HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. Title I of HIPAA governs portability of health benefits, special enrollment rights, and non-discrimination rules. Title II, Subtitle F of HIPAA governs "Administrative Simplification." The Administrative Simplification Rules are intended to create a uniform system for processing, retaining, and securing health care information by encouraging the use of electronic technology, mandating standardization of health-related transactions, and ensuring the security and privacy of health information.
Congress delegated responsibility for developing and implementing the Administrative Simplification provisions of HIPAA to the U.S. Department of Health and Human Services (HHS).
As a Business Associate or employer under HIPAA Privacy and Security laws there are many regulations to comply with. Also, there have been many recent changes to the laws due to the ARRA and HITECH Act. Read the frequently asked questions below to learn tips for compliance.
Do employers need to worry about complying with HIPAA?
Although employers are not "covered entities" under the Administrative Simplification Rules, every employer that offers health benefits or health services to its employees will be affected by the Rules. This is because the Rules directly regulate most employer group health plans and certain health care providers (which may include some employers' on-site providers).
Is there an exception for the group health plans of small employers?
No. The Administrative Simplification Rules do not provide an exception for the group health plans of small employers. The Rules do, however, provide more time to comply for "small health plans." While small health plans must still comply with the Administrative Simplification Rules, they have an extra year to comply with each of the Rules' deadlines.
Is there an exception for the group health plans of government employers?
No. The Administrative Simplification Rules do not provide an exception for the group health plans of governmental employers. The Rules do, however, have some special provisions that recognize the inability of government entities to enter into contracts (for instance, for business associate contracting purposes). Instead, government employers may enter into "memoranda of understanding" (MOUs) with their business associates.
Is there an exception for group health plans of non-profit employers?
No. The Administrative Simplification Rules do not provide an exception for the group health plans of non-profit organizations.
By what date do I have to comply with the Administrative Simplification Rules?
Each rule issued by HHS as part of the Administrative Simplification package has its own compliance deadline. In addition, "small health plans" have an additional year to comply with each rule. For more information, click here.
How do I know if my group health plan is a "small health plan"?
A small health plan is defined as a plan with annual receipts of $5 million or less. The method by which group health plans determine whether they are "small" depends upon whether they are fully-insured or self-insured:
Health plans that file federal tax returns and report receipts on those returns should use the guidance provided by the Small Business Administration at 13 CFR § 121.104 to calculate annual receipts.
My group health plan does not transmit any information electronically. Is it exempt from the Administrative Simplification Rules?
No. Employer group health plans are covered entities whether or not they transmit information electronically. Only providers, such as doctors, nurses, on-site clinics, etc., are exempt from these Rules if they do not transmit electronically.
Does it matter whether my group health plan is fully-insured or self-insured?
There can be a significant difference in a group health plan's compliance obligations because of its insured status. In general, a fully-insured group health plan that receives only limited information about its participants and beneficiaries will have a lighter compliance burden. For most such fully-insured group health plans, it might be that their insurance issuers or HMOs will bear the brunt of the compliance burden. A self-insured group health plan, on the other hand, is presumed to receive information about its participants and beneficiaries and will have a significant compliance burden.
In general, what are my obligations under the Administrative Simplification Rules?
As noted above, an employer's obligations under the Administrative Simplification Rules will vary depending on whether its group health plan (or plans) is fully-insured or self-insured, on the type of identifiable health information the employer receives about employees and their families, and on whether the employer provides other employee health services (such as on-site clinics) that are covered by the Rules. If an employer is covered indirectly as the sponsor of a group health plan, or directly as a health care provider, or both, it may be required to:
What information is protected by the Privacy Rule?
The Privacy Rule does not protect all forms of health information - only health information that is "individually identifiable." In other words, it protects health information from which an individual can be identified, but only if that information is in the hands of a covered entity. Generally, health information held in a group health plan's records will be protected.
Health information is protected if:
[45 CFR §§ 160.103 (definition of "health information"); 164.501 (definitions of "individually identifiable information" and "protected health information").]
What is "protected health information"?
"Protected health information" (often referred to "PHI") is the health information described above, i.e., it is the health information that is subject to the Privacy Rule's protections.
Do I need to comply with state privacy laws?
Possibly. The Privacy Rule does not preempt all state privacy laws. State privacy laws that are "more stringent" are preserved. That is, a state privacy law that provides more privacy protections or greater individual rights than provided by the federal Privacy Rule will apply, unless that law is otherwise preempted by a different federal law, such as ERISA. Generally, state laws preempted by ERISA will remain preempted. [45 CFR § 160.203; 65 Fed. Reg. 82483.]
Accordingly, employers must determine whether and to what extent they must follow state law (including decisional law as well as statutes and regulations). This task may be particularly complicated for employers with employees in more than one state. A detailed discussion of the preemption issues raised by the Privacy Rule is beyond the scope of this Workbook. Employers might wish to consult with legal counsel to determine applicable state privacy laws.
Do I need to comply with other federal laws that require me to use or release protected health information?
Generally, nothing in HIPAA or the Administrative Simplification Rules exempts an employer from complying with other federal laws (e.g., ERISA, ADA, FMLA) under the general rules of precedence applicable to federal law.
Generally, when may "protected health information" be used or disclosed?
Group health plans may use or disclose protected health information only if the use or disclosure is permitted or required by the Privacy Rule. [45 CFR § 164.502(a).] In very general terms, a group health plan may use protected health information internally or disclose it externally only under the limited circumstances and for the specific purposes permitted by the Privacy Rule. Otherwise, group health plans may use or disclose protected health information only with the permission of the individual who is the subject of the protected health information
Are there any penalties for not complying with the Administrative Simplification Rules?
Yes. There are both civil and criminal penalties for noncompliance. Civil penalties may be assessed at $100 for each provision of the Rules violated, with an annual cap of $25,000 per person, per violated provision. Criminal penalties for knowing violations of the Rules may include monetary fines as well as imprisonment. Fines range from up to $50,000 and one year of imprisonment to up to $250,000 and up to 10 years of imprisonment. [42 USC §§ 1176, 1177.]
Who enforces the Privacy Rule?
HHS has delegated responsibility for enforcing the Privacy Rule to the HHS Office for Civil Rights ("OCR"). OCR's enforcement regulations have not yet been published. [65 Fed. Reg. 82472.] OCR's web site, where it intends to publish enforcement information, is www.hhs.gov/ocr/hipaa.
Can a participant or beneficiary sue me for alleged violations of the Administrative Simplification Rules?
The Administrative Simplification Rules themselves do not provide a private right of action, meaning they do not authorize private individuals to sue covered entities, such as covered group health plans, for alleged for violations. [65 Fed. Reg. 82566, 82604.]
Nonetheless, employers might find themselves subject to private lawsuits under other theories. For example, in certain circumstances, the Administrative Simplification Rules require an employer to amend its group health plan documents. To the extent that such a group health plan is governed by ERISA, participants and beneficiaries will have the right to sue for enforcement of the plan document, including, perhaps, the amendments required by the Administrative Simplification Rules.
In addition, as noted above, state laws providing more stringent remedies are likely to apply. Those applicable state laws may provide private rights of action, and if they do, participants and beneficiaries may be able to invoke them. [65 Fed. Reg. 82582.]
Where can I find more information about the Privacy Rule?
More information about the HIPAA Privacy Rule can be found at the following web site: http://www.hhs.gov/ocr/privacy/.
Litmos Healthcare is the leading provider of HIPAA online education. Available online, anytime and anywhere. These online courses meet the federal standards for HIPAA compliance training required by law. A simple login allows employees access to the self-paced online courses; each course takes only 20-30 minutes to complete. Completions are reportable and certificates of completion are provided real-time.