What Every Employer Needs to Know About the HIPAA Privacy Rules

By Timothy J. Stanton, Kathleen S. Scheidt and Sarah Bassler Millar

It’s really going to happen.

That’s what more employers are thinking since the Department of Health and Human Services ("DHHS") on August 14 produced its "final" version of the Privacy Rules under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). Though not completely abandoning their hope that the rules will be delayed or modified still further, employers are well advised to focus their attention now on developing a workable compliance strategy for their benefit plans.

Among the steps that employers are taking in the early stages of these compliance efforts are: determining which parts of their organizations are covered by the Privacy Rules; analyzing how their organizations use and disclose participant health information; reviewing contracts with administrative services companies; and appointing "privacy officials" to lead internal compliance efforts.

To assist you in developing a strategy for bringing your health benefit plans into compliance by April 14, 2003 (a year later for certain "small" plans), we have prepared this detailed question-and-answer guidance. This guidance incorporates the final version of the Privacy Rules and also draws on our experience advising clients on these issues over the past several years.

Our analysis is organized under 10 key subject headings—Covered Entities, Protected Health Information, Business Associates, Consents and Authorizations, Administrative Requirements, Individual Rights, Plan Amendments, "Minimum Necessary" Standard, Preemption, and Insured v. Self-Insured Plans. To make this Memorandum most useful for you, we have also included detailed lists of the requirements for many of the basic HIPAA compliance documents.

The Privacy Rules cover three types of entities: health care clearinghouses; certain health care providers (those that transmit health information in standard electronic transactions); and "health plans," which are defined broadly enough to include health insurers and HMOs, various government medical programs, and employer-sponsored health benefit plans.

The definition of health plan includes various types of benefit plans sponsored by any type of employer, such as medical, dental, vision, prescription drug, health flexible spending account, and long-term care plans, as well as most employee assistance plans.

A typical large employer might sponsor four or five separate plans that are "covered entities." Additionally, an employer-sponsored plan often will coordinate with an insurer or HMO to provide coverage to employees. The Privacy Rules ease the compliance burden on such group arrangements, called "organized health care arrangements." The covered entities participating in such arrangements are permitted to use and disclose information more freely with each other and may also issue a joint Notice of Privacy Practices to participants.

Unless your employer is itself a clearinghouse or health insurer or provider, the rules do not apply directly to the employer. But the health benefit plans or programs your company sponsors may be covered entities.

No. For example, long- and short-term disability plans, workers compensation benefits, life insurance plans, and sick pay programs are not covered by the Privacy Rules (even though they all involve employee health information). There is also a probably little-used exclusion from the "covered entity" definition for employer-sponsored health plans that are entirely self-administered and have fewer than 50 participants.

A "small health plan" is one with annual receipts of $5 million or less. Small health plans can delay compliance with the rules until April 14, 2004. Even a large employer may have some plans (e.g., long-term care or vision) that are "small."

"Protected health information," or PHI, is another important concept to incorporate into your compliance effort because the Privacy Rules prevent health plans from using or disclosing a participant’s (including a former participant’s) PHI except as authorized by the regulations under HIPAA.

Generally, PHI is individually identifiable health information that is transmitted or maintained in any form or medium and that relates to the past, present, or future physical or mental health or condition of a participant, the provision of health care to a participant, or the past, present, or future payment for the provision of health care to a participant. Information is "individually identifiable" if it either actually identifies an individual or contains enough specific information to do so.

No. Only health information used or created by your company’s health plans (or other covered entities) would be PHI. One significant change in the final rules is the addition of a specific exclusion from the definition of PHI for "employment records" held by a covered entity in its role as an employer. Though this language would be more reassuring to plan sponsors if the provision specifically mentioned employer health plans, it does indicate an acknowledgment that not all health information held by employers is affected by the Privacy Rules.

Many employers would find it difficult, if not impossible, to administer health benefit plans without some of their employees having access to some PHI. This information can be shared with the plan sponsor if the PHI has been "de-identified," if it is merely enrollment information or "summary" claims information (that is not individually identifiable), or, more importantly, if your company certifies that it will comply with the Privacy Rules, takes the appropriate steps to do so, and amends its plan document as needed. In one useful change for employers, the final rules clarify that simple enrollment information is, in fact, PHI, but it can be shared between a plan and plan sponsor without the plan amendments summarized below.

No matter how far along they are in their compliance efforts, many employers are finding that the impact on dealings with "business associates" is one of the most immediately tangible effects of the Privacy Rules.

Under the Privacy Rules, your plans cannot disclose plan PHI to their business associates without having in place a written contract that includes almost a dozen specific privacy protections. These business associate agreements are critical to fully safeguarding PHI when used or disclosed by service providers - such as third-party administrators, pharmacy benefit managers, benefit consultants, and attorneys - not otherwise covered by the Privacy Rules.

A services firm whose work includes using individually identifiable health information from your plan could be a "business associate" of the plan in one of two ways. First, it could perform on behalf of the plan any of a range of functions covered by the Privacy Rules (examples include claims processing, utilization review, and quality assurance). Second, it could provide to the plan one or more specific services (legal, actuarial, consulting, accounting, data aggregation, management, administrative, accreditation, or financial).

These agreements could be entirely new contracts or just additions to existing agreements. The final rules provide very limited relief from the general requirement that an employer-sponsored health plan have a HIPAA-compliant business associate agreement in place by April 14, 2003. A written contract with a business associate that is in place by October 15, 2002, and is not renewed or modified by April 14, 2003, is deemed to comply with the Privacy Rules until it is either renewed or modified, or April 14, 2004, whichever is earlier.

Generally, if a contract is renewed or modified between October 15, 2002 and April 14, 2003, this transition relief is not available. But "evergreen" contracts, in which renewal is automatic without changes in terms, do qualify for this relief.

No, not really. This delayed compliance date gives plans less substantive relief than it might initially seem. During the transition period, plans must still allow participants to access and amend their PHI and to receive an accounting of disclosures of that PHI, and plans must also give DHHS information as needed to determine compliance. Throughout this period, your plan also must mitigate (to the extent practicable) any harmful effect that is known to the plan, of a use or disclosure of PHI by a business associate in violation of the plan’s policies or the Privacy Rules.

No. Even under prior versions of the rules, health plans would not have had to obtain participant consent to use PHI for "payment, treatment, and health care operations" (a broadly defined phrase that encompasses most activities in which an employer-sponsored health plan is likely to engage). The final version of the Privacy Rules eliminates the consent requirement for all other covered entities as well.

Although consents are not required, some employers are opting to include in their enrollment forms some sort of acknowledgment by a participant that he or she is consenting to the use and disclosure of his or her information for plan administration purposes. Doing so reminds participants that such uses and disclosures are not prohibited under the Privacy Rules.

Plans must still obtain participant "authorization" for most uses and disclosures of PHI beyond "payment, treatment, and health care operations" of the plan. Participants generally can revoke an authorization at any time in writing. Your plan may condition enrollment or eligibility for benefits on a participant providing authorization only in very limited circumstances when authorization is sought for pre-enrollment underwriting purposes.

Many plans probably will not use PHI for purposes beyond "payment, treatment, and health care operations," and so will not use authorizations on a large scale. However, one instance in which an authorization might be needed is where health plan PHI is used to administer other benefit programs, such as LTD plans.

Prior to the final modifications of the Privacy Rules, the authorization requirements differentiated between authorization requests made by covered entities and those made by individuals. The final rules incorporate some of the requirements that originally applied only to covered entity-initiated authorization requests and eliminate the distinction between covered entity requests and individual requests.

Rather than use this cumbersome authorization process, employer-sponsored health plans that want to use PHI for something beyond payment, treatment and health care operations could consider using "de-identified" information. "De-identified" information is PHI that has been stripped of all identifying data that might enable someone to identify the person to whom the PHI applies.

This could be done by means of an outside expert or a safe-harbor method that involves removing 18 direct identifiers ranging from name and address to biometric indicators.

As an alternative to full de-identification, the final rules also permit employer health plans to disclose information in a "limited data set." A limited data set is PHI that excludes 16 of the 18 direct identifiers. These data sets would require an additional contract and are primarily designed for use in research. Employers that need only limited information from their health plans may be able to take advantage of the limited data set alternative. The use of limited data sets may slightly reduce the privacy compliance burden for such health plans, in part because the plans are not required to account to participants for disclosures of PHI in limited data sets.

They might not. One common misconception about HIPAA compliance is that it requires not much more than adding some standard language to your contracts and distributing some standard communication materials to your participants.

To see why this is a misconception, you need only look at the administrative requirements. Of particular interest to benefits executives and in-house benefits counsel is the requirement that a plan designate a "privacy official" responsible for developing and implementing the plan’s privacy and procedures policies, and a "contact person" (who may also be the Privacy Official) to receive complaints and provide further information about those policies and procedures. Furthermore, a plan may not require participants to waive their right to file a DHHS complaint as a condition for the provision of treatment under, payment by, enrollment in, or eligibility for the plan. Additional administrative requirements are described below.

The Privacy Rules require plans to have policies and procedures to implement the administrative requirements and other parts of the rules. These policies would be for internal use and would describe a plan’s internal operations. There are not sets of required provisions for these policies, as is the case, for example, for notices of privacy practices, business associate agreements, and health plan documents.

The final rules clarify that there is no violation when an incidental use or disclosure occurs in connection with the intended use or disclosure - provided that a plan has in place reasonable safeguards to prevent such incidental uses or disclosures. This is relevant to employers, for example, where conversations between benefits administrators may be overheard.

The general compliance dates apply in this area as well, but compliance with the administrative requirements should be an ongoing process. For example, training must be provided to current employees performing plan administrative functions by April 14, 2003; to new employees hired after April 14, 2003 within a reasonable period of time after their date of hire; and to employees whose functions are affected by a material change in the plan’s policies and procedures within a reasonable period of time after the change becomes effective.

No part of your HIPAA compliance effort is likely to have a greater impact on participants (or to produce more calls and e-mails from them) than your efforts to enable them to exercise their individual rights under the Privacy Rules. The Privacy Rules create three important rights - to access your PHI, to amend it, and to receive an accounting of disclosures made of it - and require covered entities to explain these rights in a Notice of Privacy Practices.

Participants have broad rights to access and copy their PHI that is part of the records maintained by or for the plan. Your plan must respond to requests for access to the information within 30 days and will have to provide access in the format requested unless such information is not readily producible. One 30-day extension is available if the plan needs additional time to respond and notifies the participant in writing of the reasons for the delay and the date by which the plan will respond. Your plan may deny requests for access, but in most circumstances (except those delineated in the Privacy Rules) the plan must allow the requesting individual to have the denial reviewed by a health care professional who was designated by the plan to conduct such reviews and who did not participate in the denial.

Participants also have the right to have your health plan amend their PHI as long as it is part of the records maintained by or for the plan. The plan must respond to requests to amend within 60 days, although the plan may extend its response time once by up to 30 days if it needs additional time to respond and notifies the participant in writing of the reasons for the delay and the date by which the plan will respond. There is greater flexibility to deny these requests (compared to requests for access), most interestingly on the grounds that the PHI on file is already "accurate and complete." But if your plan denies a request, a participant may either file a statement of disagreement or request that the amendment request and denial be included with all future disclosures of the participant’s PHI. The plan may prepare a written rebuttal to a participant’s statement of disagreement. If it does, the plan must provide a copy of the rebuttal to the participant.

The Privacy Rules require your plans to document and retain the designated health records that participants may access or amend as well as titles of the individuals responsible for processing requests for access or amendment. In addition, the rules contain specific access and amendment request denial and review procedures and deadlines that your plans must communicate to participants.

Participants have the right to receive once every 12 months, upon request and free of charge, an accounting of the disclosures of their PHI made by your health plans for up to six years immediately preceding the date of the request (this would not apply to disclosures made prior to April 14, 2003, and by a plan for treatment, payment, or health care operations, and disclosures authorized by the participant). An accounting must be written and must satisfy several requirements imposed by the Privacy Rules. Reasonable fees could be charged for additional accountings.

The Privacy Rules contain special accounting rules for multiple disclosures of PHI to the same person or entity for a single purpose as well as for research-related disclosures for 50 or more individuals.

Your plans must document and retain the information required to be included in a disclosure accounting, records of the accountings provided to individuals, and the titles of the persons responsible for receiving and processing requests for accountings.

Though the standards are the same, insured plans may have an easier time complying with the access, amendment and accounting rules because insurance companies and HMOs are required to comply with the rules in their own right as covered entities. For employers with self-insured plans, it will be very important to work with your service providers to assign responsibility for responding to these requests and to coordinate efforts.

Needless to say, with these important new rights available to your participants, you will be responsible for providing an explanation and telling participants how they can exercise these rights. The mechanism that the Privacy Rules use for this task is a sort of mini-SPD (in fact, many employers may consider simply incorporating this document into their SPDs). This "Notice of Privacy Practices" must be distributed to participants in your plan on or before the date the Privacy Rules take effect (April 14, 2003 for most plans) and to new participants as they enroll, and it will have to be updated to reflect changes in how your plan handles PHI.

Employer-sponsored health plans generally must also include a separate statement that the plan may disclose PHI to the sponsor of the plan.

Your plan may elect to limit further the uses or disclosures that it would be permitted to make under the Privacy Rule. If it does so, the plan may describe its more limited uses or disclosures in its notice, although the plan may not limit its right to make a use or disclosure that is required by law or permitted to prevent or lessen a serious or imminent threat to the health or safety of a person or the public. If your plan wants to be able to apply a change in its more limited uses and disclosures to PHI created or received before it issues a revised notice, the plan must reserve the right to change the terms of its notice and to make the new notice provisions effective for all PHI that it maintains. The statement also must describe how the plan will provide individuals with a revised notice.

That is a risk, especially when incorporating them into an already long and detailed SPD. Recognizing this problem, DHHS has indicated that it would be appropriate to use a short summary of the notice attached to a longer, complete notice (i.e., a "layered" notice). One other useful device is a combined notice, which is permitted for a group of plans sponsored by one employer (remember, this is called, in HIPAA-speak, an "organized health care arrangement").

You may hear references to some providers obtaining a patient’s written acknowledgment of receipt of the provider’s Notice of Privacy Practices. These acknowledgments reflect a change in the final rules, which require certain providers (but not health plans such as yours) to make a good-faith effort to obtain these acknowledgments. Your plans may wish to obtain participants’ acknowledgments that they received the notice as a way to document your compliance with the Privacy Rules.

Unless nobody at your organization will be receiving any PHI (except enrollment information or aggregate "summary" claims information from which nearly all identifiers have been removed), you will need to make fairly extensive plan amendments. These plan amendments make it clear that not only must the plan safeguard PHI, but you, as plan sponsor, also must do so if you wish to use and disclose your plan’s PHI.

Actually, yes. The Privacy Rules require your health plans to ensure "adequate separation" between the plans (which probably have PHI) and the rest of your company’s operations. The preamble to the rules borrows the computer security term "firewall." The "firewall" that separates your other business operations from your health plan is critical to safeguarding the plan’s PHI. The policy and provisions establishing this firewall must: (i) describe which employees will have access to PHI; (ii) restrict this access to plan administrative functions; and (iii) provide a way to resolve any violations of the policy by these employees.

One of the biggest HIPAA privacy compliance wildcards for employers is the "minimum necessary" standard. Under this standard, your plan and its business associates must take reasonable steps to limit each use or disclosure of PHI to the minimum necessary use or disclosure to accomplish the relevant task.

The Privacy Rules, even the final version, contain little guidance about how a plan is supposed to determine whether any particular use or disclosure is actually the minimum needed to do the job. But the Privacy Rules are clear in requiring your plan to develop and implement policies and procedures appropriate for your company’s business practices and workforce that are designed to minimize the amount of PHI that is used, disclosed, and requested. Plan documents and employee communications, internal procedures, and administrative arrangements must be updated to incorporate the minimum necessary standard as reflected in the plan’s privacy compliance policies and procedures.

Most things, but not all. The Privacy Rules clarify that the standard does not apply to certain uses and disclosures, such as those required by law, disclosures made to an individual pursuant to that individual’s authorization, disclosures to and requests by health care providers for treatment purposes, and incidental disclosures as long as the disclosing party uses reasonable safeguards and has implemented minimum necessary standards. Therefore, health plans may disclose PHI that is reasonably necessary for workers’ compensation purposes because the Privacy Rules specifically permit disclosure of PHI if the disclosure is legally required. In informal guidance, DHHS has helpfully stated that it does not intend the minimum necessary standard to interfere with best industry practices and it views this as a reasonable and flexible standard.

The efforts of your health plans to establish "minimum necessary" policies and procedures should begin with a survey of the types of PHI used in plan administration and the types and degree of PHI disclosures. Plan administrators may find that some functions can be performed adequately with fewer or less extensive uses or disclosures.

Generally, the Privacy Rules will preempt state laws that are contrary to the Privacy Rules. But there is one specific exception that is potentially very important for employer-sponsored health plans: "more stringent" state laws may not be preempted. If your plan operates in a state that has more stringent laws that would apply to the operations of an employee benefit plan (i.e., that would not be preempted by ERISA), your Notice of Privacy Practices must explain the more stringent state law protections.

HIPAA preemption is another compliance wildcard for employers, but one that will likely come into play only in future years and future state privacy laws. DHHS has indicated that it did not intend the Privacy Rules to replace the current ERISA preemption scheme. Still, it remains to be seen whether states will - in the interest of medical record privacy - enact laws that will affect benefit plan administration, and how courts would react to such laws.

Insured vs. Self-Insured Plans

No. Compliance generally may be easier for insured plans because insurance companies and HMOs are themselves covered entities, but the same rules usually apply.

However, the Privacy Rules do provide a limited exception for group health plans that provide benefits solely through an insurance contract (including a contract with an HMO). Two important forms of relief are available for such fully insured plans if the plans do not create or receive any PHI, except "summary" information and enrollment/disenrollment information.

First, insured plans will not have to comply with most of the administrative requirements under the Privacy Rules and may not have to amend their plan documents. Second, these plans will not be required to provide or maintain a Notice of Privacy Practices because the insurer or HMO will be doing so.

Our sense is that insured plans sponsored by large employers often may receive more PHI than this exception would allow, though some employers may alter their procedures to try to take advantage of this exception. And even employers that provide benefits only through insured plans and receive little or no PHI could decide to take precautionary steps like appointing a privacy official or training employees in properly handling PHI.