Michigan Manufacturers Association


Michigan Manufacturing Insight : July/August 2002


Feature Articles

The HIPAA Privacy Rules: Are you Ready?

By Patricia F. Claire, M.P.A., J.D.

Employers have spent years battling escalating health insurance costs in order to maintain their group health plans.

Now, a new and important challenge has appeared on the horizon for employers who continue to provide group health plans. This challenge stems from the new HIPAA Privacy Rules protecting individually identifiable health information.

The timing and scope of the Rules are two critical issues for employers. The effective date is coming up fast, since the Privacy Rules have a target compliance date of April 2003 for many organizations. They affect all employers who sponsor a group health plan, whether fully insured or a self-insured alternative, even a medical reimbursement plan. Non-compliance with the Rules can have serious legal consequences including liability exposure, fines and imprisonment. 

This article will focus on providing a basic, condensed explanation of the extensive and complex Privacy Rules and their impact on employers. First, we’ll address how the Rules seek to protect employees’ individually identifiable health information (“protected health information” or “PHI”), since this is key to understanding how the Rules affect employers. How the Rules treat group health plans and affect the relationships of plans with their sponsoring employers and with service providers will then be outlined.

What are the HIPAA Privacy Rules all about? 
The Rules are intended to protect the privacy of individually identifiable health information while allowing for a free flow of that information among what the Rules call “covered entities.” These are health care providers such as doctors and hospitals, health care insurers and HMOs, group health plans and health care clearing-houses (such as billing companies). The information is permitted to flow freely among covered entities as long as its use by the health care provider initially is consented to by the individual, and its use is limited to the minimum necessary for health care treatment, payment or health plan “operations” (such as utilization review).

Covered entities can’t use the information for any other purposes, or disclose it to any non-covered entity, without specific time-limited advance written authorization from the individual. At this time, covered entities are scrambling to be ready to meet standards for notices, administrative procedures, training, record-keeping, contracts, other requirements of the Privacy Rules and other lengthy new HIPAA “Administrative Simplification” standards that continue to emerge.

Although they are not “covered entities,” employers, as well as the business associates that provide services for covered entities, are affected by the Privacy Rules indirectly. Since the impact of the Privacy Rules on employer and group health plan operations has not been as well publicized as the impact on doctors, hospitals and insurers, not all employers are up to date on what is required. The time has come for employers to understand how the Rules apply and what they must do to be in compliance.  

What’s prompting these efforts at privacy protection?
One reason protection of health information privacy has suddenly come to the forefront is that the Federal government will soon require covered entities to use nation-wide, standardized means for electronic transmission of personal health information between themselves. With this uniform national system, confidential health records could be readily and widely available, were there no rules to protect the privacy and security of the data.

Even with the paper format and file cabinets of the past, a belief has developed among consumers that personal health information frequently is misused or disclosed in unanticipated ways. Concerns about privacy are escalating, particularly given widespread attention to the vulnerability of electronic transmissions, whether for financial services, retail purchases, employee benefits or just browsing on the Internet. Government regulation and enforcement have already been stepped up in many of these arenas.

As users of health care, we would all agree that protecting the privacy of our medical records is a good thing. The issue is what reasonable steps must be taken to make that privacy protection a reality.  

This might seem familiar
Employers already are familiar with many requirements of confidentiality and restricted use of employees’ health information because most employers are subject to state and federal laws on disability, workplace safety and family and medical leave.

For many years employers have been advised to collect and maintain only the minimally necessary employee health information needed for an intended purpose, to keep the information separate from other personnel records, to limit access, to restrict release, to de-identify personal health information and to destroy the information as soon as applicable laws permit. So the HIPAA Privacy Rules should not seem entirely new, since so much of the Rules are, in a sense, a revisiting of requirements already in place.

The HIPAA Privacy Rules were issued by the U.S. Department of Health and Human Services (HHS) as mandated by the HIPAA statute (the Health Insurance Portability and Accountability Act of 1996). Does the term HIPAA sound familiar? The HIPAA statute was the result of a Congressional effort at health care reform, the misnamed “Portability” part of which tries to minimize barriers to health coverage for workers.

A few years ago, HIPAA brought us the now-familiar limits on excluding coverage for pre-existing conditions, special enrollment rights for those who lose other health coverage and elimination of medical underwriting in group health plans. Most recently, new non-discrimination rules were added. Now HHS is bringing us the result of years of effort, that began with the first Bush Administration, which sought to contain health care costs by simplifying electronic data exchanges in the health care industry. The effort turned into far-reaching regulations under the Clinton Administration, and has now been confirmed and made effective by the current Bush Administration.  

New rights for individuals
Going beyond the HIPAA “Portability” rights, new rights for individuals are established by the Privacy Rules. Protected health information can only be used for health care treatment, payment or operations. Health care providers, insurers and plans will have to provide clear notice of how the entity will use and disclose PHI. Individuals will be able to see and get copies of their records and request amendments, and have the right to know who has accessed their PHI.

The Rules currently provide that written consent is required before PHI can be shared for the purposes permitted by the Rules. Separate, specific, time-limited, advance written authorization (which is different from consent under the Rules) is required for non-routine disclosures and for purposes other than treatment, payment and operations — for example, for use in marketing. (However, no individual authorization is required for disclosure for specific public purposes such as public health, emergency circumstances or national security.)

In addition, individuals have the right to request that restrictions be placed on the use and disclosure of their PHI, and they have the right to file a formal complaint about violations. To give reality to these rights, each covered entity will have to have an administrative system in place, a privacy notice available describing that system, a Privacy Officer designated, trained staff and a complaint procedure.

Group health plans are affected
The law does not allow the Privacy Rules to apply directly to employers, but the Rules have been written to reach each employer that sponsors a group health plan for its employees. One of the most difficult concepts in the Rules is the idea of the group health plan being an entity separate from the employer. For most employers, the plan is regarded as nothing more than a document, often an insurance policy. The entire role of the employer is seen as handling selection of the insurer, payment of premiums and performing some limited administrative activity, such as enrollment, that is not provided by the insurer or third party administrator.

However, the Rules treat the plan as a separate entity, one at arms-length from the employer, and subject to all the procedural privacy requirements except if the Rules provide otherwise. The Rules very broadly define health plans to include any individual or group plan that provides, or pays the cost of, medical care.

A health plan includes group health plans (whether insured or self-insured), health insurers, HMOs, Medicare, Medicaid and certain other government programs.

The few exclusions from the HIPAA Privacy Rules include plans that only provide “excepted benefits” and plans that are below a minimum size and are self-administered. There are no exemptions for collectively bargained plans.

Surprisingly, some types of insurance that might seem logical to include in the HIPAA privacy requirements are not included, such as workers’ compensation, life insurance and disability — a gap considered likely to be filled by clean-up legislation. Also the “HIPAA-excepted benefits” from the earlier HIPAA rules are excluded: stand-alone dental and vision insurance. Again, this is expected to change in the future.

Also surprising is that the definition of a health plan that is considered a “small health plan” was changed in the final rules to include far more plans than the original HIPAA definition. For purposes of the Privacy Rules, a small health plan is now defined as a health plan with $5 million or less in annual receipts. Such a plan is still covered by the Rules but has an extra year for compliance, April 2004 rather than April 2003. Only a group health plan with fewer than 50 participants, and which is self-administered, is excluded from compliance with the Privacy Rules altogether.

Fully insured and self-insured plans
The Rules apply differently to fully insured plans and self-insured plans. For fully insured plans, compliance requirements will depend on the extent that the employer continues to receive PHI from any HIPAA covered entity such as the employer’s own plan, its insurer or its HMO. In contrast, self-insured plans are treated as covered entities subject to all the Privacy Rule requirements.

The least impact will be on an employer that does nothing more than select the insurer and pay the premiums. However, the insurer or HMO through which the employer’s plan acquires coverage will still be responsible for meeting all of the HIPAA Privacy Rules. Covered entities can exchange PHI among themselves for the permitted purposes, but they cannot disclose the information to “outsiders” like the employer sponsoring the plan, without specific authorization from the individual employee, or unless the employer meets special rules.

How can a covered entity share PHI with an employer sponsoring a health plan? HIPAA provides special rules for employers to receive information from covered entities including their own plans. Summary health information, that is, claims history, expenses and types of claims experienced in the plan, which does not identify individuals, can be shared without individual authorization, for the limited uses of obtaining premium bids and amending or ending the health plan.

However, if the employer requires individually identifiable health information, certain actions must be taken in order to allow the information to be disclosed from the plan or insurer to the employer without each employee’s individual authorization for the intended purpose. The plan documents must be amended and certified by the employer as meeting relevant Privacy Rules requirements that restrict the employer’s uses and further disclosure of the PHI. These include requiring a policy of no use of PHI for employment related decisions or actions, no use of PHI in connection with any other employee benefit plans of the employer, restriction of use by any agent of the employer, establishment of required firewalls so that the privacy of the information is protected within the employer’s human resources operations and destruction or return of PHI when it is no longer needed.

All of these privacy related provisions required in the health plan documents bring their enforcement within the orbit of ERISA, the major federal law that governs employee benefit plans.

Business associate agreements
All covered entities, including employer-sponsored group health plans, are required to identify their “business associates” and enter into agreements with them by the entity’s required compliance date.

A business associate for HIPAA Privacy Rules purposes is a person or enterprise that performs essential functions for the covered entity requiring the use or disclosure of protected information. Examples are audit companies, third party administrators, actuaries, attorneys and consultants. 

The purpose of this type of agreement is to extend the protection of the Privacy Rules to PHI used or disclosed by the business associates of the covered entity, and to limit the uses and disclosures to just those permitted by the agreement. Monitoring is the responsibility of the covered entity, which is expected to take action if the business associate fails to properly comply with the Rules.

In the many instances where the parties, such as a plan and its third-party administrator, operate without a current signed agreement, a separate business associate agreement will need to be in place by the compliance date for the plan.

The proposed revisions of the Rules, which are expected to be adopted, provide a model business associate agreement. They also propose a somewhat longer period for phasing-in these agreements. The revisions would take into account that the natural timing for amending existing agreements would be upon renewal of the agreement, rather than an artificial date like the plan’s compliance date under the Rules.

Penalties
There are stiff penalties for violating the HIPAA Privacy Rules. Civil penalties for violation of requirements include $100 per violation, up to $25,000 per person, per year for each requirement or prohibition violated. There are also federal criminal penalties for knowing violation, with varying fines and length of prison terms — up to $250,000 and ten years — when there is intent to seek commercial advantage, personal gain or malicious harm. The federal government will enforce the Rules.

Past experience indicates that disgruntled former employees will act as whistleblowers, and also seek to take advantage of private rights of action under other laws. Because of the employer’s fiduciary role with the group health plans it sponsors, ERISA will provide another avenue for employee lawsuits for breach of commitments established in health plan documents.

What can employers do now?
Every employer that sponsors a health plan of any kind needs to become familiar with the basic HIPAA privacy requirements, and then audit its health plans, employment practices and relationships with service providers to determine the extent of its exposure for compliance with the HIPAA Privacy Rules. Employers need to find out how their plans and employment practices actually work by determining what individually identifiable health information currently is received and from what source, why it is needed, what use is made of it, where and how long it is stored, how it is secured and who has access to it.

Next, the employer needs to formulate a strategy either to minimize exposure or to meet whatever level of compliance is required, in which case a compliance timetable should be developed. Employers need to take appropriate steps to minimize risks regardless of the strategy selected, and plan, implement and monitor compliance as needed. Few employers will escape, altogether, the reach of the HIPAA Privacy Rules.

It’s not likely that the Privacy Rules will be repealed; Congress supports the Rules and the Bush Administration recently restated its commitment to strong patient privacy protection.

Some proposed revisions of the Rules were published in March 2002 and it is expected that the final revised Rules will be available this fall, but the core requirements for group health plans and employers continue. These are not the only new HIPAA rules affecting group health plans, insurers, other covered entities and employers. For example, rules for the security of health information and for the use of standard identifiers for employers have already been published.

It’s advisable that employers catch up with the current HIPAA Privacy Rules now, begin the process of determining the extent of their effect and develop a timetable for compliance.

Patricia F. Claire is an attorney with Willingham & Coté, P.C., and has been working with HIPAA issues since the law was passed in 1996. Pat can be reached at 517-351-6200 or pclaire@willinghamcote.com.

Copyright © 2002 Willingham & Coté, P.C. All rights reserved. This article is intended only to provide general information about the HIPAA Privacy Rules and not legal advice. As with every legal issue, the analysis of each fact situation will have different results. You should consult with informed legal counsel for advice on how the HIPAA Privacy Rules apply to your specific situation.



Insight Newsmagazine for Members of the Michigan Manufacturers Association

Publisher: Charles E. Hadden
Editor: Amy Shaw
Assistant Editor: Michelle Cordano
Layout: Joy Ross
Production: Jerry Merideth

Insight is published bi-monthly by the Michigan Manufacturers Association (MMA) Service Corporation.

Opinions expressed herein are those of the authors and do not necessarily represent the policies, positions or opinions of the MMA or MMA Service Corporation. Contents may not be reproduced in any form without written permission from the publisher.
