April 14, 2004 is the approaching deadline for small health plans - plans that have annual total premiums (both employer and employee contributions) of $5,000,000 or less - to comply with the privacy regulations under the Health Insurance Portability and Accountability Act (“HIPAA”).

The approaching deadline will have its greatest impact on mid-size and small employers who did not have to comply with last year’s deadline that applied to large health plans. The amount of work required for a mid-size or small employer to comply will depend on whether the employer has any self-funded plans and the extent to which the employer receives protected health information.

The April 14, 2004 deadline, however, will also impact many large employers.  Many large employers sponsor small health plans (e.g., dental plans, vision plans, health flexible spending arrangements, and employee assistance plans) that are not yet compliant. We recommend that all employers, regardless of size, review all of their health plans to determine compliance with the HIPAA privacy regulations.

HIPAA Privacy Requirements

The regulations impose numerous requirements concerning the use and disclosure of protected health information by health plans. Employers sponsoring health plans should review the following:

  • Information flow. Employers should determine the flow of information between the plan and the employer, and from the plan to other entities.
  • Privacy policies and procedures. Employers need to prepare policies and procedures for handling protected health information.
  • Notice of privacy practices. Employers must provide a notice to currently covered employees and to new enrollees within 60 days of enrollment.
  • Business associate agreements. Employers, on behalf of their health plans, must enter into business associate agreements with entities providing services to the plan. Business associates include third party administrators, flex or cafeteria plan administrators, lawyers, and others.
  • Plan document. Employers must amend their health plan documents in order to permit sharing of information between the plan and the employer for certain permitted purposes.
  • Forms for authorization and consent. Employers must develop forms for authorizations and consent to disclose protected health information for reasons other than treatment, payment, or health care operations.
  • Privacy officer. Employers must designate a privacy officer responsible for the development, implementation, and ongoing oversight of the HIPAA privacy compliance effort.
  • Training. Employers must train staff members who have access to protected health information on the employer’s HIPAA privacy policies and procedures.

HIPAA Privacy Exemption

HIPAA provides an exemption for self-funded, self-administered health plans with fewer than 50 participants.  These plans are not required to comply with HIPAA’s privacy regulations.  This exemption, however, does not apply to the health plan if the employer has hired a third party administrator to administer the plan.

Conclusion

The compliance deadline for small health plans is rapidly approaching. If you have questions about complying with the HIPAA privacy regulations, please contact the attorney you work with for assistance.