Did you hear that Jerry in the mail room hurt his back playing softball last week?
If you heard it from somebody who processed Jerry's insurance claim for medical treatment, you may wish you hadn't. Stringent new regulations called for by the federal Health Insurance Portability and Accountability Act (HIPAA) say that individually identifiable information maintained by an employee's health plan can only be revealed to another party for reasons relating to payment, treatment or medical operations.
HIPAA privacy rules also call for employers to rewrite contracts with insurance companies and HMOs, revise their own health plan documents, and appoint a privacy officer to oversee training and implementation of the rules. In addition, companies must arrange for any employee to be able to inspect and correct his or her health records, and get permission before revealing any personal health information. Generally, a wall must be erected between health plan administration and other functions.
The new HIPAA rules are confusing and complex. However, HIPAA is the law of the land, and most employers who handle protected health information already had to comply by October 16, 2002. Penalties for disobeying HIPAA mandates start with fines of $100 per person every time you disclose protected health information. You could be in for $250,000 in fines and 10 years in prison if you did it for commercial advantage.
There are, however, a number of exceptions. If you're the owner of a typical small business, chances are good that one or more will apply to you.
To begin with, if the total premiums you and your employees pay for coverage don't exceed $5 million a year, you don't have to comply with the privacy rules until April 14, 2004, notes Stephen Huth, managing editor of Spencer's Benefits Reports, a Chicago publisher of guides on implementing the new HIPAA rules. That delay covers the majority of companies with under 500 employees.
If you employ a smaller number of people, you may not have to worry about HIPAA at all. "As long as they have fewer than 50 participants, they're not subject to the privacy requirements," says Huth. "This 50-participant cutoff is key. If you have 50 or more, be very careful what you do."
If the number of participants in your plan is 50 or more, the first question to ask yourself is whether you handle protected health information (PHI). PHI is any individually identifiable information about health. If a health record is tied to a person's name, address or Social Security number, it's probably PHI. Not all small businesses handle such information. If you don't transmit health claims or other information directly to the insurance company, and you receive only a summary report listing such information as the number of plan recipients and monthly outlays, you probably aren't handling individually identifiable information.
The best place to look for help is your insurance company or health management organizations. These entities all have to comply with the rules, which generally means they have to make sure all the businesses they deal with have to comply. In fact, almost all employers who offer health plans, whether self-insured or through an insurance company, are likely to be affected in one way or another by HIPAA.
"They may find themselves on the one hand not covered until 2004, but on the other hand required to come under compliance by their business partners in 2003," says Neil Trautwein, director of employment policy for the National Association of Manufacturers, a Washington, DC, business group. "So this should at least be on their radar screen."
Austin, Texas, writer Mark Henricks has covered business and technology for leading publications since 1981.