HIPAA EMPLOYER - ABOUT HIPAA SECURITY


Why do I need to worry about HIPAA anyway? My insurance company takes care of everything.

This is a difficult concept to get across to employers when discussing their group health plan: the insurance company or HMO through which benefits are provided is not the group health plan. Rather, the insurance company or HMO is a vendor to the plan. The "plan" is the set of promises that the employer makes to its employees respecting health care, together with the supporting administrative scheme that enables the employer to make good on its promise. Lacking competence in plan operation, most employers hire an outside vendor, such as an insurer, to handle the details. What makes this confusing is that the terms of the insurance contract provide many of the material terms of the plan.

It is the set of promises/administrative scheme that HIPAA regulates as a separate covered entity for which the employer is generally responsible. Where employees of the employer make up the plan's workforce, and where these individuals get ePHI in the course of administering the plan, the HIPAA security rules are implicated and compliance is required.

Bottom line: While an insurance company, consultant or broker might be able to lend assistance, compliance with the HIPAA security rule is usually the employer's responsibility (and liability if something gets disclosed inappropriately).

My TPA does everything - do I need to do anything?

If you sponsor a self-funded plan (such as a Flexible Spending Account), then compliance with the security rule is required. This is so because, even if you rely on an administrative-services-only provider, the plan sponsor or someone associated with the sponsor generally has access to claims and payment data on an ongoing basis and usually has final claims adjudication authority.

Were you required to comply with the HIPAA Privacy Rule?

If the answer is YES (which implies your group health plan is defined as a Covered Entity), then you are also required to comply with the Security Rule provisions that come into effect in April 2006. The definition of a Covered Entity is the same for both the Privacy Rule and the Security Rule. In the case of employers, your group health plans fall into this category. Typically, those group health plans that are self-insured have the highest compliance burden.


 

 
 
Excerpts from our manual - HIPAA for the Employer
 
     
© HIPAA Solutions RX