Updated Guidance Precedes Upcoming Deadline For HIPAA Privacy Compliance

Saturday, February 1, 2003
by Jackson Lewis

On December 3, 2002, the Department of Health and Human Services issued a compilation of new and existing guidance about key elements of the requirements of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") Standards for Privacy of Individually Identifiable Health Information (the "Privacy Rule"). The HHS guidance precedes the impending April 14, 2003 (April 14, 2004 for small health plans) deadline for compliance with the Privacy Rule.

In two previously published articles on HIPAA privacy compliance, Jackson Lewis discussed who is a covered entity, what is protected health information, and what control patients have over such information; and the conditions allowing and/or requiring disclosure of protected health information and the penalties for noncompliance with the HIPAA privacy requirements.

What is the HIPAA Privacy Rule?
The HIPAA Privacy Rule generally prevents the disclosure of protected health information ("PHI") by covered entities (which includes most group health plans and health care providers) to non-covered entities without authorization from the subject of the PHI (i.e., the patient). To comply with these requirements, covered entities must implement policies and standards to protect and guard against the misuse of PHI. Failure to timely implement these policies and standards may, under certain circumstances, trigger the imposition of civil or criminal penalties.

Are employers subject to the HIPAA Privacy Rule?
The Privacy Rule applies to covered entities. Since HIPAA does not give HHS the authority to regulate private businesses, employers and other plan sponsors are technically not "covered entities" subject to the Privacy Rule solely by virtue of acting as a plan sponsor and offering benefit plans to their employees. Nonetheless, plan sponsors that either require access to PHI to carry out administrative functions or that become involved in the administration and operation of a group health plan will have to comply with the HIPAA Privacy Rule on behalf of their group health plans.

What group health plans are subject to the HIPAA Privacy Rule?
HIPAA applies to any group health plan that has more than 50 participants or that is administered by an entity other than the plan sponsor. The only group health plans not subject to the Privacy Rule are plans administered by the plan sponsor with fewer than 50 participants.

Does the size of my group health plan matter?
Yes, the size of the plan affects the compliance deadline. HIPAA distinguishes between group health plans and small health plans. A small health plan is defined as a plan with less than $5 million in annual receipts. Annual receipts are measured by premiums (for an insured plan) or contributions (for a self-insured plan). The compliance deadline for small health plans is April 14, 2004.

Does it matter if our plan is insured or self-insured?
Yes. Fully-insured plans that do not engage in administrative activities and that do not receive PHI generally have a minimal compliance burden. Self-insured plans, however, are presumed to receive PHI and will have a significant compliance burden.

How are my company's HIPAA compliance obligations determined?
If your company is a health care provider or clearinghouse, it is a covered entity subject to the myriad HIPAA compliance requirements.

If your company is not a health care provider or clearinghouse, is not involved in claims processing or other plan administrative activity, and does not receive PHI, your health insurer or HMO may bear the brunt of the compliance burden.

Does the Privacy Rule apply to our health FSA?
Yes, it does. Although HHS has been asked to exempt health flexible spending arrangements ("FSAs") from the Privacy Rule, it has not yet done so. Accordingly, under current law health FSAs are group health plans covered by HIPAA. Further, health FSAs are almost always self-insured. Therefore, if your health FSA is administered 'in-house' and has 50 or more participants, it is a covered entity under the Privacy Rule, even if all of your other group health plans are fully-insured.

What can we do to avoid having our health FSA treated as a covered entity?
One possible solution would be to 'outsource' the administration of the health FSA. This could take the FSA out of HIPAA's definition of group health plan. Another, albeit temporary, solution would be to treat the FSA as a separate plan. This would take advantage of the delayed compliance date if the health FSA would qualify as a small health plan. This strategy may also be advantageous as HIPAA regulators are believed to be reviewing the status of FSAs and may issue guidance in the future.

Are all employee medical records PHI?
No, some medical records are considered "employment records," which are exempt from the Privacy Rule. In determining what medical information is PHI, the focus should be on the basis for obtaining the information, not the nature of the information. In this regard, information obtained by a company in its role as 'employer' is generally not considered PHI. For example, if an employee submits medical records for the purpose of FMLA leave certification or workers' compensation benefits, those records are employment records, not PHI. Please note, however, that employment records may be subject to other laws regarding use and disclosure.

To what extent, if any, does compliance with the Privacy Rule require significant restructuring, such as redesigning office space or upgrading computer systems?
The Privacy Rule generally requires that covered entities take reasonable steps to limit the use or disclosure of PHI to the minimum necessary to accomplish the intended purpose. This includes making reasonable efforts to limit access to PHI to those in the workforce who need access based on their roles in the covered entity. Given this reasonableness standard, HHS does not consider facility redesigns necessary to meet the minimum necessary requirement.

However, covered entities may need to make certain adjustments to their facilities to minimize access, such as isolating and locking file cabinets or records rooms, or providing additional security, such as passwords, on computers maintaining personal information. The steps a company takes in this regard may depend on the nature and size of the organization. For example, it may not be reasonable for a small, solo practitioner who has largely a paper-based records system to limit access of employees with certain functions to only limited fields in a patient record, while other employees have access to the complete record. In this case, appropriate training of employees may be sufficient.

If you have any questions, or would like to discuss the issue of HIPAA compliance further, the following are members of the Jackson Lewis Employee Benefits Practice Group:
copyright 2000 - 2019 Curtis Communications, Inc. All rights reserved. | Access to the HR Care publications is subject to certain terms and conditions.