HIPAA Privacy Rules: "No Shortcuts"

08/20/08

Unless they’ve been hiding in a cave for the past year or so, HR people know that they need to comply with HIPAA, the Health Insurance Portability and Accountability Act’s Privacy Rules. Small-company employers all over the country have been asking three simple questions: “Am I covered by HIPAA’s Privacy Rules? When do I have to comply? What do I have to do?”

The first two questions are easier to answer than the third. According to Richard Travers, CEO of benefits consultant Travers, O’Keefe in New York City, “The reality is that the privacy rules affect all group health plans, with the exception of companies that have fewer than fifty employees and that administer their own plans and pay their own claims.” You’re covered, therefore, even if all you do is sponsor a health plan for your employees.

But unless you spend more than $5 million a year on premiums and claims for all your health plans, you have until April 14, 2004, to sweat the details.

And those details are many — unless you rate an exception. Among other things, “covered entities” must:

  • Notify employees about their privacy rights and how your company and medical providers may use the information they collect.
  • Adopt and put into practice privacy procedures for your plan.
  • Train employees so they understand your privacy procedures.
  • Appoint a privacy official, who must see that the privacy procedures are implemented and followed.
  • Enact a complaint procedure for individuals having a problem with your privacy policies.
  • Ensure that health-related records are secure and available only to those with the authority to see them.
You may not retaliate against any person for exercising his or her privacy rights. Nor may you require a person to waive privacy rights “as a condition for obtaining treatment, payment, enrollment or benefits eligibility.”

The Idea Behind the Rules
Why all the fuss over privacy? “A major purpose of the Privacy Rule,” says the U.S. Department of Health and Human Services, “is to define and limit the circumstances in which an individual’s protected health information (PHI) may be used or disclosed by covered entities.” The rules are meant to give people much greater control over their health information and stop abuses by those who would otherwise disclose or market PHI inappropriately.

PHI is individually identifiable health information relating to a person’s physical or mental health or condition, the provision of health care for that person, or payment for that person’s health care.

The Exception You’ve Been Waiting to Hear About
These requirements seem like a huge burden to a company that does no more than sponsor a plan, collect basic information for enrollment purposes, and pay premiums. The government agrees, which is why there’s something called the Fully Insured Group Health Plan Exception. Let’s say all PHI is handled by your HMO, and you never see it. Then you need not comply with some of the administrative requirements mentioned above, such as appointing a privacy official or creating privacy policies.

Before you breathe a sigh of relief, you may need expert advice as to whether you’re qualified for this exception. Some flexible spending accounts or EAPs (Employee Assistance Programs), for example, may be considered self-insured plans. In that case, you’re covered by the entire regulation.

Not Business As Usual
Under the new privacy rules, it’s no longer business as usual for any employer sponsoring a health plan. “Whether facing a deadline this year or next,” says Travers, “it is the employer’s responsibility to maintain employee health privacy.”

Say an employee enters the hospital because of the onset of complications due to HIV or even a minor car accident. Can you tell fellow employees why he or she is in the hospital? No.

What about the common occurrence of helping an employee having trouble collecting on a claim with an insurer? “The privacy rules will almost certainly apply,” says Travers. “The simple way to remain compliant while going to bat on behalf of an employee is to have that person sign a PHI authorization form.” Doing so permits the disclosure of protected information in certain circumstances.

Travers elaborates on other mistakes small employers might be apt to make:

Not issuing a privacy statement (barring an exception). “This statement explains what steps the employer is taking to protect PHI as well as to spell out any instances in which PHI may be disclosed without an individual’s authorization.”

Not segregating PHI from everyday human resources information. “Part of the concept of HIPAA is to create a ‘firewall’ between PHI and human resource functions,” says Travers. “You don’t want to mix PHI with information on things like salary reviews, hiring/firing decisions, and other employment-related decisions.” Travers recommends outsourcing this firewall to a third-party administrator, such as his company. “This would eliminate any potential conflicts since the employer would no longer handle any PHI.”

If this all sounds terribly complicated, that’s because it is. It’s wise to discuss how the privacy rules affect your organization with a benefits consultant or attorney specializing in benefits law. “There are no true shortcuts to complying with HIPAA’s privacy rules,” concludes Travers. “And it can be an organizational nightmare if you don’t handle them correctly.”

G.Neil offers solutions to get you in compliance with the new HIPAA Privacy Rules. Our exclusive HIPAA Privacy Answer Kit contains an employer’s guide that explains the new rules in plain English. It also includes the authorization forms you need and an employee privacy rights poster.

Federal law mandates that employee medical records be filed separately from an employee's personnel records as required by the Occupational Health and Safety Administration (OSHA), Americans with Disabilities Act (ADA) and Family Medical Leave Act (FMLA). G.Neil’s Confidential Employee Medical Records Folder helps you do that by providing a cost-effective storage solution.