Small Health Plans Shouldn't Forget About HIPAA
By Shannon B. Hartsfield, Esq., with Holland & Knight, LLP, Tallahassee, Fla.
While health care clearinghouses and most providers and health plans faced a compliance date of April 14, 2003, small plans were given an extra year. April 14, 2004 loomed as the day by which "small" health plans had to comply with the privacy rules implementing portions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). Many employers with self-insured health plans may not have realized that they have significant obligations under these new rules. Even employers with fully insured plans need to be aware of the rules and how they impact such plans.
HIPAA defines small health plans as those having annual receipts of $5 million or less. Health plans that file certain federal tax returns and report receipts to the IRS should follow the Small Business Administration's guidelines for calculating annual receipts to determine whether they fall under or over the $5 million threshold.
ERISA group health plans and other plans that do not report receipts to the IRS should use proxy measures to calculate annual receipts. For example, self-insured plans are small health plans if the total amount paid in health benefits by the employer or plan sponsor during the last fiscal year is $5 million or less. Fully insured health plans should add up total premiums paid for health benefits during the plan's last fiscal year. If the premiums are less than a total of $5 million, the plan is a small health plan. If the plan used a combination of purchased insurance and self-insurance to provide health benefits, those numbers should be combined to calculate total receipts.
As the compliance deadline has passed, small health plans that have not yet addressed HIPAA have much to do. Some of the required compliance activities include assessing how the plan uses and discloses protected health information; appointing someone to act as a "privacy official"; drafting and negotiating "business associate" agreements with vendors and third party administrators; training staff; and developing a notice of privacy practices, policies and procedures, and other documents required by HIPAA. Small health plans and larger ones that have missed the 2003 deadline should work quickly to develop compliance plans that will help to avoid potential civil or even criminal penalties for misuse of health data.