On April 14, 2003, HIPAA’s privacy rules went into effect. Employer health plans are one of the three types of entities that are subject to the privacy rules. Large health plans (plans with $5 million or more in annual claims) were required to comply with the privacy requirements by April 14, 2003. Small health plans (plans with $5 million or less in annual claims) had one extra year to comply.
Among other requirements, health plans and other covered entities were required to distribute a Notice of Privacy Practices to plan participants. HIPAA provides that this Notice must be distributed at least once every three years. This means that large health plans that last distributed their Notice of Privacy Practices on the initial compliance date of April 14, 2003, should update and again distribute them on April 14, 2006.
Health plans are also subject to HIPAA security requirements. The security standards are more limited in scope than the privacy standards and protect only a subset of protected health information (“PHI”) – electronic PHI (typically referred to as “ePHI”). Accordingly, the security standards apply to PHI that is transmitted by or maintained in electronic media. Large health plans with ePHI are required to comply with the security standards by April 20, 2005. Small health plans are required to comply by April 20, 2006.
There is no set way to approach the HIPAA security requirements. Each covered entity’s security protocol should be based on the risk of exposure of its ePHI. Factors for evaluating this risk include the entity’s size, the complexity involved in transmitting ePHI, and the entity’s capabilities. Security controls should be proportionate to risk. The larger the entity, the more precautions it must take to secure its ePHI.
The federal agency in charge of overseeing compliance with HIPAA, the Department of Health and Human Services, has issued updated guidance on HIPAA’s privacy and security requirements. For additional information on what your company’s health plan must do to comply, check out HHS’s website at http://www.hhs.gov/ocr/hipaa/, or contact any of the attorneys in Holland & Hart’s Benefits Law Group.
This publication is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal or financial advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author(s). This publication is not intended to create an attorney-client relationship between you and Holland & Hart LLP. Substantive changes in the law subsequent to the date of this publication might affect the analysis or commentary. Similarly, the analysis may differ depending on the jurisdiction or circumstances. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.