HRCentral News

The Day Before Taxes, a HIPAA Deadline Looms
by Steve Norman, J.D. SPHR

If you thought the tax deadline was the only big due date in April, think again.  In 2004, April 14th is a big deadline for small employers subject to the privacy regulations under the Health Insurance Portability and Accountability Act (HIPAA).  Most employers think they are exempt from the privacy regulations because:  1. their group health plans are fully insured; 2. the plans are administered by the insurance carrier or a third-party administrator; and 3. the employer only receives information about enrollments and cancellations and a summary of claims history for the entire group.  However, employers that offer supplemental benefits like flexible spending accounts (FSA) and employee assistance programs (EAP) are likely subject to the privacy regulations because those types of plans are usually self-funded and, therefore, not exempt.  The April 14, 2004 deadline applies to employers with self-funded plans that have $5 million or less in annual receipts, which is measured by the total amount paid for health care claims by the employer, plan sponsor or benefit fund, on behalf of the plan during the plan’s fiscal year.  The only exception is if the employer’s plan has fewer than fifty participants and it is self-administered by the employer.

What Should You Do?
If you have an FSA or EAP plan with less than $5 million in annual receipts and do not meet the exception, you have a couple of options outside of complying with the regulations.  The first option, of course, is to cancel the plan.  If you do not have a plan in place on April 14, 2004, you do not have to comply with the regulations.  However, since FSA plans usually have annual contracts based on the calendar year, you should first determine whether your plan administrator will charge a penalty for early cancellation.  The cost of the penalty may outweigh the cost of compliance.  You should also consider the potential financial impact on employees if the benefit is taken away and the decline in morale that may result.  Again, if the cost of the financial impact and lowered morale is greater than the cost of compliance, then cancellation may not be the best option.

The second option applies if you have fewer than fifty participants but the plan is administered by a third-party provider: you can choose to self-administer the plan.  In this case, you would have to determine if you have someone in-house who could take on the responsibility for administering the plan.  If so, you will not be subject to the regulations and can avoid the deadline.

If you cannot go with either of the first two options, you will have to comply.  To do so, you will have to do the following by April 14, 2004:
  1. Designate a Privacy Official – This person will be accountable to ensure that the program is put in place and followed by all employees.
  2. Business Associate Contracts – Any third-party service provider that creates or receives personal health information (PHI) about plan participants must enter into an agreement stating that they will disclose and use PHI only in accordance with the privacy regulations and will assist you in providing rights under HIPAA.
  3. Policies and Procedures – You must establish policies for the internal use and disclosure of PHI.  The policies should address how PHI will be stored, transmitted and safeguarded.
  4. Notice of Privacy Practices – You must distribute notices to all plan participants explaining the policies on the use and disclosure of PHI and the limited situations where PHI will be used or disclosed without the participant’s authorization.  It should also explain how participants can exercise their rights under HIPAA including the rights to access and amend PHI and file a complaint if the participant feels a right has been violated.
  5. Complaint Mechanism – You must establish a procedure for addressing a participant complaint regarding violation of the policies and procedures or other rights under HIPAA.  If a violation occurs, you must take appropriate action against the violator.  You must make sure all complaints are documented as well as the action taken and any other efforts to comply with the privacy regulations.  These documents must be kept for six years.
  6. Amend Plan Documents – Plan documents for each plan subject to HIPAA must include provisions detailing how you will safeguard PHI and its use and disclosure in compliance with the regulations.
As stated earlier, these steps must be taken by April 14, 2004.  If you have an FSA or EAP plan administered by a third party, the administrator will likely have information to help you implement the appropriate policies and procedures.  You can also find more information and answers to many questions at the website for the federal Department of Health and Human Services, the agency charged with enforcing HIPAA.  Its website is www.hhs.gov/ocr/hipaa.
 
 
Technology Corner: Beware of Social and Business Networks
By Richard Noland, Ph.D.

Using the Internet and the computer to create communities where everyone actively connects with each other is one of the biggest failures of the last ten years.  It is one of those ideas that intuitively makes sense, but practically just doesn’t work.  Using the timer on your VCR to record a show when you are out of town, advertising by e-mail and outsourcing a sales force are also examples of intuitively sound ideas that just don’t work.

One of the big dreams in the Human Resource industry is to create a place on an extranet where employees and managers can connect and, through an automated process, deal with issues.  Well, another stab at making this happen is now showing up.  They are called “social and business networks.”

But here is the rub.  We are already bombarded by requests and issues in our 45-hour work week; we don’t need more.  We are already bogged down by e-mails and voicemail; we don’t need to make it easier for people to get connected with us.  The problem isn’t connecting; the problem is filtering.  Adding one more means to “network” just makes it easier for people we don’t need to interact with – to interact with us.

And what about privacy?  These new networks are not secure.  If your company is thinking of signing up for one, read the fine print first.  Virtually all of these services have a glaring omission regarding ownership of information and guarantees of privacy.

We are now moving into the decade of extranets, deal rooms and networked communities.  If you haven’t been approached yet to buy one, you probably will be within the next twelve months.  The three qualifying questions need to be:  1. How do you filter?  2. How do you make it private and secure?  3. Who owns the data?

Published by HRCentral
Copyright © 2004 HRCentral Corporation. All rights reserved.
