certainly going to have to have access to that information. And that's on whole -- excuse me.
>> just a few people at the county have access?
>> right.
>> very limited.
>> there's three people, principally two people in the h.r. Department who have access to that data. And they use it for auditing purposes. As we audit every week, we bring our recommendation for reimbursement to you. The audits that we conduct with conducted on that data that comes in to us and it's restricted two two people. I may once in a great while have access if I'm surveying what's being done in the audit process, but it's not disseminated outside of our department.
>> and the purpose of those policies and procedures is to protect that information and make sure that it's only used for legitimate purposes. I mean, that's --
>> am I incorrect in thinking that 95% of this we have been doing since I have been with the county anyway?
>> yes, we have. We have.
>> on some scale, that's correct.
>> [inaudible] grief us procedures, other stuff -- but I would think as to individual claims, I thought we had been doing this anyway.
>> well, to some degree we have. I think what this -- what the hipaa policy does is bring some uniformity as to how it's protected, and we strive to protect that information anyway. As some of you may know, we're very guarded what we talk about.
>> before hipaa, there wasn't an overriding federal statute that said you couldn't use health information for employment-related purposes. You had the a.d.a. And you can't -- you can't violate that, but hipaa said if it comes from the health plan, you can't use it for employment purposes, which I think everybody would agree is good policy. And hopefully most employers live by it even though it wasn't the law. But now it is, and in that -- and that's good, I think.
>> barbara?
>> the one thing that I would like to go back, you said most of the time we don't need to have specific information about specific people, and that's true. The way that hipaa ties in and makes it a little bit different is you can sit out here and not ever mention somebody's name and be talking like cindy example about somebody who lost a limb due to diabetes. You've never mentioned their name and you've never done what we've done in the past, but now we'll be careful even about that because that's the kind of condition that is going to be identifiable by a large portion of our workforce, anybody who knew the person. And so we wouldn't want to disclose that. It's not the -- the identifying the individual who is getting the particular medication, but if there -- I don't know of any medication that fall ins this category, but if there were some medication that were so unique only one person in our population got it and we were discussing that and there was significance to their diagnosis, we wouldn't want to discuss it because they are then identifiable. Other than that, it comes down to what you were saying before, we wouldn't be discussing it anyway, just that potential for identifiability we haven't been [inaudible] previously.
>> so we think that if we are discussing the stop gap coverage and somebody asks, well, how many heart attacks have we paid for and you say ten, and there was one amputation that cost more than we thought, that person is probably walking around visibly amputated, but do we think that's a violation?
>> could be.
>> it could be. Depending on who was doing the interpreting.
>> that is the sort of thing I guess that we are with this particular law even more cautious about. We know that there were five cases that reached 125,000. I would be hesitant to name each of those, you know, each of those cases because there are so few of them. We can tell you perhaps the major categories in the 16 that reached the 50,000. So I think it's just -- provides an extra legal of caution in identifying that particular information that could be then tied to an individual.
>> what I would like to do now is go on to the staff recommendations. The staff is asking the court to name the risk manager as the hipaa privacy officer. To the court approval of the above hipaa policies and procedures and the various forms. And approve distribution of the privacy notice to employees as required by hipaa.
>> so the distribution needs to be made how far in advance of the effective date of the policies?
>> well --
>> we scheduled it to go out, if I'm not mistaken, the first part of April.
>> so if we take action next week, we're in good shape?
>> yes, sir.
>> do we need to increase dan's bond as a result of this new and different responsibility?
>> well, I had a bond, I probably would want that, but no, I don't think sovment I think any -- so. I think any violation would certainly fall under our self-insured fund. If the court would approve that.
>> I assume we need to read this one more -- spend a little more time reading this between now and next week. It would help me to view protected health information, I guess if the employee -- you say exactly what you mean.
>> yes. We gave ourselves a week, judge, just in case.
>> but in the meantime, I think I'm in agreement with what is here and that should tell you, you know, to keep moving in that same direction. But I would do everything to not violate anything.
>> I would like to say -- boon chapman, from the standpoint we've worked with a lot of employers sponsoring self-funded plans in an attempt to get into compliance and you've got an excellent staff.
>> thank you.
>> thank you.
>> thank you.
>> we need a one-page their says -- sort of sets forth examples of what is permissible and what is not. Do's or don't's.
>> I think as part of the training that -- that's included.
>> the policy -- this is 54 pages. How long is the training?
>> I believe the training is two hours.
>> two hours.
>> and we would also have some executive level training that we would want to conduct.
>> give some thought to the simple do's and don't's. I have been rejected before, so if it's not a good idea, don't do it.
>> I think it's an excellent idea. I think with our privacy notice, the cover sheet that goes out is going to break down some of the technical language so that a non-insurance person can understand it. It will be clear language hopefully. That's one of the things vaughn had recommended so we're going to work on some of these things.
>> and for us, sometimes when we see the amount of coverage, cost of coverage increasing, first is to try to figure out what kinds of cases resulted in such increases, and sometime before thinking you kind of ask, you know, maybe the wrong question.
>> exactly.
>> we want to guard against that, I take it.
>> sometimes answers are pretty vague, we know. And alicia explained that sometimes is the reason because it may be one individual with maybe two that are identifiable.
>> so you are not always hiding the ball sometimes, you are trying to protect us.
>> uh-huh.
>> in some cases. [laughter]
>> very good.
>> kind of like that question I asked the work session today where everybody kind of kept looking at each other. Don't need an answer to that. [laughter]
>> any additional comments, we'll just reach between now and next week and plan to move on it next week.
>> thank you.
>> did you all say what you needed to today?
>> yes, sir, I did.
>> thank you.
>> thank you all very much. We've been looking forward to this for some time.
>> thank you.
Last Modified: Wednesday, April 2, 2003 10:25 AM