HIPAA is an expansive law covering many different industries in different ways. The Compliance Office (TCO) helps you meet the HIPAA compliance requirements that affect you with regard to Health and Welfare Plans. The various HIPAA issues to which you are subject, and the extent to which TCO provides compliance services for each, are detailed below under each respective sub-topic.
The final HIPAA portability regulations issued in December 2004 require a group health plan to provide potential enrollees with a description of any preexisting condition limitations of the plan. The plan is required to provide this notice to an employee at or before the time the employee is initially offered the opportunity to enroll in a group health plan. TCO prepares and mails Initial HIPAA Notices, which include Preexisting Condition language, to all eligible new employees entered into the TCO/BPM System.
HIPAA Special Enrollment Rights
The final HIPAA regulations issued in December 2004 require a group health plan to provide potential enrollees with a description of their special enrollment rights under HIPAA. The plan is required to provide this notice to an employee at or before the time the employee is initially offered the opportunity to enroll in a group health plan. TCO prepares and mails Initial HIPAA Notices, which include Special Enrollment Rights language, to all eligible new employees entered into the TCO/BPM System.
The compliance burden imposed on employer group health plans under the privacy rule varies depending on the funding method (self-funded vs. fully insured) and the approach the employer takes to plan administration. While The Compliance Office can advise you on specific issues, it is your responsibility as an employer to determine, with your legal representative, your precise responsibilities under the HIPAA Privacy rules.
1. Fully Insured Employer Group Health Plan: “Hands-Off” PHI Approach
If the employer's group health plan provides health benefits only through an insurance contract and does not create, maintain, or receive PHI, the vast majority of administrative burdens imposed by the privacy rule do not apply to that employer. By taking this approach the employer avoids having to:
• comply with HIPAA's use and disclosure rules
• provide individuals with the rights to access, amend, and receive an accounting of PHI
• prepare and provide a HIPAA Privacy Notice
• comply with the HIPAA administrative requirements (other than the prohibitions against retaliatory acts and requiring a waiver of HIPAA rights).
Instead, these requirements will be imposed upon the insurer. The employer must be careful not to become so involved in plan administration that it inadvertently obtains PHI. It may, however, engage in the following activities:
• Provide employees with assistance in claim disputes or in understanding their plan (although generally, the employer must obtain the individual’s authorization in order to have access to that individual’s PHI).
• Receive summary health information from an insurer for the limited purposes of obtaining premium bids or modifying, amending, or terminating the plan. The plan’s notice of privacy practices (which should be provided by the insurer) should inform participants that the plan may disclose this type of information to the employer. The minimum necessary standard applies to such disclosures.
• Perform enrollment and disenrollment activities and payroll deductions. Employers may receive PHI for the purposes of performing enrollment and disenrollment functions without having to comply with any plan document and firewall requirements.
2. Fully Insured Employer Group Health Plan: “Hands-On” PHI Approach
If an employer wishes to have access to PHI (in addition to summary information and enrollment/disenrollment information), then additional requirements apply. The employer itself will need to:
• comply with the use and disclosure rules;
• provide individuals with the rights to access, amend, and receive an accounting of PHI;
• prepare a privacy notice, except that the plan will only need to provide the notice upon request; and
• comply with the administrative requirements.
Any plan documents must be amended and a firewall put in place to protect any PHI disclosed to the employer. The employer will need to comply with any plan document and firewall requirements and provide a certification that these requirements have been satisfied.
3. Self-Funded Employer Group Health Plans and Their Sponsors
A self-funded employer group health plan will be required to:
• comply with HIPAA's use and disclosure rules
• provide individuals with the rights to access, amend, and receive an accounting of PHI
• prepare and provide a HIPAA privacy notice
• comply with HIPAA's administrative requirements
The privacy standards do not clearly address how the administrative obligations imposed upon the plan (e.g., appointing a privacy official) are to be satisfied. In many cases, the employer's legal role as plan administrator will cause the employer itself to perform these functions on behalf of the plan.
Other requirements will apply directly to the employer if it has access to PHI. For example, if the plan intends to provide to the plan sponsor PHI other than summary health information and enrollment/disenrollment information, then the plan sponsor will be responsible for amending the plan document, creating a firewall to protect the information, agreeing to limitations on the use of the information, and otherwise complying with the terms of the plan amendment as required by the regulations.
A plan may delegate many of these requirements by contracting with its TPA to perform the required functions on behalf of the plan. However, few TPAs will assume complete responsibility for overall privacy compliance, and few plan sponsors will be comfortable in giving up complete control to a TPA.
HIPAA requires that health plans, health care clearinghouses, and health care providers that conduct electronic transactions maintain reasonable and appropriate safeguards (a) to ensure the integrity and confidentiality of health information; (b) to protect against reasonably anticipated threats or hazards to the security or integrity of the information and against reasonably anticipated unauthorized uses or disclosures of the information; and (c) to ensure compliance with the security standards by the covered entities’ officers and employees.
Most health plans and other covered entities had to comply with the security rule by April 20, 2005. Small health plans had an additional year (until April 20, 2006) to comply. If you require assistance developing your company's HIPAA Security Policy, contact TCO's Compliance Officer.