Small Employer Obligations Under HIPAA Privacy Rules: Part II

Sunday, February 1, 2004
Part II: What Is the Extent of the HIPAA Obligations and What Is Necessary to Comply?
by Jackson Lewis

As most health plans will be subject to the privacy regulations recently issued under the Health Insurance Portability and Accountability Act of 1996 (Privacy Rules), the question becomes what the scope of the plan's compliance obligations is. As mentioned in Part I of this article, plan design and operation will guide that determination. Part II outlines the different levels of compliance for plans subject to the Privacy Rules in a question and answer format.

In addition to the Privacy Rules, do the HIPAA regulations dealing with Electronic Transaction Code Sets and Security also apply to our plan?

If the plan is subject to the Privacy Rules, it would also be subject to the HIPAA regulations dealing with Electronic Transaction Code Sets and Security. As discussed below, however, a detailed discussion of these regulations is beyond the scope of this article.

The Electronic Transaction Code Set regulations apply to certain transactions (such as claims payment) that are made electronically and involve the transfer of protected health information. In the case of insured plans, the insurance company, itself subject to these regulations, carries out the transactions on behalf of the health plan. In the case of a self-funded plan, a third-party administrator (TPA) is typically engaged to do so. For plans that engage a TPA, the health plan must obtain written assurances, in the form of a business associate agreement, that the TPA will carry out these transactions in accordance with the Electronic Transaction Code Set regulations.

Because the Security regulations are not effective until 2005 (2006 for small health plans), they are not discussed in this article.

The Privacy Rules contain an exception to certain administrative requirements for fully-insured health plans. Does that exception apply to our plan?

It is true that while the Privacy Rules apply to all covered health plans, certain fully-insured health plans are excluded from many of the administrative requirements. In order for this exception to apply, the plan must (1) be fully-insured and (2) except for certain summary and enrollment information, not create or receive protected health information.

Plans should examine closely whether they satisfy the above requirements, especially number (2). For example, employees who, in the course of administering the plan, assist other employees in furthering claims with the insurance company may be creating or receiving protected health information. Doing so may cause this administrative exception to not apply.

Even if this exception applies to your plan, all covered plans must have a policy that prevents retaliation against any participant for exercising his or her rights under the Privacy Rules. In addition, no plan may require a person, as a condition to plan participation, to waive his or her rights under the Privacy Rules.

What is "protected health information"?

In general, the term "protected health information" refers to individually identifiable health information created or received by an entity subject to the Privacy Rules that relates to the past, present or future physical or mental health or condition of an individual, including information regarding the provision of and payment for health care, that is transmitted or maintained in any form or medium. The information must either identify the individual or provide a reasonable basis to believe that the information can be used to identify the individual.

Our company maintains a fully-insured health plan to which the administrative exception described above applies. However, we also maintain health flexible spending accounts (i.e., a health flexible spending arrangement (HFSA)) for our employees which are administered by a third-party administrator. Is the HFSA subject to the Privacy Rules as well and, if so, would the administrative exception apply?

Yes, as mentioned in Part I of this article, the HFSA is subject to the Privacy Rules. The reason is that HFSAs are self-funded health plans under ERISA. Because of their self-funded status, the administrative exception would not apply.

The administrative exception described above does not apply to my company's health plan. What should I do first?

The key to compliance with the Privacy Rules is establishing and implementing policies and procedures to protect certain health information handled in connection with the covered plans.

Designing these policies and procedures requires that you first understand how health information is handled by your plan, by conducting a form of "self-audit." That is, with respect to this information, you should first ask, for example, who receives it, who makes decisions with respect to it, where is it kept, who has access to it, under what conditions is it disclosed and does anyone provide services to the plan involving such information. Answers to these and other questions will put you in a better position to determine the extent and scope of the policies and procedures necessary for your plan to comply with the Privacy Rules.

The administrative exception described above does not apply to my company's health plan. What are some of the policies and procedures the plan must adopt to be in compliance with the Privacy Rules?

The list below includes some of the policies and procedures a covered plan will likely need to adopt under the Privacy Rules. The policies and procedures must be reasonably designed, taking into account the size of the plan and the type of activities it carries out with respect to protected health information.
  • Privacy Officer. The privacy officer must oversee the process of ensuring the health plan complies with the Privacy Rules. The plan should consider how the first and successor privacy officers will be appointed, as well as the duties of this position. Note that the responsibilities of the privacy officer may be assigned to an existing employee, such as the human resources manager.
  • Training. If it is necessary for an employee to handle protected health information to perform his or her duties, that employee must be trained with respect to these policies and procedures. Note that by limiting the number of people who handle protected health information, the plan can limit the burden of the training requirement.
  • Administrative, Technical, and Physical Safeguards. These policies and procedures deal directly with protecting the privacy of certain health information. Their design will depend in large part on the self-audit described above. Examples of such safeguards include: requiring passwords to access desktops and certain electronic files, locking file cabinets where protected health information is stored, minimizing the size of the group with access to the information, monitoring the flow of information throughout the company and requiring approval for disclosure of certain information.
  • Complaint Process. The plan must provide a process for participants to make a complaint regarding their rights under the Privacy Rules.
  • Sanctions. A plan must have and apply appropriate sanctions against employees who fail to comply with its privacy policies and procedures. The plan may apply the company's current disciplinary policies.
  • Mitigation. In the event there is a breach of the Privacy Rules or the plan's policies and procedures, the plan should have procedures in place to mitigate the harmful effects of the breach.
  • Documentation. In addition to keeping its privacy policies and procedures in written or electronic form, the plan must also document actions and designations made under the Privacy Rules. For example, the plan must document the appointment of the privacy officer and certain disclosures of protected health information.
  • Providing the Notice of Privacy Practices. If a plan is required to maintain and distribute a Notice, it should consider how it will comply with that requirement under the Privacy Rules and adopt appropriate policies to do so.
  • Amending the Plan's Policies and Procedures. The plan should have a procedure for amending its policies and procedures both with respect to the company's changing needs and changes in the law.
  • Dealing with Business Associates. For business associates of the plan, as discussed below, the plan should have policies and procedures for dealing with these individuals or entities, including negotiating the terms of a business associate agreement.
  • Record Retention. The Privacy Rules require plans to maintain records for a certain period of time. The plan should have policies to address this requirement.
  • Coordinating the Exercise of a Participant's Rights Under the Privacy Rules. Plan participants have certain rights under the Privacy Rules, such as the right to request access to their health information or to request that their health information be amended. The plan should have procedures for responding to such requests in the time and manner required under the Privacy Rules.
Does the plan have to distribute a Notice of Privacy Practices?

In general, a health plan subject to the Privacy Rules must distribute to participants a Notice of Privacy Practices (Notice). This Notice describes generally the privacy policies adopted by the plan regarding protected health information. Whether a plan must distribute the Notice depends on the nature of the plan:
  • A fully-insured plan that does not create or receive protected health information is not required to maintain or distribute a Notice. The insurance company will instead make the distribution.
  • For fully-insured plans that create or receive protected health information, although the insurance company will distribute the Notice, the plan must maintain a Notice and provide it upon request.
  • Self-funded plans must maintain and distribute a Notice to their participants. If a TPA administers the plan, the plan may contract with the TPA to distribute the Notice on its behalf.
Caution - The Privacy Rules must be applied separately to each health plan you sponsor. For example, assume a company sponsors a fully-insured health plan that does not create or receive protected health information and a health flexible spending arrangement (HFSA), both subject to the Privacy Rules. As described above, the fully-insured health plan is not required to maintain or distribute a Notice. The HFSA is, however, considered a self-funded plan and, therefore, the company would be required to maintain and distribute a Notice to participants in that plan.

Under what circumstances may a plan sponsor receive protected health information from the plan?

In general, a plan is only permitted to disclose to its plan sponsor enrollment and certain summary health information.

As a practical matter, however, unless a group health plan (as defined under ERISA) satisfies the administrative exception described above, its plan sponsor will be receiving more information than would otherwise be permitted because the employees of the plan sponsor are, for example, handling participants' requests for assistance with claims. These disclosures are permitted provided:
  • the plan documents are amended to restrict uses and disclosures of protected health information by the plan sponsor consistent with the Privacy Rules; and
  • the plan sponsor certifies that the plan documents have been so amended.
Do the Privacy Rules also apply to health information the company may receive, for example, in the course of an FMLA certification or to support an employee's request for a sick day?

Individual health information properly obtained by an employer in carrying out its "employer" functions, such as administration of the Family and Medical Leave Act, workers' compensation or leave time benefits, is not protected health information. In contrast, individual health information obtained by an employer as administrator of a health plan (e.g., to carry out fiduciary obligations or make a claims determination) is protected health information to which the health plan's privacy policies and procedures would apply. The focus in determining whether the information is protected health information or "employment information" is on the reason the information is obtained, not the nature of the information.

Does our plan have any business associates?

If an individual or entity, excluding employees of the plan or plan sponsor, performs services for, or on behalf of, the health plan involving individually identifiable health information, that individual or entity is a business associate of the plan. In contrast, two entities each performing functions on their own behalf are not business associates of each other.

For example, if your company hires another company to administer continuation coverage under COBRA for its health plan, that company is a business associate of that health plan because it is providing services to the plan involving the use of individually identifiable health information. Similarly, a TPA that administers the company's HFSA is a business associate of the HFSA.

As explained above, plans having business associates must obtain from them written assurances that they will use and disclose protected health information solely in accordance with the Privacy Rules. Although the plan (or plan sponsor) is not required to monitor its business associates' compliance with the Privacy Rules and, therefore, with the terms of the business associate agreement, upon obtaining actual knowledge of a material violation it must take reasonable steps to cure the violation and, if those steps are unsuccessful, terminate the business associate relationship where feasible.

Please provide us with a practical example of compliance with the Privacy Rules: How should a company proceed under the Privacy Rules assuming the company sponsors (1) a fully-insured health plan with respect to which certain employees assist other employees in furthering claims with the insurance company, (2) a health flexible spending arrangement (HFSA) administered by a TPA, and (3) a self-administered executive medical reimbursement plan, all of which have more than 50 participants?
  • Determine the extent and scope of compliance with the Privacy Rules for each of the plans: All the plans are health plans subject to the Privacy Rules. Although fully-insured, plan (1) has access to protected health information. Plans (2) and (3) are self-funded. Thus, the administrative exception does not apply to any of these plans.
  • Audit the flow of health information throughout the company with respect to each plan.
  • Develop policies and procedures. The policies and procedures must be reasonably designed to comply with the Privacy Rules and take into account the size of each plan and the type of activities it carries out with respect to protected health information.
  • Address disclosures to the plan sponsor. The plans are "group health plans" under ERISA. Thus, the plans must obtain certifications from the plan sponsor (i.e., the company) that the plan documents have been amended to provide that the protected health information received by the plan sponsor would be used and disclosed in accordance with the Privacy Rules.
  • Identify and contract with business associates. Here, the TPA for the HFSA would be a business associate, from which the HFSA must obtain the required written assurances.
  • Adopt and implement the policies and procedures. This would include for example, documenting the adoption of the policies and training those employees who will be handling protected information on behalf of the applicable plans.
copyright 2000 - 2018 Curtis Communications, Inc. All rights reserved. | Access to the HR Care publications is subject to certain terms and conditions.