AVOID BEING CRUSHED BY HIPAA

By: Janet E. Lanyon

Sponsors of self-insured health plans, including medical reimbursement accounts, health reimbursement arrangements or flexible spending plans which have 50 or more participants or are administered by a third party administrator, may be required to comply with the new privacy rules under the Health Insurance Portability and Accountability Act (HIPAA), which are generally effective on April 14, 2003. Small health plans, with receipts of $5 million or less, have until April 14, 2004 to comply.

The new regulations require that covered entities take numerous steps to protect the privacy of Personal Health Information (PHI) of employees and other plan participants, including establishing procedures to prevent PHI from being used in employment decisions, training employees who handle PHI in the new HIPAA regulations, establishing disciplinary measures for an employee’s failure to adhere to the regulations, amending health plan documents to incorporate the new HIPAA requirements, appointing a HIPAA privacy compliance officer, implementing written agreements with business associates who handle PHI, issuing a privacy notice to plan participants, and establishing procedures to make an employee’s PHI available for review and/or correction.

Given the breadth of the new requirements, it is best to act now to determine if you have obligations under HIPAA and if so, to determine and carry out your HIPAA compliance strategy.