The Health Insurance Portability and Accountability Act (HIPAA) went into effect in the first quarter of 2003. HIPAA creates federally mandated requirements regarding protected health information (PHI) that can affect any employer, regardless of its size, location or industry. Government estimates place the price tag for compliance within the public and private sectors at $22 billion. While the Privacy Rules were not aimed at regulating non-medical employers, employers who sponsor group health plans are affected, depending on whether the employer: (1) is fully insured or self-insured; and (2) creates or receives Protected Health Information. Protected Health Information (PHI) is defined to include all individually identifiable health information held or transmitted by a covered entity or business associate, electronically or in other forms (Amatayakul, 2000). There are some exceptions. One important PHI exception is that the Privacy Rules do not apply to employment records, including medical information employers use to comply with various disability laws, such as the Americans with Disabilities Act (ADA) and workers' compensation, or to administer workplace disability policies or substance abuse rules (Lax, 2002). Employers using medical information solely for compliance with the disability laws and workplace policy administration are not covered. Another important exception is accomplished through de-identified health information, which is useful to the employer in administering its health plan.
There are four components of the Privacy Rules (Amatayakul, 2000):
1. Use and disclosure rules: provide for written consents that may be obtained for treatment, payment, and related health care operations. Authorization is required in writing to use PHI for purposes other than treatment, payment, and related health care operations, such as marketing.
2. Privacy practices notice: mandates that a privacy notice be given to the individual whose health information is being used, with the same notice being given to anyone who requests that information.
3. Individual rights provisions: preserve the individual's right to access and amend the information, obtain an accounting of disclosures, and secure additional protections.
4. Administrative requirements: designating a privacy officer; providing a complaint responder; conducting training; and establishing security policies, including firewalls to secure the information (Lax, 2002).
The healthcare industry is familiar with the HIPAA Privacy Rule; however, many outside the industry are not necessarily aware of the significant impact that the Privacy Rule may have on them. Every employer that provides healthcare coverage to its employees, either through a fully insured or a self-insured health plan, is affected by the Privacy Rule and must comply with it. The U.S. Department of Health and Human Services ("HHS") is not authorized to regulate employers directly; however, employers are regulated under the Privacy Rule indirectly, through the group health plans that they establish. A group health plan is considered a "covered entity," and is therefore directly regulated unless it is a small, self-administered plan with fewer than 50 participants. Many group health plans are contractual entities with no independent assets. Although not directly covered by the Rule, employers acting as "plan sponsors" who administer the group health plan are responsible for ensuring that the mandate of the Privacy Rule is met. For example, although a Business Associate Agreement is not required for disclosures of protected health information (PHI) between a group health plan and the plan sponsor, the employer will have to voluntarily agree to use or disclose such PHI only as permitted or required by the Privacy Rule.
Subject to certain exceptions, the major steps that an employer must take in order to comply with the Privacy Rule with respect to use and disclosure of PHI between the group health plan and the plan sponsor are as follows:
1. Create privacy policies and procedures that ensure that all PHI relating to employees is adequately protected in compliance with the Privacy Rule.
2. Amend group health plan documents to specify how the use of PHI will be restricted to the purposes permitted by the Privacy Rule.
3. Establish policies and procedures to ensure that consent is obtained from an employee prior to using PHI for purposes such as enrollment in a group health plan.
4. Establish "firewalls" between the personnel (and workspace) associated with handling PHI for purposes of administering the group health plan and the rest of the employer's personnel and operations.
5. Implement a compliance program for employees that includes appointing a privacy officer, training employees likely to come into contact with PHI, and creating a process to sanction employees who violate the employer's privacy policies and procedures.
Regarding the second point above, the Privacy Rule instructs entities as to the types of restrictions that must be included in plan documents before any disclosures of PHI are made by the group health plan to the plan sponsor (Lax, 2002). The fourth point above is an important issue for employers because it requires them to set up firewalls in order to ensure that PHI is used for purposes of plan administration only, and not for any other employment-related purposes, such as decisions on employee hiring or termination. Additionally, although the Privacy Rule does not dictate how these firewalls must be established, it does describe the general issues that must be addressed by the employer in creating them. The plan documents must include the following:
1. A description of the employees or classes of employees or other persons under the control of the plan sponsor who are to be given access to PHI;
2. Restrictions on the access to and use of PHI by such employees and other persons, permitting only plan administration functions;
3. An effective mechanism for resolving issues of noncompliance by such employees or persons with the provisions set forth in the plan documents.
With respect to implementing a compliance program, group health plans are exempt from these requirements if they provide health benefits solely through an insurance contract with a health insurance issuer or an HMO, and they do not create or receive PHI other than summary health information or information regarding the status of an individual's enrollment in, or disenrollment from, the HMO or health insurance issuer. It is important to note that employers must consider their activities not only in the context of use and disclosure of PHI between the group health plan and the plan sponsor, but also in the context of any disclosures of PHI to a third party. A disclosure from the group health plan to a third-party administrator would require adequate assurances of confidentiality, and would require a business associate agreement under the Privacy Rule before PHI could be disclosed.
While the HIPAA Privacy Rule raises a number of questions for employers, there are limited circumstances under which employers and covered entities can share protected health information without employee authorization. According to the final regulation, a covered entity may disclose PHI to an employer for public health activities under four conditions (Lax, 2002). First, HIPAA mandates that the covered entity must be a covered health care provider who is either a member of the employer's workforce or is contracted by the employer for the purpose of performing medical surveillance of the workplace or evaluating whether an individual has a work-related illness or injury. Second, the PHI that is disclosed must consist of findings from that surveillance or investigation. Third, the employer must be seeking this information to comply with Occupational Safety and Health Administration (OSHA) or Mine Safety and Health Administration (MSHA) guidelines, or with a state law that has a similar purpose. Fourth, the employer would need these findings to record an illness or injury or to carry out its responsibilities for workplace medical surveillance, according to the regulation. For example, OSHA requires employers to monitor employees' exposures to certain substances and to take specific actions when an employee's exposure level to a substance exceeds a specific limit. A covered entity might test an individual for such exposure…