Human Resources: HIPAA Compliance Deadline For Employers Who Sponsor Group Health Plans Is Fast Approaching

Last summer, the Department of Health and Human Services adopted its final Privacy Rules under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). These rules provide guidelines for safeguarding the use and disclosure of individually identifiable health information, and impose certain obligations on "covered entities" that use or disclose "protected health information." If you are an employer who sponsors a group health plan, you may be required to comply with certain HIPAA privacy requirements as early as April 14, 2003.

Who is a Covered Entity?

HIPAA is generally applicable to all "health plans," including any individual or group plan that provides, or pays the cost of, medical care. This definition includes employer-sponsored insured group health plans, self-funded group health plans, vision plans, dental plans and health care flexible spending accounts. Certain types of plans are specifically excluded from the definition of health plan, including life insurance, workers compensation coverage and short-term and long-term disability coverage. Additionally, employer-administered, self-funded group health plans with 49 or fewer participants are excluded from HIPAA coverage.

While a group health plan sponsored by an employer is generally a covered entity for purposes of HIPAA compliance, the employer itself is not a covered entity under HIPAA. However, certain compliance obligations are imposed indirectly on such employer because of the direct regulation of its group health plan under the Privacy Rules. The compliance obligations imposed on a group health plan and its sponsor vary greatly depending upon the role of the employer in administration of the group health plan, whether the group health plan is insured, and whether the employer receives protected health information.

What is Protected Health Information?

Protected health information ("PHI") is information relating to an individual''s medical condition, the provision of medical care for that individual or the payment for that individual''s medical care, which is individually identifiable (i.e., the information identifies the individual to whom it relates), controlled by or in the possession of a covered entity (i.e., a group health plan) and received by a provider, group health plan or employer. An employer/sponsor receiving the following types of health information will not be treated as receiving PHI: (i) summary health information received from an insurer for the purpose of obtaining premium bids or modifying or terminating the group health plan, (ii) receipt of health information for the purposes of performing enrollment and dis-enrollment functions, and (iii) receipt of de-identified health information. Given that the purpose of HIPAA is to prevent the improper disclosure and use of PHI, the requirements imposed upon the group health plan and the employer/plan sponsor depend largely on whether and to what extent the employer/plan sponsor receives PHI from the group health plan.

What Requirements May Be Imposed on a Covered Entity?

All covered entities are required to refrain from intimidating, threatening, coercing, discriminating against or taking other retaliatory action against individuals for (i) exercising their rights, (ii) filing a complaint, (iii) participating in an investigation, or (iv) opposing any improper practice under HIPAA. Additionally, individuals cannot be required to waive their rights under HIPAA as a condition of treatment, payment, enrollment or eligibility.

If a group health plan is fully insured and the employer/sponsor does not receive PHI, no privacy requirements are imposed on the group health plan or the employer/sponsor except the prohibitions on retaliation and waiver discussed above. However, where a group health plan is (i) self-funded or (ii) fully-insured and the employer/sponsor receives PHI, numerous requirements are imposed under the Privacy Rules, including the following:

Distribution of Privacy Notice. The group health plan must prepare and distribute a notice of the plan''s privacy practices, which describes (i) the uses and disclosures of PHI that may be made by the plan, (ii) the participant''s rights under HIPAA, and (iii) the plan''s legal duties with respect to the PHI.
Provision of Individual Rights. Each individual must be provided with certain rights with respect to his or her own PHI, including (i) the right to inspect and copy his or her own PHI within certain periods of time, (ii) the right to amend or correct PHI that is inaccurate or incomplete, and (iii) the right to obtain an accounting of certain disclosures of his or her own PHI made within the last six years.
Establish Administrative Safeguards. Various administrative safeguards must be established, including (i) the appointment of a privacy officer to develop and implement the plan''s privacy policies and procedures and to receive complaints and answer questions regarding the privacy notice, (ii) the training of employees performing plan functions regarding the plan''s privacy rules and procedures, and (iii) the development of a system for tracking uses and disclosures of PHI.
Amend Plan Documents. The employer/sponsor must amend the plan documents to establish the permitted uses and disclosures of PHI by the employer. Additionally, the employer/sponsor must certify to the plan sponsor that it (i) will not use or further disclose PHI other than as permitted by the plan documents or as required by law, (ii) will ensure that any agents or subcontractors to whom it provides PHI which it received from the plan will agree to the same restrictions and conditions that apply to the sponsor, and (iii) will not use or disclose PHI for employment-related actions or in connection with any other employee benefit plan.
Create Firewalls. The employer/sponsor must determine which employees will have access to PHI, and must implement a procedure to ensure that only these designated employees have access to PHI and that such employees do not use or disclose PHI in any way that is prohibited.
Review Business Associate Agreements. If the employer/sponsor will disclose any PHI to a third-party plan administrator, attorney, accountant, consultant or other similar third-party to assist the employer in performing plan functions, the employer must enter into a business associate agreement with such individuals or entities which requires them to comply with certain terms of HIPAA''s privacy requirements.

What is the Effective Date of the HIPAA Privacy Rules?

If the total amount paid in your last full fiscal year for health care claims or insurance premiums with respect to your group health plan was $5,000,000 or more, the deadline for HIPAA compliance is April 14, 2003. However, if the total amount paid for health care claims or insurance premiums was less than $5,000,000, the HIPAA compliance deadline has been extended to April 14, 2004.

What Penalties May Be Imposed For Failure to Comply?

Both civil and criminal penalties may be imposed for HIPAA noncompliance. A civil penalty of $100 may be assessed for each provision of the Privacy Rules violated, with an annual cap of $25,000 per person, per provision violated. Knowing violations of the Privacy Rules may result in criminal penalties, including monetary fines and imprisonment ranging from $50,000 and one year of imprisonment to up to $250,000 and 10 years imprisonment.

Mary E. Smith is a member of the Member of Securities, Taxation practice areas of Luce, Forward, Hamilton, & Scripps, LLP in the San Diego Office, and can be reached at 619.699.2498 or msmith[at]luce.com.