A regulatory surprise: the recent deadline for HIPAA privacy compliance caught many employers off guard - Legal Trends

HR Magazine, May, 2003 by Jodi Plavner

If an employer is a hybrid entity for HIPAA purposes, then disclosures from the covered function within the organization (the clinic or counseling center) to a non-covered function (all other functions or departments) are treated as disclosures to someone outside of the employer.

In other words, for HIPAA purposes, non-covered functions of the employer are treated as a separate legal entity. Firewalls must be established between the covered functions and non-covered functions.

The hybrid entity concept generally applies only to health care providers; it does not apply to health care plans. The plan itself is a covered entity. However, to limit the scope and impact of HIPAA, the employer can designate as a separate entity those functions or individuals--such as the HR department--that are responsible for HIPAA compliance for covered plans. When this is done, training and other HIPAA requirements apply only to the employees and departments that deal with PHI.

Compliance Tasks

Clearly, coverage determinations are difficult, and making them in an informed way requires extensive HIPAA knowledge. Depending on your organization's role as plan sponsor or provider, the types of plans your organization sponsors, your organization's exposure to PHI from the plan, and the other factors mentioned above and within the HIPAA rule, employers may have to comply with a variety of HIPAA's privacy provisions, including some or all of the following:

* Designate a privacy officer and HIPAA compliance team.

* Amend your group health plan documents to allow PHI to be passed from the plan to you as plan sponsor and provide the required certification to the group health plan (insured or self-insured; medical, dental, vision, long-term care or FSA) or the carrier/HMO, certifying that the plan sponsor will comply with relevant HIPAA obligations, including amending the plan to allow it to provide PHI to the plan sponsor.

* Provide employees with a notice of their rights to review, amend and receive an accounting of their PHI.

* Prepare and execute business associate agreements (or amendments to existing agreements), with those third parties with whom you as an employer/plan sponsor need to share PHI to ensure that the third parties comply with HIPAA's privacy obligations when they receive PHI from your plan.

* Prepare and provide an authorization form for your employees to sign allowing you as the employer/plan sponsor to share PHI with third parties or to get PHI from another covered entity.

* Implement written privacy policies and procedures, including processes governing how PHI is used and disclosed, policies that explain how employees can lodge complaints, procedures for employees and other plan participants to examine and amend their PHI, policies governing record retention, and procedures for implementing the minimum necessary standard.

* Develop appropriate safeguards (physical, administrative and technical) to guard against unintended disclosure of PHI.

Content provided in partnership with Thompson Gale