Health care providers, health plans, and health care clearinghouses that transmit health information in electronic form are “covered entities,” and must comply with the HIPAA privacy rule. Compliance requirements differ depending upon the insurance status of the health plan, such as whether the plan is self-insured, fully insured, a small plan, or a large one. If the health plan is fully insured, your insurance company is most likely handling the compliance procedures. For a self-insured company, the employer is responsible for the health plan’s compliance with the privacy rule. The compliance deadline for large health plans was April 14, 2003, but the deadline for small health plans is not until April 14, 2004.

Typically, third-party administrators (TPAs) oversee self-insured health plans and have some of the responsibilities for HIPAA compliance. If you are using a TPA, contact it first to determine which privacy rule compliance steps it has taken and what resources it has available. It is important to understand that the employer ultimately has responsibility for its health plan’s compliance with the privacy rule.

Treat the preparation of your health plan’s compliance manual with the same care as the preparation of the health care provider compliance manual. The requirements for health plans differ from those for health care providers. Use the original health care provider version of the manual as a foundation for the health plan manual, but significantly revise it to make it suitable from a health plan perspective. A qualified lawyer or consultant should perform this task.

You may obtain a template and revise it to create your health plan manual. However, there is a potential for error if the template or your revisions are inaccurate. If you choose to use a template, ask a qualified lawyer to review it. Although it is probably less expensive, a manual adapted from a template may not be as thorough as one a law firm prepares. Any inaccuracy risks a violation of the privacy rule, potentially leading to additional costs down the road.

Keep in mind that the compliance manuals for both the health care provider and the health plan are meaningless until you implement each manual’s policies and procedures and put them to use in your company’s daily practices.