HIPAA COW Fall Conference

1
BA Contracting Issues Contracting with a PBM
Carol Rubin Associate General Counsel Director,
HIPAA Compliance WEA Trust HIPAA COW Fall
Conference September 27, 2002
2
WHAT KIND OF ENTITY IS A PBM?

• Is a PBM and/or its subsidiaries
•  
• A Covered Entity?
• If so, an OCHA? An Affiliated Entity?
• Business Associate?
• Trading Partner?
• None of these?
• All of these?
• Some of these?

3
WHAT KIND OF ENTITY IS A PBM? The ANSWER . . .

• It depends
•  

• Services provided by PBMs vary adjudicating
  claims, paying benefits, performing disease
  management, monitoring prescription drug claims
  for safety issues, mailing, ID cards, sending out
  various notices. What exactly is your
  arrangement with your PBM?

• Is your PBM one or several legal corporate
  entities?

• How do these corporate components share
  information internally?

• What sort of entity does your PBM think it is?

4
OTHER QUESTIONS

• How do each of these components share information
  with pharmacies? Pharmaceutical companies?
  Various vendors?
•  
• Do these corporate components have the correct
  protections/walls/BA contracts in place?
•  
• Is any of your insureds PHI being shared with
  pharmaceutical companies?
•  
• If so, is it being used for direct (e.g., letters
  to your insureds about switching brands) or
  indirect (e.g., physician profiling) marketing
  purposes?

5
ONE EXAMPLE OF AN ATTEMPT TO FIND ANSWERS

• Sample letter to PBM (see handout).
•  
• Included a detailed notice reflecting our
  understanding of how the various PBM components
  worked.
• Concern PBM/pharmacies/pharmaceutical companies
  are areas of potentially significant abuse of PHI
  due to
• Broad scope of health information available
• Value of PBM information for marketing
• Fact of Automation

6
Information/Opinions Provided to Date by Medco
Health

• Medco Health Pharmacy
• Companies (18)
• (formerly Merck-Medco RX Services)
• Covered Entities
• 18 are an Affiliated Entity
• Are not a BA of payers

• Medco Health
• Prescriptions Solutions
• (formerly PAID Prescriptions)
• BA of payer

Payers CEs
BA
BA
?
BA sometimes?

• Medco Health Solutions, Inc.
• (formerly Merck-Medco Managed Care, L.L.C)
• Not a CE
• Is a BA of payers
• Sometimes is a BA of 18 pharmacies

BA?
BA?

• Thousands of Medcos Participating Pharmacies
• CEs
• Are NOT BAs of Medco because
• Neither performs a service for the other?
• OR, because Medco isnt a CE?

• Various unidentified vendors subcontractors
• BAs of parent Medco
• BAs of 18 pharmacies

Pharmaceutical Companies, including Merck
7
MEDCO RESPONSE, JULY 30, 2002

• Yes, will work toward a BA agreement for April
  2003 (i.e., not extension).
•  
• Yes, plans to be compliant with Transactions
  Standards, NCPDP Version 5, Release 1, by
  September 28, 2002.
•  
• Current view is that Medco Health, the parent,
  is not a Covered Entity because does not perform
  any covered entity functions. It and
  Prescription Solutions, the retail network
  management subsidiary, are both BAs for the plans
  and in some instances to the Pharmacy
  Companies. (Import?)
• Prescription Solutions (in providing prescription
  management services management of the retail
  pharmacy network) BA of health plan clients.

8
MEDCO RESPONSE, JULY 30, 2002(continued)

• Pharmacy Companies (18 home delivery pharmacy
  operations) Covered Entities because acting as
  providers. The 18 licensed Pharmacy Companies
  will consider themselves an Affiliated Entity
  under HIPAA. (Import?)
•  
• As such, will draft and deliver its own privacy
  notice and give to home delivery users directly.
•  
• This notice is sufficient, payers need not do
  anything more. (accurate?)
• Is in process of doing inventory and assessment
  of PHI flow Has no single flow chart capturing
  all PHI flow.

9
MEDCO RESPONSE, JULY 30, 2002(continued)

• Is in process of reviewing all contracts with
  vendors and subcontractors, for TPA issues (what
  about BA issues?).
•  
• Problem If Medco Health parent is not a CE,
  then various vendors cannot be BAs? Just TPAs?
  Just BAs of 18 pharmacies?
• Will have TPA language drafted by end of 2002.
•  
• Per 80 completed privacy assessment, Merck finds
  no activities that are marketing activities under
  either the old rules definition of marketing,
  nor the March proposed revision of the definition
  of marketing.

10
SHARING OF PHI WITH PHARMACEUTICAL COMPANIES TO
CALCULATE REBATE

• Issue Is sharing non-aggregated PHI with
  pharmaceutical companies, or sharing it only
  internally at Medco Health, for purposes of
  calculating rebates, within the scope of the BA
  provision allowing use for Business Associates
  proper management and administration as long as
  PBM gets written confidentiality assurance from
  the pharmaceutical company?
•  
• If so, is that acceptable to payers?

11
SHARING OF PHI WITH PHARMACEUTICAL COMPANIES TO
CALCULATE REBATE (continued)

• Medco Response
•  
• We do not share any PHI with pharmaceutical
  manufacturers in order to calculate rebates. PHI
  is used by Medco internally to develop reports
  used to calculate rebates. . . We have not yet
  determined whether the activity can be
  accomplished using only de-identified data, or if
  we will find that the internal use of PHI is
  justifiable as a payment or healthcare
  operation.
•  
• Query If Medco Health parent is not a CE, is
  use of PHI for payment or healthcare operations
  an option?

12
NEXT STEPS FOR WEA AND POSSIBLY FOR ALL HIPAA
COW PAYERS?

• Determine what corporate unit performs other
  functions, such as Rational Med, Disease
  Management programs, and what ramifications?
•  
• Should Wisconsin payers all use the HIPAA COW BA
  template (perhaps with expanded language
  prohibiting use of PHI for any aspect of
  marketing) with PBMs so that PBMs conclude this
  is a condition of doing business in Wisconsin?

13
NEXT STEPS (continued)

• Get copy of PBMs privacy notice to be used for
  mail-order pharmacies.
•  
• Do we need to communicate with our insureds about
  this?
•  
• Demand copy of PBMs internal inventory and
  assessment of uses of PHI?
•  
• Demand complete list of all uses that do and do
  not constitute TPO?
•  
• What if our claims info is being used to profile
  prescribers to pharmaceutical companies without
  disclosures of any PHI? Does HIPAA permit this?
  Can we stop it by contract? Do we care?

14
NEXT STEPS (continued)

• Given past misuse by PBMs, pharmaceutical
  companies, and/or pharmacies, demand indemnity
  provision from any PBM, even though not required
  under HIPAA.
•  
• Given size and scope of PBMs, chain of trust
  concepts must be spelled out in BA agreement and
  possibly monitored.

15
NEXT STEPS (continued)

• If our insureds use PBMs mail order service, what
  responsibility, if any, do we have for abusive
  use of PHI obtained through that practice? Is it
  clear that the 18 mail-order pharmacies are not
  our BAs?
• If we provide financial incentives to use mail
  order?
• If we encourage mail order use in non-financial
  ways?
• If we provide website link to PBMs mail order
  service?
•  
• Will PBMs violate their BA Agreements? Should we
  actively monitor this category of BAs?
•  
• Others?

16
Discussion/Questions?