The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that sets rules and limits on the use and disclosure of Protected Health Information (PHI). One part of it is the HIPAA Privacy Rule, which is very complex, partly because it regulates three very different types of organizations (defined as covered entities), and the rules that apply to each vary.
“In order to determine what an organization must do, if anything, in response to the HIPAA Privacy Rule, it must first determine if it is a covered entity or has access to PHI,” says Amy Broadbent, vice president of JRG Advisors.
Smart Business spoke with Broadbent about the requirements of the HIPAA Privacy Rule and how it impacts your business and workforce.
Who is governed by the HIPAA Privacy Rule?
Covered entities that are governed by HIPAA include health plans; health care providers that conduct certain transactions electronically — this includes most doctors, clinics, hospitals, pharmacies, psychologists, chiropractors, nursing homes and dentists; and health care clearinghouses.
Contractors, subcontractors and other outside persons/companies that are not employees of a covered entity may have the need to access health information when providing services to the covered entity. These individuals are known as ‘business associates.’
Covered entities must have contracts in place with their business associates, ensuring that they only use or disclose PHI as permitted under HIPAA. HIPAA has been amended such that business associates, although not covered entities themselves, must comply with the HIPAA rules in the same manner as a covered entity.
What are the administrative requirements under the HIPAA Privacy Rule?
If the plan sponsor has access to PHI, other than for enrollment or termination of coverage under the plan, then it must comply with HIPAA’s administrative requirements.
Administrative requirements include limiting use and disclosure of PHI to activities related to treatment, payment or health care operations. You also must designate a privacy officer who is responsible for:
- The development and implementation of privacy policies and procedures.
- Training workforce members, known as designated employees, on those policies and procedures with regard to PHI.
- Having a complaint procedure.
- Providing a Notice of Privacy Practices to plan participants.
- Refraining from taking retaliation against an individual who makes a complaint alleging a HIPAA violation.
- Establishing sanctions against designated employees that fail to comply with the HIPAA requirements.
The HIPAA Privacy Rule permits a plan sponsor to receive summary health information from the insurance company for the purpose of obtaining premium bids from health plans to provide health insurance coverage, and for modifying, amending or terminating a group health plan. If a plan sponsor’s access to medical information is limited to summary health information, it will not be required to comply with the HIPAA administrative requirements.
The HIPAA Privacy Rule also sets limits as to who can review and receive protected health information. Covered entities and business associates are required to comply with an individual’s rights. These include the right to access and obtain a copy of health records, have corrections made to those records, limit communications and receive an accounting of PHI disclosures.
It is important for employers and employees alike to know their rights and obligations under HIPAA.
The HIPAA Privacy Rule is complex and includes additional requirements besides those discussed in this article — work with your advisor to ensure you fully understand this rule and how it impacts your business and workforce.
Insights Employee Benefits is brought to you by JRG Advisors