HIPAA Security Rules Small Health Plan Compliance Deadline: April 20, 2006
Many Health Plans Remain Out of Compliance!
By Jason T. Froggatt and Sarah L. Bhagwandin
[April 2006]
Any employer that sponsors a group health plan that creates, maintains, or transmits protected health information electronically must comply with the security regulations issued pursuant to the Health Insurance Portability and Accountability Act (the “Security Rules”). The Security Rules apply to medical, dental, and vision plans, as well as health flexible spending accounts and many employee assistance plans.
The deadline for small group health plans to comply with the Security Rules is April 20, 2006. Large group health plans were required to comply by April 20, 2005. Many employers have not yet completed, or perhaps even begun, their compliance efforts because both the scope of the Security Rules (which plans they reach) and the obligations they impose are confusing.
Insured Plans Compliance Obligations
Your insured health plans may have compliance obligations under the HIPAA Security Rules.
Unlike the privacy regulations, the Security Rules do not expressly carve out "fully-insured" group health plans that receive only limited information. If any plan administration function is performed on behalf of your insured health plan by the plan sponsor or by any entity other than the insurer, and that function involves the use of electronic protected health information, the plan must comply with the HIPAA Security Rules. Because even information as routine as enrollment and disenrollment data counts as electronic protected health information ("e-PHI") when it is maintained in electronic form, most group health plans will have compliance obligations under the HIPAA Security Rules.
Below are examples of plan administration functions that may trigger compliance obligations:
COBRA Administration. COBRA administration, such as distributing the COBRA election notice to plan participants.
Advocacy. Advocating on behalf of employees to the insurer regarding any issue, such as eligibility and payment of claims.
Flexible Benefits Plan Administration. Administering changes in election for your flexible benefit plan in connection with the change of status rules.
What are the HIPAA Security Rules?
The Security Rules relate to and build on the rules established by the privacy regulations of HIPAA. (The privacy regulations applied to small health plans on April 14, 2004, and to all other group health plans on April 14, 2003. See "HIPAA Compliance for Small Group Health Plans: Four Steps for Determining What You Need to Do".)
The basic rule is that covered entities, including employer-sponsored group health plans, must (1) ensure the confidentiality, integrity, and availability of all electronic protected health information that the health plan creates, receives, maintains, or transmits, (2) protect against any reasonably anticipated threats or hazards to the security or integrity of such information, (3) protect against any reasonably anticipated uses or disclosures that are not permitted or required by the privacy regulations, and (4) ensure the compliance of its workforce.
Examples of activities that are regulated by the rules include: email transmissions of protected health information; electronic records that are maintained, accessed, or transmitted in databases; information that is transmitted to or from a personal digital assistant (PDA); and the physical transport of any equipment used for electronic transfer or storage, such as laptops or disks.
Compliance Plan
Each employer sponsoring a group health plan that creates, maintains, or transmits electronic protected health information must take the following steps (by April 20, 2006, for small group health plans):
- Appoint a security official
- Conduct a risk assessment and develop a risk management plan
- Adopt appropriate safeguards
- Develop policies and procedures
- Conduct appropriate training and awareness programs
- Adopt a sanctions policy
- Amend the health plan document, if the plan sponsor receives electronic protected health information
- Update or adopt business associate contracts to include the HIPAA Security Rules
A complete list of the action items for employers, as well as a description of the Standards and Implementation Specifications, is available in the HIPAA Compliance Assessment Checklist.
Davis Wright Tremaine LLP can assist with your group health plan HIPAA Security Rules compliance efforts.
The HIPAA Security Rules: A Blueprint for Compliance is a self-help resource for employers complying with the HIPAA Security Rules.
This Employment Law Advisory is a publication of the Employer Services Department of Davis Wright Tremaine LLP. Our purpose in publishing this Advisory is to inform our clients and friends of recent developments in employment law. It is not intended, nor should it be used, as a substitute for specific legal advice, as legal counsel may be given only in response to inquiries regarding particular situations.
Copyright © 2006, Davis Wright Tremaine LLP.