April 15, 2002
Proposed Modifications to HIPAA Privacy Rules: Implications for Plan Sponsors
On March 27, 2002, the Department of Health and Human Services (HHS) published a Notice of Proposed Rulemaking (NPRM) to clarify its rules concerning the privacy requirements of the Health Insurance Portability and Accountability Act (HIPAA) and to modify certain portions of those rules that were considered unworkable.
Most of the substantive privacy rules that apply to group health plans (including implementing firewalls, developing privacy policies and procedures, naming a privacy officer, amending plan documents and creating business associate agreements) have not been altered. In addition, the NPRM does not change the effective date for the privacy rules (noted in the next section).
This issue of Capital Checkup addresses some implications of the proposed changes for plan sponsors.
Background on the HIPAA Privacy Rules
HHS issued final rules governing the privacy of individually identifiable health information on December 28, 2000. These rules require that covered entities (i.e., health care providers that conduct electronic covered transactions, health plans and health care clearinghouses) establish extensive procedures and policies to ensure that protected health information is used and disclosed only within the limits of the rule. The privacy rules are effective April 14, 2003 (April 14, 2004 for small health plans).
Implications of the Proposed Modifications for Plan Sponsors
For plan sponsors (including both employers and trustees of multiemployer plans) working to ensure that their group health plans will comply with the privacy rules by April 2003, the proposed modifications to the rule should do little to alter their compliance plans. The most significant proposed modification — elimination of the consent requirement — has little impact on group health plans because group health plans were never required to obtain a written consent in order to use or disclose protected health information for treatment, payment or health care operations.
If they are finalized, a few proposed modifications would ease compliance efforts somewhat for group health plans, including:
- One-Year Extension of Deadline in which to Negotiate and Finalize Business Associate Agreements: Business associates generally are entities that perform or assist in the performance of a function involving the use or disclosure of protected health information. Under the NPRM, most plans with existing written business associate agreements would have until April 14, 2004, in which to amend these contracts to incorporate HIPAA privacy protections.
- Elimination of the Requirement to Amend Plan Documents to Incorporate Certain Privacy Protections Merely to Exchange Enrollment and Disenrollment Information with a Group Health Plan, Health Insurance Company or Health Maintenance Organization (HMO): This clarification would be good news for plan sponsors with fully insured plans who, under the final privacy rules, already do not have to comply with certain administrative requirements if they do not create or receive detailed health information to administer their plans.
- Simplification of Requirements for the Content of Written Authorizations: The final privacy rules contained different rules for the content of the authorization depending on the type of authorization. The NPRM would streamline these provisions by providing one set of standards for the content of most authorizations.
- Limitation on the Need to Provide Certain Accountings of the Disclosure of Protected Health Information: The NPRM would eliminate the need to provide individuals with an accounting of those disclosures that were made pursuant to a written authorization.
- Clarification that Communications Regarding Disease Management and Wellness Programs Will Generally Not Be Considered Marketing: This will ease the concerns of some plan sponsors as disease management and wellness programs increase in use and popularity.
Comment Period on the NPRM
The NPRM changes will not be final until HHS issues a final rule. The public has until April 26, 2002, to comment on the proposed revisions. The NPRM is available on the following page of the HHS Web site: http://www.hhs.gov/ocr/hipaa/whatsnew.html.
Capital Checkup is The Segal Company's periodic electronic newsletter summarizing activity in Washington with respect to health care and related subjects. Capital Checkup is for informational purposes only. It is not intended to provide guidance on current laws or pending legislation. On all issues involving the interpretation or application of laws and regulations, plan sponsors should rely on their attorneys for legal advice.