Monday, September 17, 2012

Are you HIPAA compliant? (Executive Briefcase) (Health Insurance Portability and Accountability Act) - Reeves Journal

On April 14 the privacy rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) went into effect for all small group health plans (group health plans with annual premiums less than $5 million). This act was created to protect employees from employers using their medical history information in any sort of negative way.

[ILLUSTRATION OMITTED]

HIPAA covers the uses and disclosure of protected health information (PHI), individuals' rights regarding PHI, and special rules for plan sponsors, employers, and service providers to plans. Virtually every employer will have some responsibility for HIPAA compliance, and lack of compliance could be significantly risky. This month I'd like to describe what it takes for your firm to be compliant and what kinds of penalties you can expect if it is not. The bulk of this discussion will be merely descriptions of the rules; but once you get to the end, take note of how HIPAA relates to workers' compensation, pre-employment physicals and drug testing, and work-related injuries.

Protected health information (PHI) is personally identifiable health information that is created or received by a health plan, employer, healthcare provider, or healthcare clearing-house. The health plan is allowed to release PHI to employers so that employers may administer their group health plan. This information may only be used for group health plan administration and may not be used in connection with any other benefit or benefit plan of the employer.

The group health plan is allowed to use or disclose PHI:

* To the individual

* To carry out treatment, payment, or healthcare operations

* With valid authorization

* For defined 'public good functions' and for limited marketing purposes

* To business associates (service providers such as brokers) if they obtain satisfactory assurance that the business associate will adequately safeguard the information

Note that the group health plan is not allowed to disclose PHI to the employer for employment-related purposes or in connection with other employee benefits or benefit plans. The employer may not use PHI without written authorization from the individual (unless disclosure is already permitted by the regulation).

There are also some instances in which the group health plan is required to disclose PHI. Those instances include an individual seeking to access their PHI, an individual seeking a record of disclosures of their PHI, or the secretary of the Dept. of Health & Human Services (HHS) during an investigation of the group health plan's compliance with HIPAA.

What are my responsibilities as an employer?

If you have a fully-insured plan and only use PHI in summary information for enrollment or plan termination purposes, then your responsibilities are minimal. You do not have to select a privacy officer, maintain a HIPAA privacy notice (but confirm that your insurer does), or provide employee training. However, you must:

* Refrain from retaliatory acts or intimidation against individuals who submit a complaint, assist in an investigation, or exercise a privacy right

* Refrain from requiring individuals to waive their privacy rights under HIPAA or their rights to file a complaint with HHS as a condition of enrollment in the health plan

* Identify business associates and prepare and incorporate privacy provisions in business associate contracts

* Verify the identity and authority of an individual requesting PHI disclosure

If you have a self-insured plan (partially or fully) or a fully-insured plan and create or receive PHI on a non-summary basis, then you should be prepared to implement the following:

* Follow all the basic requirements previously listed

* Select a privacy officer

* Develop an employee training program for those who perform functions for the group health plan

* Create a privacy standards discipline policy

* Create a mechanism that allows individuals to file a complaint if they believe the group health plan is not HIPAA compliant or if their privacy rights have been violated

* Create appropriate safeguards to protect the privacy of PHI and a policy for confidential communications

* Require the use of the minimum necessary amount of information when disclosing or using PHI

* Ensure that only those individuals who must use PHI to perform their duties within the group health plan have access to PHI

* Develop a notice of privacy practices and provide to any person who requests it

* Allow individuals to amend their PHI

* Create an authorization form for the use and disclosure of PHI

* Ensure that all of your HIPAA Privacy policies and procedures are documented, regularly followed, and communicated to your employees.

Considering that compliance with these federal regulations started on April 14 of this year, it remains to be seen how effective regulating and enforcing them will be. But, according to the regulation, lack of compliance will bring about significant penalties. Civil penalties can be $100 per violation with a cap of $25,000. Criminal sanctions include up to $50,000 and/or one year in prison for obtaining or disclosing PHI, up to $100,000 and/or five years in prison for obtaining PHI under false pretenses, and up to $250,000 and/or 10 years in prison for instances when PHI is obtained, used, or disclosed for personal gain, commercial advantage, or malicious harm.

Other employer-related issues of interest regarding HIPAA involve workers' compensation, pre-employment physicals and drug testing, and workplace injuries. With regard to workers' compensation, the plan can disclose PHI to comply with workers' compensation laws; no authorization from the individual is required, and the 'minimum necessary' standard applies. For pre-employment physicals or drug testing, the employer receives the information not in its capacity as plan sponsor, the individual must authorize disclosure by the provider, and employers may condition employment on the prospective employee signing such an authorization. As for workplace injuries, continue to log all injuries (the log is not considered PHI); employees cannot access plan records relating to injuries unless required by law or pursuant to an authorization.

Compliance with HIPAA regulations can be confusing, to say the least. Be sure that you are clear on whether your firm is subject to all of the HIPAA privacy requirements or just the minimal requirements. Please note that this article merely touches on the HIPAA privacy regulations. The employer responsibilities listed are guidelines and are not all inclusive. For further information visit HHS at www.hhs.gov/ocr/hipaa.

Eric R. Hallinan is the director of finance and technology at Benefit Partners, a dba of 4B Insurance Services, Inc. in Newport Beach, Calif. He earned a BS from UCLA and an MBA from the Peter F. Drucker School of Management at Claremont Graduate University. Involved in the plumbing industry since childhood, Eric now works for Steve Lathrop, where he specializes in financial analysis and strategic technology planning.