| HIPAA Employer > About HIPAA Privacy Regulations |
|
Each rule issued by HHS as part of the Administrative Simplification package has its own compliance deadline. In addition, "small health plans" have an additional year to comply with each rule. In summary, deadlines with respect to existing final rules (Electronic Transactions, the Privacy Rule) are as follows:
COMPLIANCE
DATE |
RULE |
| October
16, 2002 |
Electronic
Transactions (original) |
| October
16, 2003 |
Electronic
Transactions (extended and small health plans) |
| April
14, 2003 |
Privacy
Rule |
| April
14, 2004 |
Privacy
Rule (small health plans) |
| April
14, 2004 |
Extended
business associate contracts |
| April
20, 2005 |
Security
Rule Deadline |
|
|
A small health plan is defined as a plan with annual receipts of $5 million or less. The method by which group health plans determine whether they are "small" depends upon whether they are fully-insured or self-insured.
Fully-insured group health plans should use total premiums paid for health benefits for their last full fiscal year. Self-insured group health plans should use the total amount paid for health care claims, not including administrative expenses or service charges, for their last full fiscal year. Stop-loss premiums should not be included. A plan that is partly insured and partly self-insured should combine the measures.
Health plans that file federal tax returns and report receipts on those returns should use the guidance provided by the Small Business Administration at 13 CFR § 121.104 to calculate annual receipts.
My group health plan does not transmit any information electronically. Is it exempt from the Administrative Simplification Rules?
No. Employer group health plans are covered entities whether or not they transmit information electronically. Only providers, such as doctors, nurses, on-site clinics, etc., are exempt from these Rules if they do not transmit electronically. |
|
There can be a significant difference in a group health plan's compliance obligations because of its insured status. In general, a fully-insured group health plan that receives only limited information about its participants and beneficiaries will have a lighter compliance burden. For most such fully-insured group health plans, it might be that their insurance issuers or HMOs will bear the brunt of the compliance burden. A self-insured group health plan, on the other hand, is presumed to receive information about its participants and beneficiaries and will have a significant compliance burden.
|
|
As noted above, an employer's obligations under the Administrative Simplification Rules will vary depending on whether its group health plan (or plans) is fully-insured or self-insured, on the type of identifiable health information the employer receives about employees and their families, and on whether the employer provides other employee health services (such as on-site clinics) that are covered by the Rules. If an employer is covered indirectly as the sponsor of a group health plan, or directly as a health care provider, or both, it may be required to:
- Follow detailed rules about the internal use or external disclosure of employee and family health information from the group health plan;
- Implement new federal rules granting rights to employees and their covered family members relating to information in group health plan records or provider records;
- Implement numerous other administrative requirements such as written policies and procedures, workforce training, designation of a privacy official, and distribution of a notice of privacy practices; and
- Comply with rules governing Electronic Transactions.
|
|