HIPAA Compliance Statement
Magellan Health (Magellan) is fully compliant with the HIPAA Standards for Privacy, Electronic Transactions and Security.
Magellan’s Corporate Compliance Department works in conjunction with each of Magellan’s business units, departments, and regional offices to monitor ongoing compliance efforts and maintain the various reporting mechanisms that are required by law or requested by Magellan’s health plan customers. Magellan recognizes that it is a key business partner with its customers and will continue to provide all of its Managed Care and EAP services in accordance with the relevant requirements of all state and federal laws and regulations, including, as applicable, HIPAA.
Privacy
Magellan has historically held the privacy of patient information as a key tenet of our operations and processes. Magellan has always implemented policies and procedures for confidentiality that have met or exceeded existing state and federal regulations. Our many existing policies detailing compliance with HIPAA and its implementing regulations (including the HITECH Act and the Omnibus Rule of 2013) and other privacy-related requirements include:
- Authorization to Use and Disclose PHI (Protected Health Information)
- General Rules for Uses & Disclosures of PHI
- Uses & Disclosures of PHI for Treatment, Payment, & Health Care Operations
- Oral & Written Transmission of PHI
- Member Right to Request Privacy Protection of PHI
- Member Right to Request Access to PHI
- Member Right to Request Amendment of PHI
- Member Right to Request an Accounting of Disclosure of PHI
- Verification Policy
- Member Representation
- Notice of Privacy Practices
- Minimum Necessary Uses and Disclosures of PHI
- Uses & Disclosures of PHI Requiring No Permission From the Member
- Uses & Disclosures of PHI for Marketing, Fundraising, and Underwriting
- Uses & Disclosures for Specialized Government Functions
- Uses & Disclosures of PHI Requiring Prior Internal Approval
- Uses & Disclosures of PHI for Judicial & Administrative Proceedings
- Limited Data Set and De-Identification of PHI
- Unauthorized Uses & Disclosures of PHI
For example, these policies touch on some of the following areas:
Confidential Communications
Magellan has developed policies, procedures, and workflows to address confidential communications. We also work with our clients to implement procedures to coordinate member requests for alternative addresses or methods of communicating PHI.
Accounting of Disclosures
Through HIPAA, members have the right to receive an accounting of certain disclosures of their PHI made by covered entities in the six years prior to the date on which the accounting was requested. Magellan has developed and implemented a database to track all disclosures for which members have a right to an accounting. Our Corporate Compliance Department also conducts routine audits of this tracking.
Right of Access and Amendment
Members have a right to inspect and copy PHI about themselves, which allows them to understand the nature of their health information and ask that we amend or correct any perceived errors. Magellan has procedures in place to protect these member rights.
In sum, Magellan currently complies with all applicable federal and state laws regarding the confidentiality of PHI. Magellan provides HIPAA training to its staff with an emphasis on patient privacy and confidentiality. In cases where the clinical staff believes that HIPAA may be pre-empted by state law or where HIPAA pre-empts state law, they refer their questions to the company’s Legal Department. The Legal Department answers the questions based on a pre-emption analysis to ensure we are in compliance with the more stringent of the two laws.
Transactions and Code Sets
Magellan is in full compliance with the HIPAA Transactions and Code Sets regulation and has taken a leadership position within the industry by working to establish the accepted code sets for managed behavioral health care with the national standard-setting groups.
Magellan is compliant with ANSI X12N, Version 5010 with the Addenda. In meeting the challenge of complying with the Transactions and Code Sets requirements, we have completed the development of a new Electronic Data Interchange (EDI) strategy. We have implemented Edifecs software products: XEngine (version 9.2.2.10000), XEServer (version 9.2.2.10000), and Transaction Management (version 9.2.06) for message exchange between software applications, computing platforms, and communications protocols. Magellan uses XEngine to validate that incoming messages are X12-compliant and then to parse the X12 into individual elements for mapping into our host systems for processing. This product suite includes the templates for the HIPAA standard transactions.
Security
Magellan’s Cyber Security, Personnel Security, and Physical Security teams are tasked with ensuring that members’ health information is protected both at rest in our systems and in transit when it is exchanged electronically. To address this, we have implemented technical, physical, and administrative safeguards to enhance:
- Physical Security
- Personnel Security
- Cyber Security
Magellan has taken a multi-layered approach to security, providing perimeter protection, segregated operations, business, and administrative architectures along with extra protective measures associated with our external, cloud and website presence. Magellan also monitors all of these interfaces to identify inappropriate or unauthorized traffic, access, e-mail, and/or attempts to connect to Magellan systems.
Magellan has drafted and ratified security policies and procedures to meet compliance standards and to solidify best security business practices. Procedures have been implemented to support these policies, with each procedure complementing and following its policy for standardization. Policies that have been ratified to date are:
- Acceptable Use
- Access Control
- Asset Management
- Audit Logging & Monitoring
- Change Management
- Cloud Security
- Configuration Management
- Data Protection
- Data Retention Schedule
- Disaster Recovery & Business Continuity
- Email Security
- Encryption Management
- Endpoint Protection
- Enterprise Cyber Security Program
- Identity & Password Management
- Incident Response
- Information Governance
- Information Technology Risk Management
- Information Sensitivity
- Media Protection
- Mobile Device
- Network Security
- Patch and Vulnerability Management
- Security Assessment and Authorization
- Security Awareness and Training
- Secure Software Development Lifecycle
- Vendor Risk Management
Firewalls/Intrusion Detection Services (IDS)
Magellan employs the latest technology standards and equipment to protect its critical internal infrastructure. All firewalls are deployed, monitored, and managed by qualified, dedicated Magellan personnel. All perimeter protection equipment is installed, patched, and maintained in accordance with manufacturer standards and best security practices to ensure the best possible protection.
A traditional DMZ (demilitarized zone) structure is in place to support our e-commerce needs and is monitored and managed by qualified Magellan personnel via a state-of-the-art intrusion detection and prevention system (IDS/IPS). The IDS/IPS is monitored 24 hours a day, seven days a week, 365 days a year via an automated security alerting and log correlation system. Magellan’s Incident Response Team is engaged to review and respond to detection alerts based on a scheduled personnel rotation.
Systems Activity Audit/Monitor
All system activity, including user activity, is monitored in accordance with policy. All deviations from the accepted practices outlined in policy are investigated, and the risks associated with these events are mitigated accordingly.
Encryption Capabilities
The security of Magellan e-mail communications relies on a blend of three technologies to provide a diverse and flexible method of delivery: Virtual Private Networks (VPN) or dedicated links, an encrypting e-mail gateway, and a Web-based secure e-mail portal.
Wide Area Network (WAN)
All WAN connections are encrypted to industry standards. All WAN connections are managed by qualified, dedicated Magellan personnel.
World Wide Web (Internet)
All Magellan Internet-facing websites use Transport Layer Security (TLS) protocol version 1.3 to protect sensitive information.
Release of Magellan Proprietary Network/System Specific Information
It is Magellan’s policy not to disclose specifics regarding the detailed flowcharts and technical specifications of the software, hardware, and networks Magellan uses to construct its technical infrastructure. Specific details may be provided if appropriate non-disclosure agreements are executed between Magellan and the requesting party.
Vulnerability Assessments
Magellan routinely conducts security assessments and vulnerability testing and mitigates any issues or risks found in a timely manner. It is our policy not to disclose specifics regarding details or results of testing due to the proprietary and sensitive nature of the data. Magellan uses industry standard testing toolsets and engages third-party, independent agencies to verify security infrastructure.
Data Center Facilities
Magellan’s systems are housed in a secured data center located in Maryland Heights, Missouri. Access to the Data Center is controlled through a variety of physical security processes. Physical access is controlled by door, time of day, and day of the week, including holidays and weekends. System operators staff the Data Center 24 hours a day, seven days a week, 365 days a year.
Magellan leverages real-time data replication for backups of systems. Backups are replicated to our offsite disaster recovery site. The backups are kept offsite for up to a month. We send monthly backups to AWS to be archived indefinitely.
The Information Technology system provides short-term backup power through an Uninterruptible Power Supply (UPS). A backup diesel generator provides long-term power supply backup. Tests are performed periodically to maintain proficiency and assess the effectiveness of these systems.
Data Centers are protected against fire by a fire protection and alarm system. The detection systems are connected to a building alarm panel and the local fire department for immediate notification. Data Centers use a gas fire suppression system, a dry pipe sprinkler system, and are constructed with highly rated fire-resistant walls.
Disaster Recovery
Magellan has contracted with SunGard Availability Services to provide a pre-configured hot site with data replicated real-time located in Philadelphia, Pennsylvania to facilitate the continuation of data processing services performed on the computer systems in the event of a catastrophic disaster. Our approach addresses the following items:
- Potential types of disasters, risks, and probabilities of occurrence that would result in a significant disruption to successful operations
- Contingency plans to ensure continued operations and minimize impact
- A recovery strategy and process that defines roles and responsibilities during the period
- Critical business functions and the maximum tolerable interruption period
- Resources required to implement a successful recovery
Ongoing Compliance
Magellan’s Corporate Compliance Department is charged with overseeing ongoing compliance with the HIPAA regulations. This department is staffed by attorneys, compliance directors, and research analysts who work together to monitor any new developments and coordinate any necessary implementation of updated compliance requirements. Our HIPAA Training Program consists of initial training for all new hires, annual training refreshers for all employees, in-depth training for targeted areas, and remedial training on an “as-needed” basis. An internal auditing department audits corporate departments and regional offices to ensure appropriate compliance measures and procedures are in place.