General Policy
All records that have confidential medical and insurance information must be handled and discarded in a way that ensures the privacy and security of the records.

• Delivery of health care
• Payment of doctors and other providers
• Measurement and improvement of care and service
• Preventive health and disease management programs
• Member surveys
• Investigation of complaints and appeals
• Other purposes needed to administer benefits

Consent for Release of Information for Other Purposes (Special)
The following uses of your member information requires a special consent from you:

• Data requested for a worker's compensation or auto insurance claim
• Release of information to a lawyer
• Release of information that could result in another company contacting for marketing purposes
• Release of information from behavioral health care practitioners (mental health and substance abuse providers) to your primary care physician or specialist.

Your Access to Medical Records
You may access your medical records by contacting your doctor's office or the provider of care (such as a hospital). You must follow the doctor's or provider's procedures for accessing medical information. Family members or other authorized representatives may have access to your medical information only when you give written permission.

Disclosure of Information to Employers
Disclosure of information to employers is limited to the information the employer needs to administer the health plan. Your employer must agree to protect your information from being used for any decisions affecting you. The employer must identify persons or positions that may have access to the information and must ensure there are measures in place to prevent unauthorized access.

Treatment Setting
Practitioners and providers are expected to implement confidentiality policies that address the disclosure of medical information, patient access to medical information, and the storage/protection of medical information. The Plan reviews practitioner confidentiality processes during pre-contractual site visits for primary care physicians.

Quality Improvement Measurement
Data for quality improvement measures are collected from administrative sources (such as claims and pharmacy data) and/or from member medical records. The Plan protects your member information by ensuring that medical records are reviewed in non-public areas, and that reports do not include member-identifiable information.

NCAS HIPAA Position Statement
July 2002

NCAS is in the process of developing and implementing our Readiness Plan for compliance with the Administrative Simplification provisions outlined in the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The electronic healthcare transaction and code sets are generally scheduled to become effective October 16, 2002 for all covered entities. An extension form may be filed with the Department of Health and Human Services prior to this date for a one-year extension. Small health plans, defined as having a maximum of $5 million in annual receipts, already have a compliance deadline of October 16, 2003. The Privacy provisions of HIPAA are effective April 14, 2003 (April 14, 2004 for small plans). The prevailing thought among HIPAA experts is that Congress will not extend the deadline for compliance with the Privacy rules. The final rules on the HIPAA Security requirements have not yet been published.

To date NCAS has conducted a HIPAA orientation program for our management team and an awareness campaign for our employees. Our HIPAA leadership/implementation team has been appointed and we have support from our parent company to guide our compliance initiatives. We participate in industry conferences and seek expert advice and counsel as required.

NCAS is defined as a “Business Associate” of Covered Entities which includes health plans. We are in the process of finalizing our Business Associate Agreement to outline the uses and disclosures of individually identifiable health information. We expect to distribute this agreement to our clients beginning in September 2002.

Transactions and Code Set Standards:

NCAS is committed to enabling our clients to become HIPAA compliant with the Standard Transactions and Code Sets Rule. The system used by NCAS to administer eligibility and claims is on track to have all transaction and code set standards in production by October 1, 2002. The standard 837 format, Version 4010, for Institutional, Professional, and Dental claims is currently in production and has been certified by Claredi, an independent testing and certification service, for HIPAA transaction compliance. The Claredi testing and certification for the 834 - Benefits Enrollment/Maintenance and the 835 – Electronic Remittance/Advice formats are both in progress. The remaining code sets are in the development or beta testing stages. There is data mapping and testing involved with each trading partner that plans to submit information electronically.

NCAS periodically receives compliance readiness statements from key vendors that currently send and receive electronic claim and/or utilization review information (i.e. PPO’s, Facilities, and Utilization Review vendors). These vendors are in varying stages of compliance and some will not be ready by October 2002. As a result, NCAS will electronically submit our compliance plan with the Department of Health and Human Services in August 2002 to qualify for the one-year extension. Please complete and return the attached authorization form by August 16, 2002. If you authorize NCAS to file the extension on your behalf, you will receive a communication after the submission to confirm that the extension has been filed.

Privacy

The TPA has always worked under the premise that individually identifiable health care information (IIHI) is confidential and only disclosed for the purpose of normal business operations. All associates participate in an annual ‘Code of Conduct’ training and testing to ensure a thorough understanding of their employment obligations to maintain the confidentiality of data. NCAS’ initial privacy assessment and basic HIPAA awareness campaign for employees are complete. The gap analysis is underway to target processes that need to be modified and to identify areas to focus documentation and training efforts. Education and training will be conducted at all applicable levels of the organization. NCAS is committed to taking reasonable steps to limit the use and disclosure of protected health information to the minimum necessary to accomplish our business needs. We will provide reasonable safeguards to protect health information from improper use and disclosure.

NCAS will make a good faith effort to ensure that its processes, procedures and critical systems will be HIPAA ready on or before the effective dates of the applicable Regulations. I will provide you with periodic updates on our progress as we reach implementation milestones. Due to the many unknowns related to the implementation of the Regulations, we do not assume any risk associated with reliance upon the information provided in this statement and we reserve the right to amend this statement as needed.

Sincerely,

Karen McDonald
Vice President, Administration and
System Support

Privacy Statement
NCAS & CareFirst Copyright 2001