06/25/2003
by Kris Larsen, Aon Consulting
New privacy and security standards set forth by the Health Insurance Portability and Accountability Act (HIPAA) of 1996 -- designed to protect employee health information -- are beginning to be felt by many businesses.
All companies with annual total health care costs greater than $5 million had to be in full compliance by April of this year. But it's not just larger companies that will be facing the new regulations. In April 2004, any company that sponsors health plans for employees will be held accountable. No matter the size, HIPAA will apply. CEOs need to take action now to ensure that their company is protected. So where do you start?
Protected Health Information
The first step is to define protected health information (PHI) and a company's level of exposure. HIPAA defines health information as any information (oral or recorded) that is created (or received) by a health care provider, health plan, public health authority, employer or health care clearinghouse.
In other words, health information, no matter how it is communicated or recorded (electronic, written or spoken), is protected under HIPAA guidelines.
The HIPAA privacy standards essentially say that a health plan cannot use or disclose PHI except as authorized by the individual or by Department of Health and Human Services (HHS) regulations.
The Risk of Non-compliance
If a company is out of compliance, it runs the risk of significant fines and potential criminal charges. HIPAA's privacy rule is enforced by the Department of Health and Human Services, and failure to comply could result in penalties of up to $100 per person per violation or up to $25,000 per year for each violation of an identical requirement.
Criminal penalties can apply for intentional violations of the rules. Such knowing violations could result in a criminal fine of up to $250,000 and up to 10 years in prison.
To help prepare your business for HIPAA compliance next April, planning is crucial. Here are the three main components of an action plan:
1. Appoint a Privacy Official.
A company as a plan sponsor must designate a privacy official responsible for developing and implementing its privacy policy and procedures. A health plan's responsibility to safeguard electronic protected health information extends to its entire workforce -- regardless of location.
2. Finalize Plan Documentation.
A health plan document must contain the appropriate privacy standards for the plan, and the employer as plan sponsor must agree to abide by these standards before the plan can disclose protected health information to the plan sponsor.
3. Set Up Business Associate Agreements.
A business associate is any person or organization using protected health information on behalf of a health plan to perform services such as benefits management, claims processing or administration. A health plan may only disclose protected health information to a business associate, and allow that person to create or receive information on its behalf, if an agreement is in place that binds the business associate to the same privacy requirements that are imposed on the health plan.
Fleshing Out the Plan: Gap Analysis
An effective strategy to comply with both the privacy and security standards would be to start with a "gap analysis." Compare existing policies and procedures with those required by the final regulations. Implementing remedial policies, procedures, supporting technology and training employees would follow.
Some of the activities around that exercise include:
- Distributing a privacy notice to employees;
- Establishing a procedure for employees to exercise their rights to access their own health information and to obtain an accounting of disclosures;
- Amending health plan documents to establish the permitted uses and disclosures of health information by the plan sponsor;
- Adopting appropriate administrative, technical and physical safeguards to protect the privacy of health information;
- Making sure your vendors are prepared to conduct electronic transactions in the standard format that will be required under the electronic data interchange (EDI) provisions.
Before the compliance date, the safeguards would be reviewed as the first of a series of periodic evaluations required under the regulation. The main thing to keep in mind is that there is plenty of time to meet compliance expectations, as long as you begin to think about it today.
Kris Larsen is Senior Vice President in Aon Consulting's Nashville, Tenn., office. Aon Consulting offers a full range of HIPAA-related tools and consulting services, from a self-contained "Guide to HIPAA Compliance" to an on-line assessment tool.
Please visit www.aon.com/hipaahelp to find out more.