17 Mar Time for health plans to comply with HIPAA privacy rules
Effective April 14, 2004, the privacy rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) generally apply to all “health plans,” including “small” plans with annual receipts under $5,000,000.
What is a “health plan?”
A health plan is any insured or self-insured plan that provides medical care. Examples of health plans include major medical plans, dental plans, vision plans, employee assistance plans (EAPs) that provide mental health care, health flexible spending accounts (FSAs), medical expense reimbursement plans (MERPs), health reimbursement accounts (HRAs), and the new health savings accounts (HSAs).
There is an exception for some small, self-administered plans.
The HIPAA privacy rules do not apply to health plans with fewer than 50 participants that are self-administered. Thus, a self-insured health plan that has fewer than 50 participants but uses a TPA would not qualify for this exception. Similarly, an insured plan with fewer than 50 participants would not qualify because it is not self-administered.
Caution: Flexible spending accounts are health plans!
Remember that FSAs are considered health plans for purposes of the HIPAA privacy rules. Therefore, if you have an insured plan but also sponsor a cafeteria plan with FSAs, you will likely be subject to many of the privacy rules with respect to the FSAs, even though the insurer bears most of the compliance burden with respect to your major medical plan. For example, any determination by the employer that a particular expense is a reimbursable medical expense would involve the employer’s use of “protected health information” (see below).
Who’s affected, and how?
The HIPAA privacy rules are directed at the health plans themselves (and treat them as “covered entities”). The HIPAA privacy rules affect an employer who sponsors a health plan only to the extent that the employer receives “protected health information” (PHI) from the health plan. Protected health information is any individually identifiable information that relates to: (i) the past, present or future physical or mental health condition of an individual; (ii) the provision of health care to the individual; or (iii) the past, present or future payment for the provision of health care to the individual.
Employers who sponsor fully insured plans (through an insurer or HMO) are generally free from most HIPAA privacy obligations. This assumes, however, that the sponsor receives only “summary health information” from the insured group health plan. Summary health information (SHI) is PHI that is stripped of certain identifiers – such as name, Social Security number and geographical information – and that summarizes claims history, claims experience or claims expenses. If an employer/sponsor agrees to use SHI only for obtaining premium bids or in order to modify, amend or terminate its health plan, the employer must comply with the following:
· Refrain from intimidating or retaliating against individuals who exercise their privacy rights;
· Ensure that the plan documents restrict the use of PHI (see below) and specify the permitted uses of SHI.
Employers who receive PHI other than simply SHI are subject to a greater array of HIPAA privacy administrative and documentation requirements. Under the administrative requirements:
· The plan (not just the insurer) must maintain a privacy notice and provide it upon request;
· The plan must designate a privacy officer;
· The plan must designate a contact officer to receive complaints;
· Employees must be trained on privacy policies and procedures;
· Effective “firewalls” must be established to protect the privacy of PHI, separating employees who work with PHI on behalf of the plan from those who do not (this may involve a combination of physical, administrative and technical safeguards);
· There must be a process for handling privacy complaints;
· Sanctions must be developed for employees who violate privacy procedures;
· The plan must mitigate, to the extent possible, any harmful effect of a violation of its privacy procedures;
· The plan must refrain from retaliatory or intimidating acts against persons who exercise their privacy rights under HIPAA;
· The plan may not require people to waive their HIPAA rights in order to apply for benefits under the plan;
· Effective HIPAA policies and procedures must be in place and must be maintained in writing or electronic form for at least 6 years.
Under the plan document requirements, health plan documents (including summary plan descriptions) must lay out the employer’s permitted uses of PHI, including the sharing of PHI with third parties known as “business associates,” and employees’ privacy rights. The employer/sponsor must certify to the group health plan that the plan documentation complies with HIPAA; an insurer or HMO may release PHI to the sponsor only after that certification is in place.
Self-insured plans are subject to all of the above rules. In addition, they must provide privacy notices to individuals covered by the health plan by April 14, 2004 (if they are small health plans). After April 14, 2004, self-insured plans must provide the notice to new enrollees at the time of enrollment and, at least once every three years, remind covered individuals that the notice is available and how to obtain it. They must also furnish participants with a revised notice within 60 days of any material change to it.
Don’t forget that if you deal with organizations such as third-party administrators, utilization reviewers, COBRA administrators, actuaries and even attorneys, you will probably need a “business associate contract” if your relationship involves the use or disclosure of PHI. Business associate contracts are basically HIPAA’s way of indirectly regulating third parties, even though they are not “covered entities” under HIPAA. Such contracts must incorporate provisions ensuring HIPAA-compliant use of PHI by the April 14, 2004 deadline.
Susan J. Erickson and Brian L. Anderson are both attorneys at DeWitt Ross & Stevens S.C.