HIPAA Facts & Info
Who is affected by HIPAA?
-------------------------------------------------------------------------

What is a HIPAA Healthcare Plan?

HIPAA is the most far-reaching piece of benefits legislation since ERISA. It affects healthcare providers, medical insurance companies, healthcare clearinghouses and health plans across the nation. It is a culture change that alters the way the healthcare sector does business, and it has a direct impact on health insurance plans and on the employers that sponsor them.

The law requires health plans to comply with the HIPAA privacy and security rules. An employer that offers a group medical, dental or vision plan to its employees is the plan sponsor of that health plan and is therefore the entity ultimately responsible for the plan's HIPAA compliance.

A healthcare plan is an employee welfare benefit plan as defined by the Employee Retirement Income Security Act of 1974 (ERISA), including both insured and self-insured plans. ERISA defines a welfare benefit plan as any plan, fund, or program established or maintained by an employer or by an employee organization, or both, to provide for its participants or their beneficiaries, by purchasing insurance or otherwise:

  1. medical, surgical, or hospital care or benefits, or benefits in the event of sickness, accident, disability, death or unemployment, or vacation benefits, apprenticeship or other training programs, or day care centers, scholarship funds, or prepaid legal services, or 
  2. any benefit described in section 302(c) of the Labor Management Relations Act, 1947 (other than pensions on retirement or death, and insurance to provide such pensions).

HIPAA further defines a health plan as one that provides medical care, including items and services paid for as medical care, to employees or their dependents directly or through insurance, reimbursement, or otherwise. An employer group health plan is covered by HIPAA if it meets either of the following tests:

  1. It has 50 or more participants, or
  2. It is administered by an entity other than the employer that established and maintains the plan, such as a third-party administered FSA (flexible spending account).

Separately, HIPAA distinguishes large from small plans by size. A small health plan is one with annual receipts of $5 million or less; a large plan has more than $5 million in annual receipts. This distinction affects only the compliance deadline, not whether the plan is covered.

(The HIPAA regulations do not define "participants" in a health plan. The commonly accepted approach is to count ALL eligible employees, including COBRA participants. If a firm has 75 eligible employees, including COBRA ex-employees, but only 45 are actually taking coverage, HIPAA still applies because the eligible count exceeds 50.)

If a health plan has fewer than 50 eligible employees and is fully insured, but offers a medical reimbursement plan as part of an FSA (flexible spending account), it is a covered entity under HIPAA IF the FSA is administered by someone outside the employer. On the other hand, a fully insured medical plan with fewer than 50 eligible employees that has no third party doing any administration work for the plan (all administration is done internally) DOES NOT have to be HIPAA compliant.

(Fully insured plans should use the premiums paid to calculate whether annual receipts exceed $5 million. Self-insured plans should use claims paid only, not insurance or administration costs. This size test has no effect on the degree of compliance required, only on the date by which it must be achieved.)


What is the Role of the plan sponsor in more detail?

The plan sponsor is defined by reference to ERISA. For single employer plans, this means the plan sponsor is the employer. As a conceptual matter, however, for purposes of the Privacy Rule, the plan sponsor will not be the entire employer. Rather it will be the group of employees who are involved in "plan administration functions," or who are responsible for "settlor functions" – either amending the plan or negotiating service provider contracts for the plan. [45 CFR § 164.501 (definition of "plan sponsor"); 65 Fed. Reg. 82496.] 

Who is the "Plan Sponsor"? Simply put, it is the group of employees involved in administering the health plan. Not all employees of an employer are part of the "Plan Sponsor". Think of the health plan as an entity separate from the employer: only those employees whose job functions involve plan administration act as the "Plan Sponsor".

Employers also have to treat their group health plans as being separate and distinct from all of their other welfare benefit plans. For example, an employer currently sharing health information between welfare plans – e.g., between an LTD plan and a group health plan in a disability management program – is not likely to be able to continue this type of sharing after the effective date of the Privacy Rule for its group health plan. [65 Fed. Reg. 82507, 82645-47.]


What Healthcare Plans are affected?

HIPAA broadly includes many forms of health plans and providers (as defined in §2791(a)(2) of the Public Health Service Act (PHSA)):

  • almost all group health plans (insured or self-insured) covered under the Employee Retirement Income Security Act of 1974 (ERISA) (i.e., those group health plans with 50 or more participants, and plans of any size that are administered by other entities),
  • health insurance issuers (defined by HIPAA to include an insurance company, insurance service, or insurance organization that is licensed to do the business of insurance in a state and is subject to state law regulating insurance under ERISA § 514(b)(2)),
  • HMOs,
  • Medicare,
  • Medicaid,
  • Medicare-supplemental policy issuers,
  • an employee welfare benefit plan or any other arrangement providing health benefits to employees of two or more employers,
  • MEWAs (multiple employer welfare arrangements),
  • health care programs for active military personnel and veterans,
  • CHAMPUS,
  • the Indian Health Service,
  • the Federal Employees Health Benefit Program,
  • approved SCHIP programs
  • Medicare +Choice plans
  • state high risk pools.


Exceptions to the HIPAA healthcare plans are:

  • Coverage only for accident, or disability income insurance, or any combination thereof.
  • Coverage issued as a supplement to liability insurance.
  • Liability insurance, including general liability insurance and automobile liability insurance.
  • Workers’ compensation or similar insurance.
  • Automobile medical payment insurance.
  • Credit-only insurance.
  • Coverage for on-site medical clinics
  • Other similar insurance coverage, specified in regulations, under which benefits for medical care are secondary or incidental to other insurance benefits.
  • 401k and pension plans
  • A plan that has fewer than 50 covered employees (unless state law applies the rules), is fully insured, and does not have any third party doing administration work on the health plan (including COBRA and cafeteria plan administration).


Is there an exception for the group health plans of small employers?

No. The Administrative Simplification Rules do not provide an exception for the group health plans of small employers. The Rules do, however, provide more time to comply for "small health plans." While small health plans must still comply with the Administrative Simplification Rules, they have an extra year to comply with each of the Rules’ deadlines.

Also see "Can I Change How We Handle Employee Medical Applications and Eliminate Any Need to Comply with HIPAA?"


Is there an exception for the group health plans of government employers?

No. The Administrative Simplification Rules do not provide an exception for the group health plans of governmental employers. The Rules do, however, have some special provisions that recognize the inability of government entities to enter into contracts (for instance, for business associate contracting purposes). Instead, government employers may enter into "memoranda of understanding" (MOUs) with their business associates. 


Is there an exception for the group health plans of non-profit (tax-exempt) employers?

No. The Administrative Simplification Rules do not provide an exception for the group health plans of non-profit organizations.

My group health plan does not transmit any information electronically. Is it exempt from the Administrative Simplification Rules?

No. Employer group health plans are covered entities whether or not they transmit information electronically. Only providers, such as doctors, nurses, on-site clinics, etc., are exempt from these Rules if they do not transmit electronically.


Can I Change How We Handle Employee Medical Applications and Eliminate Any Need to Comply with HIPAA?

No. An employer-sponsored health plan that falls under HIPAA will always be a HIPAA plan. The plan sponsor can minimize its HIPAA exposure but cannot eliminate the need for HIPAA compliance. How employee medical applications are handled is not a criterion for determining whether a health plan must be HIPAA compliant.

In fact, it is important for the Plan Sponsor to document any and all actions taken in the HIPAA Policies and Procedures Manual, your first line of HIPAA defense.

Compliance dates for initial implementation of the privacy standards.

A health plan must comply with the applicable requirements of the Privacy Rule no later than the following, as applicable:
    (1) Health plans other than small health plans: April 14, 2003. (More than $5 million in annual receipts, i.e. premiums for insured plans or claims paid for self-insured plans.)
    (2) Small health plans: April 14, 2004. ($5 million or less in annual receipts. The plan must still meet one of the coverage tests above, 50 or more participants or third-party administration, to be covered at all.)


Is Employee Employment Data Covered?

Another point to cover is that employment information collected in the normal course of hiring an employee is not considered PHI. HIPAA distinguishes between that information and the data collected in the course of establishing and running a medical plan. It would have been simpler if HIPAA had made the employer itself a covered entity instead of the plan sponsor, but the law treats employment records as outside HIPAA. Our recommendation is nonetheless to protect employment records the same way you protect PHI.


What must a group health plan do to comply with the Privacy Rule?

For a group health plan, the Privacy Rule’s compliance obligation can be divided into the following five parts:

  • Limiting the uses and disclosures of protected health information as permitted or required by the Privacy Rule

  • Enforcing individual rights with respect to protected health information. 

  • Providing a notice of privacy practices

  • Amending plan documents to permit disclosures and uses of protected health information for purposes of plan administration. 

  • Satisfying other administrative requirements including the appointment of a privacy official, implementing safeguards, and training employees

Do all group health plans have to satisfy all five parts?

No. The compliance burden for a group health plan will vary significantly depending upon three factors:

  1. The insured status of the plan
  2. The type of health information received by the plan sponsor
  3. How the plan sponsor uses summary health information


Who are Business Associates to a small health plan?

Another group of businesses directly affected by HIPAA are the Business Associates of the health plan. A Business Associate (BA) is an individual or entity that receives protected health information (PHI) from a covered entity and performs services or functions, or assists in performing services or functions, on behalf of the health plan. An insurance broker, for example, is a BA to a health plan because the broker is often the intermediary between the employer and the insurance company. HIPAA requires the covered entity to have each Business Associate sign a Business Associate Agreement (BAA). This agreement pulls parties that normally do not fall under the definition of a covered entity right into the HIPAA water: it requires the BA to protect the data to the same standard the covered entity must, and it is a contract enforceable in court.

If the BA will not sign the agreement, or fails to protect the data and the problem cannot be cured, HIPAA requires the covered entity to terminate the relationship with the BA (or, where termination is not feasible, to report the problem to the Secretary of Health and Human Services). The bottom line is that BAs must follow the same guidelines as a covered entity. A BAA can be an addendum to an existing business agreement; it does not have to be a separate document. It is up to the employer to provide the BAA and to require the insurance broker or other third parties to sign it. If a Business Associate will not sign the BAA, then the plan sponsor, the employer, cannot do business with that person or firm.

What are examples of Business Associates?

  • Employee Benefit Insurance Brokers
  • Third Party Administrators (this includes medical reimbursement 125 plans, HRA and 105 plans)
  • Lawyers who get PHI from the employer
  • Accountants who get PHI from the employer
  • Employee Benefit Consultants
  • Computer Consultants if protected employee health information is in your computer system
  • ANY person or company that receives protected health information from the employer!

An employee of the covered entity, or any other member of the covered entity's own workforce, is not a business associate. Some persons or companies, such as computer consultants or janitors, should sign a confidentiality agreement instead of a BAA, since it is not their job to receive PHI but they might happen upon it. A Business Associate may itself be a covered entity, or it may be an organization that HIPAA does not otherwise reach. Even if a BA is a covered entity, your firm still needs a BA Agreement with it if it receives protected health information from you about your employees. An insurance company or an HMO is not a BA to a health plan, but an insurance broker or TPA would be.

Business Associates need to demonstrate "HIPAA compliance" by going through the same processes that a covered entity must: setting up a HIPAA policies and procedures manual and training employees. The BA.HIPAAps.com Business Associate version is designed to simplify that process and is offered alongside this web site. In many ways the responsibilities of a health plan sponsor/employer are similar to a Business Associate's.

It is the employer's responsibility to know if Business Associates of the healthcare plan comply.

Note: An employer may also do business with other insurance companies, such as a workers' compensation carrier, and with non-insurance firms that are not covered entities as defined by HIPAA. Some of these relationships involve the employer providing certain employee information. An employer cannot disclose PHI to any of these companies without a proper, current, signed employee authorization, with a few exceptions noted below.


Exceptions to the Business Associate Rules:

Exceptions to the above rule are reinsurance and stop-loss carriers involved in the plan's actual "healthcare operations", and releases required by a state or federal agency. The employee does not have to sign an authorization for these releases of PHI. Your own employees are not Business Associates either.

Can I be sued for alleged violations of the Administrative Simplification (HIPAA) Rules?

The Administrative Simplification Rules themselves do not provide a private right of action, meaning they do not authorize private individuals to sue covered entities, such as covered group health plans, for alleged violations. [65 Fed. Reg. 82566, 82604.]

Nonetheless, employers might find themselves subject to private lawsuits under other theories. For example, in certain circumstances, the Administrative Simplification Rules require an employer to amend its group health plan documents. To the extent that such a group health plan is governed by ERISA, participants and beneficiaries will have the right to sue for enforcement of the plan document, including, perhaps, the amendments required by the Administrative Simplification Rules. 

In addition, as noted above, state laws providing more stringent protections or remedies, such as state privacy laws, are likely to apply as well. Where those state laws provide private rights of action, participants and beneficiaries may be able to invoke them. [65 Fed. Reg. 82582.]

----------------------------------------------------

Order today, don't put off your path to HIPAA compliance any longer. HIPAA is the law! Penalties apply April 14, 2004!
