The Integrity News
Vol. XII No. 14
April 14, 2003
"objective risk management services"
April 14, 2003
The Health Insurance Portability and
Accountability Act of 1996 (HIPAA)
is a comprehensive law that addresses
a number of health care issues including
data transmission and protection, fraud
and abuse, insurance portability, and, it
defines "The Privacy Rule" which goes
into effect today.
The Privacy Rule generally prevents the
disclosure of Protected Health Information
(PHI) by "covered entities". You need
to become familiar with which of your
records are PHI, and which are classified
as "employment records".
HIPAA applies to any group health plan
that has more than 50 participants, OR
that is administered by an entity other
than the plan sponsor.
It has been generally assumed that the
covered entities are: (1) most group
health plans and (2) health care providers.
However, while HIPAA does not give the
U.S. Department of Health and Human Services
(HHS) the authority to regulate private
businesses, and while employers and other plan
sponsors are technically not "covered entities",
employers may be subject to the Privacy Rule
by virtue of acting as a plan sponsor and
offering benefit plans to their employees.
Plan sponsors that either require access
to PHI to carry out administrative functions,
or that become involved in the administration
and operation of a group health plan, will
have to comply with the HIPAA Privacy Rule
on behalf of their group health plans.
If you have a billing company or any other
entity conducting covered electronic HIPAA
transactions on your behalf, you are considered
to be performing electronic transactions
because the billing company or other entity is
considered to be an "extension" of you.
There are many other HIPAA considerations that one
needs to become familiar with, such as: annual plan
receipts, self-insurance, Flexible Spending Arrangements,
Family Medical Leave Act, Worker's Compensation,
and others. Some facts existing in your organization
will make HIPAA applicable, and others will not.
The Privacy Rule generally requires that covered
entities take reasonable steps to limit the use or
disclosure of PHI to the minimum number of people
necessary to accomplish the intended purpose. This
includes making reasonable efforts to limit access to
PHI to those in the workforce that need access based
on their roles in the covered entity. Therefore, redesigning
one's facility is probably not necessary. However, covered
entities may need to make certain adjustments to their
facilities to minimize access, such as isolating and locking
file cabinets or records rooms, or providing additional
security such as passwords on computers or storage
systems used to maintain protected health information.
Email is one of the biggest hurdles of HIPAA compliance.
Other vendors use it because it is very inexpensive.
As of April 14, 2003, PHI can no longer be put in emails
that are not encrypted. The Integrity Center has been
saying for years that drug test results and other sensitive
health information (now, PHI) cannot be trusted to email.
That is why The Integrity Center developed its secure
and encrypted client interface The Integrity Connection (tm).
Beginning in 1992, we used secure dial-up record transfer,
and since 1996, we have been using secure encrypted
Internet transfer. Now, getting or exchanging any PHI by
non-encrypted email or other insecure means is illegal.
Complying with HIPAA's Privacy Rule is not just a matter
of computer technology. Among many other considerations,
workers handling PHI need to lay reports face down, keep
records locked when they are not in attendance, and not
leave messages on phone systems with voice mail that can
be accessed by other than the intended necessary recipient.
While you are probably well along with your general HIPAA
compliance efforts, if you have not begun your Privacy Rule
compliance efforts, then a good starting point for establishing
your Privacy Rule compliance program would be to determine:
what types of PHI you currently receive and handle
who sees it
how they use it
where it is retained, and
whether such access and use is necessary to accomplish
your covered entity's purposes.
The HIPAA Privacy Rule will certainly impose additional
administrative burdens on employers. Although the
Privacy Rule includes no authority for private lawsuits,
significant penalties may be imposed for violations,
including criminal sanctions.
Reports from The Integrity Center, Inc. are all HIPAA
compliant. We would be happy to discuss helping you
make all of your Background Checking, Employee File,
and Benefits Administration records satisfy the Privacy
Rule. We have these capabilities on the Internet, and
all communications are secure and encrypted. Just give
us a call at: (972) 484-6140.