Small Business and the New HIPAA Privacy and Security

New privacy and security standards set forth by the
Health Insurance Portability and Accountability Act
(HIPAA) of 1996 — designed to protect employee health
information — are beginning to be felt by many
businesses.

by Kris Larsen, Aon Consulting NFIB.org

All companies with annual total health care costs
greater than $5 million had to be in full compliance by
April of this year. But it’s not just larger companies
that will be facing the new regulations. In April 2004,
any company that sponsors health plans for employees
will be held accountable. No matter the size, HIPAA
will apply. CEOs need to take action now to ensure that
their company is protected. So where do you start?

* Protected Health Information

The first step is to define protected health
information (PHI) and a company’s level of exposure.
HIPAA defines health information as any information
(oral or recorded) that is created (or received) by a
health care provider, health plan, public health
authority, employer or health care clearinghouse.

In other words, health information, no matter how it is
communicated or recorded (electronic, written or
spoken), is protected under HIPAA guidelines.

The HIPAA privacy standards essentially say that a
health plan cannot use or disclose PHI except as
authorized by the individual or by Department of Health
and Human Services (HHS) regulations.

* The Risk of Non-compliance

If a company is out of compliance, it runs the risk of
significant fines and potential criminal charges.
Enforced by the Department of Health and Human
Services, failure to comply with HIPAA’s privacy rule
could result in penalties of up to $100 per person per
violation or up to $25,000 per year for each violation
of an identical requirement.

Criminal penalties can apply for intentional violations
of the rules. Such knowing violations could result in a
criminal fine of up to $250,000 and up to 10 years in
prison.

To help prepare your business for HIPAA compliance next
April, planning is crucial. Here are the three main
components of an action plan:

1. Appoint a Privacy Official.

A company as a plan sponsor must designate a privacy
official responsible for developing and implementing
its privacy policy and procedures. A health plan’s
responsibility to safeguard electronic protected health
information extends to its entire workforce —
regardless of location.

2. Finalize Plan Documentation.

A health plan document must contain the appropriate
privacy standards for the plan, and the employer as
plan sponsor must agree to abide by these standards
before the plan can disclose protected health
information to the plan sponsor.

3. Set Up Business Associate Agreements.

A business associate is any person or organization
using protected health information on behalf of a
health plan to perform services such as benefits
management, claims processing or administration. A
health plan may only disclose protected health
information to a business associate, and allow that
person to create or receive information on its behalf,
if an agreement is in place that binds the business
associate to the same privacy requirements that are
imposed on the health plan.

* Fleshing Out the Plan: Gap Analysis

An effective strategy to comply with both the privacy
and security standards would be to start with a "gap
analysis." Compare existing policies and procedures
with those required by the final regulations.
Implementing remedial policies, procedures and
supporting technology, and training employees, would follow.

Some of the activities around that exercise include:

* Distributing a privacy notice to employees;
* Establishing a procedure for employees to exercise
their rights to access their own health information and
to obtain an accounting of disclosures;
* Amending health plan documents to establish the
permitted uses and disclosures of health information by
the plan sponsor;
* Adopting appropriate administrative, technical and
physical safeguards to protect the privacy of health
information;
* Making sure your vendors are prepared to conduct
electronic transactions in the standard format that
will be required under the electronic data interchange
(EDI) provisions.

Before the compliance date, the safeguards would be
reviewed as the first of a series of periodic
evaluations required under the regulation. The main
thing to keep in mind is that there is plenty of time
to meet compliance expectations, as long as you begin
to think about it today.

**************************************

Kris Larsen is Senior Vice President in Aon Consulting’s
Nashville, Tenn., office. Aon Consulting offers a
full range of HIPAA-related tools and consulting
services, from a self-contained "Guide to HIPAA
Compliance" to an on-line assessment tool.

Please visit http://www.aon.com/hipaahelp to find out more.

To read this article and other related articles online, visit:
http://www.nfib.com/cgi-bin/NFIB.dll/jsp/toolsAndTips/toolsAndTipsDisplay.jsp?contentId=3870498
