Employers, Are You Ready for April 14th?

Volume 2, Issue 2
March 19, 2003

U.S. employers have less than one month left before the April 14th deadline for compliance with HIPAA's privacy reforms, deemed by one author "one of the most significant compliance burdens facing employers in many years." This article addresses how HIPAA's new privacy requirements will affect employers.

What Do These New Privacy Requirements Protect?

HIPAA's privacy regulations are chiefly concerned with the communication of "private health information." Private health information is any information created by an employer, health care provider, or health plan that relates to the past, present or future physical or mental health of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual. Thus, employers that offer group health plans will be subject to the new privacy regulations, to the extent that they create and/or use private health information.

The following types of information are considered private health information when held by an employer in its capacity as a group health plan (i.e., when it is using information in order to provide current or future health treatment to an employee):1

  • Name, address, birth date, marital status, dependent information, and SSN

  • The individual's choice of health plan

  • The amount of premiums/contributions for coverage of an individual

  • Whether the individual is an active employee or retired

  • Whether the individual is enrolled in Medicare

The regulations do not affect the communication of "summary health information," information that excludes individual names and identifying information. This information can be used by employers, without employee consent, for certain limited functions, e.g., obtaining insurance bids.

It should also be noted that the definition of private health information specifically exempts information that is held by an employer in its capacity as an employer (and not in its capacity as a group health plan). Thus, none of the following is subject to HIPAA's privacy rules:

  • FMLA records

  • ADA records

  • Records relating to occupational injury (OSHA records)

  • Records relating to disability insurance eligibility

  • Records relating to sick leave requests and justifications

  • Drug screening results

  • Workplace medical surveillance

  • Fitness for duty test results

  • Records related to alcohol and drug-free workplace policies

Which Employers Are Covered by the New HIPAA Privacy Rule?

While employers are not directly covered by the regulations, health plans are covered. Thus, most employers who offer group health plans will be indirectly subject to the HIPAA Privacy Rule.2

Employers should first determine if their health plans fall under the statutory definition of "Group Health Plan." Essentially, the only group health plans that are not covered by the rule are those that are self-administered and have fewer than fifty (50) participants. All other plans will have some level of compliance to achieve.

What Will My Compliance Burden Be?

It depends. Many employers will be able to reduce their compliance burden by working together with their health insurance issuer or HMO to jointly comply with the HIPAA requirements. The rules call this an OHCA, or Organized Health Care Arrangement. Thus, your first step in achieving compliance should be to contact your health insurance issuer or HMO to determine if an OHCA is feasible.

Not all group health plans have the same compliance burdens. An individual employer's compliance burden will depend on whether the group health plan is fully-insured or self-insured, what kind of information the group health plan receives (private vs. summary health information), and what the plan does with the information it receives.

Group Health Plans (employers) will face compliance burdens in five separate areas:3

1) Privacy Notice

The group health plan must provide all participants with written notice of the plan's privacy policies and procedures. If an employer's benefits are completely insured, the notice should be supplied by the employer's insurance company or HMO.

2) Use & Disclosure Requirements

A group health plan may not use or disclose an individual's private health information except as permitted or required by the regulations, without written authorization from the individual.

3) Individual Rights

Employees/group health plan participants enjoy each of the following five (5) rights with respect to their private health information:

  • Right to receive a copy of the privacy notice

  • Right to request restrictions on use/disclosure of confidential communications

  • Right of access (a participant has a right to see his private health information as held by the plan/employer)

  • Right to request an amendment (i.e., that his or her protected health information be amended or changed, if in his or her view the information is inaccurate)

  • Right to an accounting (i.e., a list of certain instances where private health information has been disclosed to other entities)

4) Administrative Requirements

Group health plans must:

  • Maintain and provide the required privacy notice

  • Designate a privacy official (responsible for developing and implementing the group health plan's privacy policies and procedures)

  • Train the workforce responsible for administering the group health plan

  • Implement safeguards to guard against improper disclosure of private health information

  • Implement a complaint process and sanctions for employees that misuse private health information

  • Mitigate harm (in case of accidental disclosure of private health information)

  • Ensure that no intimidation or retaliation occurs for exercise of individual rights under HIPAA

  • Ensure that no waiver of rights occurs

  • Implement policies and procedures (detailing the plan's safeguards)

  • Document and maintain all communications and actions related to the individual's private health information

  • Contract with "Business Associates" (service providers who may use, disclose or create private health information)

5) Plan Amendments

Plan amendments must include the following to comply with the new HIPAA privacy rules:

  • Purposes for which private health information will be disclosed to plan sponsors

  • Assurances that the plan sponsor will provide certification before the plan discloses information to the plan sponsor

  • Safeguards between the group health plan and the plan sponsor

  • Classes of employees that will have access to protected health information

  • Assurances that access to and use of protected health information will be limited to plan administration

  • A mechanism for resolving non-compliance

  • Assurances that the plan sponsor will not use or disclose private health information except as specified

  • Assurances that the plan sponsor will not use or disclose private health information for employment-related purposes

  • Assurances that the plan sponsor will report any inconsistent acts to the group health plan

  • Assurances that the plan sponsor will honor individual rights to protected health information

  • Assurances that the plan sponsor will make books and records containing protected health information available for HHS audits

  • Assurances that the plan sponsor will return or destroy protected health information if feasible (ERISA may not allow this in many cases)

The foregoing is only a brief summary of the compliance obligations which HIPAA will impose on employers. Should a specific situation arise, or if you need further information, please contact us.

1 The privacy regulations distinguish between the employer acting in its capacity as a group health plan and its capacity as an employer. One example of the effect of this distinction is that of a drug test. Normally, the results of an employee's drug test would only be allowed to be communicated to and among those portions of the employer that constitute the "group health plan." If, however, employment is conditioned upon passing the drug test, the employer will have a right to receive the information in its capacity as an employer, allowing access to the information for personnel outside the "group health plan" portion of the employer.

2 The rule does provide an extra year for compliance for those health plans whose annual premiums are $5 million or less (i.e., compliance must be achieved for these plans by April 14, 2004).

3 We have sought to be thorough in an attempt to provide information to those employers who are self-insured, or will not be involved in an OHCA and will thus face a higher compliance burden. Those employers in an OHCA will not necessarily face as detailed a compliance burden as discussed below. Health insurance issuers and HMOs can and should satisfy much of the compliance burden for the group health plans they administer.

KZA Employer Report articles are for general information only; they are not intended and should not be construed to be legal advice. Reading or replying to such articles does not establish an attorney-client relationship. In addition, because the subject matters and applicable laws discussed in Employer Report articles are often in a state of change and not always applicable to every type of business entity or organization, readers should consult with counsel before making decisions based on the same.