• Backup Advisory on HIPAA
  • May 21, 2003
  • Law Firm: McGlinchey Stafford, PLLC - New Orleans Office
  • Every employer with a health plan needs to consider whether the new HIPAA privacy rules will require the implementation of privacy safeguards. Plans with over $5 million in annual receipts should have taken these steps by April 14, 2003; smaller plans have until April 14, 2004 to comply. Employers whose employees act as the plan administrator of the employer's own self-funded health plan have a long list of tasks to accomplish to ensure HIPAA privacy compliance:

    1. Furnish a written notification to each participant in the plan regarding their privacy rights.
    2. Draft a policy regarding the administrative, technical and physical safeguards that the company has instituted to keep protected health information private.
    3. Amend the health plan document to specify the circumstances under which the plan sponsor is entitled to have access to private health information (which is particularly important if the plan sponsor or its employees act as the plan administrator of the health plan).
    4. Execute a written certification that the plan sponsor will observe the plan's limitations or the sponsor's use of private health information obtained through the plan.
    5. Prepare or review business associate agreements for each entity with which the plan contracts for services, including the plan's third-party administrator (which rarely is the plan's official plan administrator), its utilization reviewer, its pharmacy provider, etc. These agreements are legally required so that the plan's business associate contractually obligates itself to keep the plan's private health information private.
    6. Assist the company in selecting a privacy officer and assist the privacy officer in training the appropriate employees in the plan's privacy policies and establishing and maintaining a complaint process.
    7. Establish standard forms to authorize the plan to disclose a person's private health information upon request.