HIPAA Compliance and What It Means for Your Group Health Plan
This article is reprinted with permission from the Pittsburgh Business Times.
No matter where you’ve been in the last year, you have undoubtedly heard about a looming regulatory deadline for many group health plans. As of April 14, 2003, many group health plans must begin to comply with the final regulations regarding the privacy of individual health information under the Health Insurance Portability and Accountability Act (“Privacy Regulations”).
What you may not know, however, is that this April 14, 2003, deadline does not apply to all group health plans. For instance, the pending deadline of April 14, 2003, applies only to those group health plans with annual receipts of more than $5 million. Group health plans with annual receipts of $5 million or less are not required to comply with the Privacy Regulations until April 14, 2004. More importantly, those group health plans with fewer than 50 participants that are administered by the employer that both established and maintains the plan are not required to comply with the Privacy Regulations at all.
Assuming your group health plan is required to comply with the Privacy Regulations, it is important for you to understand what is required of a group health plan under the Privacy Regulations. If your group health plan has a compliance deadline of April 14, 2003, and is unable to comply by that date, the group health plan must nonetheless work toward compliance. If your group health plan has a compliance deadline of April 14, 2004, you can reduce potential chaos by working toward compliance throughout this year.
Whatever your group health plan’s current situation, following are answers to some of the most common questions asked by group health plans:
As an employer who is a sponsor of a Group Health Plan, am I subject to the Privacy Regulations?
Employers are not directly subject to the Privacy Regulations. However, group health plan sponsors are indirectly subject to them, because the Privacy Regulations restrict the information that a group health plan (and/or the insurer or other entity involved in administering or insuring the plan) can share with the plan sponsor of the group health plan.
Specifically, the group health plan is prohibited from sharing Protected Health Information with plan sponsors unless the plan sponsor meets certain requirements set forth in the Privacy Regulations. One goal of this requirement is to protect employees from having their Protected Health Information used by employers in employment decisions.
What is a Group Health Plan?
For purposes of the Privacy Regulations, a group health plan is any plan that provides medical care to employees or their dependents directly or through insurance, reimbursement or otherwise. The plan can be insured or self-insured. Some examples of group health plans include medical, dental, vision and health flexible spending arrangements. Generally, it is the responsibility of the plan administrator of the group health plan to ensure that the plan complies with the Privacy Regulations.
What needs to be done?
In order to comply with the Privacy Regulations, group health plans must take action to prevent the misuse of individually identifiable health information (“Protected Health Information”). Specifically, group health plans may not use or disclose Protected Health Information unless they are authorized by the specific individual or allowed under the Privacy Regulations.
The actual steps that a group health plan must take to comply with the Privacy Regulations depend upon the specific facts and circumstances of each plan. Following are some of the general requirements that may apply to a group health plan:
- Drafting and providing a legally compliant notice for participants to notify them about their privacy rights and how their Protected Health Information can be used;
- Preparing and implementing legally required privacy procedures and plan amendments which are specific to the group health plan;
- Preparing and presenting a training program to educate employees on the legal requirements of the Privacy Regulations and the privacy procedures adopted by the group health plan;
- Selecting and appointing a qualified individual to be responsible for seeing that the privacy procedures are adopted and followed; and
- Creating and maintaining a system which secures participant records containing Protected Health Information from being readily available to those who do not have rights to them.
Recently, the U.S. Department of Health and Human Services (the agency enforcing the Privacy Regulations) announced that it will focus its investigations on those group health plans for which it receives complaints, rather than conducting random audits. Nonetheless, if they have not already done so, group health plans should begin the process of complying with the Privacy Regulations.
What is Protected Health Information?
Protected Health Information includes a broad category of information. Generally, it includes, but is not limited to, any information created or received by entities such as health plans and employers that relates to the existence of a physical or mental health condition, or the provision of or payment for health care to an individual.
What are the consequences for not complying?
If a group health plan does not comply with the Privacy Regulations, it may face new civil or criminal penalties.