Sunday, October 7, 2012

Syracuse businesses adjust to HIPAA regulations - The Business Journal - Central New York

LIVERPOOL - Privacy regulations that are part of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 went into effect April 14. While HIPAA mostly affects healthcare providers and healthcare 'clearinghouses' that manage billing services for health plans, employers need to comply with the regulations as well.

Jeff Andrews, vice president of Aon Consulting and manager of the company's upstate New York office in Liverpool, has been working with local businesses to ensure HIPAA compliance. According to Aon, there are 23 companies (employing more than 23,000 people) in Syracuse that must comply with the new privacy requirements.

'In this day of electronic information, there's a substantial amount of information floating around ... the Internet - [from] credit-card companies and everywhere... on individuals,' Andrews says. 'It's important that it should be private information; therefore, health plans need to take steps to protect [that] information.'

Andrews urges every employee to look for a privacy statement from his employer that shows the organization is in compliance with HIPAA.

'The most important thing is for the employer, as sponsor of a health plan, to sit down - it does not take a lot of time - and examine the issues and take an organizational approach to compliance and implement that approach,' he says. 'There are a lot of tools out there that make it a pretty easy process.'

Health-care companies with annual receipts of more than $5 million were required to comply with HIPAA on April 14 of this year. Companies with receipts less than $5 million need to comply by April 14, 2004.

One of the main focuses of HIPAA is the privacy of 'protected health information,' or PHI. The United States Department of Health and Human Services defines PHI as 'individually identifiable health information transmitted or maintained in any form or medium, which is held by a covered entity or its business associate.'

According to Andrews, a health plan cannot use or disclose PHI other than for treatment of a medical condition or payment of a claim through the operation of the health plan.

'You could have a very small employer or a very large employer, [but the focus is on] how the health plan is financed and how it is administered,' Andrews says. 'That will determine how they comply.'

Andrews says that employers are going to have different compliance strategies depending on what kind of health plan they use. Fully insured plans, where the employer only needs to send information to the insurance company about who is covered and the employee's eligibility, have a very different strategy than self-insured plans - where the employer is involved in the day-to-day administration of the plan, Andrews says.

'What employer[s] need to do is to look at how they use PHI and how they interact with the [health-plan] administrator, so that they minimize the use of protected health information,' Andrews says. 'They need to understand PHI and have the documents in place, but the reality is that they're probably not in a position where they could be in violation [of the HIPAA regulations].'

Andrews has outlined a nine-step program for compliance: designate a privacy officer and make sure the information is protected; establish a compliance team to implement the procedures; inventory and identify how and where PHI resides in the organization; work to limit access and disclosure; adopt privacy policy and procedures; identify business associates who might have access to PHI; train staff who might be working with PHI; talk to your health-care provider that deals with PHI and confirm compliance; and develop an employee-communication program that lets the employees know that you're taking steps to protect the information.

Additionally, Aon has created an online assessment that companies can use to ensure compliance. It is located at www.aon-hipaa.com. Aon also has a PowerPoint presentation that is designed to educate senior management about HIPAA, a do-it-yourself privacy kit that addresses all of the key issues and comes with a compact disk full of the required documents, and a module that helps companies train their employees about the regulations.

'Some employers are very on-the-ball, some are getting to it late and are really going through the process now, and some employers that don't need to be in compliance [have already complied],' Andrews says.