Healthcare Privacy and Security
I am pleased to offer expert advice to those entities subject to HIPAA privacy rules, particularly health and welfare plan administrators and third party administrators, and in some cases, employers. One of the prime purposes of the HIPAA privacy rules is to define and limit the circumstances in which an individual’s protected heath information (“PHI”) may be used or disclosed by covered entities.
If you are an employer and sponsor a fully insured healthcare plan, you might believe that you need not comply or even consider the privacy rules, since you do not have access to PHI. This is unlikely, since most employers who participate in resolving disputes (claims and appeals) and monitor whether its insurer has complied with the claims regulations receive PHI. Moreover, since the privacy rules impose specific responsibilities on the plan sponsor, this ultimately places the compliance burden on the employer as plan sponsor. The extent of this responsibility will vary depending on whether the health plan is self-funded or provides fully insured health benefits through a health insurance issuer. Of course, the extent to which the plan provides PHI to the plan sponsor for administrative purposes is also an issue.
Determining the Scope of your obligations
I can assist employers and plan administrators in navigating the ambiguities of HIPAA privacy rules and determine whether the rules are applicable and if so, the scope and allocation of responsibility. This initial step is crucial since all other HIPAA compliance obligations flow from that determination.
Constructing a Framework of Compliance and Training
Many of the rules require the establishment of formal (written) procedures and related operational practices. This is a relatively painless and straightforward matter and does not require custom-made forms or documentation. However, training and education is crucial in order to provide background on the rationale behind the rules and how they are to be applied in varied circumstances.
It is unknown what type of audits or review the Office of Civil Rights or the Department of Labor will undertake in enforcing the privacy, security and claims rules. However, based on past experience it is certain that the most severe penalties will be borne by those employers that do nothing in order to meet their legal obligations. Employers that can demonstrate that they have made a good faith effort to comply are likely to be treated less harshly by these regulatory agencies (or a court) if a shortcoming is discovered or a complaint filed.