Publications

HIPAA Compliance Alert - Compliance Deadline For Certain Employee Benefit Plans

February 1, 2003


HIPAA Privacy Requirements

Under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Department of Health and Human Services has issued detailed regulations (the "Privacy Standards") governing the privacy of certain individually identifiable health information ("protected health information," or "PHI"). The Privacy Standards impose significant obligations on covered entities such as employer-sponsored health plans, including medical, dental, vision, and flexible benefit plans. Disability, life insurance, and workers' compensation benefits are not affected by HIPAA.

In general, the Privacy Standards limit the use and disclosure of PHI to those uses and disclosures which are either

  1. for treatment, payment, or health care operations (generally, administration of the health plan),
  2. limited uses specifically authorized by the Privacy Standards (for example, disclosures required by law), or
  3. specifically authorized by the individual.

In addition, the Privacy Standards impose extensive administrative requirements which are described in more detail below.

Compliance Deadline

The deadline for compliance with the Privacy Standards is generally April 14, 2003. However, "small health plans" have an automatic extended compliance deadline of April 14, 2004. A health plan is a "small health plan" if it pays $5 million or less in insurance premiums (if it is insured) or claims (if it is self-insured), or a combination that totals $5 million (if the plan is partly insured).

Your HIPAA Obligations

Numerous compliance tasks must be completed in advance of the HIPAA deadline, including:

  • Undertaking a thorough review of current privacy practices;
  • Designating a "privacy officer" to oversee compliance;
  • Adopting and implementing new policies governing uses of PHI;
  • Training employees about the privacy policies and adopting sanctions for violation of the policies;
  • Meeting extensive documentation requirements, including preparing health plan amendments, "business associate agreements" with certain outside vendors and consultants, and detailed participant notices;
  • Implementing administrative, technical, and physical safeguards to protect PHI; and
  • Maintaining written privacy policies and procedures, including procedures for individuals to exercise certain rights with respect to their own PHI.

Each health plan's actual compliance obligations will differ, depending on the health plan's funding arrangement and the extent of access to PHI. Please contact your Thompson Hine employee benefits lawyer for further assistance.

For More Information

Please contact William S. Fein, Jack F. Fuchs, or Karen D. Youngstrom or any member of our Employee Benefits & Executive Compensation or ERISA Litigation practice groups for more information.

Disclosure

This advisory may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgement of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel. This document may be considered attorney advertising in some jurisdictions. Some of the design images and photographs in this document may be of actors depicting fictional scenes.

Last modified: October 3, 2008