February 25, 2004
HIPAA Privacy Deadline Near For Small Plans

By MARTIN SIMON
Legal Editor, Business & Legal Reports

The April 14, 2004 deadline for small health benefit plans to comply with the HIPAA Privacy Rule is fast approaching. The Privacy Rule sets out national standards to protect individuals' medical records and other personal health information, sets limits on the use and release of health records, and sets out safeguards that covered entities (healthcare providers, health plans, and healthcare clearinghouses) must implement to protect the privacy of health information.


Deadlines

The first Privacy Rule compliance deadline was April 14, 2003. Small health plans, however, have until April 14, 2004, to comply. A small health plan is defined as a plan with annual receipts of $5 million or less. Health plans that do not report receipts to the IRS should use proxy measures to determine their annual receipts. Fully insured health plans should use the amount of total premiums paid for health insurance benefits during the plan's last full fiscal year. Self-insured plans, both funded and unfunded, should use the total amount paid for health care claims by the employer, plan sponsor, or benefit fund on behalf of the plan during the plan's last full fiscal year.

The $5 million threshold applies separately to each group health plan that an employer sponsors. The regulations give no advice on how to determine what a separate group health plan is for this purpose. Each ERISA plan that files its own 5500 form could be considered as independent from other plans for applying the small plan test. Another approach for non-ERISA plans would be to examine how the plan is disclosed to participants. Plans that are explained as separate entities and not part of a combined package are more likely to be a separate plan for the small plan test.


Coverage exemption

Group health plans with fewer than 50 participants and that are administered by the employer are exempt from the Privacy Rule.


Health FSAs

The Privacy Rule does apply to Flexible Spending Accounts (FSAs). But because FSAs are self-insured, many sponsored by small employers qualify for a full exemption from the Privacy Rule if they are administered in-house and have fewer than 50 participants.


General principles

The Privacy Rule provides that, in general, a covered entity may not use or disclose an individual's protected health information (PHI) without specific authorization except for treatment, payment, or healthcare operations. The Rule provides individuals with the right to access and amend their PHI. It generally limits the release of PHI to the minimum reasonably needed for the purpose of the disclosure.

The Privacy Rule requires that many healthcare plans do the following:

  • Notify patients about their privacy rights and how their information can be used

  • Adopt and implement privacy procedures

  • Train employees so that they understand the privacy rules

  • Designate an individual to be responsible for seeing that the privacy procedures are adopted and followed

  • Secure PHI so that access is not available to those who do not need the information

Important: Health plans may disclose PHI to plan sponsors only for plan administrative purposes and only if the sponsor certifies that it will use the information in accordance with the standards. Plan documents must be amended to provide that disclosure will be limited to that permitted.

Warning: A plan may never disclose PHI to the plan sponsor for the purpose of employment-related actions or decisions or in connection with any other benefit or employee benefit plan of the plan sponsor.


Compliance requirements

The Privacy Rule sets out numerous specific policies, procedures, documents, and personnel appointments that a covered entity must implement in order to comply. In addition, the rule sets out several ways that a group health plan can reduce its compliance burden.


Privacy notice

The Privacy Rule requires that group health plan participants be provided with adequate notice of the uses and disclosures of their PHI that may be made by a covered entity and of their privacy rights and the plan's legal duties with respect to PHI. A group health plan that provides benefits through insurance or an HMO does not have to provide a notice. If such a plan receives more than summary health information and/or enrollment information from the insurer, it must have a notice prepared that must be provided upon request to any person who has a right to a notice. A self-insured group health plan must distribute the notice itself.


Policies and procedures

Many of the compliance requirements involve adopting written policies and procedures. The policies and procedures must be reasonably designed, taking into account the size of and the type of activities that relate to PHI undertaken by the covered entity, to ensure such compliance. Thus, a very big organization with many employees handling large volumes of PHI will have to adopt much more elaborate policies and procedures than a small organization with few employees handling a small volume of PHI.

These requirements include a policy and procedure:

  • For implementing the minimum necessary standard

  • On the use of authorizations

  • On administrative, physical, and technical safeguards of PHI

  • For distributing the privacy notice

  • For training employees

  • For verifying the identity of an individual or entity requesting PHI

  • For recognizing a personal representative

  • For implementing individual privacy rights

  • For handling complaints

  • For sanctions when a covered entity's employees violate the Privacy Rule

  • For mitigation of violations

  • On refraining from intimidating or retaliatory acts against individuals asserting their privacy rights

  • Barring waivers of privacy rights by individuals

  • For documentation of privacy decisions


Reduced compliance

A group health plan is exempt from several compliance requirements if it provides health benefits solely through an insurance contract with a health insurance issuer or an HMO, and the only PHI it receives or creates is either summary health information or enrollment information.

Plans that qualify for this exemption do not have to:

  • Name a privacy officer

  • Provide training

  • Provide administrative, technical, and physical safeguards

  • Have a complaint procedure

  • Provide a policy on sanctions for violations

  • Have a procedure to mitigate violations

  • Adopt general policies and procedures for compliance

Such an exempt plan does have to refrain from intimidating and retaliatory acts, may not require a waiver of rights, and must comply with the documentation requirements.

A group health plan does not have to be amended before it is permitted to share information with the plan sponsor if it, or its health insurance issuer or HMO, discloses only limited information to the plan sponsor. The information that may be provided without triggering the amendment requirement falls into two categories.

The first is summary health information that the plan sponsor requests for the limited purposes of:

  • Obtaining premium bids from health plans for providing health insurance coverage under the group health plan; or

  • Modifying, amending, or terminating the group health plan.

The second category is information on whether an individual is participating in the group health plan or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan.


Business associate contracts

The Privacy Rule requires new written provisions in the agreements that health plans have with so-called "business associates" by the plan's compliance date. Business associates are typically service providers such as third-party administrators, actuaries, or others who receive individually identifiable health information from the plan, create individually identifiable health information, or disclose individually identifiable health information in the course of providing their service for the plan.


Need more information on HIPAA? Check out BLR's HIPAA Privacy Guide for Employers, available in download or book form.


Copyright © 2012 Business & Legal Reports, Inc. All rights reserved. 800-727-5257
This document was published on http://HR.BLR.com
Document URL: http://hr.blr.com/whitepapers/Benefits-Leave/HIPAA-Health-Information-Privacy/HIPAA-Privacy-Deadline-Near-For-Small-Plans/