Hidden HIPAA Hurdles


May 01, 2006


Implementing the HIPAA Privacy Rule may seem like ancient history for many physician practice managers: drafting notices of privacy practices, entering into business associate agreements, adopting policies and procedures, and the like. It was three years ago next month that the HIPAA Privacy Rule became effective for providers such as hospitals and physicians, and only last April that the HIPAA Security Rule did so. Yet barely half of all providers surveyed currently claim to be fully compliant with the Security Rule, and there remains a lot of confusion regarding how a provider may fall under the category of a “Covered Entity” under HIPAA.

Most physician practices know that they are “Covered Entities” under HIPAA due to their status as medical providers. However, many are not aware that, as an employer, they may be caught in another category of Covered Entity: health plans. In fact, even though the US Department of Health and Human Services was explicit in noting that “employers” are not Covered Entities under HIPAA, many employers (including many healthcare providers) offer fully or partially self-funded health plans to their employees, and those health plans are Covered Entities under HIPAA.

Most HIPAA rules apply equally to all Covered Entities, whether they are providers, plans, or healthcare clearinghouses. Therefore, providers who also offer health plans to their employees will need to ensure that their health plans comply with the Privacy Rule and the Security Rule. One area where HIPAA differentiates Covered Entities relates to the size of the health plan: small health plans (less than $5,000,000 in size) were granted an extra year to comply with the Privacy Rule (April 2004), as well as an extra year to comply with the Security Rule (April 2006).

If you offer your employees a health plan, that plan must meet the requirements of the Privacy Rule and the Security Rule (and if your plan is a “small” plan, the Security Rule deadline is fast approaching). For most small plans, Security Rule compliance is relatively easy, since the Security Rule is geared toward protecting electronic protected health information (PHI). Most small plans, especially those that outsource much of their operations to third-party administrators, will find that they have very little interaction with electronic PHI. However, small plans are still required to comply.

And while you’re at it, now would be a good time to review your Privacy Rule compliance and determine if you need to update your HIPAA policies and procedures. Remember, HIPAA compliance is a process, not an event.

For further information or assistance, you may contact Jeff Drummond by telephone at (214) 953-5781, or by e-mail at [email protected]. Mr. Drummond also maintains a HIPAA blog.



The material appearing in this web site is for informational purposes only and is not legal advice. Transmission of this information is not intended to create, and receipt does not constitute, an attorney-client relationship. The information provided herein is intended only as general information which may or may not reflect the most current developments. Although these materials may be prepared by professionals, they should not be used as a substitute for professional services. If legal or other professional advice is required, the services of a professional should be sought.

The opinions or viewpoints expressed herein do not necessarily reflect those of Lorman Education Services. All materials and content were prepared by persons and/or entities other than Lorman Education Services, and said other persons and/or entities are solely responsible for their content.

Any links to other web sites are not intended to be referrals or endorsements of these sites. The links provided are maintained by the respective organizations, and they are solely responsible for the content of their own sites.