612-877-5000 | Contact us

Extranet Login

Publications

Required Activity For Health Plans Under HIPAA


By Marcy R. Frost
February, 2003

Many employer sponsored health plans are "covered entities" under the privacy rules of the Health Insurance Portability and Accountability Act. The following is a brief description of requirements that most covered health plans must meet by the April 14, 2003 deadline. Small health plans, those with less than $5 million in premiums collected or health claim payments have until April 14, 2004 to meet the requirements. Fully-insured health plans that take a "hands-off" approach (that is, health plans that generally do not create or receive protected health information from health care providers or the insurer), need only cooperate with the Secretary and avoid activity prohibited by the HIPAA rules.

Cooperate with the Secretary of the Department of Health and Human Services: Health plans must make their books and facilities available to the Secretary for inspection. Health plans must provide compliance reports as required by the Secretary.

Documentation: Health plans must maintain documentation as required by the rules.

Amend Plan: Before a plan sponsor can receive protected health information (except for summary information for limited purposes or information regarding enrollment and disenrollment of participants), the plan must be amended. Pursuant to the amendment, the plan sponsor must agree to the most of the same requirements that apply to the plan itself.

Policies and procedures: A health plan must implement policies and procedures designed to ensure compliance with HIPAA.

Minimum necessary standard: Health plans can only use, disclose or request the minimum amount of protected health information necessary to accomplish the purpose of the use, disclosure or request. To ensure that the minimum necessary standard is met, health plans must establish procedures and policies for handling routine and recurring disclosures and requests and criteria for handling other disclosures and requests.

Firewall: Health plans must identify employees who will have access to protected health information and the expected uses of that information. The health plan needs to ensure that the use and disclosure of the protected health information is limited to those employees and purposes.

Access to PHI: Health plans must allow the subjects of the protected health information to access the information held by the plan or its agents.

Amendment of PHI: Health plans must allow the subjects of protected health information to make appropriate amendments to the protected health information held by the health plan or its agents. If a request is denied, measures must be taken to indicate that there is a dispute regarding the information.

Accounting of PHI disclosures: Health plans must provide an accounting of disclosures of protected health information to the subject of the information.

Designate responsible personnel: A health plan must designate a privacy official and someone to contact for more information regarding HIPAA.

Train personnel: A health plan must train personnel regarding the handling of protected health information.

Complaint process: A health plan must establish a process for handling complaints of violations of HIPAA requirements.

Discipline: A health plan must establish appropriate disciplinary measures for employees who improperly use, disclose or request protected health information.

Mitigate negative impact: A health plan must take appropriate measures to mitigate any harm caused by an improper use, disclosure or request of protected health information.

Authorizations: A health plan must get authorizations for uses or disclosures for which an authorization is specifically required (relating to psychotherapy notes and marketing) or which are not specifically required or permitted by the HIPAA privacy rules.

Opportunity to agree: In certain circumstances (relating primarily to sharing information with family members or other designated people), a health plan must give an individual the opportunity to agree to or refuse a disclosure of protected health information.

Verify requests: A health plan must verify requests for protected health information that it receives and obtain any required documentation.

Requests for restrictions: A health plan must allow individuals to request restrictions on the use and disclosure of their protected health information. The health plan is not obligated to grant the requests.

Alternative means of communications: In certain circumstances (relating to endangerment of the person involved), health plans must accommodate requests for alternative means of communication of protected health information.

Notice: A self-insured health plan must create and distribute a Notice of HIPAA rights. A fully-insured plan that receives protected health information must maintain a Notice on file, but the obligation for distribution falls on the insurer.

©Moss & Barnett, A Professional Association, 2003

Related

News Headlines


Case Summaries

Family Law

[02/02] Southerland v. City of New York
In a suit under 42 USC Section 1983 asserting that a New York City children's services caseworker entered the plaintiffs' home unlawfully and effected an unconstitutional removal of children into state custody, the district court's grant of summary judgment to the defendant caseworker is: 1) affirmed with respect to the dismissal of the father's substantive due process claim; but 2) vacated with respect to the father's and his children's Fourth Amendment unlawful-search and Fourteenth Amendment procedural due process claims and the children's unlawful-seizure claim, where the district court wrongfully concluded that the caseworker was entitled to qualified immunity with respect to all of the claims against him.

[02/02] Marriage of Walker
In a family court proceeding in which the recipient of a California State Teachers' Retirement System (CalSTRS) disability allowance challenged earlier family court orders awarding a community property interest in the allowance to his former spouse, the family court's denial of the appellant's motion to set aside the earlier orders is reversed, where the family court erred as a matter of law in concluding that the recipient had made "no mistake" in agreeing that his spouse had a community property interest in his disability allowance and thus should not have denied his motion on this basis.

[02/02] Marriage of Wahl
On appeal from an order requiring an ex-wife to pay to her former husband $552,153.28 in attorney's fees and costs as a sanction because of her conduct with respect to two post-dissolution orders, the order is affirmed, where the record disclosed no abuse of discretion in the trial court's award, and additional sanctions are imposed against the appellant and her appellate attorneys on a finding that the appeal is frivolous.

[01/31] T.W. v. Superior Court (San Diego County Health and Human Servs. Agency)
In proceedings in mandate to review an order designating the specific placement of a dependent child after termination of parental rights, the petition is granted with directions, where the district court abused its discretion by denying a petition by the San Diego County Health and Human Services Agency to remove the child from the home of his prospective adoptive parent, because the district court did not give appropriate weight to the legislature's goal of securing an adoptive home for a dependent child that is free from the influences of criminal activity and substance abuse.

More...

4800 WELLS FARGO CENTER | 90 South Seventh Street | Minneapolis, MN 55402-4129
P: 612-877-5000 F: 612-877-5999 Contact us