HIPAA Deadline for Small Health Plans Fast Approaching
Sponsors of small health plans should immediately determine whether they need to take action to comply with the “Privacy Rule” under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
What Plans Are Subject To The Privacy Rule?
All “health plans” must comply with the Privacy Rule. A “health plan” includes fully insured and self-insured group medical plans, health flexible spending accounts, prescription drug plans, employee assistance plans and programs providing dental or vision benefits.
Large health plans were required to comply with the Privacy Rule by April 14, 2003. Small health plans must comply with the Privacy Rule by April 14, 2004. A health plan is a “small” health plan if its annual receipts are $5 million or less, measured (i) by total annual premiums if the plan is fully insured, OR (ii) by total annual claims paid if the plan is self-insured.
What Is The Privacy Rule?
HIPAA’s Privacy Rule imposes numerous requirements that restrict how an individual’s health information can be used or disclosed. Generally speaking, protected information includes any information relating to an individual’s health, the health care provided to the individual or the payment arrangements for the individual’s health care, if that information identifies the individual or could be used to identify the individual.
The rule governs the conduct of companies that sponsor and administer health plans. If your company has a health plan and any of your employees receive or handle participant health information, you need to be sure that you understand how the Privacy Rule applies so you can comply.
What Must Health Plan Sponsors Do To Comply With The Privacy Rule?
If your company sponsors one or more health plans, you should take the following steps:
- Evaluate how protected health information flows through your organization;
- Develop privacy policies for the use and disclosure of health information;
- Train employees on the proper storage, use and disclosure of protected health information;
- Identify “business associates” to whom the plan communicates protected health information, and execute a “business associate contract” to govern the exchange of that information;
- Amend plan documents as required; and
- Prepare and distribute required privacy notices to plan participants.
What Is The Penalty For Not Complying With The Privacy Rule?
The sponsor of a covered health plan can be fined $100 per violation, with a cap of $25,000 per calendar year for violations of a single Privacy Rule requirement. However, there is no limit to the number of distinct requirements that can be cited for a single incident, so the penalties can multiply quickly. The Privacy Rule also includes criminal penalties. Knowing violations can be punished by up to a $50,000 fine and one year of imprisonment, and violations committed for commercial advantage, personal gain or malicious harm can be punished by up to a $250,000 fine and 10 years of imprisonment.
If you have questions regarding this alert or other HIPAA related issues, please contact Hugh Davis at 919.783.2908 or hwdavis@poyners.com or Nancy Brower at 704.342.5275 or nbrower@poyners.com.
This electronic publication is published by Poyner & Spruill LLP to provide general information about significant legal developments. Because the facts in each situation vary, the legal precedents noted herein may not be applicable to individual circumstances.
Physical Address: 3600 Glenwood Avenue, Raleigh, NC 27612
