Even Fully Insured Employers May Be Required to Meet the HIPAA Privacy Rule's April 14, 2004 Compliance Deadline
Many employers, upon learning about the HIPAA Privacy Rule's "exemption" for fully-insured group health plans, breathed a sigh of relief. Under this "exemption," a group health plan is relieved from complying with the HIPAA Privacy Rule's most onerous requirements if the plan provides benefits "solely through an insurance contract with a health insurance issuer or HMO," (i.e., is fully insured) and receives only enrollment and disenrollment information and information summarizing claims history at the group level.
This apparent compliance oasis, in fact, is a mirage for many employers. The reason? Most medical flexible spending accounts ("FSAs") and most employee assistance programs ("EAPs") are subject to the HIPAA Privacy Rule, even though these plans typically do not result in the employer's creating or receiving a significant amount of health information about plan participants. Put another way, employers offering a medical FSA or an EAP as a complement to a fully-insured group health plan most likely will be required to comply with the HIPAA Privacy Rule by April 14, 2004, unless they scuttle these subsidiary, but highly popular, benefits plans.
Some Medical FSAs and Some EAPs are Excepted from HIPAA Compliance
The HIPAA Privacy Rule does offer an escape hatch for some fully insured employers who also offer a medical FSA or an EAP.
A medical FSA with fewer than 50 participants that also is self-administered falls outside the HIPAA Privacy Rule. Smaller employers whose medical FSA currently is administered by a third party should, therefore, weigh the cost of HIPAA compliance against the cost of in-house administration. Those with the resources to administer a medical FSA in-house should consider switching to in-house administration before April 14, 2004, as a means of avoiding the cost of HIPAA compliance and the potential liability for violations.
At least two types of EAPs fall outside the HIPAA compliance net. "Referral only" EAPs, i.e., those providing only references to mental health counselors, are not subject to ERISA and, therefore, also are not subject to HIPAA. In addition, some long-term disability carriers offer employee assistance programs as a benefit embedded in a disability income insurance policy. Because disability insurance is not subject to HIPAA, the subsidiary EAP benefit also is not covered. Employers whose EAP does not currently fall within one of these exceptions should weigh the benefit of their current program and the cost of HIPAA compliance against the cost of switching to an EAP not subject to HIPAA and the benefit of avoiding potential liability for violations.
Employers Offering a Medical FSA or an EAP Subject to HIPAA Should Take Six Steps to Comply with the HIPAA Privacy Rule
While the compliance obligations for medical FSAs and EAPs are the same as those for medical, dental and vision plans that are not fully insured, the compliance undertaking is less complex because fewer individuals typically are involved in plan administration, and the amount and type of employee health information available to the employer usually is limited.
In the case of a medical FSA, a payroll administrator or benefits coordinator usually receives only monthly or quarterly reports reflecting account usage. EAPs, by contract, generally may not disclose any health information to the employer without the plan participant's written authorization. Given this distinction from self-insured medical, dental and vision plans, an employer should focus on the following steps to meet the April 14, 2004, compliance deadline:
Step 1: Appoint A Privacy Official.
Like most business endeavors, HIPAA compliance will succeed only if someone is accountable for the project's progress. The HIPAA Privacy Rule establishes no qualification for the position, but as common sense would suggest, the privacy official should be sufficiently senior to command the respect of others and have some involvement in, and understanding of, how the medical FSA or the EAP is administered.
Step 2: Negotiate A "Business Associate Contract" With Third-Party Service Providers.
A "business associate" is a third-party service provider, such as a third-party administrator or an EAP provider, who creates or receives "protected health information" ("PHI") for the benefit of plan participants. PHI is individually identifiable information related to the past, present or future medical condition of a plan participant, treatment for that condition, or payment for treatment. PHI includes information about claims against, and reimbursements from, a medical FSA. Records related to mental health counseling and drug or alcohol abuse treatment rendered by an EAP are PHI as well. After April 14, 2004, a business associate may not create or receive PHI on behalf of plan participants unless the business associate agrees, in writing, to use and disclose PHI only in accordance with the HIPAA Privacy Rule, to safeguard PHI, and to assist the employer in providing HIPAA-created rights.
Step 3: Establish Policies And Procedures To Restrict The Use And Disclosure Of PHI And To Safeguard PHI.
Under the HIPAA Privacy Rule, only those employees who perform plan administration functions may use and disclose PHI, and authorized personnel may use and disclose only those categories of PHI necessary to perform assigned duties. These restrictions should be memorialized in writing. The policies and procedures also should implement physical, technical and administrative safeguards for PHI. For example, a fax machine used to transmit and receive PHI should be in a secure location, paper documents containing PHI should be shredded before being discarded, and electronic files with PHI should be password protected.
Step 4: Distribute A Notice Of Privacy Practices.
Even if the insurance company issues a privacy notice for an employer's fully-insured health plan or the HMO plan, the employer still must distribute a separate privacy notice for a covered medical FSA or a covered EAP (or a joint notice for both). The notice must describe how the plan will use and disclose PHI without a participant's authorization. The notice also must explain how a plan participant can exercise her HIPAA-created rights, including the right to access PHI, the right to amend PHI, the right to an accounting of disclosures of PHI, and the right to file a complaint with the employer.
Implementing these rights necessarily will require the participation of the medical FSA's and EAP's business associate(s), who usually will possess most of the PHI related to plan participants. Consequently, the employer should ensure that the business associate contract details how the service provider will satisfy these rights given that the service provider will be in a far better position to provide access, effectuate amendments, and account for disclosures.
Step 5: Create A Complaint Mechanism And Document Compliance.
Under the HIPAA Privacy Rule, the employer must establish a procedure for resolving any complaint charging that policies or procedures have not been followed or that the HIPAA-created rights have not been properly administered. Appropriate sanctions must be imposed on violators. In addition, the regulations require that the employer document not only all complaints and sanctions but all other efforts to comply with the HIPAA Privacy Rule. The documentation must be retained for six years.
Step 6: Amend Plan Documents.
Under the HIPAA Privacy Rule, the plan document for each covered plan, including medical FSAs and EAPs, must contain specific provisions addressing how the employer will safeguard PHI, restricting the employer's use and disclosure of PHI to plan administration functions, and mandating that the employer implement the HIPAA-created rights described above. Plan documents prepared before January 1, 2004, typically do not contain the required provisions and will need to be amended.
Conclusion: When It Comes to HIPAA Privacy, Few Employers Are Off the Hook
The popularity of medical FSAs and the prevalence of EAPs mean that many employers, even those with fully-insured medical, dental, and vision plans, should have addressed compliance with the HIPAA Privacy Rule before the April 14, 2004 compliance deadline. For those who fail to do so, there may be a brief grace period while the U.S. Department of Health and Human Services, the administrative agency with enforcement authority, emphasizes voluntary compliance and event-driven enforcement. At some point, however, this forgiving attitude towards enforcement will change, or angered employees will pursue private theories of recovery. Employers who have failed to bring their medical FSA or their EAP into compliance with the HIPAA Privacy Rule may then discover a costly Achilles' heel.