HIPAA compliance continues, with several new requirements and deadlines looming.  Group health plans (except for "small" health plans) face an April 20, 2005, deadline for compliance with HIPAA's security standards.  Proper compliance will include adoption and implementation of security policies, as well as the amendment of business associate contracts.  In addition, plans should review their practices and documents for compliance with the recently finalized portability regulations.

The security standards and final regulations will generally require the following action steps:  1) adoption of procedures that address security; 2) amendment of business associate contracts; 3) implementation of new forms for certificates of creditable coverage; 4) adoption of written procedures for requesting certificates; and 5) ensuring HIPAA compliance in retiree medical plans.

I.  Security Standards.
Group health plans that are not small health plans must now comply with HIPAA's security standards (the "Security Rule").  Small health plans have until April 2006 to comply.  A small group health plan is one that paid less than five million dollars in premiums (if insured) or benefits (if self-insured).

The objective of the Security Rule is to safeguard electronic systems that contain personal health information. The required safeguards are defined and organized in three categories, which are administrative, physical and technical.  A general description of each category is as follows:

1. Administrative.  Implementation will include policies and practices that address security management, information access, contingency planning and training.  Typical measures will include analysis and management of risk to electronic systems, login processes, data backup plans, disaster recovery plans and emergency operations plans.

2. Physical.  The Security Rule requires group health plans to implement physical safeguard standards for their electronic information systems, whether such systems are housed on the covered entity's premises or at another location.  These safeguards are physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment from natural and environmental hazards, and unauthorized intrusion.  The standards under physical safeguards include facility access controls, workstation use, workstation security, and device and media controls.

3. Technical. These safeguards limit access to electronic information to particular users or user groups.  Generally, technical safeguards will include different levels of software access rights, and will track access with appropriate audit controls.

The Security Rule is not a rigid set of procedures. It does contain certain items that are required to be addressed, but many items are merely "addressable."  It is a more workable standard that provides covered entities with flexibility to adopt implementing measures that are appropriate for that particular covered entity. In deciding which security measures to adopt, a covered entity must consider the following factors:

  1. The size, complexity and capabilities of the covered entity - this generally means that a small plan will not need to take the same measures to comply with the Security Rule as will a large plan.
  2. The covered entity's technical infrastructure, hardware and software security capabilities.
  3. The costs of security measures.
  4. The probability and degree of potential harm from potential risks to electronic confidential information.

One particular item of note is that all business associate contracts must be amended to take the Security Rule into account.  These amendments will likely not be lengthy, but will require the business associate to comply with the Security Rule.

II.  Final HIPAA Portability Regulations

The IRS, DOL and HHS recently issued final HIPAA regulations.  The final regulations essentially follow the interim regulations that were issued in 1997.  There were, however, several interesting modifications and clarifications to the prior regulations.  The regulations are generally effective the first plan year beginning on or after July 1, 2005.  Some of the more important modifications and clarifications are as follows:

Certificates of Creditable Coverage
Under the final regulations, certificates of creditable coverage must contain an informational statement regarding certain HIPAA portability rights.  This requirement is in addition to the information required under the interim regulations.  A model statement is provided in the regulations.

Group health plans must now have written procedures for individuals to request and receive certificates.  The prior regulations required the procedures, and the final regulations clarified that the procedures must be written.

Special Enrollment Periods
Individuals who are eligible for coverage under a plan but have coverage elsewhere have certain special enrollment rights if they lose the other coverage.  The final regulations expand the list of circumstances in which special enrollment rights are available to include the following losses of coverage:  upon reaching the lifetime maximum in another plan; if HMO coverage is lost because of a change in the service areas or moving out of the service area, as long as no other coverage is available under the plan; if a dependent loses dependent status; or if the plan no longer offers benefits to a class of individuals (such as part-time employees).  Group health plans should consider plan amendments to take these new events into account.  In any event, plans should operate in compliance with the new events.

The final regulations also clarify that special enrollees must be treated the same as those who enroll for the first time under the plan.  Thus, for example, a participant may change options if the participant adds a dependent.  Again, this will likely be an operational issue for most plans.

Other Special Rules
A group health plan is one that covers employees.  The final regulations clarify that "employee" means both current and former employees.  Thus, to the extent that a retiree-only plan did not previously comply with HIPAA, it should now.

In addition, health-spending accounts will generally be considered "excepted benefits" under HIPAA.  This has the effect of excluding HSAs from HIPAA portability coverage in many circumstances.  Limited scope health benefits (such as vision and dental) are also generally excluded from the portability requirements.  This will be operative when a participant does not have to elect the benefits, and the benefits require an additional contribution or premium.

Finally, the preamble to the regulations clarifies that the portability rules do not apply to health savings accounts.  However, the rules will generally apply to the associated high deductible health plan.

Buchanan Ingersoll & Rooney has significant experience in the application of HIPAA rules and can assist you in complying with those requirements.

THE ABOVE ADVICE WAS NOT INTENDED OR WRITTEN TO BE USED, AND IT CANNOT BE USED, BY YOU FOR THE PURPOSE OF (1) AVOIDING ANY PENALTY THAT MAY BE IMPOSED BY THE INTERNAL REVENUE SERVICE OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TRANSACTION OR MATTER ADDRESSED HEREIN.  IF YOU DESIRE SUCH AN OPINION, PLEASE SO ADVISE.