Publications
Do HIPAA Privacy Rules Apply To Your Business?
The Department of Health and Human Services has issued its final rules implementing the privacy requirements of the Health Insurance Portability and Accountability Act ("HIPAA"). The HIPAA privacy rules apply to three categories of "covered entities": health care clearinghouses, health care providers engaging in electronic transmissions of health information, and health plans. Although HIPAA does not apply to other businesses directly, many businesses will be impacted by HIPAA through sponsorship of a health plan for employees or by providing services to the health care industry. This simple questionnaire will help you determine what impact HIPAA may have on your business. Links are provided to a glossary of terms.

1. Is your business a health care clearinghouse?
If yes, HIPAA directly impacts your business. The business must comply with all of the HIPAA privacy rules for health care clearinghouses by April 14, 2003.

2. Is your business a health care provider that transmits health information in electronic form?
If yes, HIPAA directly impacts your business. The business must comply with all of the HIPAA privacy rules for health care providers by April 14, 2003.

3. Is your business a health plan?
If yes, HIPAA directly impacts your business. The business must comply with all HIPAA privacy rules for health plans by April 14, 2003, unless it is a small health plan, in which case it must comply by April 14, 2004.

4. As an employer, does your business sponsor a health plan (including a group health plan with 50 or more participants or external administration)?
If no, go to question 7.

5. Is the health plan fully insured?
If yes, move on to question 6. If no, the health plan must comply with the full extent of HIPAA's privacy rules for health plans. If your business is the plan administrator, it is responsible for making the health plan HIPAA compliant by April 14, 2003, unless it is a small health plan, in which case the compliance date is April 14, 2004.

6. Does the health plan receive protected health information?
If no, only minimal HIPAA privacy requirements apply. If yes, the health plan must comply with the full extent of HIPAA's privacy rules for health plans, except that the insurer will be responsible for distributing the required Notice. If your business is the plan administrator, it is responsible for making the health plan HIPAA compliant by April 14, 2003, unless it is a small health plan, in which case the compliance date is April 14, 2004. Move on to question 7 to determine if your business has other HIPAA obligations.

7. Is your business a business associate of a health care provider that electronically transmits health information, a health care clearinghouse, or a health plan?
If yes, you will be required to sign a business associate contract or incorporate certain terms into an existing agreement. If no, your business will not be asked to enter into a business associate contract.

Business Associate: A person who, on behalf of a health care provider that electronically transmits health information, a health care clearinghouse, or a health plan that is not the person's employer, performs or assists in the performance of a function or activity involving the use or disclosure of protected health information.

Fully Insured: Employer bears no financial liability beyond the payment of premiums.

Group Health Plan: An employee welfare benefit plan, including insured and self-insured plans, to the extent that the plan provides medical care, including items and services paid for as medical care, to employees or their dependents directly or through insurance, reimbursement, or otherwise, that (1) has 50 or more participants or (2) is administered by an entity other than the employer that established and maintains the plan. Group health plans include vision and dental plans and flexible spending accounts covering medical expenses.

Health Care Clearinghouse: A public or private entity, including a billing service, repricing company, community health management information system or community health information system, and "value-added" networks and switches, that does either of the following functions: (1) processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction; (2) receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.

Health Care Provider: A provider of services (as defined in 42 U.S.C. § 1395x(u)), a provider of medical or health services (as defined in 42 U.S.C. § 1395x(s)), or any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.

Health Plan: An individual or group plan that provides, or pays the cost of, medical care. Health Plan includes, but is not limited to, any entity that is a group health plan, health insurance issuer, an HMO, an issuer of a long-term care policy other than a nursing home fixed-indemnity policy, a multi-employer employee welfare plan for health benefits, and any individual or group plan that provides or pays for the cost of medical care.

Protected Health Information: Individually identifiable health information, excluding certain education records and employment records held by a covered entity in its role as employer.

Health information is any information, whether oral or recorded in any form or medium, that (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse and (2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual. Health information is individually identifiable if it identifies the individual or is information with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Small Health Plan: A health plan with annual receipts of $5 million or less. If the health plan is fully insured, "receipts" are the total premiums paid to the health plan. If the health plan is self-insured, "receipts" are the amounts paid by the health plan for health care claims.

©Moss & Barnett, A Professional Association, 2003



