It’s HIPAA Time Again
February 21, 2006
The time has come once again to think about the Health Insurance Portability and Accountability Act (HIPAA) administrative simplification rules. New enforcement rules and reminders of already existing obligations are contained in this Health Care Update.
Final HIPAA Enforcement Rules Effective March 16, 2006
After almost three years of interim rules, the Department of Health and Human Services (DHHS) issued final HIPAA enforcement regulations on February 16, 2006. The final enforcement rules are effective on March 16, 2006. Several key changes to the final rules were made by DHHS in response to comments on the proposed final rules. Of particular importance are the following changes:
- When conducting an investigation, DHHS must describe the basis of the complaint in the first communication with a covered entity.
- The method for determining the number of violations will be based upon the substantive requirement or prohibition violated, as opposed to the originally proposed action, persons, or time variables. A separate violation will be deemed to occur on each day such a violation continues. An administrative law judge conducting a hearing for HIPAA violations will be able to review the number of violations determined as part of his or her review of the proposed civil penalty.
- Affiliated covered entities will continue to have joint and several liability under the final enforcement rules, unless it is established that another member of the affiliated covered entity was responsible for the violation.
- The timeline for a covered entity to request a hearing has been extended to 90 days from the original 60 days in the proposed final rules.
In light of the DHHS comments regarding joint and several liability, covered entities that participate in an “affiliated covered entity” (ACE) arrangement or an “organized health care arrangement” (OHCA) for HIPAA compliance purposes are advised to immediately review the formal (or informal) agreements establishing the ACE or OHCA. If you have questions about liability exposure under HIPAA, or would like assistance with development or review of agreements, please contact Thomas Shorter, Barbara Zabawa or any other member of the Godfrey & Kahn Health Care Practice Group.
Small Health Plans to Complete HIPAA Security Compliance by April 20, 2006
The deadline for compliance with the HIPAA Security Rules is approaching for small health plans. Other covered entities were required to be in compliance by April 20, 2005. Small health plans are defined to include those with annual receipts of $5 million or less. Employers with health flexible spending arrangements may fall into this category. Among other requirements, the Security Rule requires a risk analysis, appointment of a security officer, training, and other policies to protect the security of electronic protected health information.
Recommendation:
Time is running short for small health plans to comply with the HIPAA Security Rules. If you have questions about the HIPAA Security Rule obligations or need assistance in developing a compliance solution that fits a small health plan, please contact Thomas Shorter, Barbara Zabawa or any other member of the Godfrey & Kahn Health Care Practice Group.
Health Plans Must Send a Reminder Notice to Enrollees by April 14, 2006
The HIPAA privacy regulations first became effective on April 14, 2003. As the three-year anniversary date approaches, this alert reminds all covered health plans of their obligation to notify individuals currently covered by the plan “of the availability of the notice [of privacy practices] and how to obtain the notice” at least once every three years.
Because of the three-year notice requirement, many health plans should be preparing to distribute a reminder notice to their enrollees in the coming weeks. The rules for distributing these notices are the same as those that apply to the initial distribution of privacy notices.
Because small health plans were not required to comply with HIPAA until April 14, 2004—one year after the regulations first became effective—they have until April 14, 2007 to send reminder notices to enrollees. Small health plans are defined to include those with annual receipts of $5 million or less.
In addition, the reminder notice requirement does not apply to health care providers, who, among other requirements, must (a) supply privacy notices to individuals as they provide medical services to them; (b) post privacy notices at service delivery sites; and (c) make privacy notices available upon request after any revision to the notice.
Recommendation:
Develop a reminder notice to be sent to enrollees that complies with the requirements of the HIPAA Privacy Rule. If you have any questions about the requirements for a compliant reminder notice, or need assistance in developing a notice to enrollees, please contact Thomas Shorter, Barbara Zabawa or any other member of the Godfrey & Kahn Health Care Practice Group.