Newsroom
THE HIPAA PRIVACY RULE
By now you all know about HIPAA, the Health Insurance Portability and Accountability Act of 1996. As you may also know, in August 2002 the federal government published a final Privacy Rule at 45 C.F.R. Parts 160-164 for the purpose of satisfying the privacy requirements of HIPAA (the "Privacy Rule"). Because a major deadline for compliance with HIPAA is approaching, we chose this as our first Newsroom topic. Unfortunately, the requirements under HIPAA regarding employers that sponsor group health plans are among the most complicated, so we hope that by providing you with this information you will be able to more easily understand what you need to do to comply.
The core of the Privacy Rule is a set of provisions governing the use and disclosure by covered entities of protected health information, or "PHI." Included as a covered entity is a plan sponsor, that is, the employer or other entity that sponsors the group health plan. Therefore, you as the employer have certain obligations and responsibilities relating to PHI under HIPAA, and if you are a small health plan, you must be in compliance by April 14, 2004. A small health plan is a health plan with annual receipts of not more than $5 million.
A major goal of the Privacy Rule is to ensure the protection of individual health information while allowing health information to be available when necessary in order to assure quality health care and to protect public health. Such a goal requires careful use of PHI to achieve an appropriate balance. The Privacy Rule is designed to be flexible and is intended to allow a covered entity to analyze its own needs and implement solutions appropriate to its surroundings. Basically, a covered entity must:
- Develop and implement written privacy policies and procedures consistent with the Privacy Rule.
- Designate a privacy official responsible for developing and implementing its privacy policies and procedures and a contact person responsible for receiving complaints and providing information on the covered entity's privacy practices.
- Train all workforce members on its privacy policies and procedures as necessary for them to carry out their functions. The covered entity must have and apply appropriate sanctions against workforce members who violate privacy policies in place under the Privacy Rule.
- Mitigate any harmful effect it learns was caused by use or disclosure of PHI by its workforce or business associates in violation of its privacy practices in place under the Privacy Rule.
- Maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of PHI and to limit its use.
- Have procedures for individuals to complain about its compliance with its privacy policies in place under the Privacy Rule. The covered entity must explain those procedures in its privacy practices notice.
- Refrain from retaliating against a person for exercising rights under the Privacy Rule.
- Maintain its privacy policies and procedures, notices, disposition of complaints, and other documentation required under the Privacy Rule until 6 years after the later of the date of their creation or last effective date.
EXCEPTION: The only administrative obligations with which a fully insured group health plan that has no more than enrollment data and summary health information is required to comply are (1) the ban on retaliatory acts and on requiring waiver of individual rights, and (2) the documentation requirements with respect to plan documents, if such documents are amended to provide for the disclosure of PHI to the plan sponsor by a health insurance issuer or HMO that services the group health plan.
If you are a fully insured company, you need to determine whether your group health plan creates, receives or maintains any PHI. If it does not, here are some guidelines for you to follow to avoid falling into the strict compliance mandates of HIPAA:
- Continue to refrain from creating or receiving PHI other than summary health information or enrollment information;
- Refrain from intimidating or retaliatory acts against any individual for the exercise of his or her rights under the Privacy Rule;
- Refrain from requiring individuals to waive their rights under the Privacy Rule as a condition of the provision of treatment, payment, enrollment or eligibility.
A comprehensive summary of the HIPAA Privacy Rule provided by the United States Department of Health & Human Services can be found, in downloadable form, at http://www.hhs.gov/ocr/privacysummary.pdf.
Please contact us for assistance with HIPAA compliance.