March 29, 2005

HIPAA Security Implementation Deadline Looms for "Large Health Plans"

The deadline for "large health plans" to comply with the security standards for electronic protected health information ("PHI") under the Health Insurance Portability and Accountability Act (HIPAA) is April 20, 2005. "Large health plans" are those which paid premiums or claims of over $5 million in their most recent plan year. Employers with such plans should ensure that they will meet the upcoming deadline. Health plans below the $5 million threshold have an extra year (until April 20, 2006) to comply with the HIPAA security rules.

What do the HIPAA Security Rules Require?

The HIPAA security rules apply only to electronic PHI: protected health information that is stored in, received by or sent from a computer or other electronic medium, which for this purpose includes telephone voice-response and faxback systems. In general, these rules require health plan sponsors to implement administrative, physical and technical safeguards to protect electronic PHI. In the group health plan context, electronic PHI is typically stored in, received by or sent from computers that are part of the sponsoring employer's overall computer system, so some level of administrative, physical and technical safeguards is usually already in place. The HIPAA security rules require the employer to conduct a risk analysis of those existing safeguards, determine whether they satisfy the HIPAA security standards, and document the results. In some cases, additional or different safeguards will prove necessary. If you have not already begun this type of identification and assessment process for a large health plan, you should do so immediately.

In addition to the safeguards which have to be implemented and/or documented, employers will need to:

  • Revise their policies and procedures that were developed in connection with the HIPAA privacy rules to take into account the HIPAA security rules.
  • Revise business associate agreements to include compliance with the HIPAA security rules, to the extent the business relationship involves electronic PHI.
  • Appoint a security official (the rule's term for the designated security officer) responsible for overall compliance of the employer's group health plans with the HIPAA security rules.
  • Amend their health plan documents to provide for compliance with the HIPAA security requirements.

Bringing Plans into Compliance

If you have a large health plan that has not yet begun its efforts to comply with the HIPAA security rules, don't panic. The Department of Health and Human Services, which is charged with enforcing HIPAA, has enforced the HIPAA privacy rules in a compliance-oriented manner, and is expected to enforce the HIPAA security rules in the same way. Nonetheless, HIPAA provides for civil penalties of up to $25,000 per calendar year for violations of a single requirement (and criminal fines of up to $250,000, plus imprisonment, for certain knowing violations), so large health plans should not ignore compliance.