Did you hear that Jerry in the mail room hurt his back playing
softball last week?
If you heard it from somebody who processed Jerry's
insurance claim for medical treatment, you may wish you hadn't.
Stringent new regulations called for by the federal Health
Insurance Portability and Accountability Act (HIPAA) say that
individually identifiable information maintained by an
employee's health plan can only be revealed to another party
for reasons relating to payment, treatment or medical
operations.
HIPAA privacy rules also call for employers to rewrite contracts
with insurance companies and HMOs, revise their own health plan
documents, and appoint a privacy officer to oversee training and
implementation of the rules. In addition, companies must arrange
for any employee to be able to inspect and correct his or her
health records, and get permission before revealing any personal
health information. Generally, a wall must be erected between
health plan administration and other functions.
The new HIPAA rules are confusing and complex. However, HIPAA is
the law of the land, and most employers who handle protected health
information already had to comply by October 16, 2002. Penalties
for disobeying HIPAA mandates start with fines of $100 per person
every time you disclose protected health information. You could be
in for $250,000 in fines and 10 years in prison if you did it for
commercial advantage.
There are, however, a number of exceptions. If you're the
owner of a typical small business, chances are good that one or
more will apply to you.
To begin with, if the total premiums you and your employees pay
for coverage don't exceed $5 million a year, you don't have
to comply with the privacy rules until April 14, 2004, notes
Stephen Huth, managing editor of Spencer's Benefits
Reports, a Chicago publisher of guides on implementing the new
HIPAA rules. That delay covers the majority of companies with under
500 employees.
If you employ a smaller number of people, you may not have to
worry about HIPAA at all. "As long as they have fewer than 50
participants, they're not subject to the privacy
requirements," says Huth. "This 50-participant cutoff is
key. If you have 50 or more, be very careful what you do."
If the number of participants in your plan is 50 or more, the
first question to ask yourself is whether you handle protected
health information (PHI). PHI is any individually identifiable
information about health. If a health record is tied to a
person's name, address or Social Security number, it's
probably PHI. Not all small businesses handle such information. If
you don't transmit health claims or other information directly
to the insurance company, and you receive only a summary report
listing such information as the number of plan recipients and
monthly outlays, you probably aren't handling individually
identifiable information.
The best place to look for help is your insurance company or
health maintenance organization (HMO). These entities all have to
comply with the rules, which generally means they must make sure
the businesses they deal with comply as well. In fact, almost all
employers who offer health plans, whether self-insured or through
an insurance company, are likely to be affected in one way or
another by HIPAA.
"They may find themselves on the one hand not covered until
2004, but on the other hand required to come under compliance by
their business partners in 2003," says Neil Trautwein,
director of employment policy for the National Association of Manufacturers, a
Washington, DC, business group. "So this should at least be on
their radar screen."
Austin, Texas, writer Mark Henricks has covered business and
technology for leading publications since 1981.
Originally published in the March 2003 issue of Entrepreneur Magazine