What Our Clients Need to Know About HIPAA

The following is provided as a brief summary to help RSI Gallagher clients deal with HIPAA’s Privacy Rule. As with many federal regulations, the Privacy regulations are long and subject to interpretation. As you know, RSI Gallagher cannot practice law. Therefore, this document is provided as a guide to assist RSI Gallagher clients with their health plan administration needs.

  1. The Privacy regulations affect group health plans (e.g., medical and dental, not life insurance, disability insurance, and Workers’ Comp) and “protected health information” (PHI), which is individually identifiable health plan information such as patient-specific claim information.

  2. The regulations apply to PHI in all forms: written, electronic, or oral.

  3. You would not expect to receive PHI on your covered employees or their families from carriers, hospitals, and doctors. They are restricted from providing such information to anyone other than the patient unless the patient provides a signed authorization. As a result, the impact of HIPAA’s Privacy regulations can be greatly reduced for employers with fully insured plans.

  4. You can continue to conduct routine enrollment, disenrollment, and plan renewal activities with little or no impact by HIPAA.

  5. You may be asked to sign a “business associate agreement” by an insurance carrier, hospital, or doctor to provide an assurance that you will not mishandle PHI. There is generally no reason not to sign such documents, but they should be reviewed before signing; they are legal contracts.

  6. Insurance carriers, hospitals, and doctors may be sending privacy notices to you and your covered employees/family members. These notices are similar to privacy documents sent by credit card companies and banks.

  7. Employees and family members covered by your group health plans can expect to be asked to provide written authorization forms to carriers, hospitals, and doctors if they seek help from another party (e.g., RSI Gallagher) with regard to their PHI.

  8. Employees and family members should be directed to call RSI Gallagher or their carrier with any issues regarding PHI (e.g., claims, treatment, etc.). You and your benefits team should make every effort not to receive PHI.

  9. Internal procedures should be developed at your company to ensure that you do not receive or mishandle individually identifiable health plan information. These procedures should include specific instructions and actions regarding any violations of these procedures and how to handle such information should it come to your attention.

  10. Should you choose to help an employee and receive or use PHI, you will need a signed authorization form. Every effort should be made to keep PHI separated from those who make employment decisions. Under no circumstance should an employment-related decision be affected by PHI.

  11. Please note: voluntarily receiving PHI from your fully insured group health plan subjects you to all of the regulations applicable to a self-funded plan. Insurers, providers, and employers with self-funded health plans must:

      • Appoint a Privacy Officer who is responsible for the development and implementation of the health plan’s policies and procedures;
      • Designate a contact person (or office), usually the Privacy Officer, who is responsible for receiving complaints;
      • Establish policies and procedures to properly handle PHI;
      • Train all employees on these policies and procedures;
      • Establish administrative, technical, and physical safeguards to protect the privacy of PHI from misuse;
      • Provide a process for individuals to make complaints concerning the use and disclosure of their PHI;
      • Establish and apply appropriate disciplinary measures in the case that PHI is mishandled;
      • Act promptly to correct any violations in the use or disclosure of PHI;
      • Prepare and distribute a Notice of Privacy Practices to all individuals in the health plan(s);
      • Provide each individual with the right to request access, amendment, accounting, confidential communications, and restrictions of PHI;
      • Prepare and distribute a Plan Document Amendment to all individuals in the health plan(s);
      • Prepare a Certification of Amendment of the Plan Document and submit it as requested; and
      • Retain compliance documentation for six years.

  12. RSI can advise you on these additional requirements and provide sample documents.

      The compliance deadline for small businesses (those with annual health insurance receipts [premiums/claims expenses] of $5 million or less) is April 14, 2004.

  13. HIPAA is very consumer-oriented, and there are penalties for violations, including hefty fines and imprisonment. At least for now, enforcement of the regulations is expected to be complaint-based.

  14. Following good business practices and common sense will serve you well under HIPAA. Similar to payroll information, PHI is highly confidential and should be treated accordingly. HIPAA formally reinforces this point and spells out under what circumstances, and how, PHI can be used.

  15. Please direct any questions you have about HIPAA to your Benefits Consultant at RSI Gallagher.