Triangle Business Journal

CONTACT: Rob Karn
PHONE: 919.821.9192
DATE: 3.29.2004

HIPAA Help • If you're not hip to HIPAA, you're running out of time
By Rob Karn
Published: March 29, 2004
What does April 14, 2004 mean to your company? It is much more than the day before taxes are due. As of April 14, nearly all of the nation's businesses that offer health benefits to employees will be required to comply with a federal law protecting the confidentiality of employees' health information. Health insurance agents indicate that most companies don't even know about the requirement.

The Health Insurance Portability and Accountability Act, or HIPAA, privacy rule requires employers with health plans to establish and follow policies and procedures that prevent the use of employee health information to make employment decisions.

Business owners and managers who offer health benefits have been overwhelmed with the escalating costs of health insurance. At renewal time, the temptation is to identify those employees who are increasing the premiums and replace them with healthier employees. Under HIPAA, using health information to make employment decisions is a violation of the law.

Many employees already know something about HIPAA after receiving a Notice of Privacy Practices at pharmacies, medical and dental offices, or hospitals last year. What employers do not realize is the same HIPAA requirements protecting employee health information apply to almost all businesses that sponsor a health benefits plan, no matter how small the business.

The April 14 deadline applies to any sponsored health care plan with premiums of less than $5 million.

The government expects companies to scale their privacy plans to match the size of the company. That means the level of implementation needs to be more elaborate the larger the company. If there is an employee complaint filed, the U.S. Department of Health and Human Services, or HHS, will look at whether there is a plan in place and whether the company is trying to comply. If there is no budget for training and implementation, this will be viewed by HHS as a sign that the company is not serious about implementing the rule.

The steps to implementing a plan are straightforward.
  • Appoint a privacy officer.
  • Build a privacy team. Include your CEO, CFO, CIO and communications team. Make a list of your business associates (those who see employee health information).
  • Conduct a risk analysis to see where Protected Health Information, or PHI, can be found in your business.
  • Learn the employees' rights and train supervisors on those rights.
  • Appoint a contact person to handle complaints.
  • Evaluate other federal and state laws for overlap.
  • Develop privacy policies and procedures.
  • Develop a Notice of Privacy Practices and send to each employee.
  • Develop a business associate agreement and obtain signatures from associates.
  • Establish administrative firewalls that protect the security and operation of your health information.
  • Amend plan documents (if they exist) to reflect your HIPAA implementation.
  • Ask an attorney to review your HIPAA documentation before releasing it.
  • Train your HR staff and supervisors on HIPAA Privacy.
  • Retrain HR staff and supervisors at job change and when necessary.

Some businesses are betting the government won't come looking for noncompliance. Initially, the government won't send investigators to knock on your door, but it will respond to complaints. In less than one year, more than 4,000 complaints have been filed with HHS against health care providers. Nearly a third of these complaints have been passed on to the Department of Justice for action. The number of employee-generated complaints will likely be much higher, especially when there is an adversarial relationship between employer and employees.

If your company decides not to comply, you could face fines of $100 per day per incident up to $25,000 a year with a 10-year prison sentence and up to $250,000 in fines for intent to harm. Top management will be accountable for noncompliance.

This is the trade-off: Does an employer put a compliance program in place as an insurance policy against government enforcement efforts, or does the employer gamble that it can resolve any issues before a complaint is filed? An employee cannot benefit financially from filing a complaint, but a HIPAA privacy violation could become part of a wrongful dismissal suit. Thus, an employee complaint could force your company into expensive legal action and fines that may result in business disruption.

If your business is just finding out about the law and the April 14 deadline, what are your options?

  1. Go to the HHS web site (www.cms.hhs.gov/hipaa/hippa2/), learn the law and create your own program. Expect to spend 100 to 150 hours of time. Good luck.
  2. Hire HIPAA qualified legal counsel and start from scratch. Expect to pay for 40 to 60 hours of legal time.
  3. Purchase a kit for $250 to $900 and get legal review on the finished documents you fill out. Time required is 10 to 15 hours for the privacy officer plus three to five hours of legal time for final legal review.

HIPAA privacy compliance makes good business sense and promotes positive employer-employee relations. As more information is available in cyberspace, every employee will want stronger protections for his or her individual health information. With each court case, the pressure will increase for companies to comply.

The smart bet is to find a compliance solution that matches the size of your company and your budget.
