Consumer Privacy Information
As of February 26, 2001, final health information privacy rules were issued by the Department of Health and Human Services, in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Insurance companies and health care providers are embarking on compliance and informing consumers of their rights. Notifying health plan participants of their rights is of paramount importance.
What is affected?
All employee benefit plans, insurance companies, HMOs, self-insured health plans, multi-employer health plans, and federal, state and local government plans including Medicare and Medicare + Choice plans, Medicaid, and the Federal Employees Health Benefits Program (FEHBP).
Small group health plans with fewer than 50 participants are exempt if administered by the employer.
What is protected?
Any information that relates to an individual’s past, present or future health and health care, and payment for that care.
Any such information that could be used to identify that individual.
Who is protected?
Consumers have the right to inspect and copy protected health information, request amendments to their information, receive an accounting of certain disclosures, restrict certain uses and direct where communications from a plan are sent. For instance, Explanation of Benefits forms can be directed to the workplace rather than a home address.
What about group health plans?
Employers and plan sponsors have different regulations. In order for group health plans, or issuers acting for a group, to disclose protected health information, documents must be amended to specify which of the sponsor’s employees will have access to the information and restrict use of it to plan administration functions.
What about information that is disclosed?
Disclosure of protected health information is prohibited unless the health plan has the consent of the individual, or the regulation specifically permits or requires use of the information. Health plans generally can use such data for treatment, payment and health care operations without the individual’s consent, as well as for public purposes such as research and general health and law enforcement. Other uses and disclosures, such as those to an employer for use in employment determinations or to another benefit plan, are strictly prohibited unless authorized by the individual.
How much Personal Health Information is disclosed?
Only the minimum necessary amount to satisfy the request.
How will participants be informed?
Ultimately (compliance deadline is April 2003), plans will provide notice to participants and beneficiaries explaining their rights and privacy policies.
Each plan must establish the position of privacy official responsible for development and implementation of the plan’s privacy policies and procedures.
Each plan must provide an education program for employees and a mechanism for individuals to lodge privacy concerns/complaints.
What if my state already has a statute in place?
This Act in no way preempts stronger state laws. The Act establishes a baseline of protection.
Enforcement?
Health plans that do not comply with the requirements face penalties of up to $100/plan per violation with a maximum calendar year penalty of $25,000/plan per violation. Wrongful disclosures can result in criminal penalties of up to $50,000 and/or imprisonment for up to one year. Offenses committed with intent to sell, transfer or use protected health information for commercial or personal gain or malicious harm are punishable by a fine not to exceed $250,000 and/or 10 years' imprisonment.
What else do I need to know?
Final regulations were published in The Federal Register, Vol. 65, No. 250 (12/28/00).
Compliance dates were published in The Federal Register, Vol. 66, No. 38 (2/26/01).
As in any case that involves implementation of law, sponsors and administrators should confer with their legal counsel.
You may also contact 21st Century Benefit Advisors, Inc. for further discussion of this issue.