[ Wednesday, April 14, 2004 ]
Today's the day for small plans.
As this artic
le points out, today's the deadline for small (less than $5,000,000) health plans to be compliant with the HIPAA privacy rule. And "plan" includes any employee health benefit plan, even if it's fully insured.
A "health plan" is any plan that pays for or arranges for the payment for or provision of healtht care services, and includes any plan defined under ERISA. Most of the HIPAA privacy rules for health plans are found at 45 CFR 164.504(f), but the specifics of what the plan must do depend on (i) whether the plan is fully insured and (ii) just how much PHI the plan receives.
One very important distinction in figuring out how your plan complies with HIPAA: the rules apply to your plan, not to your company. This seems like an artificial distinction, but it is very real. Many years ago, if a company provided insurance to its employees, it simply bought insurance from an insurance company like Blue Cross. If an employee or an employee's family member had a health problem, the employer would not know about it other than through the workplace grapevine; if the employee was discrete, the employer would never know that the employee was at high risk to have a heart attack, for example. Since ERISA, companies now self-insure or establish health plans where the "plan" receives health information that might be peeked at by the company; the company never would have received this information in the past, but now could look and, for example, decide to fire the employee who was at risk of a heart attack. There are reasons the plan needs to have and use the information, but the company shouldn't have access to it; that's what HIPAA tries to ensure by making a distinction between the plan and the employer.
General rules for such plans are:
-- Except for "summary plan information" (information stripped of identifiers that is used to shop for coverage and premiums) and information on whether someone is enrolled or not, the plan can't disclose PHI it receives to the company, and the company can't use the information it receives for employment-related decisions.
-- If the plan gets PHI, the plan documents should be amended to make sure the PHI is protected and the plan participants have their rights protected.
-- The plan must restrict uses and disclosures of PHI it holds to HIPAA-allowed uses and disclosures.
-- The "minimum necessary" rule applies to disclosures by the plan.
-- The plan must have a Notice of Privacy Practices (NoPP) and deliver it to the beneficiaries, although the insurer (if the plan is not self-insured) can be the one to provide it.
-- The plan must comply with the administrative requirements of HIPAA (have a privacy officer, train the staff, have a complaint procedure, etc.), but if the plan is not self-insured and doesn't receive PHI other than summary health information and enrollment data, the only administrative requirements it's required to meet are that it can't retaliate against complainers, can't make beneficiaries waive their HIPAA rights, and must document what it's done to comply with HIPAA, including documenting the amendments to the plan if those are done.
Basically, the plan must protect the PHI, and can't let the employer use it for bad purposes. Now, don't be fooled into thinking the employer can't ever have information that might otherwise be considered PHI. Some folks think HIPAA means that you can't announce when someone has had a baby or is sick. If the information only comes from the health plan, then the health plan must keep it secret. But if the employee tells co-workers, or if the information comes to the company from a source other than the health plan (for example, an on-the-job injury or a company physical required as a condition of employment), it isn't entitled to the same level of HIPAA protection.
Now, go and amend those plan documents!
Jeff [8:59 AM]
Blogger: HIPAA Blog - Edit your Template