- HIPAA Privacy: Are You In Compliance With The New Requirements?
- December 23, 2003 | Author: Robert H. Pritchard
- Law Firm: Rogers Towers, P.A. - Jacksonville Office
As many of you may know, the privacy requirements of the Health Insurance Portability and Accountability Act ("HIPAA") and the implementing regulations became effective on April 14, 2003, and for small health plans, on April 14, 2004.
What does this mean to employers? While HIPAA privacy obligations explicitly apply only to health plans, health care providers and health care clearinghouses, as defined in the implementing regulations, many employers are subject to HIPAA privacy obligations in their role as plan sponsors of their group health plans, whether self-insured or fully-insured.
We recommend that all employers, if they have not already done so, conduct an immediate internal review to determine whether they are subject to HIPAA's privacy requirements and to ensure compliance. CMS (Centers for Medicare and Medicaid Services) has set up the following website to help you determine if you are a covered entity: www.cms.hhs.gov
Employers who determine that they are subject to HIPAA's privacy requirements will need to immediately begin working towards compliance which will require, among other things:
- Possibly amending health plan documents to address privacy issues;
- Identifying business associates (vendors and contractors with whom you share protected health information) and entering into written agreements with such vendors and contractors governing the use and disclosure of protected health information;
- Implementing privacy policies and procedures governing the use and disclosure of protected health information;
- Designating a privacy official;
- Distributing privacy notices to plan participants summarizing and explaining the plan's privacy practices;
- Conducting training of the workforce to highlight HIPAA privacy issues and insure the security of protected health information;
- Creating safeguards to protect health information; and
- Designing a complaint process.