Hidden HIPAA Hurdles

Jeffery Drummond
June 5, 2008 — 961 views  

Implementing the HIPAA Privacy Rule may seem like ancient history for many physician practice managers: drafting notices of privacy practices, entering into business associate agreements, adopting policies and procedures, and the like. While it was three years ago next month that the HIPAA Privacy Rule became effective for providers such as hospitals and physicians, and only last April that the HIPAA Security Rule did so, barely half of all providers surveyed currently claim to be fully compliant with the Security Rule and there remains a lot of confusion regarding how each such provider may fall under the category of a “Covered Entity” under HIPAA.

Most physician practices know that they are “Covered Entities” under HIPAA due to their status as medical providers. However, many are not aware that, as an employer, they may be caught in another category of Covered Entity: health plans. In fact, even though the US Department of Health and Human Services was explicit in noting that “employers” are not Covered Entities under HIPAA, many employers (including many healthcare providers) offer fully or partially self-funded health plans to their employees, and those health plans are Covered Entities under HIPAA.

Most HIPAA rules apply equally to all Covered Entities, whether they are providers, plans, or healthcare clearinghouses. Therefore, providers who also offer health plans to their employees will need to ensure that their health plans comply with the Privacy Rule and the Security Rule. One area where HIPAA differentiates Covered Entities relates to the size of the health plan: small health plans (less than $5,000,000 in size) were granted an extra year to comply with the Privacy Rule (April 2004), as well as an extra year to comply with the Security Rule (April 2006).

If you offer your employees a health plan, that plan must meet the requirements of the Privacy Rule and the Security Rule (and if your plan is a “small” plan, the Security Rule deadline is fast approaching). For most small plans, Security Rule compliance is relatively easy, since the Security Rule is geared toward protecting electronic protected health information; most small plans, especially those that outsource much of their operations to third party administrators, will find that they have very little interaction with electronic PHI. However, small plans are still required to comply.

And while you’re at it, now would be a good time to review your Privacy Rule compliance and determine if you need to update your HIPAA policies and procedures. Remember, HIPAA compliance is a process, not an event.

For further information or assistance, you may contact Jeff Drummond by telephone at (214) 953-5781, or by e-mail at [email protected]. In addition, Click Here, to access Mr. Drummond's HIPAA blog.

If you wish to be added or removed from this list, please reply to this e-mail with the word "add" or "remove" in the subject line.

Jeffery Drummond

Jackson Walker L.L.P.