Are you HIPAA Compliant?

A closer look at HIPAA
By - Matt Sears, Senior Vice President
Athens Benefits Insurance Services, Inc.
A division of The Jenkins Athens Group

HIPAA. Perhaps one of the most significant laws in recent memory; certainly one of the most complex. While this short article won't make anyone an expert, it will, hopefully, demystify this wide ranging set of laws and put you on the path towards compliance.

First, let's answer the question; "What is HIPAA?" HIPAA stands for the Health Insurance Portability and Protection Act of 1996. Although it purports to regulate health insurance, HIPAA provisions extend far beyond insurance. HIPAA introduced broad disclosure and privacy requirements. It also established civil and criminal penalties for each violation (up to $25,000 per person per year in civil penalties and up to $250,000 in criminal fines - along with imprisonment).

Title I of HIPAA deals with portability and special enrollment rights for health plans. Those conditions must have been incorporated into your plans by now (original compliance date was 1997). Title II of HIPAA governs a wide ranging set of conditions called, "Administrative Simplification". For those charged with compliance, the notion that HIPAA simplifies anything qualifies as "dark humor". Administrative simplification attempts to create a uniform system for processing and retention of health information and ensuring the security of that information.

For the purposes of this article, we're only concerned with those portions of the law impacting most employers...privacy. Notably the privacy of personal data defined by HIPAA as "Protected Health Information" or "PHI" - information that is personally identifiable. In the broadest summary possible, key components of HIPAA privacy requirements for a plan sponsor are fairly straightforward:

ØGenerally, the employer (Plan Sponsor) is not a HIPAA "Covered Entity" - the Health Plan is. For fully insured plans, this typically means the health insurer, HMO, EAP provider, etc.
ØAs the Covered Entities, health plans bear the brunt of compliance requirements (your responsibilities become exponentially larger as the quantity of data you receive increases)
ØMeet with every service provider, or ensure that your broker or consultant has reviewed compliance requirements with each
ØUse protected health information only for needed administration of the benefit programs (HIPAAspeak: "Treatment, Payment and Health Care Operations)
ØCollect (and release) only the minimum data required to "do the job" (e.g. enroll an employee, file claims, etc.)
ØRestrict the data to those persons who absolutely must use it
ØEstablish "firewalls" and safeguards to protect the data (separate locked files, restricted access, password protect systems)
ØAppoint a Privacy Official (not required for fully insured plans that never receive PHI)
ØCreate a Privacy Policy and distribute a Privacy Notice to participants
Ø"Scrub" personally identifiable data from communications pieces, ID Cards, etc.

HIPAA, like COBRA before it, will continually change as new rules and regulations are released (for example, the U.S. Dept. of HHS has yet to release enforcement rules for HIPAA). Ongoing compliance will require vigilance in remaining up to date on the changing laws. It's vital your broker/consultant proactively work with your organization to review plans, identify problems and provide ongoing education to maximize the performance of your benefit plans.