HIPAA Privacy and Security Deadlines Approaching
Large Health Plans Must Provide Reminder That HIPAA Privacy Notice Is Available
Once every three years, health plans and flexible spending account plans must remind participants that their Notice of Privacy Practices is available and how to obtain it. For plans that first issued their Notices in 2003, the reminder needs to be provided by April 14 of this year (unless the plan has reissued its Notice since 2003 either as part of an annual open enrollment packet or because of a change in privacy practices). For fully-insured plans, the insurance carrier typically will provide the Notice (although a wise employer will confirm this with the insurance carrier), but employers who sponsor self-funded plans or pay benefits out of general assets must comply with this deadline.
The HIPAA regulations do not specify the wording or delivery method for the reminder. The reminder only needs to be provided to covered employees, unless the employer is aware of any dependents living apart from the employee. Employers may include the reminder with other materials sent to employees (including an employee newsletter or paycheck) and need not make a separate mailing. The reminder may be e-mailed only if the individual has agreed to receive notices electronically.
We recommend that you take this opportunity to review your health plan's Notice of Privacy Practices and update it for any changes you have made to your plan's privacy practices since 2003. With the advent of Medicare Part D and increased interest in disease management and predictive modeling programs, some plans are finding that they need to expand the list of situations in which protected health information routinely may be used and shared.
Note that plans also must provide the Notice of Privacy Practices to new participants when they enroll in the plan and to any enrollee at any time upon request. In addition, plans that post benefits information electronically must post a copy of the Notice with other plan information.
Small Health Plans Must Comply With HIPAA Security By
Small health plans (those having under $5,000,000 in receipts during the prior year) must comply with the HIPAA Security Rule by
· Add HIPAA Security provisions to their Business Associate Agreements;
· Add HIPAA Security provisions to their health plan documents;
· Perform a HIPAA Security risk assessment;
· Appoint a Security Official;
· Develop HIPAA Security Policies and Procedures that address the handling of electronic protected health information by the plan sponsor and/or the plan;
· Conduct workforce training.
The HIPAA Security Rule requires a plan to ensure the confidentiality, integrity, and availability of the electronic protected health information (PHI) it creates, receives, maintains, and transmits. This includes protecting electronic PHI from reasonably anticipated threats to its security and accuracy and from improper disclosure of the information. For example, do you restrict access to electronic PHI by passwords, locked doors, etc.? What if a natural disaster damaged the computer system, storage disks, etc.? Have you secured the system from hackers, viruses, etc.? Plans need to document the results of their security assessment and take corrective action as needed.
For assistance in updating your Notice of Privacy Practices or navigating the HIPAA Security requirements, please contact Chris Sears, Stephanie Smithey, or Linda Rowings.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader must consult with legal counsel to determine how laws or decisions discussed herein apply to the reader's specific circumstances.
©2006 Ice Miller