
Required Activity For Health Plans Under HIPAA


By Marcy R. Frost
February, 2003

Many employer-sponsored health plans are "covered entities" under the privacy rules of the Health Insurance Portability and Accountability Act. The following is a brief description of requirements that most covered health plans must meet by the April 14, 2003 deadline. Small health plans, those with less than $5 million in premiums collected or health claim payments, have until April 14, 2004 to meet the requirements. Fully-insured health plans that take a "hands-off" approach (that is, health plans that generally do not create or receive protected health information from health care providers or the insurer) need only cooperate with the Secretary and avoid activity prohibited by the HIPAA rules.

Cooperate with the Secretary of the Department of Health and Human Services: Health plans must make their books and facilities available to the Secretary for inspection. Health plans must provide compliance reports as required by the Secretary.

Documentation: Health plans must maintain documentation as required by the rules.

Amend Plan: Before a plan sponsor can receive protected health information (except for summary information for limited purposes or information regarding enrollment and disenrollment of participants), the plan must be amended. Pursuant to the amendment, the plan sponsor must agree to most of the same requirements that apply to the plan itself.

Policies and procedures: A health plan must implement policies and procedures designed to ensure compliance with HIPAA.

Minimum necessary standard: Health plans can only use, disclose or request the minimum amount of protected health information necessary to accomplish the purpose of the use, disclosure or request. To ensure that the minimum necessary standard is met, health plans must establish procedures and policies for handling routine and recurring disclosures and requests and criteria for handling other disclosures and requests.

Firewall: Health plans must identify employees who will have access to protected health information and the expected uses of that information. The health plan needs to ensure that the use and disclosure of the protected health information is limited to those employees and purposes.

Access to PHI: Health plans must allow the subjects of the protected health information to access the information held by the plan or its agents.

Amendment of PHI: Health plans must allow the subjects of protected health information to make appropriate amendments to the protected health information held by the health plan or its agents. If a request is denied, measures must be taken to indicate that there is a dispute regarding the information.

Accounting of PHI disclosures: Health plans must provide an accounting of disclosures of protected health information to the subject of the information.

Designate responsible personnel: A health plan must designate a privacy official and someone to contact for more information regarding HIPAA.

Train personnel: A health plan must train personnel regarding the handling of protected health information.

Complaint process: A health plan must establish a process for handling complaints of violations of HIPAA requirements.

Discipline: A health plan must establish appropriate disciplinary measures for employees who improperly use, disclose or request protected health information.

Mitigate negative impact: A health plan must take appropriate measures to mitigate any harm caused by an improper use, disclosure or request of protected health information.

Authorizations: A health plan must get authorizations for uses or disclosures for which an authorization is specifically required (relating to psychotherapy notes and marketing) or which are not specifically required or permitted by the HIPAA privacy rules.

Opportunity to agree: In certain circumstances (relating primarily to sharing information with family members or other designated people), a health plan must give an individual the opportunity to agree to or refuse a disclosure of protected health information.

Verify requests: A health plan must verify requests for protected health information that it receives and obtain any required documentation.

Requests for restrictions: A health plan must allow individuals to request restrictions on the use and disclosure of their protected health information. The health plan is not obligated to grant the requests.

Alternative means of communications: In certain circumstances (relating to endangerment of the person involved), health plans must accommodate requests for alternative means of communication of protected health information.

Notice: A self-insured health plan must create and distribute a Notice of HIPAA rights. A fully-insured plan that receives protected health information must maintain a Notice on file, but the obligation for distribution falls on the insurer.

©Moss & Barnett, A Professional Association, 2003


