All employer-sponsored health plans (except those that have fewer than 50 participants and are administered in-house) must comply with new privacy requirements imposed by the HIPAA privacy regulations, issued by the U.S. Department of Health and Human Services (HHS). The compliance deadline is April 14, 2003. In addition, employers that sponsor health plans will have HIPAA privacy compliance obligations. This client bulletin focuses on the HIPAA privacy obligations of employers that sponsor health plans, and outlines some common issues and choices that employers will face.
If you are an employer that sponsors a group health plan or a health flexible spending account (FSA), you may already have received information from your insurer or your third-party administrator (TPA) about the new privacy requirements. Unfortunately, many employers have received, or will soon receive, privacy forms and instructions that do not meet the requirements of the HIPAA privacy regulations and which may expose the employers to civil and criminal penalties. In addition, many employers assume that there is a one-size-fits-all compliance program for HIPAA privacy. In fact, however, different employers will have different needs and should take different approaches to complying with the HIPAA privacy requirements.
From the employer’s point of view, there are two main areas of concern: performing plan administrative functions, and helping employees resolve claims issues.
1. If an employer performs administrative functions for its health plan, what must the employer do to comply with the HIPAA privacy requirements?
Three things: Amendment, certification, and adequate separation.
Employers often perform administrative functions for their health plans or FSAs, and receive information from their insurers or TPAs to perform those functions. However, the HIPAA privacy regulations limit such disclosures to the employer, and impose specific requirements before such disclosures may be made. To meet these requirements, the plan documents must be amended to specify how the employer may use information disclosed by the group health plan, and the employer must give the plan a certification covering a long list of items, including that the employer:
In addition, the employer must ensure “adequate separation” between the group health plan and the employer. To accomplish this, the plan documents must:
Unless these requirements are all met, a group health plan or health FSA will be allowed to disclose only “summary health information” (see question 3 below) or enrollment and disenrollment information to the employer.
Some employers have received documents from insurers and TPAs that are intended to permit disclosure of information to employers, but that do not meet the amendment, certification, and adequate separation requirements. Other documents appear to permit disclosure of information to the employers, but actually just place responsibility for compliance with the HIPAA privacy requirements on the employers. And, finally, some employers that would prefer not to have to satisfy the HIPAA privacy requirements, and are willing to limit the information they receive, are simply being given documents without first being given guidance about their HIPAA privacy compliance options.
2. If members of an employer’s staff (such as HR professionals) assist employees with claims problems, and need information from the health plan in order to provide the assistance, what does the employer need to do?
Obtain an authorization that complies with the HIPAA privacy requirements from the employee.
Many employers allow or encourage their employees to seek the assistance of the employer’s HR professionals to resolve health plan claims problems. Often, resolution of those problems requires disclosure of employee health information by the health plan to the HR professionals. However, HHS takes the position that a group health plan or an insurer may not disclose that information to the employer, unless the employee signs an “authorization.”
To qualify as an “authorization,” a document must meet a number of specific requirements, including the following:
3. Is it possible for an employer that sponsors a health plan to avoid some or all of the HIPAA privacy requirements?
Only under two very limited conditions.
First, if a health plan provides benefits only through insurance or an HMO (or a combination of the two), the employer may receive “summary health information” from the insurer or HMO without amending the plan, making a certification, and providing for adequate separation, and without obtaining authorizations from the plan participants. However, the employer may only use that information for two purposes:
“Summary health information” is information from which 17 separate categories of information have been removed.
Second, an employer that receives only enrollment and disenrollment information from its health plan will have no HIPAA privacy obligations. However, employers that receive only enrollment and disenrollment information will not be able to decide health plan appeals, and will have to make sure there is a named fiduciary to decide appeals. In addition, those employers may have difficulty fulfilling their fiduciary obligations under the Employee Retirement Income Security Act, which requires that a fiduciary must prudently select and monitor service providers (including insurers and TPAs).
Employer Action Items