HIPAA Deadline for Small Health Plans Fast Approaching

03.01.2004

 
Sponsors of small health plans should immediately determine whether they need to take action to comply with the “Privacy Rule” under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

What Plans Are Subject To The Privacy Rule?

All “health plans” must comply with the Privacy Rule. A “health plan” includes fully insured and self-insured group medical plans, health flexible spending accounts, prescription drug plans, employee assistance plans and programs providing dental or vision benefits.

Large health plans were required to comply with the Privacy Rule by April 14, 2003. Small health plans must comply with the Privacy Rule by April 14, 2004. A health plan is a “small” health plan (i) if it is fully insured with total annual premiums of less than $5 million, OR (ii) if it is self-insured with total annual claims of less than $5 million.

What Is The Privacy Rule?

HIPAA’s Privacy Rule imposes numerous requirements that restrict how an individual’s health information can be used or disclosed. Generally speaking, protected information includes any information relating to an individual’s health, the health care provided to the individual or the payment arrangements for the individual’s health care, if that information identifies the individual or could be used to identify the individual.

The rule governs the conduct of companies that sponsor and administer health plans. If your company has a health plan and any of your employees receive or handle participant health information, you need to be sure that you understand how the Privacy Rule applies so you can comply.

What Must Health Plan Sponsors Do To Comply With The Privacy Rule?

If your company sponsors one or more health plans, you should take the following steps:

  • Evaluate how protected health information flows through your organization;
  • Develop privacy policies for the use and disclosure of health information;
  • Train employees on the proper storage, use and disclosure of protected health information;
  • Identify “business associates” to whom the plan communicates protected health information, and execute a “business associate contract” to govern the exchange of that information;
  • Amend plan documents as required; and
  • Prepare and distribute required privacy notices to plan participants.
 
What Is The Penalty For Not Complying With The Privacy Rule?

The sponsor of a covered health plan can be fined $100 per day, per violation, with a cap of $25,000 for a single violation of the Privacy Rule. However, there is no limit to the number of violations that can be cited for a single incident. The Privacy Rule also includes criminal penalties. Knowing violations can be punished by a fine of up to $50,000 and one year of imprisonment, and violations committed for commercial gain or with malicious intent can be punished by a fine of up to $250,000 and 10 years of imprisonment.
