RuderWare
Business Attorneys for Business Success
 
HIPAA Privacy Rule Alert
2004-03/24 Mary Ellen Schill  

 

It’s almost April 14, and do you know where your HIPAA‑covered group health plans are?  Last year sponsors of large group health plans scrambled to comply with the privacy rules of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and those who sponsored “small” plans promised themselves they would do their homework ahead of time and not have to go through the same last‑minute anxiety as their large plan brethren.  Well, here we are, a little over two weeks before the deadline.  If you haven’t yet determined whether you sponsor a group health plan which must satisfy the HIPAA Privacy Rule, or if you know you have to comply but still have not gotten around to putting together policies, procedures, privacy notices, and authorization forms, the Employee Benefits group at Ruder Ware is ready, willing, and able to help.  Here is a quick and dirty questionnaire to assist you in identifying the group plans you sponsor that must comply with the Privacy Rule.

 

Is your plan a “group health plan”?

 

A group health plan is any plan or program which provides, or pays for the cost of, medical care and which is sponsored by an employer for its employees.  Medical care includes health, medical, dental, and vision care and also includes medical care provided through medical reimbursement coverage.  An employer’s employee assistance plan could also be considered a group health plan in certain circumstances.  All employer-sponsored group health plans must comply with the HIPAA Privacy Rule, unless they are small, self-administered group health plans, defined below.

 

Is your group health plan a “small, self‑administered” group health plan?

 

If your group health plan 1) has fewer than 50 participants and 2) is administered by you as the employer (that is, there is no insurance company or third-party administrator which administers it), then your group health plan is considered a small, self‑administered group health plan which is not subject to the HIPAA Privacy Rule.  Generally, only small health flexible spending accounts would meet this exception.

 

Is your group health plan fully insured?

 

Some group health plans are fully insured, meaning that benefits are provided solely through an insurance contract with a health insurance issuer or an HMO.  Fully insured group health plans, while still subject to the HIPAA Privacy Rule, may be able to take advantage of limited compliance obligations if certain requirements are met.  If you sponsor a fully insured group health plan and the plan neither creates nor receives protected health information other than enrollment and disenrollment information or summary health information for the purposes of obtaining premium bids or amending or terminating the plan, then your group health plan is only subject to limited portions of the Privacy Rule.  These limited provisions require that you not take retaliatory acts against an individual for exercising rights under the Privacy Rule, that you not require any individual to waive his rights under the Privacy Rule, and that you amend the group health plan document to restrict the use or disclosure of protected health information by the employer.

 

In summary, if you sponsor a fully insured group health plan and the plan (and your employees who assist in administering the plan) only receive summary health information and/or enrollment and disenrollment information, you do not need to worry about all of the other provisions of the Privacy Rule, such as designating a privacy officer, establishing HIPAA policies and procedures, distributing a privacy notice, training your plan personnel, and entering into business associate agreements.

 

So far, it looks like I have a group health plan, but it isn’t a small, self-administered plan nor does it meet the requirements for limited compliance.  What does that mean?

 

It sounds like your group health plan is either 1) self‑funded (i.e., self‑insured) with more than 50 participants, 2) self‑funded with 50 or fewer participants but administered by a TPA, or 3) fully insured but the plan receives protected health information and not just summary health information.  What this means is that your group health plan must, by April 14, 2004, fully comply with the HIPAA Privacy Rule.  You should by now have taken the following action steps:

  • Appointed a privacy officer.
  • Amended the plan document to restrict uses and disclosures of protected health information in accordance with the HIPAA Privacy Rule.
  • Prepared a notice of privacy practices for distribution to all your plan participants (if your plan is fully insured, you may only need to provide the notice upon request).
  • Adopted written HIPAA Privacy Rule policies and procedures and trained your plan personnel on those policies and procedures.
  • Prepared appropriate forms for use by plan participants to authorize the use and disclosure of their protected health information, to request an accounting of uses and disclosures of protected health information, or to request an amendment of protected health information.
  • Identified your plan’s “business associates” and entered into written business associate agreements with those entities.  Business associates may include the plan’s third-party administrator, actuary, consultants, or attorneys.

 

I have a few action steps that need to be completed.  Where can I go for help?

 

For more general background information on the HIPAA Privacy Rule, the website for the United States Department of Health and Human Services is a good place to start.  There is a special section on HIPAA, found at http://www.hhs.gov/ocr/hipaa/.  For more specific guidance and assistance, the Employee Benefits group at Ruder Ware is ready to work with you to determine if and to what extent the group health plans you sponsor must comply.  From privacy notices to policies and business associate agreements, our attorneys are ready to help you get into compliance before April 14.

 

If you have any questions concerning the HIPAA Privacy Rule or if you would like our assistance in ensuring that you are “HIPAA ready” on April 14, please contact Attorney Mary Ellen Schill at (715) 845-4336.

© 2004 Ruder Ware, L.L.S.C. Accurate reproduction with acknowledgment granted. All rights reserved.
This document provides information of a general nature regarding legislative or other legal developments. None of the information contained herein is intended as legal advice or opinion relative to specific matters, facts, situations, or issues, and additional facts and information or future developments may affect the subjects addressed.