This article is reprinted with permission from the Pittsburgh Business Times.

No matter where you’ve been in the last year, you have undoubtedly heard about a looming regulatory deadline for many group health plans. As of April 14, 2003, many group health plans must begin to comply with the final regulations regarding the privacy of individual health information under the Health Insurance Portability and Accountability Act (“Privacy Regulations”).

What you may not know, however, is that this April 14, 2003, deadline does not apply to all group health plans. For instance, the pending deadline of April 14, 2003, applies only to those group health plans with annual receipts of more than $5 million. Group health plans with annual receipts of $5 million or less are not required to comply with the Privacy Regulations until April 14, 2004. More importantly, those group health plans with fewer than 50 participants that are administered by an employer that both established and maintains the plan are not required to comply with the Privacy Regulations at all.

Assuming your group health plan is required to comply with the Privacy Regulations, it is important for you to understand what is required of a group health plan under the Privacy Regulations. If your group health plan has a compliance deadline of April 14, 2003, and is unable to comply by that date, the group health plan must nonetheless work toward compliance. If your group health plan has a compliance deadline of April 14, 2004, you can reduce potential chaos by working toward compliance throughout this year.

Whatever your group health plan’s current situation, following are answers to some of the most common questions asked by group health plans:

As an employer who is a sponsor of a Group Health Plan, am I subject to the Privacy Regulations?

Employers are not directly subject to the Privacy Regulations. However, group health plan sponsors are indirectly subject to the Privacy Regulations, because the Privacy Regulations restrict the information that a group health plan (and/or the insurer or other entity involved in administering or insuring the plan) can share with the plan sponsor of the group health plan.

Specifically, the group health plan is prohibited from sharing Protected Health Information with plan sponsors unless the plan sponsor meets certain requirements set forth in the Privacy Regulations. One goal of this requirement is to protect employees from having their Protected Health Information used by employers in employment decisions.

What is a Group Health Plan? 

For purposes of the Privacy Regulations, a group health plan is any plan that provides medical care to employees or their dependents directly or through insurance, reimbursement or otherwise. The plan can be insured or self-insured. Some examples of group health plans include medical, dental, vision and health flexible spending arrangements. Generally, it is the responsibility of the plan administrator of the group health plan to ensure that the plan complies with the Privacy Regulations.

What needs to be done?   

In order to comply with the Privacy Regulations, group health plans must take action to prevent the misuse of individually identifiable health information (“Protected Health Information”). Specifically, group health plans may not use or disclose Protected Health Information unless they are authorized by the specific individual or allowed under the Privacy Regulations.

The actual steps which a group health plan must take to comply with the Privacy Regulations depend upon the specific facts and circumstances of each plan. Following are some of the general requirements that may apply to a group health plan:

  • Drafting and providing a legally compliant notice for participants to notify them about their privacy rights and how their Protected Health Information can be used;
  • Preparing and implementing legally required privacy procedures and plan amendments which are specific to the group health plan;
  • Preparing and presenting a training program to educate employees on the legal requirements of the Privacy Regulations and the privacy procedures adopted by the group health plan;
  • Selecting and appointing a qualified individual to be responsible for seeing that the privacy procedures are adopted and followed; and
  • Creating and maintaining a system which secures participant records containing Protected Health Information from being readily available to those who do not have rights to them.

Recently, the U.S. Department of Health and Human Services (the agency enforcing the Privacy Regulations) announced that it will focus its investigations on those group health plans for which it receives complaints, rather than on random audits. Nonetheless, if they have not already done so, group health plans should begin the process of complying with the Privacy Regulations.

What is Protected Health Information?   

Protected Health Information includes a broad category of information. Generally, it includes, but is not limited to, any information created or received by entities such as health plans and employers that relates to the existence of a physical or mental health condition, or the provision of or payment for health care to an individual.

What are the consequences for not complying?   

If a group health plan does not comply with the Privacy Regulations, it may face new civil or criminal penalties.