Health Care Legal Update   March 2004

Employers That Sponsor Group Health Plans Must Adhere To HIPAA Privacy Deadline

Did you know that if you sponsor a group health plan for your employees, your group health plan may be subject to the HIPAA Privacy Rule? A group health plan is a covered entity under HIPAA if it has more than 50 participants or is administered by an entity other than the employer that established and maintains the plan. Group health plans subject to HIPAA include any medical, dental, vision or health care flexible spending account benefits that are offered to employees, whether through insurance or otherwise. The HIPAA Privacy Rule creates rights for group health plan participants regarding their health information and creates administrative procedures that must be followed by employers.

Many group health plans are considered "small health plans" under HIPAA. Small health plans must comply with the requirements of the HIPAA Privacy Rule by April 14, 2004. (Group health plans that are not "small health plans" were required to comply with the Privacy Rule on April 14, 2003.) A group health plan is a small health plan if it has annual receipts of $5 million or less during the most recent full fiscal year of the plan. For fully insured group health plans, "receipts" means premiums. For self-funded group health plans, "receipts" means claims paid (administrative fees paid to a third party administrator and stop loss insurance premiums and reimbursements may be disregarded in the calculation). If your plan is entirely provided through insurance, your plan is exempted from most, but not all, of the requirements of the Privacy Rule. However, you lose this exemption if you create or receive any protected health information on behalf of the plan (other than enrollment information and de-identified summary information). To the extent your plan is not provided through insurance (e.g., self-insured medical plans and certain health care flexible spending accounts), it is fully subject to the Privacy Rule.

Action Plan

You should do the following as part of your HIPAA group health plan compliance program:

  • Appoint a Privacy Official*
  • Appoint a Contact Person (an individual or office) to handle privacy complaints from plan participants*
  • Prepare and distribute a "Notice of Privacy Practices" to all employees and their spouses and dependents (provided by insurer if fully insured, and employer if self-insured)*
  • Train employees who provide services to the plan, such as human resources personnel*
  • Develop written policies and procedures regarding the handling of protected health information by employees who provide services to the plan, the use and disclosure of protected health information, access to protected health information by participants, and the mitigation of any violations of the Privacy Rule*
  • Amend plan documents to include certain HIPAA provisions*
  • Adopt an "Employer Certification" certifying that the employer will comply with the Privacy Rule with respect to any protected health information received from the group health plan*
  • Enter into Business Associate Contracts with any entity (e.g., third party administrator, broker, benefit consultant or other vendor) that handles employee protected health information on behalf of the employer*
  • Implement a policy that prohibits any employee from engaging in intimidating or retaliatory acts against any individual for exercising their rights under the Privacy Rule
  • Implement a policy that prohibits requiring individuals to waive their rights under the Privacy Rule as a condition of treatment, payment, eligibility, or enrollment in the plan
  • Implement a policy regarding documentation of policies and communications required under the Privacy Rule

* Items identified by an asterisk do not apply to insured plans where the employer receives no protected health information other than enrollment information and de-identified summary information. The remaining items are applicable to all group health plans.

After complying with the initial HIPAA Privacy Rule requirements, a group health plan must, on an ongoing basis:

  • Follow its policies, procedures and safeguards
  • Respond to individual rights requests
  • Impose sanctions for noncompliance and mitigate wrongful disclosures
  • Provide training to new workforce members

Third-party administrators or benefits consultants may have assured you that they will handle or assist you with group health plan HIPAA compliance; however, you cannot assume that they will handle all HIPAA compliance issues for you. In general, the employer, as plan administrator, is the fiduciary that is obligated to ensure HIPAA group health plan compliance. Even inadvertent violations can lead to civil penalties of up to $25,000 per year per violation. Malicious violations can be punished by up to ten years in prison and a fine of up to $250,000.

If you require our assistance or have any questions please contact Michael Dowell at mdowell@tocounsel.com or the lawyer in the firm who generally handles your health care legal matters.