Your Business Associate Agreements should include language requiring your Business Associates to adhere to the provisions of the HIPAA Security and Privacy Rules. For example, Business Associates are required to notify you of any security breaches. Since, in many cases, the majority of a group health plan's ePHI is handled by its Business Associates (brokers, TPAs, etc.), it is critical that employers ensure this piece of documentation is in place.
These are some of the most common HIPAA issues facing employers. This list is by no means complete, but it is intended to alert those employers who may be thinking they have nothing to do when, in fact, they do have some work ahead of them. The most important part of the regulation is to perform (and document) a risk assessment. All other activities flow from this document.
A small health plan is defined as a plan with annual receipts of $5 million or less. The method by which group health plans determine whether they are "small" depends upon whether they are fully-insured or self-insured.
Fully-insured group health plans should use total premiums paid for health benefits for their last full fiscal year. Self-insured group health plans should use the total amount paid for health care claims, not including administrative expenses or service charges, for their last full fiscal year. Stop-loss premiums should not be included. A plan that is partly insured and partly self-insured should combine the measures.
Health plans that file federal tax returns and report receipts on those returns should use the guidance provided by the Small Business Administration at 13 CFR § 121.104 to calculate annual receipts.
My group health plan does not transmit any information electronically. Is it exempt from the Administrative Simplification Rules?
No. Employer group health plans are covered entities whether or not they transmit information electronically. Only providers, such as doctors, nurses, on-site clinics, etc., are exempt from these rules if they do not transmit electronically.
There can be a significant difference in a group health plan's compliance obligations because of its insured status. In general, a fully-insured group health plan that receives only limited information about its participants and beneficiaries will have a lighter compliance burden. For most such fully-insured group health plans, it might be that their insurance issuers or HMOs will bear the brunt of the compliance burden. A self-insured group health plan, on the other hand, is presumed to receive information about its participants and beneficiaries and will have a significant compliance burden.
As noted above, an employer's obligations under the Administrative Simplification Rules will vary depending on whether its group health plan (or plans) is fully-insured or self-insured, on the type of identifiable health information the employer receives about employees and their families, and on whether the employer provides other employee health services (such as on-site clinics) that are covered by the Rules. If an employer is covered indirectly as the sponsor of a group health plan, or directly as a health care provider, or both, it may be required to:
- Follow detailed rules about the internal use or external disclosure of employee and family health information from the group health plan.
- Implement new federal rules granting rights to employees and their covered family members relating to information in group health plan records or provider records.
- Implement numerous other administrative requirements such as written policies and procedures, workforce training, designation of a privacy official, and distribution of a notice of privacy practices.
- Comply with rules governing Electronic Transactions.