HIPAA Deadline for “Small” Employer Group Health Plans
By David B. Spanier, Greenberg Traurig, New York Office
Effective April 14, 2003, the responsibility for protection of
the privacy of medical records under federal law was imposed upon “Covered
Entities” under the “Privacy Rule” of the Health Insurance Portability and
Accountability Act of 1996 (“HIPAA”). For “small” group health plans
(“GHPs”), however, the effective date of The Privacy Rule was delayed
until April 14, 2004.
A Covered Entity means health plans, health care providers and health
care clearing houses, but does not include Employers who sponsor GHPs
(also known as “Plan Sponsors”). “Small” GHPs are defined as those plans with annual
premiums (insured plans) or paid claims (self-insured plans) under $5 million
for the most recent plan year.
The Privacy Rule requires GHPs to limit the use and disclosure of individually
identifiable health information (“Protected Health Information” or “PHI”),
thereby possibly excluding health information contained in employment records
held by the Employer for other reasons. PHI is
“Information that is a subset of health information, including demographic
information collected from an individual and (1) is created or received
by a health care provider, health plan, employer, or health care clearinghouse;
and (2) relates to the past, present or future physical or mental health
or condition of an individual; or the past, present or future payment
for the provision of health care to an individual; and (i) that identifies
the individual; or (ii) with respect to which there is a reasonable basis
to believe the information can be used to identify the individual.” (Emphasis
supplied) [45 CFR §160.202]
For more detailed information on the HIPAA Privacy Rule, see the
captioned “Compliance with Privacy Requirements Protecting Personal Medical
Records Under the Health Insurance Portability and Accountability Act of
More importantly, Employers are directly impacted if they are the “Fiduciary”
or “Administrator” of a GHP (hereinafter referred to as the “Named Fiduciary”)
under the Employee Retirement Income Security Act of 1974 (“ERISA”). The
significance of such status is that GHP disclosures not specifically permitted
by the Privacy Rule require an express authorization by the GHP participant
who is the subject of PHI. Accordingly, as a practical, as well as a legal
matter, Employers who are Named Fiduciaries, which include a large majority
of Employers, will be responsible for HIPAA compliance under the Privacy
Rule and could face additional exposure under ERISA for failure to follow
HIPAA required GHP document provisions and related requirements under both
HIPAA and ERISA.
A widespread misconception is that HIPAA was only directed at the health
care industry. In reality, GHPs of Employers are affected by HIPAA in several
ways. First, all self-insured GHPs (“Self-Insured Plans”) are covered
by HIPAA if they are administered by a Third Party Administrator (“TPA”),
and Insured Plans of any size are covered by HIPAA.
Second, Plan Sponsors can be directly affected by HIPAA by engaging in
a function that is covered by the Privacy Rule. An on-site medical clinic,
such as an employee health service, is one example. However, if the clinic
does not engage in “covered electronic transactions” it may not be subject
to the Privacy Rule.
Finally, Employers frequently contract for mental health, drug abuse
and related services either directly (e.g., a long term care insurance
plan) or indirectly through an Employee Assistance Program (“EAP”), wellness
program or any other plan or program that provides or pays the cost of medical
care as its primary coverage. The EAP or similar type of plan is an ERISA
“employer welfare benefit plan” since it performs functions and provides
benefits within the meaning of ERISA. In addition, many Employers have adopted
Flexible Spending Account Plans providing for pre-taxation of medical premiums
and/or medical reimbursements for medical care expenses not covered by an
insured or self-insured health plan. Such plans are “GHPs” under HIPAA.
The nature and extent of the Plan Administrator’s responsibilities under
HIPAA will vary depending on the type of GHP(s) it sponsors. Therefore,
a determination of what these responsibilities are can only be made in the
context of an understanding of these different types of GHPs and potential
penalties for failure to comply with the HIPAA Privacy Rule.
Comparison of GHP Requirements Based on Type of Group Health Plan
Generally, there are two major types of GHPs, those with an Insurer or
Health Maintenance Organization (“HMO”), collectively referred to as “Insured
Plans”, and Self-Insured Plans, which are administered directly by the Employer
or by a Third Party Administrator (“TPA”). Both of these types of plans
are considered GHPs under HIPAA and are subject to HIPAA’s privacy requirements,
unless they qualify for a specified exception.
For Insured Plans, the privacy requirements are usually satisfied
by the Insurer or HMO which maintains the applicable participant records,
and processes claims for benefit payments. If the GHP only provides benefits
through an Insurer or HMO and only receives summary information on
participation, enrollment or disenrollment information, then the GHP
will not need to comply with administrative requirements outlined below
for Self-Insured Plans. However, if an employee of the Employer “troubleshoots”
claims with the Insurer or HMO, he or she will need a disclosure authorization
from the GHP participant and procedures to protect the security of the PHI.
In contrast, for Self-Insured Plans, the GHP itself must comply
with all of the HIPAA administrative requirements applicable to Covered
Entities, which include, but are not limited to, the following:
- appointing a privacy officer to supervise HIPAA Compliance;
- training employees;
- establishing security safeguards for PHI protection;
- receiving complaints for violations;
- amending GHP documents to clarify workforce access to PHI;
- issuance of a Notice of Privacy Rights to GHP Participants;
- adopting Policies and Procedures for HIPAA administration including
a minimally necessary disclosure policy, sanctions for workforce employees
of the GHP who do not comply and creating procedures for mitigation of
harmful effects of an improper disclosure;
- negotiating business associate agreements;
- amendment of plan documents to authorize any employer access to PHI;
- securing a certificate from the employer that PHI will not be used
for other purposes (e.g., hiring or continuing employment decisions).
For GHPs not authorized to receive PHI, the Employer will continue
to be able to receive the type of information it currently receives without
amending its plan documents, unless the Plan Sponsor determines that it
wishes to receive PHI for other purposes. If the Employer later decides
that it wants to receive additional PHI from the GHP, it would need to comply
with the requirements set forth below with regard to the GHPs authorized
to receive PHI.
For the Insured GHP authorized to receive PHI, the Employer will
need to decide whether it will discontinue its practice of receiving PHI
from the Plan (except for permitted information described above) in which
case it would not be required to amend the Plan documents or take the steps
related to such amendment or comply with the HIPAA requirements. If the
Employer determines it desires to continue receiving PHI, the Employer and
GHP will need to make the following determinations and amend the plan documents
in order to establish adequate separation between the Employer and the authorized
- What the permitted and required uses and disclosures of PHI are; and
- Which of the Employer’s employees will be given access to PHI; how
to restrict access to and use by these workforce members to the GHP administration
functions which Employer performs for the Authorized Plan; and what the
procedure for resolving issues of noncompliance (i.e., sanctions) will
For each Insured GHP authorized to receive PHI, the Employer must also
amend the plan documents, certify that it has done so and develop procedures
to ensure compliance by the Employer and/or the GHP with the HIPAA administrative
requirements for Self-Insured Plans identified above.
For each authorized GHP which is a Self-Insured Plan (“Authorized
Self-Insured Plan”), the Plan Sponsor will need to take the following steps:
- Comply with all of the requirements discussed above with regard to
the Self-Insured GHPs;
- Comply with all of the privacy requirements applicable to the GHP
as a Covered Entity, subject to the exceptions discussed above;
- Comply with the HIPAA Security Regulation; and
- Comply with the HIPAA Electronic Transactions Standards, meaning that
the Self-Insured Plan, either directly or through its TPA, will need to
be able to accept all eight of the electronic transactions required by
HIPAA in the HIPAA standard formats by the implementation date.
Consequence of Non-Compliance with HIPAA
The United States Department of Health and Human Services (“HHS”) may
conduct compliance reviews to determine whether Covered Entities are adhering
to HIPAA’s Privacy Rule. However, the Rule also states that, “to the extent
practicable,” HHS will seek the cooperation of Covered Entities in obtaining
compliance. HHS may also provide technical assistance to Covered Entities
to assist them in complying with the Privacy Rule.
HHS has indicated that it is more interested in achieving compliance
than in identifying violators. However, HHS has already received a large
number of complaints since April 14, 2003. In addition, privacy lawsuits
by individuals have increased dramatically in recent years.
Violation of HIPAA’s Privacy Rule carries potentially stiff penalties.
The HHS may impose a civil monetary penalty of up to $100 per year
for each violation, subject to the limitation that a person or entity
may be fined no more than $25,000 in any calendar year for violating a single
provision. Criminal penalties may be imposed on any person or entity
that knowingly, and in violation of HIPAA, uses or causes to be used or discloses
PHI. In such event, the violator may be fined from $50,000 up to $250,000
and/or imprisoned for not more than one year, or up to ten years, depending
on the nature and extent of the violation.
In addition to the potential penalties under HIPAA, the Employer may
be subject to claims for violation of ERISA, e.g., breach of fiduciary duty
for failure to follow the ERISA Plan document provisions required under
HIPAA for restricting access to PHI. Since there is apparently no private
right of action for a participant to enforce HIPAA under federal law other
than a request to HHS for administrative investigation and/or penalties,
the likelihood is high that judicial action to “enforce” HIPAA will be pursued
Notwithstanding the failure to include the Employer as a Covered Entity
under HIPAA, the Employer may have a number of responsibilities under HIPAA.
These will vary depending on the type of GHP it sponsors. However, the
broad severity of potential penalties for failure to comply suggests that
exposure to such penalties may be minimized by a careful program of self-examination
and compliance with the applicable regulations.
© 2004 Greenberg Traurig
For more information, please review our Labor and Employment Practice
or Executive Compensation & Employee Benefits Group description, or feel
free to contact one of our attorneys.
This GT ALERT is issued for informational purposes only and is not intended
to be construed or used as general legal advice. Greenberg Traurig attorneys provide
practical, result-oriented strategies and solutions tailored to meet our clients’
individual legal needs.