Indiana employers have struggled in their efforts to understand and comply with the HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule, a new and complex federal regulation that radically changes how certain entities may use or disclose protected health information.
Although this law continues to evolve, it is clear that most Indiana employers will be affected and need to undertake significant efforts to ensure compliance.
Here are three key components of the Privacy Rule that you should be familiar with.
Employer health plans must comply
If your company maintains a partially or fully self-funded group health plan, you need to make sure your plan complies with the Privacy Rule. Large health plans, those with annual receipts in excess of $5 million, were required to comply last year. All employer health plans must comply no later than April 14, 2004.
Virtually all Indiana employers offer health flexible spending accounts that must comply with the Privacy Rule. In addition, many offer self-funded medical, prescription drug, dental, vision, employee assistance, long-term care and medical reimbursement plans that are required to comply.
Note that, with respect to your company’s self-funded health plans, it is unlikely that your third party administrator (TPA) or insurance company will assume this obligation for the company. Rather, your company will need to retain legal counsel to ensure that these plans comply.
Requirements imposed by the Privacy Rule
Your company has several obligations under the Privacy Rule. For example, employer health plans need to appoint a privacy official, develop policies and procedures governing the use and disclosure of health information, and negotiate business associate agreements with their vendors. Employer health plans will also need to distribute a notice of privacy practices to all participants in the plan informing them of their rights under this new federal regulation.
This notice must be distributed no later than April 14, 2004. The Privacy Rule also requires employer health plans to provide HIPAA training to designated members of the work force.
Penalties for noncompliance
The penalties for failing to comply could be harsh. In extreme situations, violators may be subject to fines of up to $250,000 and terms of imprisonment of up to 10 years. Fortunately, the Department of Health and Human Services is required first to seek informal compliance prior to the imposition of any civil or criminal penalties.
The federal government has indicated that the Privacy Rule is necessary because medical records are now being transmitted electronically, and the risk of unintended disclosures has dramatically increased. For example, an individual’s personal medical record could be posted to the Internet for the entire world to see with the simple click of a button.
The risks are real, and the potential harm to individuals is great. Nevertheless, it remains to be seen whether the Privacy Rule will be implemented in a way that will provide a practical solution to this problem, or whether it is merely another regulatory burden and expense for Indiana employers to bear.
Jim Hamilton ([email protected]) is an employee benefits attorney with Bose McKinney & Evans LLP in Indianapolis. Hamilton is the co-author of “What Indiana Employers Need to Know About the HIPAA Privacy Rule,” published by the Indiana Chamber of Commerce. Reach him at (317) 684-5000.