Health Information Must Stay Private

The clock is officially ticking. If your company has at least 50 employees,and you offer health benefits to them, you’re required to comply with HIPAA,the Health Insurance Portability and Accountability Act of 1996. On April 14,2003, HIPAA’s privacy rules regarding Protected Health Information go into effect–and if your companyisn’t well on its way to compliance, HR should jump-start the effort. John A.Knapp, a senior member of the health law group at Cozen O’Connor inPhiladelphia, offers advice.

What should HR professionals know about HIPAA?

It came out of the failed health-care reform effort of the Clintonadministration. In the early 1990s there was a lot of concern about people whowere restrained in moving from one employer to another because they were afraidof losing their health insurance due to pre-existing conditions. So although theoverall health-reform efforts failed, one of the things that came out of thoseefforts was this bill, which was aimed at allowing the portability of healthinsurance by preventing insurers from imposing requirements about pre-existingconditions when you move from one employer to another. At the time, employerswere concerned that this was going to lead to an increase in health insurancecosts. So there was an effort made to reduce costs in the health-care system asa way of offsetting the increased costs caused by these portabilityrequirements.

 

How was this done?

People quickly identified the amount of administrative expense throughout thehealth-care system caused by inefficient communications. For example, there aremore than 400 different formats in use throughout the country by whichhealth-care providers and insurers exchange information related to servicesprovided and payments made. So HIPAA contained within it a set of provisionsunder its administrative simplification section. The goal was to simplify theprocess by which health-care providers and health-care payors communicate witheach other. This will have a very dramatic effect. It’s going to standardizein one electronic format all of the information that gets exchanged. Now,Congress recognized that this was going to result in enhanced flow ofindividually identifiable health information in electronic format. There wasconcern that this would increase the risk of private health information beingimproperly disclosed. So part of the administrative simplification rules dealwith protective measures that health-care providers and payors have to take inorder to protect the privacy and security of this individually identifiablehealth information.

 

What do employers need to do regarding the privacy and security of healthinformation?

Since the plan has to deal with protected health information, HIPAA insiststhere be a firewall established. That can be established physically through useof things like security measures, computer passwords, firewalls, etc. Or it canbe implemented through policies, procedures, and training for people who handleprotected health information, to ensure that the HIPAA requirements areunderstood and followed. Organizations that have any form of self-insurance arerequired to appoint a privacy officer; oftentimes the privacy officer for theplan is going to be the head of HR or whoever oversees the plan.

 

What should the overall goal be?

The idea is to create a firewall between the plan and the employer, soprotected health information that the plan has access to is not communicated tothe employer for employment-related purposes. For example, someone who operatesthe plan might become aware that an employee is receiving health-care servicesfor cancer or a mental-health problem. That information cannot be communicatedto the employer because it might have an impact on a promotion decision orcompensation decision. So employers must establish the necessary barriers orfirewalls between the plan and the employer. The degree of these firewalls andpolicies and procedures varies based on whether the plan is self-insured. If anemployer offers health benefits to its employees but does so exclusively throughinsured products (you sign up through Blue Shield or Aetna) then there are stillHIPAA requirements, but they’re substantially less. But if the employer isself-insured in full or in part, even though they might use Blue Shield as athird-party administrator, then there are much broader requirements. If youoffer cafeteria plans that have health-benefit components, that’s a form ofself-insurance.

 

What else do the privacy rules require?

Employers are required to amend their ERISA plan to ensure that the employeracknowledges and respects this firewall that has to be created between the planand the employer. So there are going to be changes required to the ERISA plandocuments. Those plan documents, the amendment, may have to be filed with theIRS.

 

What about the security component of HIPAA?

The security rules are not yet out in final form [as of press time, they wereexpected in December]. They won’t become effective for two years after they’rereleased. So companies don’t have to worry about security, but they have tostart thinking about how to protect any electronically stored or transmittedinformation from improper use or disclosure. This may be as simple as physicallylimiting who has access to that information by the use of passwords, orestablishing that only certain computers allow access to this information. Or itcan be more sophisticated, with electronic firewalls and things of this nature.

 

Don’t employers also have to comply with HIPAA transaction standards?

If an employer’s health plan communicates with an insurer or third-partyadministrator electronically, then that communication must be done in accordancewith HIPAA’s standard electronic formats. So you’ve got to get your ISpeople involved and communicate with your insurers and find out how you need tonow interface with them. Those standards don’t go into effect until October2003, but you’re required to begin testing to make sure you’re on track forthat deadline by April 2003.

 

Any final thoughts on the privacy rules?

Small group health plans–those plans with less than $5 million per year ineither total health-care premiums or benefits paid out—have an additional yearto comply with the privacy rule, so they have until April 2004. As for the restof employers, most group health plans require some form of assistance fromlawyers, consultants, or others, to ensure they’re compliant by April 14,2003. If employers have not yet begun these compliance efforts, they shouldbegin them as quickly as possible, because there are penalties that, althoughthey’re likely to be moderate, could in some cases be as high as 10 years inprison and $250,000 in fines.

 

The information contained in this article is intended to provide useful information on the topic covered, but should not be construed as legal advice or a legal opinion. Also remember that state laws may differ from the federal law.

Workforce, January 2003, p. 64 — Subscribe Now!