It's a common misconception: Employers have been lulled into thinking that the strict privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA) apply only to health care providers and insurers. The truth is that any employer that sponsors anplan covered by ERISA must comply with those privacy rules as long as the plan has 50 or more participants or is administered by a third-party provider.
The rules represent a sea change in the handling of health-related information. And the race is on to comply before the deadline of April 14, 2003. For small employers and small health plans ($5 million or less in annual receipts), the deadline is April 14, 2004. Also, Congress did extend the deadline for compliance of certain electronic communication and transactions from Oct. 16, 2002, to Oct. 16, 2003.
Your company could bump up against HIPAA's privacy rules any time it exchanges a person's individually identifiable health information, such as when an employee with a chronic illness contacts the HR department to ask about a claim.
Considering that noncompliance can erupt into civil and criminal penalties, not to mention invasion of privacy lawsuits, it's important that employers make sure their policies are in line with the new requirements.
Don't disclose identifiable data
Although it took regulators 1,500 pages to explain it, the basic privacy premise of HIPAA is pretty straightforward: Organizations that have personal information related to an individual's health care (or payment for health care) can't disclose it, except directly to the employee, to the government for certain purposes (public health or abuse/fraud prevention) or if there's a signed consent form to carry out treatment, payment or health care operations.
The rules cover personally identifiable information, where the health care data can be linked to a person's name, Social Security number, employee number or other identifier. It's legal to disclose summarized data that can't be linked to any specific person.
Gone are the days when an employer could simply call its health plan or a health care provider to get that information freely. Employers, doctors and health plans must now make a reasonable effort to limit the release of health information to the minimum amount of information necessary.
Meanwhile, state laws also play a role. Many states have developed their own health-information protections. HIPAA's standards generally pre-empt state law unless the state rules are stricter.
What you should do
Take these steps:
- Beef up administrative, technical and physical safeguards for health care data. Example: Put up "firewalls" between plan-related uses and employment-related uses. "The typical dual model of HR staff who handle both employment and benefits-related data will likely not survive HIPAA," warns Thomas S. Schroeder, a partner and specialist in health care law at Faegre and Benson LLP in Minneapolis.
- Amend health plan documents to spell out the rules.
- Train employees and name a privacy officer. HIPAA requires employers to assign staff to develop and implement HIPAA policies, including designating a privacy officer.
- Police any business associates with whom your organization shares protected health information, such as technology vendors and plan administrators, and rewrite contracts to assure that third parties are in full compliance with HIPAA. Reason: Employers can be liable for the violations of business associates if they disclose protected information.
For answers on common questions surrounding this sleeping giant, visit the government's two main HIPAA Web sites at www.hhs.gov/ocr/hipaa and http://aspe.hhs.gov/admnsimp.
Like what you've read? ...Republish it and share great business tips!
Attention: Readers, Publishers, Editors, Bloggers, Media, Webmasters and more...
We believe great content should be read and passed around. After all, knowledge IS power. And good business can become great with the right information at their fingertips. If you'd like to share any of the insightful articles on BusinessManagementDaily.com, you may republish or syndicate it without charge.
The only thing we ask is that you keep the article exactly as it was written and formatted. You also need to include an attribution statement and link to the article.
" This information is proudly provided by Business Management Daily.com: http://www.businessmanagementdaily.com/619/hipaa-health-care-privacy-rules-they-do-apply-to-you "
- Counter retaliation claims by tracking PHRC and EEOC filings, internal complaints
- Using Independent Contractors? Here's how to make the call
- Independent contractor or employee? How to make the call
- Walking competition generates ROI of 10 times the cost
- Check for retaliation before disciplining employee who requested ADA accommodations