Article - Another HIPAA Deadline Looming

Although one important deadline related to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) has already passed, another even more significant deadline is fast approaching. While it is true that HIPAA’s Privacy Rule does not directly cover employers, an employer who sponsors a group health plan will probably be affected nonetheless. This article is intended to provide you with some information to help you begin determining your obligations as a health plan sponsor.

Which Plans Are Covered, And When Are They Covered?

Almost all group health plans are covered. (The only plans which are exempt are those with fewer than 50 participants administered entirely by the employer.) HIPAA’s definition of a health plan is broad enough to encompass not only medical plans, but also other benefit plans such as dental, vision, prescription drug plans and flexible spending accounts. Unless the plan sponsor chooses to designate them collectively as an Organized Health Care Arrangement, each plan stands on its own with respect to meeting its HIPAA obligations.

“Small plans” automatically have an extra year to comply with the April 14, 2003 Privacy Rule deadline. A small plan is one with annual receipts of $5 million or less. Even small plans may have to comply with many requirements of the Privacy Rule before April 14, 2004, but determining whether or not your plan qualifies as a small plan is the first critical step in your analysis. The key is to determine your health plan’s receipts.

Fully insured plans should use the amount of total premiums paid for health insurance benefits during the plan’s last fiscal year. Self-insured plans should use the total amount paid for health care claims by the employer, plan sponsor or benefit fund on behalf of the plan during the last full fiscal year. Plans that provide benefits through a mix of insurance and self-insurance should combine these measures to determine their total annual receipts. If the plan’s annual receipts are $5 million or less, then the plan automatically qualifies for one-year extensions of both deadlines described above.

If your plan does not qualify as a small plan and you have not already filed for an extension of the October 16, 2002 deadline for compliance with HIPAA’s new Standards For Electronic Transactions, you should begin working now toward compliance. Statistics suggest that many covered plans did not meet the October deadline.

Preparing For Compliance With The Privacy Rule

Regardless of which category your plan fits into, you should consider the requirements of HIPAA’s Privacy Rule. These issues are discussed below.

The Rule will affect employers who sponsor group health plans, as well as those who operate on-site medical clinics and/or EAPs. The Privacy Rule imposes numerous requirements that safeguard individually identifiable health information and provides employees with notices of their privacy rights and access to their records. It also requires establishment of additional physical and procedural safeguards. Many of these requirements vary, depending upon the kind of information employers receive, who receives it, how it is used and whether your plan is insured or self-insured.

To begin preparing to meet the requirements, you should conduct an assessment of exactly what areas of your organization handle individually identifiable health information. If you operate an on-site medical clinic, your obligations will be greater than those imposed upon employers who do not operate such services, at least for that portion of your organization. You should determine:

what types of individually identifiable health information you currently receive;
who sees it;
how they use it;
where it is retained; and
whether such access and use is necessary to accomplish your purposes.

This analysis is the starting point for establishing a HIPAA compliance plan.

You should also begin to identify your plan’s “business associates” who receive protected health information (“PHI”) from or on behalf of the plan. A TPA, broker or an attorney could be a business associate, but whoever your business associates are, the plan must execute a “business associate contract” with each of them before it can disclose PHI to them. Although written business associate contracts in effect before October 15, 2002 can extend the compliance deadline for this specific requirement, it is important to identify your plan’s business associates soon.

The HIPAA Privacy Rule will certainly impose additional administrative burdens on employers, but by beginning now to assess your relevant operations, you will be able to comply while avoiding cost and inconvenience. Although the Privacy Rule includes no authority for private lawsuits, significant penalties may be imposed for violations, including criminal sanctions. Rule violations may also be used against Plan Sponsors in ERISA lawsuits or in state law invasion of privacy actions.

Since the plan amendments and/or policy changes that you have to make will vary depending upon your particular circumstances, we urge you to begin preparing to meet the April 14, 2003 deadline soon. A last-minute, one-size-fits-all solution is unlikely to be satisfactory, particularly since you will have to comply with any language changes that you incorporate into your plan. We will of course be happy to assist you in your compliance efforts, but by making these preliminary inventories, you will significantly aide those efforts.