HIPAA Privacy Rules - Final Deadline
April 8, 2004
By Linda Bounds Sherman
The deadline for compliance with the Medical Privacy Rules issued under HIPAA is April 14, 2004. The Privacy Rules are designed to protect the confidentiality of, and to guard against the unauthorized use or disclosure of, an individual's "protected health information." Protected Health Information, or "PHI," is information relating to the physical or mental health of an individual, the provision of health care, or the payment for such health care, which identifies the individual or from which the individual can be identified.
If you provide health benefits to your employees, the Privacy Rules will impact you. They are specifically applicable to health plans, and, as the sponsor of the plan, you are required to comply if you have access to PHI in administering the plan. Whether or not action is required on your part depends on the type of health plans you maintain, and each situation must be specifically reviewed.
- If your health plan is fully insured, it is likely that the insurance carrier bears the responsibility, and no action may be required on your part other than assuring that the carrier has complied with the Privacy Rules.
- If your plan is self-insured and/or you maintain a flexible benefit medical reimbursement plan, steps must be taken to comply with the Privacy Rules before the deadline.
- Your plan is exempt from these requirements if it has fewer than 50 participants and is fully self-administered by you (no outside entity is engaged to maintain enrollment, process claims, etc.).
You should be aware that there are civil and criminal penalties for non-compliance, with fines up to $250,000 and/or imprisonment for up to 10 years.
If you are subject to the Privacy Rules, the following must be completed by the April 14th deadline:
- Amend your health plan to allow disclosure of PHI to you as the plan sponsor for administrative purposes
- Certify, in writing, to the plan that the amendment has been adopted and that, as plan sponsor, you agree to and will comply with certain limitations and restrictions on the use and disclosure of PHI
- Adopt written policies and procedures for complying with the Privacy Rules
- Develop a Notice of Privacy Practices describing your privacy policies and procedures and distribute it to participants in the plan
- Enter into Business Associate Agreements with any vendor who provides services to your health plan (insurance carriers, benefits managers, third party administrators, etc.)
- Appoint a privacy officer and a person responsible for receiving and handling complaints
- Identify your employees who need access to PHI for administrative purposes and implement procedures to limit access to PHI to only those individuals
- Conduct training on the Privacy Rules for all employees who have access to PHI, document such training, and develop ongoing training and education practices
- Ensure that adequate safeguards are in place to protect against the unauthorized use or disclosure of PHI, for example, revamping filing systems and limiting access to them, using confidential passwords, etc.
We can help you assess your obligations under the Privacy Rules. If you have any questions or would like for us to assist you in complying with the Privacy Rules, please contact any member of our Labor and Employment Practice Group.
Linda Bounds Sherman is a shareholder in the Firm's Labor and Employment Practice Group and resides in the Firm's Jackson office. She may be contacted at (601) 949-4960 or you may e-mail her at lsherman@watkinsludlam.com.