HIPAA Privacy – It’s Here (Closer Than You Think)

06/03/2003

With the passing of April 14, 2003, large health plans (those with more than $5,000,000 in annual receipts) became subject to the privacy regulations issued under the Health Insurance Portability and Accountability Act (HIPAA).  However, more HIPAA deadlines loom on the horizon.  Specifically, by October 16, 2003, small health plans (plans with annual receipts of less than $5,000,000) as well as large health plans that requested the extension, must comply with the final regulations regarding standards for electronic claims transactions.  Additionally, small health plans must comply with the privacy regulations by April 14, 2004, and the benefits gained by taking early steps toward HIPAA compliance cannot be understated.

By October 16, 2003, all health plans must be able to transmit and receive certain transactions for claims in the standard electronic transaction format.  Additionally, health plans must make sure that their vendors are able to submit and receive electronic transactions in the standard format.

The privacy regulation’s requirements applicable to a health plan and its employer-sponsor will depend, in part, on whether the plan is fully-insured or self-insured and on the extent to which protected health information (PHI) is received by the plan.  The privacy regulations may require amendments to the plan document and adoption of policies ensuring the physical and electronic protection of protected health information received by the plan either in written or electronic form.  Additionally, the plan sponsor may be required to provide participants and beneficiaries with a notice describing how their protected health information will be used or disclosed by the plan.  Plan sponsors also may be required to enter into business associate agreements with plan vendors, third party administrators, network providers, their accountants, attorneys and large case management consultants, among others.  Sponsors of small health plans should evaluate their plans and the steps required for HIPAA privacy compliance now, in addition to ensuring that their health plans or vendors for their health plans are able to comply with the applicable standards for electronic claims transactions, where appropriate.

Haynes and Boone, LLP’s HIPAA Privacy Practice Group has developed a flexible compliance program that takes into account the specific requirements applicable to the individual plan.  The program allows us to team with the employer to develop an approach to addressing privacy compliance that utilizes the employer’s internal resources and supplements those resources, to the extent necessary, with the tools and expertise we have developed.  By providing questionnaires, training, forms and procedures to assist employers with compliance, the program permits employers to undertake significant portions of the privacy compliance process, if they desire. For more information, please visit our HIPAA Privacy website.  Additionally, you may contact any one of the attorneys listed below or any other member of the Privacy Practice Group listed under the Contacts for HIPAA Privacy on our website.

Email Disclaimer