How HIPAA will change group health plan administration. (Article).(privacy requirements of Health Insurance Portability and Accountability Act of 1996 )

By April 14, 2003, most group health plans must amend their plan documents to incorporate the HIPAA privacy standards. This article includes a sample plan amendment, as well as a suggestion for how to handle requests for information protected by the privacy standards.

**********

Administrative simplification rules and regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) create standards for protecting health information and for conducting certain health care transactions electronically. HIPAA will dramatically change the way that virtually every group health plan (plan) is administered. The changes will be keenly apparent when a plan receives a request for protected health information (PHI) from the employer (company). Under HIPAA, the company and the plan are two separate entities. The plan is a covered entity, or an entity regulated under HIPAA; the company is not.

Protected health information, or PHI, is information that relates to the physical or mental health or condition of an individual, the provision of health care to an individual, or the payment for the provision of health care to an individual. The information either identifies the individual, or provides a reasonable basis to believe the information can be used to identify the individual. Information that is in a "de-identified" or summary form is not considered PHI.

This article provides

1. A two-step approach to assist plan employees in determining when they may disclose a participant's PHI to the company;

2. A series of commonly asked questions that highlight a plan's new obligations for handling a participant's PHI, and responses to those questions; and

3. Some timely words of advice on why plan sponsors should act now to make their plans HIPAA compliant.

Part I: The Two-Step Approach

When a plan receives a request for PHI from the company, the plan should have a process for determining whether or not it may disclose the information. For example, if the company requests the plan to provide a list of plan participants who are submitting the largest plan claims, along with the health information about those claims, the plan should consider the following two-step approach before making such a disclosure:

1. Review the plan documents to determine the plan's rules on the disclosure of PHI.

2. Check the guidance from the Department of Health and Human Services, including HIPAA and the preamble to the regulations, to ensure that such a disclosure complies with HIPAA. As noted below, several Web sites contain this and …