New Federal Rules on the Privacy of Health Information Take Effect
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law meant to safeguard the privacy of protected health information of patients and employees. On April 14, 2003, covered entities were required to comply with a broad range of privacy and security mandates (the “Privacy Rule”).
To the great surprise of many companies, the Privacy Rule extends beyond the hospital and doctor’s office. Your company is likely impacted by HIPAA if:
- It sponsors a self-funded health plan;
- It sponsors a Flexible Spending Plan for employees; or
- It performs services on behalf of other covered entities.
From disclosures used to process workers’ compensation claims, to the use of drug testing results, to the storage and access of medical records, to the processing of medical and flexible spending account claims, HIPAA poses numerous traps for those organizations unaware of its breadth. Now that HIPAA is in effect, it is imperative that organizations identify whether and how the Privacy Rule regulations apply to them. Even where an organization is not classified as a “covered entity” by HIPAA, its classification as a “business associate” of a covered entity may require it to comply with parts of the Privacy Rule.
HIPAA Covered Entities
The Privacy Rule most directly impacts health plans, health care clearinghouses and health care providers (collectively, “Covered Entities”). A health plan under HIPAA includes a self-insured employee welfare benefit plan. Accordingly, a business that pays for medical care services for its employees or their dependents and has 50 or more participants is a Covered Entity subject to the Privacy Rule. In some cases, a Flexible Spending Plan that allows employees to pay uncovered medical expenses with pre-tax dollars may also constitute a Covered Entity under HIPAA. The U.S. Department of Health and Human Services has created a flow chart that provides additional guidance to determine whether your organization is a Covered Entity. See www.cms.hhs.gov/hipaa/hipaa2/support/tools/decisionsupport/CoveredEntityFlowcharts.pdf
HIPAA Privacy Rule Requirements
The Privacy Rule is composed of privacy and security procedures and safeguards meant to protect patient and employee protected health information. Its primary requirements include:
Designation of a privacy officer. All Covered Entities must designate a person responsible for developing and implementing the policies required by the Privacy Rule and other HIPAA regulations.
Distribution of a privacy notice. All Covered Entities must develop and distribute a notice describing how medical information about the patient or employee may be used and disclosed, and how to access such information.
Development of “minimum necessary” policies. HIPAA’s key standard for privacy protection requires that Covered Entities evaluate their practices and implement safeguards as needed to limit access and disclosure of an employee’s protected health information to that “minimally necessary” to satisfy a legitimate purpose or function.
Contracting with vendors to limit disclosure of health information. Covered Entities that use vendors to perform a function or activity, where those vendors have access to patient or employee protected health information on behalf of the Covered Entity, must implement a written business associate agreement with the vendors that governs the use, disclosure and security of the protected health information.
Development of response policies. All Covered Entities must implement policies for responding to patient requests and to privacy infractions.
Implications for Vendors and Subcontractors
Vendors and subcontractors that perform certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provide services to, a Covered Entity are referred to as “business associates” under HIPAA. While business associates are not directly covered by the HIPAA regulations, they become subject to the Privacy Rule indirectly through the requirement that Covered Entities contract in writing with them to comply with certain duties under the Privacy Rule. Examples of business associates include an accounting firm whose services involve access to protected health information, a consultant that performs utilization review for a hospital, and a third-party administrator that assists a health plan with claims processing.
The deadline for putting a business associate agreement in place depends on when the underlying contract was made. If a contract for services existed between a Covered Entity and a business associate on October 14, 2002, and the contract is not renewed or modified between that date and April 14, 2003, the Covered Entity need not comply with the business associate agreement requirement until April 14, 2004. If a Covered Entity had an existing contract with a business associate on October 14, 2002, but the contract was renewed or modified between then and April 14, 2003, the Covered Entity must enter into a business associate agreement with the associate by the April 14, 2003 deadline. Likewise, if a Covered Entity enters into an agreement after April 14, 2003 with a business associate not previously under contract, the Covered Entity must enter into a business associate agreement with the associate when the relationship begins.
With the approaching compliance deadline of April 14, 2003, now is the time to work with your legal counsel to ensure your organization is “hip to HIPAA.”
About the Author:
Minnesota employment attorney James C. MacGillis practices extensively in the area of employment law, and regularly advises and represents businesses in employment law matters. Contact Jim for more information on HIPAA and complimentary samples of the required privacy notice and business associate agreement. Jim may be reached at 612.455.0503 or firstname.lastname@example.org. Trepanier MacGillis Battina P.A. is a Minnesota employment law firm located in Minneapolis, Minnesota.