Greenberg Traurig, LLP



GT Alert

HIPAA Deadline for “Small” Employer Group Health Plans

March 2004
By David B. Spanier, Greenberg Traurig, New York Office


Effective April 14, 2003, the responsibility for protecting the privacy of medical records under federal law was imposed upon “Covered Entities” under the “Privacy Rule” of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). For “small” group health plans (“GHPs”), however, the effective date of the Privacy Rule was delayed until April 14, 2004.


A Covered Entity means health plans, health care providers and health care clearinghouses, but does not include Employers who sponsor GHPs (also known as “Plan Sponsors”). “Small” GHPs are defined as those plans with annual premiums (insured plans) or paid claims (self-insured plans) under $5 million for the most recent plan year.

The Privacy Rule requires GHPs to limit the use and disclosure of individually identifiable health information (“Protected Health Information” or “PHI”), thereby possibly excluding health information contained in employment records held by the Employer for other reasons. PHI is

“Information that is a subset of health information, including demographic information collected from an individual and (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present or future physical or mental health or condition of an individual; or the past, present or future payment for the provision of health care to an individual; and (i) that identifies the individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.” (Emphasis supplied) [45 CFR §160.202]

For more detailed information on the HIPAA Privacy Rule, see the GT Article captioned “Compliance with Privacy Requirements Protecting Personal Medical Records Under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).”

More importantly, Employers are directly impacted if they are the “Fiduciary” or “Administrator” of a GHP (hereinafter referred to as the “Named Fiduciary”) under the Employee Retirement Income Security Act of 1974 (“ERISA”). The significance of such status is that GHP disclosures not specifically permitted by the Privacy Rule require an express authorization by the GHP participant who is the subject of the PHI. Accordingly, as a practical as well as a legal matter, Employers who are Named Fiduciaries, which include a large majority of Employers, will be responsible for HIPAA compliance under the Privacy Rule and could face additional exposure under ERISA for failure to follow HIPAA-required GHP document provisions and related requirements under both HIPAA and ERISA.

A widespread misconception is that HIPAA was only directed at the health care industry. In reality, GHPs of Employers are affected by HIPAA in several ways. First, all self-insured GHPs (“Self-Insured Plans”) are covered by HIPAA if they are administered by a Third Party Administrator (“TPA”), and Insured Plans of any size are covered by HIPAA.

Second, Plan Sponsors can be directly affected by HIPAA by engaging in a function that is covered by the Privacy Rule. An on-site medical clinic, such as an employee health service, is one example. However, if the clinic does not engage in “covered electronic transactions” it may not be subject to the Privacy Rule.

Finally, Employers frequently contract for mental health, drug abuse and related services either directly (e.g., a long-term care insurance plan) or indirectly through an Employee Assistance Program (“EAP”), wellness program or any other plan or program that provides or pays the cost of medical care as its primary coverage. The EAP or similar type of plan is an ERISA “employee welfare benefit plan” since it performs functions and provides benefits within the meaning of ERISA. In addition, many Employers have adopted Flexible Spending Account Plans providing for pre-tax payment of medical premiums and/or reimbursement of medical care expenses not covered by an insured or self-insured health plan. Such plans are “GHPs” under HIPAA.

The nature and extent of the Plan Administrator’s responsibilities under HIPAA will vary depending on the type of GHP(s) it sponsors. Therefore, a determination of what these responsibilities are can only be made in the context of an understanding of these different types of GHPs and the potential penalties for failure to comply with the HIPAA Privacy Rule.

Comparison of GHP Requirements Based on Type of Group Health Plan

Generally, there are two major types of GHPs, those with an Insurer or Health Maintenance Organization (“HMO”), collectively referred to as “Insured Plans”, and Self-Insured Plans, which are administered directly by the Employer or by a Third Party Administrator (“TPA”). Both of these types of plans are considered GHPs under HIPAA and are subject to HIPAA’s privacy requirements, unless they qualify for a specified exception.

For Insured Plans, the privacy requirements are usually satisfied by the Insurer or HMO, which maintains the applicable participant records and processes claims for benefit payments. If the GHP only provides benefits through an Insurer or HMO and only receives summary information on participation, enrollment or disenrollment, then the GHP will not need to comply with the administrative requirements outlined below for Self-Insured Plans. However, if an employee of the Employer “troubleshoots” claims with the Insurer or HMO, he or she will need a disclosure authorization from the GHP participant and procedures to protect the security of the PHI.

In contrast, for Self-Insured Plans, the GHP itself must comply with all of the HIPAA administrative requirements applicable to Covered Entities, which include, but are not limited to, the following:

  • appointing a privacy officer to supervise HIPAA compliance;
  • training employees;
  • establishing security safeguards for PHI protection;
  • receiving complaints of violations;
  • amending GHP documents to clarify workforce access to PHI;
  • issuing a Notice of Privacy Rights to GHP participants;
  • adopting Policies and Procedures for HIPAA administration, including a minimum necessary disclosure policy, sanctions for workforce employees of the GHP who do not comply, and procedures for mitigating the harmful effects of an improper disclosure;
  • negotiating business associate agreements;
  • amending plan documents to authorize any employer access to PHI; and
  • securing a certificate from the employer that PHI will not be used for other purposes (e.g., hiring or continuing employment decisions).

For GHPs not authorized to receive PHI, the Employer will continue to be able to receive the type of information it currently receives without amending its plan documents, unless the Plan Sponsor determines that it wishes to receive PHI for other purposes. If the Employer later decides that it wants to receive additional PHI from the GHP, it would need to comply with the requirements set forth below with regard to the GHPs authorized to receive PHI.

For the Insured GHP authorized to receive PHI, the Employer will need to decide whether it will discontinue its practice of receiving PHI from the Plan (except for the permitted information described above), in which case it would not be required to amend the Plan documents, take the steps related to such amendment, or comply with the HIPAA requirements. If the Employer determines it desires to continue receiving PHI, the Employer and GHP will need to make the following determinations and amend the plan documents in order to establish adequate separation between the Employer and the authorized Insured GHP:

  • What the permitted and required uses and disclosures of PHI are; and
  • Which of the Employer’s employees will be given access to PHI; how to restrict access to and use by these workforce members to the GHP administration functions which Employer performs for the Authorized Plan; and what the procedure for resolving issues of noncompliance (i.e., sanctions) will be.

For each Insured GHP authorized to receive PHI, the Employer must also amend the plan documents, certify that it has done so and develop procedures to ensure compliance by the Employer and/or the GHP with the HIPAA administrative requirements for Self-Insured Plans identified above.

For each authorized GHP which is a Self-Insured Plan (“Authorized Self-Insured Plan”), the Plan Sponsor will need to take the following steps:

  • Comply with all of the requirements discussed above with regard to the Self-Insured GHPs;
  • Comply with all of the privacy requirements applicable to the GHP as a Covered Entity, subject to the exceptions discussed above;
  • Comply with the HIPAA Security Regulation; and
  • Comply with the HIPAA Electronic Transactions Standards, meaning that the Self-Insured Plan, either directly or through its TPA, will need to be able to accept all eight of the electronic transactions required by HIPAA in the HIPAA standard formats by the implementation date.

Consequence of Non-Compliance with HIPAA

The United States Department of Health and Human Services (“HHS”) may conduct compliance reviews to determine whether Covered Entities are adhering to HIPAA’s Privacy Rule. However, the Rule also states that, “to the extent practicable,” HHS will seek the cooperation of Covered Entities in obtaining compliance. HHS may also provide technical assistance to Covered Entities to assist them in complying with the Privacy Rule.

HHS has indicated that it is more interested in achieving compliance than in identifying violators. However, HHS has already received a large number of complaints since April 14, 2003. In addition, privacy lawsuits by individuals have increased dramatically in recent years.

Violation of HIPAA’s Privacy Rule carries potentially stiff penalties. HHS may impose a civil monetary penalty of up to $100 per year for each violation, subject to the limitation that a person or entity may be fined no more than $25,000 in any calendar year for violating a single provision. Criminal penalties may be imposed on any person or entity that knowingly, and in violation of HIPAA, uses or causes to be used or discloses PHI. In such event, the violator may be fined from $50,000 up to $250,000 and/or imprisoned for not more than one year, or up to ten years, depending on the nature and extent of the violation.

In addition to the potential penalties under HIPAA, the Employer may be subject to claims for violation of ERISA, e.g., breach of fiduciary duty for failure to follow the ERISA Plan document provisions required under HIPAA for restricting access to PHI. Since there is apparently no private right of action for a participant to enforce HIPAA under federal law other than a request to HHS for administrative investigation and/or penalties, the likelihood is high that judicial action to “enforce” HIPAA will be pursued under ERISA.

Notwithstanding the failure to include the Employer as a Covered Entity under HIPAA, the Employer may have a number of responsibilities under HIPAA. These will vary depending on the type of GHP it sponsors. However, the broad severity of potential penalties for failure to comply suggests that exposure to such penalties may be minimized by a careful program of self-examination and compliance with the applicable regulations.


© 2004 Greenberg Traurig

This GT ALERT is issued for informational purposes only and is not intended to be construed or used as general legal advice. Greenberg Traurig attorneys provide practical, result-oriented strategies and solutions tailored to meet our clients’ individual legal needs.