In 1996, Congress passed the Health Insurance Portability and Accountability Act ("HIPAA"). HIPAA is a comprehensive health reform act whose purpose is to improve the availability of health insurance coverage. Among other things, HIPAA facilitates the electronic transmission of patient health, administrative and financial data. HIPAA also establishes and implements security standards designed to protect the privacy of an individual's health and medical information.
Generally, HIPAA covers group health plans that provide or pay the cost of medical care, and a group health plan that provides health coverage is a "covered entity" under HIPAA. An employer, as plan sponsor of a group health plan, must take measures to ensure that the group health plan complies with HIPAA. These requirements may entail more oversight on the part of the employer if the group health plan is a self-insured plan.
One of the most important aspects of HIPAA relates to the privacy of personal health information ("PHI"). In December 2000, the Department of Health and Human Services issued privacy regulations providing standards for the protection of PHI. Under these regulations, any covered entity using or disclosing PHI or requesting such information from other covered entities must make reasonable efforts to limit the use or disclosure of such information to the minimum necessary. These regulations do not preempt any state laws or regulations which may provide stricter privacy protections.
Covered entities must comply with the privacy regulations by April 14, 2003. This deadline is extended to April 14, 2004 for "small health plans" (generally defined as group health plans with annual receipts of $5,000,000 or less). Compliance includes, among other things, institution and documentation of appropriate policies and procedures; institution of appropriate administrative, technical and physical safeguards to protect the privacy of PHI; and the institution and implementation of a program of sanctions imposed against employees who violate the privacy policies and procedures.
Wildman Harrold has significant experience dealing with HIPAA and is extremely well-versed with respect to the privacy regulations. If you would like to discuss any of the matters covered by this memorandum further, please contact Michael Rosenblum at 312.201.2129 or Angela Mersch at 312.201.2517.