Article information

  • Title: Health information must stay private - Legal Insight
  • Author: Gillian Flynn
  • Journal: Workforce
  • Print ISSN: 1092-8332
  • Year: 2003
  • Issue: Jan 2003
  • Publisher: Crain Communications, Inc.

Health information must stay private - Legal Insight

Gillian Flynn

The clock is officially ticking. If your company has at least 50 employees, and you offer health benefits to them, you're required to comply with HIPAA, the Health Insurance Portability and Accountability Act of 1996. On April 14, 2003, HIPAA's privacy rules regarding Protected Health Information go into effect--and if your company isn't well on its way to compliance, HR should jump-start the effort. John A. Knapp, a senior member of the health law group at Cozen O'Connor in Philadelphia, offers advice.

What should HR professionals know about HIPAA?

It came out of the failed healthcare reform effort of the Clinton administration. In the early 1990s there was a lot of concern about people who were restrained in moving from one employer to another because they were afraid of losing their health insurance due to pre-existing conditions. So although the overall health-reform efforts failed, one of the things that came out of those efforts was this bill, which was aimed at allowing the portability of health insurance by preventing insurers from imposing requirements about pre-existing conditions when you move from one employer to another. At the time, employers were concerned that this was going to lead to an increase in health insurance costs. So there was an effort made to reduce costs in the health-care system as a way of offsetting the increased costs caused by these portability requirements.

How was this done?

People quickly identified the amount of administrative expense throughout the health-care system caused by inefficient communications. For example, there are more than 400 different formats in use throughout the country by which health-care providers and insurers exchange information related to services provided and payments made. So HIPAA contained within it a set of provisions under its administrative simplification section. The goal was to simplify the process by which health-care providers and health-care payors communicate with each other. This will have a very dramatic effect. It's going to standardize in one electronic format all of the information that gets exchanged. Now, Congress recognized that this was going to result in enhanced flow of individually identifiable health information in electronic format. There was concern that this would increase the risk of private health information being improperly disclosed. So part of the administrative simplification rules deal with protective measures that health-care providers and payors have to take in order to protect the privacy and security of this individually identifiable health information.

What do employers need to do regarding the privacy and security of health information?

Since the plan has to deal with protected health information, HIPAA insists there be a firewall established. That can be established physically through use of things like security measures, computer passwords, firewalls, etc. Or it can be implemented through policies, procedures, and training for people who handle protected health information, to ensure that the HIPAA requirements are understood and followed. Organizations that have any form of self-insurance are required to appoint a privacy officer; oftentimes the privacy officer for the plan is going to be the head of HR or whoever oversees the plan.

What should the overall goal be?

The idea is to create a firewall between the plan and the employer, so protected health information that the plan has access to is not communicated to the employer for employment-related purposes. For example, someone who operates the plan might become aware that an employee is receiving healthcare services for cancer or a mental-health problem. That information cannot be communicated to the employer because it might have an impact on a promotion decision or compensation decision. So employers must establish the necessary barriers or firewalls between the plan and the employer. The degree of these firewalls and policies and procedures varies based on whether the plan is self-insured. If an employer offers health benefits to its employees but does so exclusively through insured products (you sign up through Blue Shield or Aetna), then there are still HIPAA requirements, but they're substantially less. But if the employer is self-insured in full or in part, even though they might use Blue Shield as a third-party administrator, then there are much broader requirements. If you offer cafeteria plans that have health-benefit components, that's a form of self-insurance.

What else do the privacy rules require?

Employers are required to amend their ERISA plan to ensure that the employer acknowledges and respects this firewall that has to be created between the plan and the employer. So there are going to be changes required to the ERISA plan documents. Those plan documents, the amendment, may have to be filed with the IRS.

What about the security component of HIPAA?

The security rules are not yet out in final form [as of press time, they were expected in December]. They won't become effective for two years after they're released. So companies don't have to worry about security, but they have to start thinking about how to protect any electronically stored or transmitted information from improper use or disclosure. This may be as simple as physically limiting who has access to that information by the use of passwords, or establishing that only certain computers allow access to this information. Or it can be more sophisticated, with electronic firewalls and things of this nature.

Don't employers also have to comply with HIPAA transaction standards?

If an employer's health plan communicates with an insurer or third-party administrator electronically, then that communication must be done in accordance with HIPAA's standard electronic formats. So you've got to get your IS people involved and communicate with your insurers and find out how you need to now interface with them. Those standards don't go into effect until October 2003, but you're required to begin testing to make sure you're on track for that deadline by April 2003.

Any final thoughts on the privacy rules?

Small group health plans--those plans with less than $5 million per year in either total health-care premiums or benefits paid out--have an additional year to comply with the privacy rule, so they have until April 2004. As for the rest of employers, most group health plans require some form of assistance from lawyers, consultants, or others, to ensure they're compliant by April 14, 2003. If employers have not yet begun these compliance efforts, they should begin them as quickly as possible, because there are penalties that, although they're likely to be moderate, could in some cases be as high as 10 years in prison and $250,000 in fines.

COPYRIGHT 2003 ACC Communications Inc.
COPYRIGHT 2003 Gale Group