Every American understands the importance of April 15th as both a milestone and a millstone of civic responsibility. But in 2004, the day before tax day held even greater significance for many small- and mid-sized employers: It was the day they met the deadline for full compliance with Health Insurance Portability and Accountability Act (HIPAA) Privacy Rules.
Or did they? It’s impossible to know for sure. But even larger companies — which were expected to achieve HIPAA compliance a full year earlier — still have work to do. A recent survey of 1,200 privacy and security officers conducted by the American Health Information Management Association found that fewer than 25 percent felt their organizations were fully HIPAA compliant.
Since large companies have greater resources and typically more robust compliance operations, it’s doubtful that smaller companies could have fared much better in meeting their April 14, 2004, deadline. Despite the one-year extension for compliance, many employers may still be struggling to reach their HIPAA goals — or wondering what they may have missed.
Paying the piper
The penalties for noncompliance can be steep. Civil fines are $100 per violation, but if personal medical information is intentionally released with the goal of inflicting harm, criminal penalties are up to $500,000 and 10 years in jail.
Heavy-duty enforcement efforts notwithstanding, most employers are eager to ensure that their employees receive the personal privacy they deserve. In addition to engaging legal support, many are working closely with their insurers, brokers and others to ensure that both the spirit and letter of HIPAA are met.
And although prefabricated HIPAA compliance kits are popular with many smaller employers, there is no substitute for a rigorous process that benefits from expert advice.
The fully insured factor
For plans providing benefits solely through insurers and HMOs, the impact of HIPAA’s Privacy Rules are fairly minimal. This assumes that the plans and plan sponsors don’t create or receive any personal health information other than “summary health information” for limited purposes or enrollment information.
Fully insured plans meeting this definition do not need to name a privacy officer, deliver a privacy notice (this is the insurer’s responsibility) or create and provide training on special privacy policies or procedures. However, they should consult their professional advisers about how the privacy rules might impact them.
Because the HIPAA burden is substantially greater for insured customers who create or receive personal health information, insurers will generally shield these customers from any nonsummary health information.
HIPAA check for the self-insured
HIPAA rules are more complex for self-insured companies, including those that only partially underwrite their health plans. If you are one of these employers, chances are you have already made significant progress on HIPAA compliance or may even be 100 percent completed.
However, if the April 14th deadline passed and you’re worried you may be risking fines or penalties, ask the following questions. Has your company:
- Created procedures to ensure secure handling of personal health information?
- Trained the right people to ensure that these procedures are followed to the letter?
- Appointed a privacy officer to oversee and document HIPAA compliance and ensure that complaints are handled appropriately?
- Ensured that those with whom you do business — such as vendors and business partners — understand your policies and have agreed to follow them?
- Given each plan participant a notice describing your privacy practices so that they understand how their personal health information will be handled?
- Revised your plan documents to describe in detail how you will use and disclose health information?
If you answered yes to these questions, chances are you’re on your way to HIPAA compliance. If you answered no, it might be wise to contact your legal counsel, broker or other professional adviser to square things away.
Either way, remember that HIPAA deadlines, unlike those dreaded tax deadlines, were not designed to be an end point but a starting point — for a continuing effort to preserve and protect your employees’ privacy.
Michael Eve is general manager for Aetna’s North Central Region, covering 16 states. He has responsibility for the customer segment representing all employers with 51 to 300 employees. With more than 22 years of insurance experience in finance, sales and service, network contracting and administration, he has an in-depth knowledge of the employee benefits business. Reach him at (312) 928-3397 or [email protected].