Employee Benefits Advisory Bulletin

HIPAA Security Rules Compliance Deadline Fast Approaching!
Small group health plans must comply by April 20, 2006

By Jason T. Froggatt and Sarah L. Bhagwandin
[February 2006]

Any employer that sponsors a group health plan that creates, maintains, or transmits protected health information electronically must comply with the security regulations issued pursuant to the Health Insurance Portability and Accountability Act (the “Security Rules”). The Security Rules are intended to create national safeguards to protect the confidentiality, integrity, and availability of an individual’s health information that is maintained, stored, sent or received in an electronic format. These rules apply to medical, dental, and vision plans, as well as health flexible spending accounts and many employee assistance plans.

The deadline for small group health plans to comply with the Security Rules is April 20, 2006. Large group health plans were required to comply with the rules by April 20, 2005.

Unlike the privacy regulations, the Security Rules do not expressly carve out “fully-insured” group health plans. The Security Rules do create an exception for group health plans that have fewer than 50 participants and are administered by the employer that established and maintains the plan. For the purpose of the exception, “participant” includes any eligible employee, whether or not the employee actually is enrolled in the plan.


The Security Rules

The Security Rules relate to and build on the rules established by the privacy regulations of HIPAA. (The privacy regulations applied to small health plans on April 14, 2004, and to all other group health plans on April 14, 2003. See “HIPAA Compliance for Small Group Health Plans: Four Steps for Determining What You Need to Do”.)

The basic rule is that covered entities, including employer-sponsored group health plans, must (1) ensure the confidentiality, integrity, and availability of all electronic protected health information that the covered entity creates, receives, maintains, or transmits, (2) protect against any reasonably anticipated threats or hazards to the security or integrity of such information, (3) protect against any reasonably anticipated uses or disclosures that are not permitted or required by the privacy regulations, and (4) ensure the compliance of its workforce.

Examples of activities that are regulated by the rules include: email transmissions of protected health information; electronic records that are maintained, accessed, or transmitted in databases; information that is transmitted to or from a personal digital assistant (PDA); and the physical transport of any equipment that is used for electronic transfer, such as laptops or disks.


Documentation

The Security Rules contain a series of “Standards” and “Implementation Specifications” relating to security concerns. The Standards create a broad framework. Each Implementation Specification is designated as “required” or “addressable.” The required specifications must be incorporated into the procedures governing the administration of the group health plan. The addressable specifications must be implemented if reasonable and appropriate for the group health plan. If an addressable Implementation Specification is not reasonable and appropriate for the group health plan, the employer must document why and adopt a reasonable alternative.

In order to comply with the Security Rules, an employer must make sure that its group health plan complies with each Standard and Implementation Specification, and that compliance is documented. Employers that fail to properly document group health plan compliance may be at risk for civil or criminal penalties, or lawsuits from employees or former employees.


Compliance Plan

Each employer sponsoring a group health plan that creates, maintains or transmits electronic protected health information must take the following steps by April 20, 2006 (for small group health plans):

  1. Appoint a Security Official

  2. Conduct a Risk Assessment and develop a Risk Management Plan

  3. Adopt appropriate Safeguards

  4. Develop Policies and Procedures

  5. Conduct appropriate Training and Awareness Programs

  6. Adopt a Sanctions Policy

  7. Amend the health plan document, if the plan sponsor receives electronic protected health information

  8. Update or adopt business associate contracts to include the HIPAA Security Rules

A complete list of the action items for employers, as well as a description of the Standards and Implementation Specifications, is available in the HIPAA Compliance Assessment Checklist.

For information about how Davis Wright Tremaine LLP can assist with your group health plan HIPAA Security Rules compliance efforts, click here.

For information about The HIPAA Security Rules: A Blueprint for Compliance, a self-help resource for employers complying with the HIPAA Security Rules, click here.

For more information, please contact:

Jason T. Froggatt
Seattle, Washington
(206) 628-7629
jasonfroggatt@dwt.com

Sarah L. Bhagwandin
Seattle, Washington
(206) 903-3959
sarahbhagwandin@dwt.com


This Advisory is a publication of the Employer Services Department of Davis Wright Tremaine LLP. Our purpose in publishing this Advisory is to inform our clients and friends of recent developments in employment law. It is not intended, nor should it be used, as a substitute for specific legal advice as legal counsel may be given only in response to inquiries regarding particular situations.

Copyright © 2006, Davis Wright Tremaine LLP.
