In April, HIPAA's privacy rules go into effect. If your company isn't well on its way to compliance, HR will have to jump-start the effort.
By Gillian Flynn
The clock is officially ticking. If your company has at least 50 employees,
and you offer health benefits to them, you’re required to comply with HIPAA,
the Health Insurance Portability and Accountability Act of 1996. On April 14,
2003, HIPAA’s privacy rules regarding Protected Health Information go into effect--and if your company
isn’t well on its way to compliance, HR should jump-start the effort. John A.
Knapp, a senior member of the health law group at Cozen O’Connor in
Philadelphia, offers advice.
What should HR professionals know about HIPAA?
It came out of the failed health-care reform effort of the Clinton
administration. In the early 1990s there was a lot of concern about people who
were restrained in moving from one employer to another because they were afraid
of losing their health insurance due to pre-existing conditions. So although the
overall health-reform efforts failed, one of the things that came out of those
efforts was this bill, which was aimed at allowing the portability of health
insurance by preventing insurers from imposing requirements about pre-existing
conditions when you move from one employer to another. At the time, employers
were concerned that this was going to lead to an increase in health insurance
costs. So there was an effort made to reduce costs in the health-care system as
a way of offsetting the increased costs caused by these portability
requirements.
How was this done?
People quickly identified the amount of administrative expense throughout the
health-care system caused by inefficient communications. For example, there are
more than 400 different formats in use throughout the country by which
health-care providers and insurers exchange information related to services
provided and payments made. So HIPAA contained within it a set of provisions
under its administrative simplification section. The goal was to simplify the
process by which health-care providers and health-care payors communicate with
each other. This will have a very dramatic effect. It’s going to standardize
in one electronic format all of the information that gets exchanged. Now,
Congress recognized that this was going to result in enhanced flow of
individually identifiable health information in electronic format. There was
concern that this would increase the risk of private health information being
improperly disclosed. So part of the administrative simplification rules deal
with protective measures that health-care providers and payors have to take in
order to protect the privacy and security of this individually identifiable
health information.
What do employers need to do regarding the privacy and security of health
information?
Since the plan has to deal with protected health information, HIPAA insists
there be a firewall established. That can be established physically through use
of things like security measures, computer passwords, firewalls, etc. Or it can
be implemented through policies, procedures, and training for people who handle
protected health information, to ensure that the HIPAA requirements are
understood and followed. Organizations that have any form of self-insurance are
required to appoint a privacy officer; oftentimes the privacy officer for the
plan is going to be the head of HR or whoever oversees the plan.
What should the overall goal be?
The idea is to create a firewall between the plan and the employer, so
protected health information that the plan has access to is not communicated to
the employer for employment-related purposes. For example, someone who operates
the plan might become aware that an employee is receiving health-care services
for cancer or a mental-health problem. That information cannot be communicated
to the employer because it might have an impact on a promotion decision or
compensation decision. So employers must establish the necessary barriers or
firewalls between the plan and the employer. The degree of these firewalls and
policies and procedures varies based on whether the plan is self-insured. If an
employer offers health benefits to its employees but does so exclusively through
insured products (you sign up through Blue Shield or Aetna) then there are still
HIPAA requirements, but they’re substantially less. But if the employer is
self-insured in full or in part, even though they might use Blue Shield as a
third-party administrator, then there are much broader requirements. If you
offer cafeteria plans that have health-benefit components, that’s a form of
self-insurance.
What else do the privacy rules require?
Employers are required to amend their ERISA plan to ensure that the employer
acknowledges and respects this firewall that has to be created between the plan
and the employer. So there are going to be changes required to the ERISA plan
documents. Those plan documents, the amendment, may have to be filed with the
IRS.
What about the security component of HIPAA?
The security rules are not yet out in final form [as of press time, they were
expected in December]. They won’t become effective for two years after they’re
released. So companies don’t have to worry about security, but they have to
start thinking about how to protect any electronically stored or transmitted
information from improper use or disclosure. This may be as simple as physically
limiting who has access to that information by the use of passwords, or
establishing that only certain computers allow access to this information. Or it
can be more sophisticated, with electronic firewalls and things of this nature.
Don’t employers also have to comply with HIPAA transaction standards?
If an employer’s health plan communicates with an insurer or third-party
administrator electronically, then that communication must be done in accordance
with HIPAA’s standard electronic formats. So you’ve got to get your IS
people involved and communicate with your insurers and find out how you need to
now interface with them. Those standards don’t go into effect until October
2003, but you’re required to begin testing to make sure you’re on track for
that deadline by April 2003.
Any final thoughts on the privacy rules?
Small group health plans--those plans with less than $5 million per year in
either total health-care premiums or benefits paid out--have an additional year
to comply with the privacy rule, so they have until April 2004. As for the rest
of employers, most group health plans require some form of assistance from
lawyers, consultants, or others, to ensure they’re compliant by April 14,
2003. If employers have not yet begun these compliance efforts, they should
begin them as quickly as possible, because there are penalties that, although
they’re likely to be moderate, could in some cases be as high as 10 years in
prison and $250,000 in fines.
The information contained in this article is intended to provide useful information on the topic covered, but should not be construed as legal advice or a legal opinion. Also remember that state laws may differ from the federal law.