Self-Help Guide to HIPAA for Small Employers
Serena G. Simons and Peter N. Cizik
HIPAA is probably one of the most misunderstood sets of regulations facing employers today. The good news is that there is a huge amount of information available to help you comply with HIPAA. The bad news is that a fair amount of what is out there is wrong. And don't look to the federal government for help. It is still trying to sort these regulations out for the health industry and has few resources left to devote to issues related to employer group health plans. This article will attempt to tilt the balance back in your favor by providing some practical steps you can take to control your obligations under these new regulations and to minimize your compliance costs.
"This Doesn't Really Apply To Me, Does It?" And Other Common HIPAA Misunderstandings
Before discussing the steps you can take to control your obligations and minimize your compliance costs under the HIPAA regulations, we'd like to discuss some common misunderstandings about HIPAA. Many employers have been told - and erroneously believe - that they are not affected by HIPAA. The results of this misunderstanding might not only be embarrassing, but also illegal and expensive. Below is a list of these misunderstandings - and the real answer for each one.
Misunderstanding No. 1: Small employers don't have to worry about HIPAA
Wrong! There is no "small employer" exception. Every employer that offers a group health plan to its employees will be affected by HIPAA and will have to determine its compliance obligations, even though an insurance company "does all the work" administering those benefits.
If you pay less than $5 million a year in premiums (or benefits if you are self-funded) your compliance date for the privacy rule is April 14, 2004. Larger group health plans had to comply last year.
The ONLY real health plan exception under HIPAA is for very small, self-administered group health plans - those with fewer than 50 participants AND which are self-insured and self-administered. Most small employer health plans are insured (not self-administered), and therefore are subject to the privacy rule.
Misunderstanding No. 2: My group health plan does not transmit any information electronically, so it is exempt from HIPAA
Wrong again. Group health plans are covered by the HIPAA regulations whether they transmit information electronically or not. Health care providers, such as doctors, nurses, on-site clinics, etc., are exempt from these regulations if they do not transmit electronically, but this exemption applies only to providers, not to group health plans.
Misunderstanding No. 3: My insurance company is responsible for HIPAA compliance, not me.
Not quite - you are both covered by the rule. You - the employer - are the legal sponsor of the group health plan (a covered entity) and you must ensure that your group health plan complies with HIPAA. Your insurer is also a covered entity and must ensure that it complies with HIPAA in its own activities. Note that, if the type of health information you receive from your insurance company is strictly limited in accordance with special rules set out in the HIPAA regulations (known as "Summary Health Information"), your compliance burden will be very small. But the burden with regard to your group health plan is still legally yours.
Misunderstanding No. 4: My health Flexible Spending Account (FSA) isn't subject to HIPAA.
Unfortunately also wrong - your health FSA is subject to HIPAA (unless, of course, it has fewer than 50 participants and is self-administered). What's more, these plans are always self-insured and so will require the highest levels of HIPAA compliance - even if you as the employer are not directly involved in the administration of the plan.
Misunderstanding No. 5: My broker or third party administration (TPA) will take care of HIPAA for me.
Maybe. Your broker or TPA may, indeed, perform this service for you. But you must understand that the legal obligation is still yours, and any penalties imposed for a failure to comply will be imposed on you and not your broker or TPA. So it is in your interest to know something about HIPAA and to be pro-active in raising compliance issues with your broker or TPA.
Misunderstanding No. 6: I don't get any health information about my employees, so I don't have to comply with HIPAA.
Unfortunately, it is not that simple. An employer with a self-insured plan is deemed to receive employee health information even if the employer has taken careful steps to ensure that it does not, for example, by using a third party administrator for all aspects of plan administration. Such an employer is relieved of some, but not all HIPAA compliance obligations. Also, an employer with a fully-insured plan may be receiving protected health information of which it is not aware. It is your obligation to determine what information you are receiving and what your compliance obligations are.
Practical Steps to Minimize HIPAA Obligations and Costs
This brings us to the main part of our article: What can you do as an employer to keep your HIPAA obligations and costs as small as possible?
The key to minimizing your compliance burden is whether you "see" protected health information (PHI) in the course of administering your company's group health plan. Note that hiring vendors will not insulate you completely. In general, if your vendor sees PHI on your behalf, then you are deemed to have seen it as well. If you - and your vendors - do not "see" (i.e., receive) PHI, your compliance burden and costs will be significantly smaller. Therefore, your primary task as an employer that wishes to minimize its obligations, costs, and risks under HIPAA will be to avoid seeing (receiving) PHI about your employees and their families.
So, what exactly is PHI? PHI - protected health information - is any information relating to an individual's health, or health benefits, from which they can be identified. The information does not need to include medical data to be protected. If, for example, a person is enrolled in the PPO option of an employer's group health plan, the person's name and choice of plan are considered protected health information.
Protected health information can be on paper, in electronic media, or it can be an oral statement. For instance, if an insurance company's customer service representative tells an employer over the telephone that a particular employee has diabetes, the representative has disclosed protected health information. Other common examples of PHI are: enrollment forms, explanations of benefits ("EOBs"), and claims forms. See www.hipaaemployer.net for more examples.
Now that you know what PHI is and that you should avoid it, what are some common practices you should review to minimize your exposure to PHI and thus your compliance burden?
- Enrollment. With rising healthcare costs, there's a good chance you may be shopping around for a different health plan. Many insurance company enrollment forms request all kinds of PHI from employees and their families, including specific information about medical histories. Institute a process by which enrollment forms are sent directly to the insurer and not to you! If you or your HR department insists on collecting the forms first, make sure employees seal the forms in envelopes before turning them in. If this information is sent to your broker, determine what role the broker is playing when it receives this information and whether there are contract implications for you (i.e. make sure there is a business associate agreement in place with that broker first).
- Claims Advocacy. An employee has filed a claim that hasn't been paid and has asked for the company's help to get the claim paid. This is almost impossible to do without getting additional PHI from the insurance company. First decide whether your broker or you will handle this for employees. Then set up a process by which your broker (or you) obtains a HIPAA compliant "authorization form" from your employee and provides that form to the insurance company. That form authorizes the insurance company to release additional information to your broker (or you) for purposes of resolving the claim. Make sure that your broker (or you) takes precautions to safeguard any PHI received from the insurance company. In fact, the best course might be to destroy the PHI once the claim has been resolved.
- Claims Reports. Many employers receive regular reports on claims experience for the preceding week, month, etc. Often these reports identify the individuals filing the claims. This information is PHI. Consider whether you need to continue to receive this identifying information, or whether information with the identifiers removed would be sufficient for your plan administrative purpose. Remember that, under HIPAA, you may not use information about an individual from your group health plan to make any employment decisions!
- Duplicate EOBs. Some employers receive duplicate copies of the EOBs sent to health plan participants. Here again, these documents are clearly PHI, and employers should carefully consider whether the purposes for which they have been receiving this information are permitted after HIPAA and if so, whether they need to continue to receive this information.
But what are the absolute minimums? If you do nothing else, what is it you should do to protect yourself under HIPAA?
- Be smart. As with taxes, ignorance is no defense when it comes to HIPAA. Get educated on the regulations. Even if you think it doesn't apply to you directly, chances are it will have some impact on how you run your business on a day-to-day basis. Also, while your compliance burden may be small today, your situation may change and you need to know what to watch for, so that you can increase your compliance infrastructure as required.
- Be pro-active. If your broker has not discussed HIPAA compliance with you, take the initiative. In particular, determine whether you will need a "business associate contract" with your broker. In general, the contract stipulates that your broker will do certain things to ensure the PHI it receives on your behalf remains secure and protected from unauthorized disclosures. The HIPAA regulations require such a contract in some circumstances, and in other circumstances it also might be a good idea. Also, make sure you and your insurer discuss and agree on who is responsible for what.
- Be good. Much of what used to be standard operating procedure for both insurance companies and employers is now prohibited under federal law, or must be structured differently. Take the time to think about the information you have been getting and whether you can properly - or whether you even want to - continue to get it at all.
- And be careful. Employers tend to get and use lots of PHI for no reason other than because they "always have." That was then, this is now. HIPAA has changed the rules and you must be careful not to inadvertently set yourself up for a burdensome compliance program that you don't need and you certainly don't want - if you can avoid it.
The checklist below provides a good starting point for your HIPAA compliance program, if your plan is fully insured, and will still be helpful if your plan is self-insured. Even the 10-employee company needs to be concerned with HIPAA - don't be lulled into noncompliance because auditors aren't knocking on your door. These are some easy steps that will get you started. But remember - this is NOT the "be all and end all" list of what needs to be done. Only a thorough review of your health plan practices will give you that answer. Check out www.hipaaemployer.net and some of the other resources listed for additional useful information and tools to help you out.
Compliance Checklist - Initial Compliance Steps
- Get trained on HIPAA. Even executive management (or maybe, especially executive management) needs to have a working knowledge of the risks of noncompliance.
- Contact your service providers (e.g., brokers, TPAs) to determine compliance roles and responsibilities. Establish and/or review contracts with these providers for confidentiality and/or "Business Associate" provisions, as applicable.
- Contact your insurance carrier (if fully insured) to discuss compliance roles and responsibilities including responsibility for distributing Notice of Privacy Practices.
- Establish procedures to insure you receive only Summary Health Information (SHI) and use it only for proper purposes.
- Establish procedures to handle claims advocacy, including an "authorization" form.
- Establish procedures to handle any specific request, from an employee or otherwise (e.g., subpoenas or other court orders) that may require you to receive PHI
- Establish complaint procedures.
- Establish procedures to comply with the "residual" compliance obligations for fully insured plans (no retaliation, no waiver, confidential communications).
- Document all related policies, procedures and compliance efforts. This will be the first question asked during any kind of audit (formal or informal)!
- Don't forget your FSA!
Centers for Medicare & Medicaid Services
State preemption analysis
About the Authors
Serena G. Simons
Serena has practiced in the area of employee benefits for more than 15 years. She regularly advises employers on such matters as plan design and compliance with statutory and regulatory regimes that affect benefits plans including the Internal Revenue Code, ERISA, COBRA, FMLA, HIPAA, ADEA, and ADA. Serena has a significant amount of experience in drafting and amending health plan documents, in preparing plan-related employee communications (in both electronic and paper formats), in negotiating service-provider contracts, and in dealing with the benefits issues related to business transactions. She also has worked extensively with plan sponsors on such matters as plan administrative structure, fiduciary responsibilities, and claims review processes and procedures under ERISA. Serena speaks and writes frequently and advises employers on various issues related to HIPAA privacy compliance for group health plans and other employer-provided health services. Serena received her law degree, with high honors, from the Duke University School of Law, and her B.A. from Duke University.
Peter N. Cizik
Peter is a Managing Director and co-founder of HIPAA Solutions Rx. He has over 18 years of management and consulting experience in Fortune 500 companies such as Andersen Consulting (now Accenture) and Intel Corporation as well as numerous startups. He has an Electrical Engineering degree from the University of Texas and an MBA from the Harvard Business School. Peter brings his years working in the Healthcare industry and ISO level compliance projects to the HIPAA compliance "challenge", driving HIPAA Solutions Rx to provide industry leading tools to all organizations impacted by these sweeping regulations. Partnering with leading experts, HIPAA Solutions Rx provides cost effective tools that are of the highest quality.
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996, which, among other things, attempts to simplify the health care system by requiring standardized electronic transmissions of claims-related information. It also protects the privacy of health information. This article discusses HIPAA's privacy requirements. Group health plans are also required to comply with other HIPAA regulations, most of which have compliance dates in 2005 or later. Return to Top