
HIPAA column

"HIPAA" is finally here

Complying with new health privacy regs

 

 

The IRS isn't the only federal regulator that business is worried about this spring. Employers must contend with yet another federal requirement on their group health plans: the "Health Insurance Portability and Accountability Act" (HIPAA) privacy rules that take effect in April.

 
In the computer age of easy-access data, the regulations are intended to protect private health information from inappropriate intrusion. They directly regulate group health plans and not employers, but apply to all companies and individuals who provide services to the group health plan.

 

Under the regulations, employers must develop policies and procedures to control access to and disclosure of their employees' private health information. This involves determining who has access to health records and how they are stored. The next step is to draft written procedures and train employees on the privacy requirements.

 

HIPAA requires that employers designate a "privacy official." This person is responsible for the development and implementation of the privacy policies. Employers must also designate someone to receive complaints about privacy violations and to document them and their outcomes.

 

Surveys show most companies are designating someone in the human resources or benefits department.

 

Employers must develop sanctions against employees who fail to comply with the policies and procedures, and they must document any sanctions imposed. In addition, they must show evidence of mitigation of any harm caused by improper use or disclosure of confidential medical information.

 

An employer with a self-funded health plan is required to give notice informing employees about their privacy rights and how their medical information is handled. Employers must give individuals the opportunity to agree or object to disclosures to family members. In addition, employees must be given the opportunity to inspect or obtain copies of their medical information, and make changes.

 

The April 14 compliance deadline is for large employers -- those with annual medical claims in excess of $5 million. Small companies have another year before compliance is required.

 

HIPAA requires "reasonable and flexible" policies and procedures. That gives companies latitude to determine what standards are reasonable and will work for them.

 

Employers retain the ability to examine employee benefits information to determine trends and make strategic decisions about coverage plans.

 

To some extent, the health care information culture is changing because of HIPAA. Doctors, pharmacies, insurance providers and human resource employees will still work on computers, and use e-mail and fax machines to transmit information extremely fast and accurately.

 

The new regulations do not prohibit anyone from talking to another or relaying information for the good of a health plan member.

 

But all will work under documented procedures and with heightened sensitivity on the handling of private medical information.



Corporate Systems Administration, Inc.
4722 Lake Park Drive
PO Box 4985
Johnson City, Tennessee 37602-4985
voice: 423.282.3420