What plan sponsors are required to do under the HIPAA Privacy Rule Featured

9:12pm EDT November 30, 2012
What plan sponsors are required to do under the HIPAA Privacy Rule

The Health Insurance Portability and Privacy Act (HIPAA) governs the use of Protected Health Information (PHI), and failure to comply with the requirements of the policy can be a costly mistake.

As an employer who sponsors a health plan, it is important to fully understand your responsibilities under the act, as failing to do so can result in severe penalties, says Jessica Galardini, president and COO of JRG Advisors, the management arm of ChamberChoice.

“As an employer, you may think that HIPAA doesn’t apply to you,” says Galardini. “But if you are an employer that also sponsors a health plan, ignorance of the law could lead to fines and even jail time.”

Smart Business spoke with Galardini about what plan sponsors need to know about HIPAA and how to ensure that you remain compliant.

What is the HIPAA Privacy Rule?

As required by the Health Insurance Portability and Accountability Act of 1996, the U.S. Department of Health and Human Services (HHS), in December 2000, released final federal regulations that govern the use and disclosure of personally identifiable health information — the HIPAA Privacy Rule. In most cases, the deadline for compliance with the HIPAA Privacy Rule was April 14, 2003. The rule was then updated by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which took effect in 2010.

The HIPAA Privacy Rule directly regulates health plans, health care clearinghouses and health care providers that conduct certain transactions electronically, and indirectly regulates plan sponsors.

What information is governed by the HIPAA Privacy Rule? 

The HIPAA Privacy Rule governs personal health information, which is defined as information that is oral, written or electronic; individually identifiable; created or received by a covered entity; and relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

What are plan sponsors required to do? 

The compliance requirements indirectly imposed upon a plan sponsor by the HIPAA Privacy Rule vary based on whether or not the plan sponsor has access to PHI. A plan sponsor that offers a fully insured group health plan will be minimally impacted by the HIPAA Privacy Rule if its access to health information is limited to the following plan sponsor functions:

  • Assisting employees with claim disputes as permitted by the employees’ written authorization.

  • Receiving Summary Health Information (SHI) for purposes of obtaining premium bids or modifying, amending or terminating the plan.

  • Conducting enrollment and disenrollment activities.

A plan sponsor that has access to PHI in order to perform plan administration functions must amend the plan documents to include a description of permitted uses and disclosures of PHI by the plan sponsors; certify to the group health plan that the plan documents have been amended; and comply with all of the administrative requirements contained within the HIPAA Privacy Rule.

What are the administrative requirements of the HIPAA Privacy Rule?

In general, the HIPAA Privacy Rule requires plan sponsors with access to PHI, together with the group health plan, to comply with all of the administrative requirements contained within the HIPAA Privacy Rule. For a summary of requirements, contact your benefits advisor or visit www.hhs.gov.

What are the penalties if an organization fails to comply with the HIPAA Privacy Rule?  

Failure to comply with the HIPAA Privacy Rule may result in civil or criminal penalties. HIPAA’s civil penalties were increased by the HITECH Act but may not apply if the violation is corrected within 30 days. For violations in which the individual is not aware that the violation has occurred, the minimum penalty remains $100 per violation, up to $25,000 per calendar year for identical violations.

If the violation is due to reasonable cause, the minimum penalty is $1,000 per violation, up to $100,000 per calendar year. For corrected violations that are caused by willful neglect, the minimum penalty is $10,000 per violation, up to $250,000 per calendar year.

The maximum civil penalty for any type of violation and the minimum penalty for uncorrected violations caused by willful neglect is $50,000 per violation, up to $1.5 million per calendar year for identical violations.

The criminal penalties are:

  • $100 per violation, up to $25,000 per year, per standard, for disclosures made in error.

  • $50,000 and/or one year in prison for knowingly obtaining or disclosing PHI.

  • $100,000 and/or up to five years in prison for obtaining information under false pretenses, and $250,000 and up to 10 years in prison for obtaining PHI with an intent to sell, transfer, or use it for commercial advantage, personal gain or malicious harm.

Taking the time to understand the rules will ensure that your organization is complying as it should under the law.

Jessica Galardini is president and COO of JRG Advisors, the management arm of ChamberChoice. Reach her at (412) 456-7231 or jessica.galardini@jrgadvisors.net.

Insights Employee Benefits is brought to you by ChamberChoice