Deadline: Patient Privacy
How new health-care privacy rules impact employers
Business New Haven
3/1/2004
By: Karen Singer
A deadline is looming for small employers to comply with federal regulations regarding their employees' medical information. Although the rules do not apply to all small employers, those concerned have until April 14 to develop programs to ensure the privacy of protected health information under the Health Insurance Portability & Accountability Act (HIPAA).
The rules forbid disclosure of health information that is "individually identifiable" by name, address, Social Security number, telephone number or other specific details.
"The employer has to make sure its group health plan does two things," explains attorney Robert D. Noonan, whose firm, Robert Noonan & Associates\EmpACTS of New England, works with Connecticut employers and trade associations on employer-employee issues.
First, the plan must "conform to the disclosure rule that employee medical information can be used only for limited purposes - payment, treatment and health-care operations - without the employee's consent.
"The second thing it says to employers is to take additional steps to have a structure in your organization to assure that group health-care information will remain confidential," Noonan adds.
HIPAA made big news in 2003, as hospitals, labs, insurance companies and other health-care providers, as well as employers with large group plans, geared up for the April 14 deadline. However, small employers (those with less than $5 million in health claims and premiums) had an additional year to comply.
Says Noonan, "When the rules took effect last year, most of the discussion concerned hospitals and doctors' offices, and there was less attention paid to the rules as they pertained to employer health plans."
Nevertheless, employers not directly involved in health care may in fact be subject to HIPAA regulations because of their role as plan sponsor or administrator.
Employers sponsoring self-funded and self-administered group health plans with fewer than 50 participants, for example, are not covered by HIPAA rules.
Self-funded plans using third-party administrators, however, are not exempt. Employers with fully insured plans but no medical information other than enrollment data also must adhere to HIPAA rules.
"If you have a carrier and the carrier takes care of everything, as long as you are not receiving identifiable health information, then you really have almost no obligation," explains Felicia DeDominicis, a Robinson & Cole lawyer who will discuss HIPAA compliance at a March 8 seminar at the Trumbull Marriott (co-sponsored by the Connecticut Business & Industry Association, CBIA). "We are telling clients who may be receiving this information that they should stop getting it."
HIPAA rules impose "definite restrictions on the ability of an employer's own health plan to share information with the employer," Noonan says. For example, "The group health plan can share information with the employer if the information is summary health information, with no individual identifiers.
"What it says to the group health plan is to provide the participants with the same degree of confidentiality you would expect a physician would apply with respect to patient identification."
CBIA counsel Jan Spegele says the complexity of HIPAA regulations has prompted that organization to sponsor several seminars and to refer members with questions to attorneys who routinely tackle these types of employer health issues.
Workers' compensation, life insurance and disability plans are not covered by HIPAA rules. Employment records such as drug-test results likewise are excluded, although testing facilities, which are covered, may require job applicants or employees to sign forms authorizing the release of results to employers.
HIPAA is enforced by the federal Department of Health & Human Services (HHS), which may impose civil penalties of up to $100 per violation, up to $25,000 per person per year. Criminal sanctions can range as high as $250,000 and ten years in prison for obtaining or disclosing protected health information with the intent to sell it.
HHS already has processed more than 2,000 HIPAA complaints nationwide, according to Noonan. And DeDominicis knows of "at least one or two" Connecticut employers receiving calls from the federal Office of Civil Rights in response to such complaints.
So far, government officials are being "pretty reasonable" in cases where they believe a complaint has some merit, by allowing companies to amend policies and procedures without penalties, DeDominicis says. "There's no HIPAA police yet," she adds. "But in years to come that might happen."
Both DeDominicis and Noonan point out that new HIPAA rules could be used as part of the basis for discrimination claims in employee lawsuits following adverse employment decisions.
"We've seen that already at our firm," notes DeDominicis.
"When problems arise at the company level for violations of the privacy rules, they're most likely to be complicated," adds Noonan. "Once that health information spills into the arena of employer decision making, it becomes a very high stakes game."
Which is all the more reason for employers to get their protected health information procedures in order.
The steps involved in compliance with HIPAA rules are "not particularly onerous, but they do require the employer to take a systematic approach," Noonan says.
He recommends employers appoint a task force to determine whether the organization is covered under HIPAA.
"Look at the flow of protected health information throughout the organization," he advises. "That's where the task force might uncover some surprises."
For example, Noonan explains: "They might find health information they thought was being handled only by people in benefits administration also is being dealt with by other people. Or they might find the computer system is being maintained by people in information systems companies who have access to health information, or that the receptionist routinely gets calls from employees or family members about health information. They also have to look at procedures for telephone inquiries, faxing procedures and filing methods."
He adds, "Once they've divined that, then it's just a matter of bringing the organization into compliance, so the protected health information is used only for health care delivery, and that they have the permission of the individual to use it for other purposes."
Employers covered under HIPAA rules "have got a whole panoply of compliance obligations," says DeDominicis. "They have to designate a compliance officer, and that person is the contact point for compliance."
But that's only the beginning. Other obligations include creating and implementing written privacy policies and procedures regarding how protected health information is used and disclosed, training employees with access to personal health information and updating business contracts with third-party vendors who deal with personal health information.
In addition, computer data must be protected with technical safeguards, including password and screen protectors. Physical safeguards such as shredders also are a must.
For many large employers and health providers, gearing up for last April's HIPAA compliance deadline was a complicated and protracted process.
"We started a year before the law went into effect," says Karen Lawler, director of medical records and privacy officer at the Hospital of Saint Raphael in New Haven. Lawler headed the St. Rafe's effort, which involved creating a group of some two dozen representatives from all hospital departments to update policies and procedures for handling protected health information for patients.
"We took a comprehensive approach to the institution and developed separate policies as needed for departments and business associates," Lawler explains. An internal Web site helped to facilitate the process, and enabled other hospital personnel to offer suggestions. The site currently is used as a "one-stop shopping place for policies and procedures," Lawler adds.
Training programs were customized to job descriptions and access to health information. "Someone in medical records received higher training than, say, dietary workers," Lawler says.
The hospital also launched an awareness campaign for employees, with cartoons in internal publications and comical buttons bearing slogans such as "Shred it. Don't spread it."
In a sense, the job is never really done.
"It's not just about writing a policy and you're done with it," Lawler says. "We do walk-arounds to see if policies are being followed. It's a constant re-education, and it has become part of our culture."
The same is true at Yale-New Haven Hospital (YNHH), which took more than two years to prepare for the 2003 HIPAA compliance deadline.
The biggest challenge, says former HIPAA project director Jean Ahn, was developing policies and procedures for Yale-New Haven and its corporate partners, Bridgeport Hospital and Greenwich Hospital.
Teams comprising more than 120 representatives from the three hospitals brainstormed on different parts of HIPAA, including privacy and security.
"We also hired a consultant and purchased a HIPAA education program, which we put on our intranet," Ahn says. The hospital's HIPAA policies and procedures also are posted on the internal Web site, and buttressed by training, meetings and an employee newsletter.
Smaller employers may be able to bring fewer resources to bear to prepare for the forthcoming April 14 HIPAA compliance deadline.
In companies where "one person is wearing several hats," Noonan recommends the person administering the benefits program become familiar with the restrictions for disclosure under the privacy rule, "to assure [that] no improper disclosure is made."
Such companies should at the very least take basic steps to develop a privacy policy and an authorization form to permit disclosure of protected health information.
"The reality is there probably are thousands of smaller companies that need to do something," DeDominicis explains. "But in this economic climate, a lot of people are deciding they don't have the resources."
DeDominicis urges such companies to reconsider, pointing out federal authorities could perceive such a strategy as "an intentional violation" of the law.
Her advice? "A little bit of action now is potentially going to get them a long way."