Managed Care Organization/Payor Survey

    
1. Does your organization obtain a written consent from enrollees/members prior to releasing PHI to Business Associates or others for purposes of Treatment, Payment or Health Care Operations (TPO)? (Note: Although HIPAA would not require consent in this situation, some state laws might.)

(check the response that most closely applies to your situation)

We never obtain enrollee/member consent prior to releases for TPO. We do obtain written authorization prior to releases for non-TPO activities.
18 90%
We do obtain enrollee/member consent prior to releases for TPO because state law requires it.
1 5%
We do obtain enrollee/member consent prior to releases for TPO because we think it’s the right thing to do.
1 5%
We obtain enrollee/member consent prior to releases for TPO, but only when it is administratively feasible (for example, when individuals enroll directly with the health plan, but not through their employer).
0 0%
  20 100%

    
2. Under what circumstances would you directly notify an enrollee/member that there has been an unauthorized disclosure of his/her PHI?

(pick as many as apply)

We would directly notify the enrollee/member if the release could result in obvious harm to the person (for example, information related to a claim for pregnancy services was erroneously released to a person’s estranged husband).
9 43%
We would directly notify the enrollee/member if the release could result in foreseeable harm to the person (for example, social security numbers of all enrollees/members were erroneously posted on the company’s website, but only for a couple of hours).
11 52%
We would directly notify the enrollee/member regardless of the “severity” of the release (for example, a person’s plan ID was mailed to the wrong subscriber).
4 19%
We would never directly notify an enrollee/member that there has been an unauthorized disclosure of his/her PHI. We would provide this information to the enrollee/member when they requested an accounting of disclosures.
5 24%

    
3. What is your organization’s approach to reporting claims and other information to self-insured employers (where the employer’s plan is the “covered entity” and your organization is the “business associate”)?

(pick as many as apply)

Our view is that as the “covered entity” the employer is entitled to all of the PHI it wants, regardless of type or purpose. We give them whatever they want.
8 47%
Our view is that we only provide de-identified or aggregated information to self-insured employers.
5 29%
We provide PHI, but only with appropriate assurances from the employer, such as a representation that it has appropriate firewalls in place.
6 35%
We negotiate this with each employer on a case-by-case basis.
0 0%

    
4. Do you have a formal compliance risk management plan by which to measure and report risks to your compliance steering committee and/or board?

Yes
16 73%
No
6 27%
  22 100%

    
5. How long has this compliance risk monitoring process been in place?

4+ years
5 24%
2-3 years
9 43%
1 year or less
1 5%
n/a
6 29%
  21 100%

    
6. What department is the owner of compliance risk monitoring?

(Check all that apply)

Compliance
20 95%
Internal Audit
2 10%
Legal
3 14%
Regulatory/Government Affairs
1 5%
Other (please specify)
1 5%

    
7. What are your biggest challenges in doing risk monitoring?

(Check all that apply)

Surveying the entire company
12 55%
Getting managers to respond to inquiries regarding risks
15 68%
Establishing controls for identified risks
8 36%
Getting senior leadership support
1 5%
Identifying new risks on an ongoing basis
11 50%
 
Other, Please Specify
1 5%

    
8. How often does your Board Audit and Compliance Committee review the compliance risk management plan?

1x/year
12 60%
2 or more times/year
5 25%
Not at all
1 5%
 
Other, Please Specify
2 10%
  20 100%

    
9. Does your company have a person/team of people coordinate all market conduct exams and regulatory reviews?

Yes
20 95%
No
1 5%
  21 100%

    
10. Does your company check documents/files/policies/other information for accuracy before providing to an examiner for a market conduct exam or other regulatory review?

Yes
18 86%
No
3 14%
  21 100%

    
11. Does your company audit the corrective actions implemented as a result of a market conduct exam or other regulatory review?

Yes
19 95%
No
1 5%
  20 100%