HIPAA Electronic Security: Small Health Plan Compliance Date Approaching

June 5, 2008 — 768 views  

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) requires group health plans to protect the confidentiality of participant health information. This requirement is implemented primarily through the HIPAA privacy rules, which govern the use and disclosure of protected health information. However, it is also implemented through the HIPAA electronic security rules, which require group health plans to protect the confidentiality, integrity, and availability of “electronic protected health information” (“ePHI”) that they create, receive, maintain, or transmit.

The general effective date for the electronic security rules was April 21, 2005. However, the compliance deadline for small health plans is April 21, 2006. A “small health plan” is one with annual receipts not exceeding $5 million, measured by premiums paid for a fully-insured plan and by claims paid for a self-insured plan. Administrators of small plans should begin the compliance process now by taking the following steps to ensure that ePHI is protected:

  • The security rules require the group health plan to perform a risk analysis to identify how ePHI is handled and to assess the confidentiality, integrity and availability of ePHI in operation. This risk analysis should be done in conjunction with the plan’s information technology specialists.

  • After the risk analysis, any problem areas must be isolated and corrected. This can include changes to technology as well as adjustments to administrative procedures and workspace safeguards.

  • Group health plans that have HIPAA privacy policies and procedures in place can build off these existing structures to address adjustments required by the security rules.

  • Plan administrators should use this opportunity to review the policies and procedures currently in place and to update plan documents and business associate agreements to comply with the security rules.

  • Plan administrators should consider whether it is feasible to limit or eliminate ePHI at the employer level to minimize the impact of the security rules on the employer.

  • Plan administrators should coordinate with the group health plan’s third party administrator or insurer to limit or eliminate ePHI where possible and to confirm that the third party administrator or insurer is itself compliant with the security rules.

  • Where ePHI cannot be eliminated, plan administrators should consider implementing security procedures, such as using passwords, to protect ePHI.

The Centers for Medicare and Medicaid Services (“CMS”), the agency responsible for enforcement of the security rules, has indicated that all standards and implementation specifications should be in place by the compliance date, since CMS does not anticipate that there will be an extension of the effective date of these rules. The enforcement process is expected to be similar to the process currently in place for the HIPAA privacy and electronic data interchange rules.

McGuireWoods