

Small Business And The New HIPAA Privacy & Security Requirements

By Steve Trumble



New privacy and security standards set forth by the Health Insurance Portability and Accountability Act (HIPAA) of 1996, designed to protect employee health information, are beginning to be felt by area businesses. All companies with annual total health care spending (which includes medical, dental, HMO, vision, flexible spending accounts and long-term care) greater than $5 million had to be in full compliance by April of this year or potentially face significant fines.

But it's not just larger companies that will be facing the new regulations.

In April 2004, any company that sponsors health plans for employees will be held accountable. No matter the size, be it five or 5,000 employees, HIPAA will apply. The clock is ticking, and CEOs will have to take action over the course of 2003 to ensure that their companies are protected. So, where do you start?



Protected Health Information

The first step for the uninitiated is to define what the issue is and the level of exposure. From the business owner perspective, it comes down to protected health information (PHI). HIPAA defines health information as any information (oral or recorded) in any form or medium that is created (or received) by a health care provider, health plan, public health authority, employer or health care clearinghouse. It relates to past, present or future physical (or mental) health condition, treatment of an individual or past, present or future payment for health care. In other words, health information, no matter how it is communicated or recorded (electronic, written or spoken), is protected under HIPAA guidelines.

The HIPAA "privacy" standards essentially say that a health plan cannot use or disclose PHI except as authorized by the individual or by Department of Health and Human Services (HHS) regulations. The HIPAA "security" standards go a step further to say a health plan must adopt safeguards to prevent unauthorized electronic access (e.g., by hackers breaking into a health plan's claims records) or unauthorized destruction of the information.



The Risk of Non-compliance

Although much of the burden of HIPAA regulations falls upon health insurers and HMOs, employers who sponsor such plans have many responsibilities in the process and could end up paying dearly for not being compliant.

If a company is caught out of compliance after the deadline, it runs the risk of significant fines and potential criminal charges. The Department of Health and Human Services will investigate complaints and will enforce the Privacy Rule. Failure to comply could result in penalties of up to $100 per person per violation or up to $25,000 per year for each violation of an identical requirement. Criminal penalties can apply for intentional violations of the rules. Such knowing violations could result in a criminal fine of up to $250,000 and up to 10 years in prison. It's clearly in every employer's best interest to develop a HIPAA compliance plan to ensure that its sponsored health plans are in compliance.



What You Need to Do Before Next April

Planning is crucial, and the sooner a workable HIPAA Action Plan is put in place, the sooner you won't have to worry about non-compliance penalties. Here are the three main components of an action plan.

1. Appoint a Privacy Official. A company as a plan sponsor must designate a privacy official responsible for developing and implementing its privacy policy and procedures. Implementing the security standards as soon as possible after compliance with the privacy standards makes a lot of sense because the security standards complement the privacy standards.

2. Finalize Plan Documentation. A health plan document must contain the appropriate privacy standards for the plan, and the employer as plan sponsor must agree to abide by these standards before the plan can disclose protected health information to the plan sponsor.

3. Set Up Business Associate Agreements. A business associate is any person or organization who uses protected health information on behalf of a health plan to perform benefits management, claims processing or administration, billing, data analysis, legal, actuarial, consulting, accounting or other similar services. A health plan may only disclose protected health information to a business associate, and allow the business associate to create or receive information on its behalf, if an agreement is in place that binds the business associate to the same privacy requirements that are imposed on the health plan.



Fleshing Out the Plan: Gap Analysis

An effective strategy to comply with both the privacy and security standards would be to start with a "gap analysis" to compare existing policies and procedures with those required by the final regulations and to review and evaluate whether technology used to secure the protected health information is still appropriate. Implementing remedial policies, procedures and supporting technology and training employees would follow. Some of the activities around that exercise include:

- Distributing a privacy notice to employees;

- Establishing a procedure for employees to exercise their rights to access their own health information and to obtain an accounting of disclosures;

- Amending health plan documents to establish the permitted uses and disclosures of health information by the plan sponsor;

- Adopting appropriate administrative, technical and physical safeguards to protect the privacy of health information; and

- Making sure your vendors are prepared to conduct electronic transactions in the standard format that will be required under the electronic data interchange or EDI provisions.

Before the compliance date, the safeguards would be reviewed as the first of a series of periodic evaluations required under the regulation. The main thing to keep in mind is that there is plenty of time to meet compliance expectations, as long as you begin to think about it today.



Steve Trumble is senior vice president in Aon Consulting. He can be reached at 410-547-2967.




