New Regulations Governing Privacy of Employees’ Health Information

© Attorney Danielle N. Degele-Mathews, Carlsmith Ball LLP

The U.S. Department of Labor issued regulations interpreting the privacy provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The regulations apply directly to medical providers, insurers, and health plans, and indirectly to health plan sponsors.

What is HIPAA and how does it relate to privacy of health information?

HIPAA is a federal law that increased access to group health care coverage by (a) placing limits on a plan’s ability to exclude people with pre-existing medical conditions, and (b) prohibiting discrimination against people based on their health status. The law also includes provisions that require "covered entities" to ensure the privacy of certain protected health information and prohibit the disclosure of that information to third parties without the written consent of the employee. These privacy regulations take effect on April 14, 2003.

What is Protected Health Information (PHI)?

"Health information" is information that relates to a person’s past, present, or future physical or mental health or condition. Any health information transmitted or maintained in any form or medium (electronic or otherwise) is considered PHI and is therefore protected under HIPAA’s privacy rules.

Who is considered a covered entity?

Covered entities include:

-- Health care providers. Entities that provide medical or health care services or supplies, or any other entity that furnishes, bills, or is paid for health care in the normal course of business.

-- Health plans. This includes individual or group plans and self-insured employee welfare plans covered by the Employee Retirement Income Security Act. A self-administered, self-funded plan with fewer than 50 participants is excluded from the regulations, but that exclusion does not apply to a plan that uses a third-party administrator.

-- Health care clearinghouses. These are public or private entities that process health information, such as billing services, repricing entities, or community health management information systems.

If employers are not "covered entities," why should they worry about compliance?

Many employers have been lulled into believing that HIPAA only affects "covered entities" such as health care providers and insurers. This simply is not true. HIPAA will affect employers in several ways.

First, an employer’s self-insured health plan or any onsite nurse’s station is considered a "covered entity," and therefore HIPAA’s privacy rules will apply. As a result, employers must: (a) keep all PHI secure from being used by or disclosed to other employer components; and (b) adopt standardized transmission standards to provide security for all PHI.

Second, even in the absence of a self-insured plan or onsite nurse’s station, employers that offer health benefits must change the way they interact with health care providers and health plans. Employers may be asked by these "covered entities" to provide assurances that all PHI is protected and that the employer will cooperate with the "covered entity" in meeting HIPAA requirements.

Third, although employers can legitimately access employee PHI to pay health claims, HIPAA requires that employers take affirmative steps to prevent disclosure of PHI to those who make employment decisions such as terminations and promotions. Unfortunately, this may be particularly problematic in small businesses.

Finally, one of the more difficult issues facing employers will be the tenuous balance between HIPAA’s privacy rules and the employer’s need for PHI to comply with health-status employment laws such as COBRA, FMLA, ADA, Workers’ Compensation and OSHA. Many of these laws require the employer to take affirmative steps in response to an employee’s medical condition. HIPAA strictly prohibits an employer from using PHI for employment determinations unless the employee consents.

HIPAA provides civil and criminal penalties for "covered entities" of up to $250,000 and 10 years in prison for obtaining or disclosing PHI for commercial advantage, personal gain or malicious harm. There is no private right of action available for people to sue an employer for HIPAA violations. HIPAA does, however, create a higher standard of care regarding the proper use of PHI and may provide a tort cause of action under some type of negligent conduct theory.

To whom can PHI be disclosed, and how should it be done?

HIPAA permits the disclosure of a person’s PHI with that person’s authorization and consent, or as required under HIPAA’s specific public policy exceptions.

A notice of privacy practices for PHI must be provided by every covered entity. That notice must describe: (1) the permissible uses and disclosures of PHI; (2) the person’s rights; and (3) the covered entity’s legal duties relating to PHI. The notice must be provided to the person whose PHI will be used or maintained by the covered entity (e.g., everyone enrolled in the company health plan). Self-insured plans must issue the notice themselves. For fully insured health plans, the insurer has the obligation to issue the notice.

In most cases, the "covered entity" must obtain the person’s authorization before disclosing any PHI. HIPAA requires that each authorization clearly describe the information to be disclosed and the reason for the disclosure. Each authorization must contain: (1) who will be disclosing the PHI; (2) who will be using or receiving it; (3) information about the person’s right to revoke the authorization; (4) a statement that information used or disclosed is subject to re-disclosure; (5) the date when the authorization will expire; and (6) the signature and the date.

Are there any exceptions to HIPAA disclosure requirements?

HIPAA provides a limited public policy exception for PHI disclosure involving public health issues, judicial and administrative proceedings, law enforcement purposes, and others as required by law.

What rights do people have under HIPAA?

HIPAA provides that people have a right to obtain and review their own PHI and to amend or correct any PHI which they believe is inaccurate or incomplete. People also have a right to obtain an accounting of all disclosures of their PHI, receive a written privacy notice, and request additional restrictions on the use and disclosure of their PHI.

What should employers do?

Employers should take steps right away to ensure full compliance by April 2003. Employers will need to reconfigure their administrative, technical, and physical safeguards for PHI. This will likely include significant changes to information systems and the creation of a "firewall" between plan-related uses of PHI and employment-related uses of that information. The typical dual model of the Human Resources staff handling both employment- and benefits-related data will likely not survive HIPAA.

HIPAA will require employers to designate a "Privacy Official" who will be responsible for the development and implementation of HIPAA’s rules, the training of responsible employees on appropriate uses and disclosures of PHI, and the development of appropriate sanctions for non-compliance. These Privacy Officials should review operations to identify the flow of PHI within the company and determine any "gaps" between actual operations and HIPAA’s privacy rules, including identifying all business associates who may have access to PHI (for example, legal, accounting, actuarial, consulting, or financial services providers).

HIPAA’s rules also call for the creation of a process for people to lodge complaints with the covered entity. The Privacy Official should create a system for handling complaints, keeping records of those complaints, mitigating any harmful effects resulting from an improper disclosure of PHI, and recording the resolutions.

Finally, employers with fully insured health plans that have access to PHI, and employers with self-insured plans, must make certain that the plan administrator complies with the regulations’ administrative requirements. Security of information, both physical and electronic, must be dealt with.

April 2003 may seem like a long way off, but time will fly by. Avoid the rush -- start planning now!

ADDITIONAL INFORMATION

The Department of Health and Human Services (DHHS) Office for Civil Rights (OCR) has developed a web quiz designed to educate the public about the privacy aspects of the Health Insurance Portability and Accountability Act (HIPAA). The quiz has 15 questions and answers about the regs in true/false format. Issues the questions cover include:

-- Will the privacy rule create a database with everyone’s personal health information?

To take the quiz, go here: http://www.regreform.hhs.gov/hipaaquiz_0204171/sld001.htm