Aetna 2011 Annual Report Download - page 37


Annual Report - Page 31
HIPAA Administrative Simplification, GLBA and Other Privacy, Security and Confidentiality Requirements
The regulations under the administrative simplification provisions of HIPAA, as further modified by the American
Recovery and Reinvestment Act of 2009 (“ARRA”) and Health Care Reform, also impose a number of additional
obligations on issuers of health insurance coverage and health benefit plan sponsors. The "Administrative
Simplification" provisions of HIPAA and those regulations authorize HHS to issue standards for electronic
transactions, as well as privacy and security of medical records and other individually identifiable health
information.
Administrative Simplification requirements apply to self-funded group health plans, health insurers and HMOs,
health care clearinghouses and health care providers who transmit health information electronically (“Covered
Entities”). Regulations adopted to implement Administrative Simplification also require that "business associates"
acting for or on behalf of these Covered Entities be contractually obligated to meet HIPAA standards. The
Administrative Simplification regulations establish significant criminal penalties and civil sanctions for
noncompliance.
Under Administrative Simplification, HHS has released rules mandating the use of standard formats in electronic
health care transactions (for example, health care claims submission and payment, plan eligibility, precertification,
claims status, plan enrollment and disenrollment, payment and remittance advice, plan premium payments and
coordination of benefits). HHS also has published rules requiring the use of standardized code sets and unique
identifiers for employers and providers. The federal government has mandated that by October 2013 the health and
related benefits industry, including health insurers, providers and laboratories, upgrade to an updated and expanded
set of standardized diagnosis and procedure codes used for describing health conditions, known as ICD-10. HHS
has announced that it will initiate a process to postpone the effective date for use of ICD-10 by certain health care
entities. Implementing ICD-10 will require substantial investments from the health and related benefits industry,
including us, over the next several years. We currently estimate that our ICD-10 project expenses will be between
$20 million and $40 million each year for 2012 and 2013.
The HIPAA privacy regulations adopted by HHS establish limits on the use and disclosure of medical records and
other individually identifiable health information (protected health information or “PHI”) by Covered
Entities. Further, ARRA requires us and other Covered Entities to report any unauthorized release of, use of, or
access to PHI to any impacted individuals and to HHS in those instances where the unauthorized activity poses a
significant risk of financial, reputational or other harm to the individuals, and to notify the media in any states
where 500 or more people are impacted by any unauthorized release or use of or access to PHI. Business associates
(e.g., entities that provide services to health plans, such as electronic claims clearinghouses, print and fulfillment
vendors, consultants, and us for the administrative services we provide to our ASC customers) must also comply
with certain HIPAA provisions. In addition, ARRA establishes greater civil and criminal penalties for
Covered Entities and business associates who fail to comply with HIPAA's provisions, gives new enforcement
rights to state attorneys general and requires HHS to issue regulations implementing its privacy and security
enhancements. We will continue to assess the impact of these regulations on our business as they are issued. In
addition, the HIPAA privacy regulations provide patients with new rights to understand and control how their health
information is used.
The HIPAA privacy regulations do not preempt more stringent state laws and regulations that may apply to us and
other Covered Entities, including laws that place stricter controls on the release of information relating to specific
diseases or conditions and requirements to notify members of unauthorized release or use of or access to PHI.
Complying with additional state requirements could require us to make additional investments beyond those we
have made to comply with the HIPAA regulations. HHS also has adopted security regulations designed to protect
member health information from unauthorized use or disclosure.
In addition, states have adopted regulations to implement provisions of the Financial Modernization Act of 1999
(also known as Gramm-Leach-Bliley Act (“GLBA”)) which generally require insurers to provide customers with
notice regarding how their non-public personal health and financial information is used and the opportunity to “opt
out” of certain disclosures before the insurer shares such information with a non-affiliated third party. The GLBA