
Last Chance for Compliance: HIPAA Privacy for Small Health Plans

By Nancy Gallup
March 30, 2004

April 14, 2004 is the approaching deadline for small health plans (plans that have annual total premiums, counting both employer and employee contributions, of $5,000,000 or less) to comply with the privacy regulations under the Health Insurance Portability and Accountability Act (HIPAA).

The deadline will have its greatest impact on mid-size and small law firms that did not have to comply with last year's deadline, which applied only to large health plans. The amount of work required for a mid-size or small firm to comply will depend on whether the employer has any self-funded plans and the extent to which the firm itself receives protected health information.

The April 14, 2004 deadline, however, will also impact many large firms. Many large firms sponsor small health plans (e.g., dental plans, vision plans, health flexible spending arrangements, and employee assistance plans) that are not yet compliant. All firms, regardless of size, should review all of their health plans to determine compliance with the HIPAA privacy regulations.

HIPAA Privacy Requirements

HIPAA regulations impose numerous requirements concerning the use and disclosure of protected health information (PHI) by health plans. PHI is broadly defined as any information in electronic, paper, or oral form that is created or received by a health care provider, health plan, or employer that relates to “the past, present, or future physical or mental health or condition of an individual … or the past, present, or future payment for the provision of health care” and that identifies or could be used to identify an individual.

The Department of Health and Human Services (HHS), which enforces HIPAA, has clarified that the employer acts in its capacity as employer, rather than as health plan sponsor, when it performs enrollment and payroll processing. In fact, any information that an employer receives in its capacity as employer, rather than on behalf of a health plan, is not protected health information under HIPAA. This also includes, for example, information submitted in connection with a workers' compensation or disability claim, or a doctor's back-to-work note. However, COBRA processing and the issuance of HIPAA certificates of creditable coverage are inherently health plan administration functions, rather than employer functions, since they normally apply when the individual has left employment; these activities are covered by the HIPAA privacy requirements.

What You Have to do Now!

Law firms sponsoring group health plans should review and address the following:

  • Analyze data collected concerning the flow of PHI internally at the law firm, from its plan to vendors, from vendors to the firm, and from vendors to other third parties.
  • Determine who are considered to be the plan's business associates under the HIPAA privacy regulations (e.g., third party administrators (TPAs), FSA administrators, utilization review vendors, provider networks).
  • Develop and implement a strategy for bringing business associate agreements into compliance with the HIPAA privacy regulations (e.g., develop an addendum to existing agreements; develop a form business associate agreement).
  • Amend the plan document for the employer's plans (which may consist of separate benefits booklets/certificates). The plan document will need to specify when the employer will receive PHI and for what purpose, that the PHI will not be used for employment decisions, and that the employer will comply with requirements such as individual access and amendment.
  • Develop authorizations for times (if any) when the plan needs to disclose PHI for reasons other than treatment, payment or health care operations (TPO), or where psychotherapy notes may be used for TPO (e.g., if a mental health claim is appealed and the plan uses an outside medical reviewer).
  • Develop the plan's Notice of Privacy Practices, which must be provided to those currently covered no later than April 14, 2004, and to new enrollees at the time of enrollment thereafter. Covered individuals must also be reminded of the notice's availability, and how to obtain it, at least once every 3 years, and a materially revised notice must be distributed within 60 days of the revision.
  • Develop certifications for insurers and HMOs (if appropriate) regarding the plan's use of PHI (this is commonly built into the plan amendment mentioned above).
  • Develop policies and procedures for:
    • Permitting an individual to request a restriction on the uses and disclosures of PHI made to carry out payment or health care operations.
    • Accommodating reasonable requests from individuals to receive communications of PHI from the plan by alternative means or at alternative locations.
    • Providing individuals with a right of access to inspect and obtain copies of their PHI. If access is denied, the plan must in certain circumstances give the individual an opportunity to have the denial reviewed; the review must be by a licensed health care professional who did not participate in the original denial.
    • Providing individuals with the right to amend their PHI. (The plan can deny an amendment if, for example, it did not create the PHI.)
    • Giving individuals, on request, an accounting of disclosures of their PHI made during the 6 years preceding the request.
    • Giving individuals a process for lodging complaints concerning privacy (e.g., designate a contact person or office responsible for receiving complaints).

The firm will need to separate plan administration functions from HR functions, where necessary, and train the employees who perform plan administration functions in the privacy policies and procedures.

What do the EDI Rules Require?

The EDI (electronic data interchange) rules require the electronic transfer of information in a standard format between covered entities (which include health plans and providers). The EDI rules cover a variety of electronic transactions, including enrollment, submission of premium payments, claims, and coordination of benefits. The EDI rules also include standard diagnostic and procedural code sets and identifiers to be used in the standard transactions. Firms most likely to be affected by the EDI rules are those that self-administer health benefits (including health flexible spending accounts) or maintain on-site clinics or pharmacies. Other firms will probably be able to rely on their vendors to develop the required standard electronic formats. Business associate agreements should obligate vendors to comply with the EDI rules.

HIPAA Privacy Exemption

HIPAA provides an exemption for self-funded, self-administered group health plans with fewer than 50 participants (for smaller employers, this may cover health flexible spending accounts, if maintained as a separate plan). These plans are not required to comply with HIPAA's privacy regulations. This exemption, however, does not apply to a plan if the employer has hired a third party administrator (TPA) to administer the plan.

Enforcement, Penalties and Cost of Compliance

The costs of ignoring the HIPAA privacy rules can be high, given the significant sanctions and other legal risks associated with improperly released medical information. At the same time, firms may be able to take steps to reduce the costs of compliance. Potential liabilities for noncompliance include:

  • Civil penalties of $100 per violation, up to $25,000 per calendar year for violations of each identical standard or requirement in the privacy, security, or EDI rules;
  • Criminal penalties, which apply to a person who knowingly violates the rules, with increased penalties where the violation is committed under false pretenses or with intent to sell or use PHI for commercial advantage, personal gain, or malicious harm; and
  • Risk of being sued by individuals over improperly released PHI.

For insured benefits, compliance costs are low if the firm has no access to PHI. For self-insured benefits, the compliance burden (and legal risks for violations) can be reduced significantly if outside vendors are used for plan administration.

Conclusion

Affected law firms should take action now to ensure compliance with HIPAA privacy requirements by the rapidly approaching deadline of April 14, 2004.



Nancy Gallup, Dorsey & Whitney LLP, [email protected]
