Builders and Contractors Exchange
Weekly Bulletin: 28 Jun 2004
The New HIPAA Privacy Regulations - Did The Deadline Pass You By?
By: Geoffrey Hemphill
On April 14, 2004, the new HIPAA privacy regulations came into effect for all small health plans. Small health plans include employers with plans with less than $5,000,000.00 annually in claims or premiums. There is an abundance of information currently in the marketplace regarding the HIPAA privacy regulations, and some of it is even accurate. We have found, however, that many employers have relied upon advice that is incomplete at best or, in some cases, erroneous. It is important that human resource managers evaluate whether they have properly implemented HIPAA compliance procedures.
An employer's HIPAA compliance obligations depend upon the type of health plan it sponsors. If it is a self-funded plan (i.e., a VEBA), the plan must fully comply with all aspects of HIPAA. If the plan is fully-insured (i.e., coverage is provided through an insurer to whom the employer pays premiums), employers usually can escape with minimal HIPAA compliance requirements.
Fully-insured plans in which the employer only receives summary health information from the health insurer must:
1) Certify that the plan only uses the summary health information for amending or terminating the plan or for pricing new policies;
2) Refrain from conditioning coverage on waiver of HIPAA rights;
3) Refrain from retaliating against a participant who exercises HIPAA rights; and
4) Amend the plan documents to comply with HIPAA.
We have seen a lot of confusion with employers who sponsor a flexible spending account ("FSA"). Unfortunately, the Department of Labor considers an FSA to be a self-insured health plan. Therefore, employers must fully comply with HIPAA for their FSAs. Full compliance requires, among other things:
1) Appointing a privacy official;
2) Training all persons involved with administration of the plan;
3) Amending plan documents;
4) Implementing various procedures designed to protect health information;
5) Sending out a notice to all participants in the plan; and
6) Ensuring that physical security of health information is adequate.
While the deadline for HIPAA compliance has passed, it is still necessary for employers, especially those who sponsor FSAs, to evaluate their HIPAA compliance procedures. Our firm has prepared a turnkey manual designed to bring FSAs into HIPAA compliance with minimal pain. Please contact Geoffrey Hemphill if you have any questions regarding HIPAA compliance.

This article is meant to bring awareness to this topic and is not intended to be used as legal advice.

