
Good Company

Author(s)
Monica A. Ciolfi, Esquire


Practice Areas
Health Care

HIPAA and Health Plans - What Employers Must Do by April 14, 2004


Tuesday, March 30, 2004



The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires anyone in the health business to keep an individual's health information private and to make it available to the individual upon request. While the major burden of HIPAA compliance falls on health insurers, hospitals, doctors and other health care providers, the HIPAA Privacy Rule also applies to employer health plans. Employer health plans must protect the privacy of health information gathered from individuals as a part of plan enrollment and claims administration.

It is important that employers with health plans review their HIPAA obligations. The Privacy Rule is complicated and the consequences of noncompliance can be severe. Large health plans, those with revenues of more than $5 million a year, had to be in compliance with HIPAA by April 14, 2003. Small health plans, the typical plan sponsored by most employers in New Hampshire, have until April 14, 2004 to be fully compliant with the HIPAA Privacy Rule.

With few exceptions, any health plan that generates health information about an employee or dependents will be faced with the privacy obligations of HIPAA. However, health information gathered by the employer as part of the employment process, such as a medical examination given when an employee is hired, and health information gathered for a workers' compensation claim, is not subject to HIPAA.

An employer with an insured health plan has minimal compliance responsibilities.

The insurance company is itself subject to HIPAA and should have extensive privacy procedures in place. If the insurance company or HMO does not share any individual health information with the employer, which is now a common practice, the employer has no access to health information and will not have any HIPAA obligations. However, sometimes an insurance company will require the employer to exercise final review functions on claims. If the employer has such review functions, it necessarily has access to individual health information and must comply with HIPAA. Similarly, if the employer collects detailed health information as part of the insurance enrollment process, or reviews disputed claims denials, that information may be subject to the Privacy Rule protections.

Many medium and most large employers have self-insured plans. This means that the payment of benefits is made directly by the employer instead of by the insurance company. Self-insured plans are often administered by an insurance company, which makes its claims departments and medical networks available to the employer. In other instances, the plan is administered by a third party administrator (TPA). In both cases, however, the self-funded employer is much more likely to require extensive HIPAA privacy procedures, because the employer will have more access to health information, even though the information may be in the hands of the TPA or insurer.

Employers that offer cafeteria plans that include a medical reimbursement arrangement must comply with HIPAA because those arrangements are considered "health plans" under the Privacy Rule. If the cafeteria plan or other health plan is administered by a TPA, HIPAA requires that the employer enter into a specific agreement with the TPA requiring the TPA to keep health information private. This agreement is referred to as a "business associate contract." If the employer has access to health information as part of the administration of its cafeteria plan or other health plan, HIPAA mandates that procedures be put in place to prevent an individual's health information from being used by the employer for any reason other than to administer the health plan. Basically, the employer must erect an information wall, or "firewall," between the employees who have access to health information as part of their administrative duties for the health plan and all other employees. This can be awkward in light of the fact that many such plans are administered by Human Resources employees with multiple responsibilities. Policies must be adopted for both the employer (employee guidelines stating that it is against the employer's policy for employees to solicit or use protected information) and the plan. A privacy officer must also be appointed by the employer to enforce the policies.

It is important to remember that HIPAA provides that an individual may voluntarily release health information to anyone, provided that the authorization is specific and in writing. For example, if an employer wants to help its employees with claims and coverage issues, the employer should do so only if authorized in writing by the employee, unless the employer has amended its plan documents to expressly reserve the right to do so without an authorization. HIPAA has extensive requirements for what will be considered a valid authorization.

In order to assess your company's HIPAA obligations, someone will have to review the health plan documents, including ERISA plan documents, summary plan descriptions, TPA contracts and insurance contracts, to determine whether protected information is available to the employer. In those cases in which it is not, compliance work will be minimal. In some cases the only compliance work will be to add contract provisions to administration contracts and adopt streamlined procedures. In many other cases, generally when the plan is self-insured and self-administered, extensive HIPAA procedures will be required.

This article is intended to serve as a summary of the issues outlined herein. While it may include some general guidance, it is not intended as, nor is it a substitute for, legal advice. Your receipt of Good Company or any of its individual articles does not create an attorney-client relationship between you and Sheehan Phinney Bass + Green or the Sheehan Phinney Capitol Group. The opinions expressed in Good Company are those of the authors of the specific articles.

© 2010 Sheehan Phinney Bass + Green PA. All rights reserved.