Employee Benefits: New Health Care Privacy Rules Released; How To Get Ready Now

After being flooded with more than 11,000 comments from the public about proposed changes to federal health care privacy rules, the government has now released new privacy regulations under the Health Insurance Portability and Accountability Act (HIPAA). Generally, the new rules require health plans and providers to take steps to safeguard an individual’s PHI, or protected health information. PHI includes any data that could identify an individual (such as age, sex, medical record number or email address) that is sent by a health care provider, health plan, employer or health care clearinghouse and was gathered because the person received health care services. Although, as we’ll explain, the new rules don’t directly cover employers, you still may need to take some measures to ensure compliance. Also, the new rules don’t supersede any stronger state or federal health care privacy laws.

Who’s Covered?

Under the new regulations, “covered entities” include health plans (such as insurers and self-insured plans), health care clearinghouses and most health care providers—but not employers. Covered entities have until April 14, 2003, to comply with the privacy rules, but certain small health plans with annual receipts of $5 million or less will have an additional year.

Some Impact On Employers

Employers who provide health plans for their employees must still comply with the new provisions that address the flow of PHI between a covered entity and an employer that’s a plan sponsor. This could come up, for example, if you receive PHI from a covered entity in connection with employee assistance programs, wellness programs and on-site medical testing.

A covered entity can disclose PHI to you if your benefit plan documents are amended to restrict your uses and disclosure of the private information. For example, your plan might state that you require the PHI for a wellness program but that you won’t use the information for other work-related decisions. Note, however, that a group health plan can share summary health information and enrollment or disenrollment information with you even if the plan documents aren’t amended.

Some Employers Have Dual Role

If you’re a health care company or provider, or you’re self-insured, you’re in the unusual situation of being both an employer and a covered entity. The rules make clear that employment records maintained by a covered entity in its capacity as an employer don’t qualify as protected health information. Employment records for this purpose include any medical information needed for an employer to carry out its obligations under the Family and Medical Leave Act, the Americans with Disabilities Act and similar laws. It also includes medical information related to occupational injury, disability insurance eligibility, sick leave requests, drug screening, workplace medical surveillance and fitness-for-duty tests. Note that even if such information is kept in a separate benefits file, it will be considered part of the employment record—and not PHI.

Getting Ready

Whether you’re a covered entity or an employer that receives PHI from a covered entity, it’s important to take steps to safeguard your employees’ medical information. Although you should consult an attorney to determine precisely what you’ll need to do to comply with the new rules, here are some recommendations for how to prepare:

  1. Keep PHI separate from employment records. Establish a firewall or internal security system separating those who view PHI for purposes such as administering your health plan and those who handle it for other reasons such as ADA accommodations or workers’ compensation.

  2. Amend your plan documents as necessary. The plan documents must: 1) describe the permitted uses and disclosures of PHI; 2) specify that disclosure is permitted only on receipt of a certification from the plan sponsor that the plan documents have been amended and the plan sponsor has agreed to certain conditions regarding the use and disclosure of PHI; and 3) provide adequate firewalls by identifying the employees or classes of employees who will have access to PHI; restricting access solely to the employees identified and only for the functions performed on behalf of the group health plan; and providing a mechanism for resolving noncompliance problems. Naming a class, rather than individuals, is wise so you don’t have to update the documents when the workforce turns over.

  3. Establish internal privacy guidelines. Designate a privacy officer responsible for updating your privacy policies and conducting training throughout your organization.

Other New Requirements

Besides the privacy rules, there are other new HIPAA provisions of interest to employers:

  • Administrative simplification. New technical standards must be used if a covered entity conducts certain transactions electronically, such as online enrollment. These rules take effect Oct. 16, 2002, unless a one-year extension is applied for by Oct. 15. Although HIPAA doesn’t require employers to use the transaction standards, your health plan may ask you to if you complete certain health insurance-related transactions online.

  • Identifier for employers. Employers, as plan sponsors, often need to be identified in health care transactions. A rule that took effect July 30, 2002, specifies that a covered entity must use an employer’s IRS Employer Identification Number in certain health care transactions. Note that your health plan may ask you to use the identifier but that HIPAA doesn’t require you to do so.