Olsen Thielen & Co., Ltd. publishes a bi-monthly newsletter designed to present information on business and tax matters in general terms for our clients. The O&T Adviser is written by the staff of Olsen Thielen & Co., Ltd. Please check out our latest edition.

HIPAA (Health Insurance Portability and Accountability Act) Privacy Regulations

Compliance for employers with large plans (over $5 million in premiums, or $5 million in claims for self-insured employers) is required by April 14, 2003. For employers with small plans (less than $5 million in premiums or claims), compliance is required by April 14, 2004.

HIPAA generally protects individually identifiable health information. If you are a covered entity, you have to take steps to safeguard protected health information (PHI).

In some cases employers are covered entities. If you offer:

  • Fully Insured Health Plan
    You are not covered because you do not have access to PHI.

  • Self-Insured with 50 or more participants
    Covered, as you have access to PHI.

  • Self-Insured, TPA (third-party administered) with fewer than 50 participants
    Covered if you are involved with claims administration decisions; not covered if you play no part in claims decisions.

  • Health FSA, self-administered and fewer than 50 participants
    Exempt with fewer than 50 participants.

  • Health FSA, self-administered and more than 50 participants
    Covered, as you have access to PHI.

  • Health FSA with TPA and 50 or more participants
    Covered unless the TPA has total authority in claims decisions. Require the TPA to meet privacy requirements.

  • Health FSA with TPA and fewer than 50 participants
    Covered unless the TPA has total authority in claims decisions. Require the TPA to meet privacy requirements.

If you are covered under one of the above scenarios, you are required to take the following steps to protect individually identifiable health information:

a. adopt privacy policies and procedures;
b. designate a privacy/compliance officer;
c. train all employees with respect to privacy policies;
d. establish administrative safeguards to protect PHI;
e. establish a complaint procedure;
f. apply discipline for failure to comply with privacy policies; and,
g. retain records.