HIPAA Portability and Privacy
Source: Employee Benefits Institute of America LLC (EBIA)

HIPAA Applies to Most Group Health Plans
HIPAA's portability requirements (including pre-existing condition exclusion (PCE), special enrollment, and non-discrimination requirements) generally apply to group health plans and issuers of group health plan coverage. This means that both the plan itself and the insurer (if any) are obligated to comply. HIPAA's privacy requirements apply to "covered entities", a term that means health plans, health care clearinghouses, and health care providers that conduct certain transactions electronically. Thus, a group health plan will be required to comply with HIPAA's portability and privacy requirements unless an exception applies.

A "health plan" is a plan that provides (or pays the cost of) medical care.

A "group health plan" is a health plan maintained by an employer.


HIPAA contains exceptions for some types of plans, including:
  • Exempt From HIPAA. Plans providing only certain incidental types of coverages, including accident, disability income, liability insurance, and workers' compensation are exempt from HIPAA.
  • Exempt From HIPAA's PCE, Special Enrollment and Nondiscrimination Requirements. HIPAA's PCE, special enrollment and nondiscrimination rules do not apply to plans with fewer than two employees, plans providing limited-scope dental or vision benefits under a separate insurance policy or where coverage is elected by participants separately from the medical coverage, and health FSAs, if certain requirements are met.
  • Exempt From HIPAA's Privacy Requirements. Self-administered, self-funded group health plans with fewer than 50 participants are not required to comply with HIPAA's administrative simplification rules, including its privacy requirements. This exclusion will not apply to a self-funded health plan that uses a third-party administrator (TPA).

Consequences of Failing to Comply With HIPAA
Employers and insurers that do not comply with HIPAA will face monetary penalties and lawsuits. When enforcement action is taken against a plan, the employer sponsoring the plan is generally held responsible.

HIPAA is jointly enforced by the IRS, the Department of Labor (DOL) and the Department of Health and Human Services (DHHS).

  • The IRS may assess an excise tax penalty for a group health plan's failure to furnish certificates and for other failures to comply with HIPAA's PCE, special enrollment and nondiscrimination requirements. The excise tax amount is $100 per day of non-compliance for each individual to whom the failure relates. The penalty is imposed on the sponsoring employer.
  • The DOL is actively auditing plans for compliance with HIPAA's PCE, special enrollment and nondiscrimination requirements, and it may bring a civil action against an employer or insurance issuer to enforce these requirements.
  • DHHS can impose civil penalties for violation of HIPAA's administrative simplification (including privacy) provisions of up to $100 per violation, with the total amount imposed on a person for all violations of an identical requirement during a calendar year not to exceed $25,000. The maximum relates to each separate type of violation, and compliance failures most likely would violate numerous HIPAA provisions. DHHS also enforces the HIPAA requirements that apply to insurance issuers.
  • Criminal penalties may apply if a person knowingly uses or discloses individually identifiable health information in violation of HIPAA.

In addition, plan participants and beneficiaries can bring private lawsuits to enforce HIPAA's PCE, special enrollment and nondiscrimination provisions, and can file a complaint with DHHS's Office for Civil Rights if they believe that an entity is not complying with HIPAA's privacy requirements. Participants and beneficiaries may also have a claim under ERISA if an employer fails to follow the terms of any privacy obligations set forth in a plan document.

HIPAA Privacy Rules in Practice: Three Plan Sponsors
The compliance burden imposed on group health plans and their sponsors under the privacy rules varies depending upon the role of the plan sponsor in plan administration.

1. Fully-Insured Group Health Plan/Employer Is "Hands-Off" the PHI (Protected Health Information)

If a group health plan provides health benefits only through an insurance contract and does not create, maintain, or receive PHI, the vast majority of administrative burdens imposed by the privacy rules do not apply to the plan or the plan sponsor. By taking this approach, both the plan and the plan sponsor avoid having to:

  • comply with the use and disclosure rules;
  • provide individuals with the right to access, amend, and receive an accounting of PHI;
  • prepare and provide a privacy notice; and
  • comply with the administrative safeguards (other than the prohibitions against retaliatory acts and against requiring a waiver of HIPAA rights).

Instead, these requirements will be imposed upon the insurer. The plan sponsor must be careful not to become so involved in plan administration that it inadvertently obtains PHI. It may, however, engage in the following activities:

  • Provide employees with assistance in claim disputes or in understanding their plan (although generally, the plan sponsor must obtain the individual's authorization in order to have access to that individual's PHI).
  • Receive summary health information from an insurer for the limited purposes of obtaining premium bids or modifying, amending, or terminating the plan. The plan's notice of privacy practices (which should be provided by the insurer) should inform participants that the plan may disclose this type of information to the plan sponsor. And the minimum-necessary standard applies to such disclosures.
  • Perform enrollment and disenrollment activities and payroll deductions. Plan sponsors may receive PHI for the purposes of performing enrollment and disenrollment functions without having to comply with the plan document and firewall requirements otherwise required when a group health plan shares PHI with a plan sponsor.

2. Insured Plan Sponsor Is "Hands-On" the PHI

If an insured plan sponsor wishes to have access to PHI (in addition to summary information and enrollment/disenrollment information), then additional requirements apply to both the plan and the plan sponsor. The plan itself will need to:

  • provide individuals with rights to review, amend, and receive an accounting of their PHI;
  • prepare a privacy notice, except that the plan will only need to provide the notice to participants upon request; and
  • comply with the administrative safeguards.

The plan will also need to obtain a certificate from the plan sponsor indicating that the plan documents have been amended and the firewall put in place to protect the disclosed PHI. The plan sponsor will need to comply with the plan document and firewall requirements and provide a certification to the plan that these requirements have been satisfied.

3. Self-Funded Group Health Plans and Their Sponsors

In contrast, a self-funded group health plan will be required to:

  • provide individuals with rights to review, amend, and receive an accounting of their PHI;
  • prepare and provide a privacy notice; and
  • comply with the administrative safeguards.

Reminder: Exception for Small, Self-Funded, Self-Administered Plans.
Self-funded, self-administered plans with fewer than 50 participants are not required to comply with these requirements.


The privacy standards do not clearly address how the administrative obligations imposed upon the plan (e.g., appointing a privacy officer) are to be satisfied. In many cases, the plan sponsor's legal role as plan administrator will cause the plan sponsor itself to perform these functions on behalf of the plan. For example, if plan sponsor personnel are servicing the plan, then the employer must satisfy the plan's administrative obligations with respect to those employees.

Other requirements will apply directly to the plan sponsor if it has access to PHI. For example, if the plan intends to provide to the plan sponsor PHI other than summary information and enrollment/disenrollment information, then the plan sponsor will be responsible for amending the plan document, creating a firewall to protect the information, agreeing to limitations on the use of the information, and providing individuals with rights (access, amendment, and accounting) with respect to their own PHI.

A plan sponsor whose self-funded group health plan is administered by a TPA, and who does not have access to PHI other than summary information and enrollment/disenrollment information, may be able to avoid the privacy notice and some of the administrative safeguard requirements of HIPAA. This is because the plan sponsor itself is not a covered entity and would not be obligated to comply with the HIPAA privacy requirements as a covered entity.

Caution When Assessing Plan Sponsor's Access to PHI:
It is difficult to imagine a situation in which the sponsor of a self-funded plan is entirely "hands-off". In most cases, the plan administration obligations retained by the plan sponsor require some degree of access to PHI. For example, most TPA arrangements require that the plan sponsor serve as the ultimate claims fiduciary for appeal purposes. Serving in such a role would almost certainly require access to PHI—and compliance with the plan document and firewall requirements.


However, the plan itself will need to provide a privacy notice and implement the personal protections and administrative safeguards required by HIPAA. Although the privacy standards are not clear on this point, it seems that a plan could satisfy many of these requirements by requiring its TPA to perform the required functions on behalf of the plan. However, we think that few TPAs will assume complete responsibility for overall privacy compliance, and few plan sponsors will be comfortable in giving up complete control to a TPA.

Caution When Delegating Plan's Obligations:
Even if the plan has a contract with its TPA that obligates the TPA to perform the plan's privacy functions, the plan is still on the hook if the TPA fails to perform. (Of course, the TPA or other third party also might be faced with liability under its contract with the plan.) And it is possible that a court could, as a legal matter, hold the plan sponsor responsible for the plan's failure to comply.

© 2003 SecureOne, Inc. All Rights Reserved.