FINAL PRIVACY RULES UNDER
HIPAA AND THEIR IMPACT ON HOW
EMPLOYERS HANDLE EMPLOYEE
HEALTH INFORMATION
January 2002
General Overview
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) includes
provisions requiring safeguards to protect the security and confidentiality of
personal health information (PHI) created and maintained by “covered entities”.
The Department of Health and Human Services (HHS) issued final privacy
regulations in December 2000 to implement these privacy provisions, which went
into effect on April 14, 2001. The regulations, over 1,500 pages in length, are
very extensive and complex. Because of the complex mandates, most covered
entities have two full years, until April 14, 2003, to comply with them.
The privacy rules prohibit covered entities from using or disclosing
individually identifiable PHI absent a specific form of permission from the
patient, unless the rules specify that permission is not required. PHI is
broadly defined and includes electronic records, paper records and oral
communications. The entities covered by the rules are health care providers,
insured and self-insured health plans and health care clearinghouses. While
employers are not, as a whole, a “covered entity”, they may be indirectly
covered by virtue of the fact that most employers sponsor health plans. In this
regard, self-insured employers are significantly affected by the rules.
Further, covered entities that supply PHI to third parties are required to
contractually obligate them to follow the HIPAA rules. Under what the HIPAA
rules refer to as “business-associate agreements”, employers would be required
to safeguard the confidentiality of the health information they receive or
utilize in the same fashion as the covered entity itself. Therefore, as a
practical matter, employers receiving medical information concerning their
employees will need to become compliant with the HIPAA privacy regulations.
What The Rules Mean For Employees
All employers who come in contact with health information in the process of
administering benefit plans are considered “affected entities” that will be
indirectly regulated by HIPAA.
For employers who have insured health plans, the responsibility for complying
with the privacy rules rests generally with the health insurers. However, such
employers may still want to familiarize themselves with the privacy regulations
to determine what actions they may need to take to assure compliance with regard
to their receipt and use of the PHI of their employees.
Actions self-insured employers may need to take include:
· Review and amend plan documents to include privacy provisions required under
the rules;
· Assure that they enter into “business-associate agreements” with entities
with whom they share PHI (third-party administrators, managed care
organizations and the like) (note: the content requirements of these agreements
are lengthy and detailed);
· Adopt written privacy policies and procedures and appoint an individual
(privacy officer) responsible for implementing them and training employees
involved in handling PHI;
· Obtain required permission from participants before disclosing or using their
PHI (note: the privacy rules distinguish “consent” from “authorization”; a
“consent” is a less restrictive, generally worded form of permission sufficient
for the release of PHI for purposes of payment, treatment and health care
operations, while a more formal, restrictive form of permission
(“authorization”) is required when PHI is disclosed or used for all other
purposes);
· Separate health plan administration from other general corporate functions,
including ERISA benefit plan administration.
Penalties for Violating HIPAA’s Privacy Rules
The HIPAA rules provide for significant penalties for covered entities that
misuse PHI, including civil money penalties of $100.00 per person, per violation,
up to $25,000 per person, per year for each requirement or prohibition violated,
and federal criminal penalties ranging from $50,000 in fines and one year in
prison to $250,000 in fines and 10 years in prison, depending upon the type of
violation.
Individuals do not have the right to bring an individual action for violation of
HIPAA privacy rules. Instead, the HHS Office of Civil Rights enforces the
rules. However, employees/participants may file common law actions for claims
such as invasion of privacy using the HIPAA standards as a basis for the action.
Conclusion
Although not directly named as covered entities under the HIPAA privacy rules,
most employers are subject to their coverage. Therefore, they should become
familiar with the rules, analyze how they use protected health information, and
determine what changes need to be implemented in their particular organization
to comply with the rules.