Group health plans with 50 or more participants are "covered entities" under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). As such, they are required to comply with HIPAA’s privacy rule. Most group health plans must be in compliance by April 14, 2003; however, the deadline for group health plans with annual receipts of $5 million or less is April 14, 2004.

The general purpose of the privacy rule is to secure individuals’ protected health information ("PHI") and ensure that it is made available only for purposes of treatment, payment, and health care operations. The driving concern is that an employer might learn of an employee’s medical condition and take adverse action against the employee on the basis of that information.

The privacy rule requires different degrees of compliance depending on whether the group health plan is self-insured and to what extent the employer/health plan sponsor uses or discloses PHI. For example, in the case of an employer that needs PHI to administer its group health plan, the plan document and summary plan description will need to be revised, policies and procedures for handling PHI will need to be implemented, and contracts with business associates will need to be signed — among other things. For an employer that does not require PHI or for a fully insured group health plan, the administrative burdens are substantially lessened.

For assistance in implementing the HIPAA privacy rule, please contact one of the attorneys in Montgomery, McCracken’s Employee Benefits, Executive Compensation, and Immigration Services Section.

The content of this article does not constitute legal advice and should not be relied on in that way. Specific advice should be sought about your specific circumstances.