New HIPAA Privacy Rules Take Effect April 14

By Alan M. Koral
October 07, 2003

Congress recently amended the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to include what has become known as the 'Privacy Rule,' a statutory provision addressing the privacy of health information. The Rule covers health care providers, health care clearinghouses and health plans, including employer-sponsored group health plans. Those plans that have fewer than 50 participants and are self-administered are exempt. This is the only HIPAA exemption for health plans. The compliance date for most providers and health plans is April 14, 2003. 'Small' health plans, that is, those with annual receipts of $5 million or less, have until April 14, 2004 to achieve compliance. Penalties for noncompliance include civil penalties of up to $25,000 per person, and criminal penalties of up to 10 years in prison and fines of up to $250,000.

As a practical matter, insured health plans will have a lighter compliance burden than self-funded plans because the insurance company or HMO will have the most exposure to, and interaction with, employees and their health information, and will therefore have the greatest compliance responsibilities. Self-funded group health plans, for the most part, have access to the information that an insurer or HMO would have, and will therefore have corresponding compliance requirements.

Employer Responsibilities Under the Privacy Rule


Sponsors of group health plans must do the following, although the degree of compliance varies depending on the scope of the health information about employees and dependents the employer receives as a plan sponsor:

  • Follow detailed rules governing access to, use of, and disclosure of employee and dependent health information.

  • Implement policies affording employees and dependents certain rights regarding their health information.

  • Meet a variety of other requirements, including:
    Creation of a health information policy and procedure manual;
    Training the workforce on the new policies and procedures;
    Designation of a Privacy Official; and
    Distribution of a Privacy Notice to employees.

Contents of the Privacy Notice


The required Privacy Notice is a detailed document that explains to employees and their dependents how the group health plan uses their health information, and outlines any external disclosures that are routinely made. It must be distributed to all current employees enrolled in the employer's group health plan by April 14, 2003, except that 'small' plans have until April 14, 2004. The Privacy Notice must also be given to new enrollees.

Review of Service Agreements


Employers should review their service agreements with service providers who have access to employee and/or dependent health information. Those that create or have access to such information, such as the third-party administrator for a self-funded group health plan, are called 'business associates' in the HIPAA amendments. A health insurer or HMO is not a 'business associate.' Employers must require that any 'business associate' contractually agrees to provide the same level of protection for the employee/dependent health information as does the group health plan itself. There are two ways to comply with the requirement: the current provider agreement can be amended, or a separate 'business associate' agreement can be created by the employer and the provider.

Conclusion


This article provides a thumbnail sketch of the new HIPAA privacy requirements. These requirements are voluminous and technical, and cannot be discussed in depth in a newsletter. The development of appropriate policies and manuals, the structure of the required training, and the contents of the Privacy Notice are best overseen by experts in the field who are familiar with the statute.

Alan M. Koral, Vedder, Price, New York
