HIPAA Compliance for Small Group Health Plans: Four Steps for Determining What You Need to Do
April 14, 2004 is the Health Insurance Portability and Accountability Act (HIPAA) privacy compliance date for small group health plans (group health plans with “receipts” of less than $5 million for the last plan year). The HIPAA privacy regulations impose use and disclosure rules on “covered entities,” including group health plans sponsored by employers, such as medical, dental, and vision plans, as well as health flexible spending accounts and many employee assistance programs. The HIPAA privacy regulations also create rights for individuals with respect to their health information and create administrative procedures that must be followed by covered entities.
Information—and misinformation—has swirled around HIPAA privacy compliance since the regulations were first proposed in 1999. Small group health plans can learn much from the compliance experiences of their larger counterparts, which were required to comply in April 2003.
Moreover, plans and other covered entities should revisit the compliance efforts made a year ago to adjust and improve on the practices and documents developed for the initial compliance deadlines. Many covered entities, with this year of experience, have identified problem areas that can be refined to more efficiently and effectively live with the HIPAA requirements.
For employers sponsoring small group health plans, the following four steps will assist in determining what you need to do to make sure your group health plans are compliant with the HIPAA privacy requirements:
1. Are You Excluded as a Small Self-Administered Plan?
HIPAA privacy regulations create an exclusion for group health plans that have fewer than 50 participants and are administered by the employer that established and maintains the plan. The first step in determining how to comply with HIPAA is to determine whether your plan is excluded from HIPAA compliance because it has fewer than 50 participants and is self-administered. Plans that use third-party administrators are not self-administered. Moreover, plans that designate the employer as plan administrator, but that receive administrative services (such as claims adjudication) from third parties likely are not “self-administered” either and likely do not fall within this exclusion.
A self-administered health flexible spending account program or medical reimbursement arrangement may fall within this exclusion even if the medical and dental plans do not.
2. Do You Sponsor Any Insured Plans That Receive Only Limited Health Information?
The second step in determining HIPAA compliance obligations is to determine whether any of your plans fall within the so-called “fully insured” exception. Although all group health plans are covered entities under HIPAA (except for the limited exclusion described in Step One above), group health plans that are fully insured and receive no health information (other than enrollment and disenrollment information or summary health information for the purposes of obtaining premium bids, or amending or terminating the plan) have only minimal compliance obligations. Such plans do not have to comply with the use and disclosure rules, do not have to provide for individual rights, and do not have to satisfy the administrative requirements imposed under HIPAA, except for the prohibitions against intimidating or retaliatory acts and against requiring a waiver of HIPAA rights.
In particular, this means that if you sponsor an insured plan that receives only enrollment or disenrollment information or summary health information, your plan does not have to appoint a privacy official, distribute a privacy notice, amend the plan document, or enter into business associate contracts. Additional compliance with respect to such plans may not be necessary.
3. Who Is Responsible for HIPAA Compliance for Your Plan and What Needs to Be Done?
If your plan does not qualify for the exclusion described in Step One or the limited exception described in Step Two, compliance essentially will consist of the following actions:
- Appoint a Privacy Official and Contact Person. The privacy official is responsible for HIPAA compliance for the group health plan. The contact person, who may be the same as the privacy official, serves to answer questions and receive complaints relating to privacy.
- Amend Plan Documents. If the employer sponsor receives protected health information from its group health plan, the group health plan must be amended to include mandatory requirements. This may be done as a stand-alone document, or may be incorporated in a restated plan document. Moreover, the employer, as plan sponsor, will need to take certain actions to safeguard plan-protected health information, such as to establish firewalls between plan and employer functions.
- Prepare Notice of Privacy Practices. The plan must develop a notice of privacy practices describing the use and disclosure practices, individual rights, and administrative procedures and including other required elements. For many plans, especially self-insured plans, the notice must be provided to participants in the plan prior to April 14, 2004. Thereafter, the group health plan will need to provide the notice to newly enrolled participants. If the notice is amended, then the new notice must be provided to participants within 60 days of a material change. Bear in mind that a fully insured plan, even one that receives plan information, must at a minimum develop a notice of privacy practices and provide the notice when requested; it is not necessarily required to distribute the notice. You need to verify your obligations with regard to the dissemination of the notice.
- Develop Policies and Procedures. The regulations recognize that small employers cannot afford the time and expense to adopt complex policies and procedures. They require only that the policies and procedures adopted be reasonable in light of the size and circumstance of the group health plan.
Many third-party administrators or benefits consultants are prepared to handle or assist you with group health plan HIPAA compliance. But you should not assume that they will handle your HIPAA compliance for you. With respect to most group health plans, the employer, as plan administrator, will be the fiduciary that is obligated to ensure ongoing group health plan compliance (including HIPAA compliance).
4. Who Are Your Business Associates?
The final step in HIPAA compliance is making sure that anyone who provides services to your group health plan is also complying with HIPAA. A business associate is someone who performs or assists the covered entity in performing a function of the covered entity, or who provides certain identified services to the covered entity, and receives or creates protected health information of the plan’s participants. Typical “business associates” of a group health plan include third-party administrators, outside service providers and professionals, such as actuaries, accountants and attorneys.
A group health plan may disclose protected health information to its business associates without an authorization from the participant only if it obtains satisfactory assurances, through a written contract, that the business associate will appropriately safeguard the information. The so-called “business associate contract” must contain specified provisions addressing the restrictions on the business associate’s use and disclosure of the health information it receives from the plan. Each business associate of the plan should execute a compliant business associate contract before April 14, 2004.
Following these four steps should allow most small group health plans to quickly determine their HIPAA compliance requirements. For more detail on the privacy rules, please see "A Road Map for Employer Compliance with HIPAA."