You're reading riskVue.

THE WEBZINE FOR RISK MANAGEMENT PROFESSIONALS


HIPAA Is Here—Ready Or Not

By Robert M. Elconin
Lindquist & Vennum PLLP

On April 14, 2003, the long-awaited HIPAA rules took effect, establishing a sweeping federal law guarding protected health information. By now, employers should be operating their health plans in compliance with this complex new law, but many may still be wondering what exactly they must do, or may still be in the process of rolling out new procedures.

HIPAA—the Health Insurance Portability and Accountability Act of 1996—sets standards on how health information may be used or disclosed by health care plans and providers. Although these new requirements come at a difficult time for many businesses struggling with rising health care costs and a weakened economy, compliance with HIPAA is not an option. HIPAA’s requirements are mandatory and complicated. Companies that have not yet developed compliance protocols are at substantial risk, potentially exposing themselves to lawsuits by employees or regulatory action by enforcement agencies for failure to adequately guard protected health information.

Compliance may be especially challenging for medium-sized businesses, since smaller health plans have another year to comply, and larger health plans typically have greater resources to address HIPAA requirements. However, for businesses of all sizes, risk managers must understand HIPAA and ensure their respective companies are meeting HIPAA requirements on an ongoing basis, even after initial compliance systems and procedures are established.

What Is Covered By HIPAA

Group health plans offered by employers are “covered entities” under HIPAA. Thus, employers that offer group health benefits must comply with HIPAA in their role as a plan sponsor.

Specifically, plans covered by HIPAA include employer-sponsored plans, HMOs, health insurance companies, and a variety of governmental insurance programs. Employer-sponsored plans covered by HIPAA include insured and self-insured medical benefit plans, long-term care programs, and dental and vision care plans.

Excluded from coverage are long- and short-term disability insurance plans, life insurance programs, workers’ compensation insurance, and self-administered plans that cover fewer than 50 participants. “Small health plans” (annual receipts of $5 million or less) have a delayed effective date of April 14, 2004. Federal regulators have not yet ruled whether health flexible spending arrangements (FSAs), offered as part of a benefit plan, are covered by HIPAA.

What Is Required By HIPAA

The basic requirements under HIPAA are straightforward. However, HIPAA privacy rules contain many specific requirements that may not be intuitive or easy to satisfy.

  • HIPAA privacy rules apply to health plans, health care clearinghouses, and health care providers who transmit health information electronically, referred to under HIPAA as “covered entities.”
  • Covered entities are prohibited from using or disclosing any individually identifiable health information (“protected health information”), except as otherwise permitted by the regulations. Employment records are exempt from HIPAA, but health information obtained by an employer from its health plan may not be used for employment purposes.
  • HIPAA contains exceptions that allow protected information to be used or disclosed in the ordinary course of business. Covered entities may use or disclose protected health information for “treatment, payment, or health care operations” without obtaining an individual’s consent or authorization. Additionally, covered entities may disclose protected health information:
    • To public health authorities;
    • To governmental authorities about an incident of domestic violence;
    • For health oversight and regulatory activities;
    • For judicial and administrative proceedings pursuant to court orders and subpoenas;
    • To law enforcement officials for crime prevention purposes;
    • For organ donation purposes;
    • For medical research under specific guidelines;
    • To avert a serious threat to health or safety.
  • For uses not otherwise permitted by HIPAA, a covered entity must obtain specific written authorization from the individual who is the subject of the health information. Verbal consent is permissible in certain limited circumstances.
  • Covered entities must provide a notice of privacy practices to their patients or plan participants. The notice must explain the covered entity’s privacy procedures and describe an individual’s rights with respect to his or her own information, including the right to inspect and copy records, amend incorrect information, receive an accounting of any disclosures made to third parties, receive health information in a confidential manner, and request special restrictions on use or disclosure of health information.
  • Covered entities have many administrative obligations under the law, including appointing a privacy officer, providing training for personnel who handle protected health information, creating a complaint system, and ensuring appropriate technical and physical safeguards are in place to protect the security of health information. If covered entities disclose protected health information to “business associates” who act on their behalf (such as third-party administrators, utilization review or quality assurance providers, and data processors), or who provide professional or consulting services, the covered entity must obtain “satisfactory assurance” that the third party will safeguard the information.
  • More restrictive state privacy laws must still be satisfied; HIPAA only preempts state laws that conflict with federal requirements.

What Employers Must Do

The impact of HIPAA on an employer is determined by the size of the employer’s health plan, whether coverage is provided through standard health insurance or an HMO, and the extent of the employer’s involvement in plan administration.

For HIPAA purposes, employers will generally fall into one of three broad categories.

  • Employers that administer their own health plans are subject to the full panoply of HIPAA requirements. Among other things, self-administered plans must provide the Notice of Privacy Practices to employees, appoint a Privacy Officer, establish internal procedures for guarding information, amend plan ERISA documents to permit sharing of information between the health plan and plan sponsor, enter into business associate contracts with any third-party vendors, and establish procedures for employees to see and amend their own protected health information. A self-administered plan must also establish a “firewall” to ensure only employees involved in plan administration have access to protected health information and that there is “adequate separation” between the health plan and the plan sponsor.
  • Employers that provide health coverage through insurance or HMO programs may avoid many HIPAA requirements. In these situations, HIPAA compliance can largely be shifted to the insurer or HMO, including administrative duties such as issuing privacy notices and appointing a privacy officer.
  • Employers that provide coverage through an insurance or HMO arrangement, but engage in certain aspects of administration of plan benefits, generally need to comply with HIPAA privacy requirements. Employers that receive any protected health information, beyond just enrollment data and summary health information, subject themselves to the full scope of HIPAA rules and requirements. For example, an employer that administers its health plan through an insurance company, but allows its own human resources personnel to review claim appeals, must comply with HIPAA if the personnel are privy to protected health information.

With HIPAA now in effect, each employer should have already evaluated the impact of HIPAA on its health plans and implemented its new privacy procedures. From a risk management standpoint, however, HIPAA compliance should not be viewed as a one-time event, but as a continuous effort to ensure employees are trained and systems are in place to protect the company against violations.

HIPAA promises significant privacy protection for consumers of health care. But that protection comes with a heavy price: the cost of compliance for providers and payers of health care, including the many businesses that provide health plans for their employees. In time, compliance may become routine, but for now risk managers and compliance officials in American businesses have their work cut out for them.

ABOUT THE AUTHOR

Robert M. Elconin, a partner in the Health and Insurance Law Group of Lindquist & Vennum, assists insurance and financial services companies with regulatory and compliance issues. He can be contacted in the firm’s Minneapolis office at 612-371-3930; e-mail relconin@lindquist.com.

riskVue | The webzine for risk management professionals
May 2003
Copyright ©1999–2008 by Warren, McVeigh & Griffin, Inc.
ISSN 1553-8826