HIPAA, the Employer, and Employee Privacy
by Steve Norman, J.D.
Recently, Congress passed several amendments to the Health Insurance Portability and Accountability Act (HIPAA), the Act that, among other things, simplifies an employee’s ability to obtain health insurance when transferring jobs. The new amendments to HIPAA require covered entities to make reasonable efforts to preserve the confidentiality of employee health information by ensuring that the information is accessed and used only for permissible purposes. Therefore, covered entities, including Health Plans, Health Care Clearinghouses and Health Care Providers, must certify that employers who contract for their services are complying with the new requirements. While this would seem to impose new recordkeeping obligations on employers, existing laws such as the ADA, FMLA and OSHA already require employers to have many of these recordkeeping practices in place. The practices identified in the new amendments are as follows:
- Restrict access to employees’ protected health information (for example, employers should keep protected health information separate from all other employment records and keep this information in a locked file cabinet);
- Limit access to the protected health information to designated employees who have a need to know, such as a benefits administrator;
- Restrict the use of protected health information by designated employees to only administrative functions the employer performs for the plan;
- The employer may not disclose protected health information without the written consent of the employee;
- The employer may not use the protected health information for job-related actions such as evaluations, terminations, and promotions;
- Allow employees to correct the health information in their records;
- Destroy protected health information when it is no longer needed or is no longer being utilized for the original purpose for which it was obtained;
- Ensure that any entity that receives protected health information will agree to the same restrictions and conditions; and
- Report to the health plan any use or disclosure inconsistent with these amendments.
“Protected health information” is broadly defined as any individually identifiable health information transmitted or maintained in any form. Finally, all group health plans covering more than five employees must be amended to specifically state that the employer will restrict the release of all protected health information unless the above requirements are met.
What should you do?
The new requirements do not take effect until April 14, 2003. Between now and then, employers will probably receive notice from their health insurance providers detailing the information above and changes that will need to be made to the employer’s group health plan contract. The plan providers may also require employers to certify that they are complying with the new requirements. In the meantime, employers should review their recordkeeping practices to ensure that they are in compliance with HIPAA. If you would like assistance evaluating your practices, contact us today.