When an employer self-administers a Health Reimbursement Arrangement (HRA) Plan, it should ensure that it complies with the HIPAA Privacy Rule.
An HRA plan is a self-funded health plan and is governed by HIPAA Privacy Rules. In order to administer an HRA, the entity processing employee claims receives protected health information (PHI) that is protected by HIPAA. Employers that offer a fully-insured health plan and sponsor an HRA often overlook their HIPAA Privacy obligations and rely on the insurance carrier to comply with the HIPAA Privacy Rules. HRA compliance obligations, however, rest with the employer. Employers that do not comply can be subject to civil penalties of up to $100 per violation.
The HIPAA privacy rule Web site from HHS (http://www.hhs.gov/ocr/hipaa/) has a Q & A section that attempts to cover the privacy rule from the standpoint of covered entities, employers, health care consumers, health care providers, and other interested parties.
Keep reading for important information about the HIPAA privacy rule that is specifically focused on how the privacy rule will affect employers when administering an HRA plan.
What is the primary purpose of the HIPAA privacy rule for HRA Plans?
Most health plans (including HRA Plans) that are covered by the new Rule must comply with the new requirements by April 14, 2003.
The HIPAA Privacy Rule for the first time creates national standards to protect individuals’ medical records and other personal health information.
- It gives patients more control over their health information.
- It sets boundaries on the use and release of health records.
- It establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information.
- It holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients’ privacy rights.
- And it strikes a balance when public responsibility supports disclosure of some forms of data – for example, to protect public health.
For patients – it means being able to make informed choices when seeking care and reimbursement for care based on how personal health information may be used.
- It enables patients to find out how their information may be used, and about certain disclosures of their information that have been made.
- It generally limits release of information to the minimum reasonably needed for the purpose of the disclosure.
- It generally gives patients the right to examine and obtain a copy of their own health records and request corrections.
- It empowers individuals to control certain uses and disclosures of their health information.
The rule protects from unauthorized disclosure any personally-identifiable health information (protected health information, or PHI) that pertains to a consumer of health care services.
What is considered "personally-identifiable health information" for HRA Plans?
Health information is considered to be personally identifiable if it relates to a specifically identifiable individual; it generally includes the following, whether in electronic, paper, or oral format:
- Health care claims or health care encounter information, such as documentation of doctor's visits and notes made by physicians and other provider staff;
- Health care payment and remittance advice;
- Coordination of health care benefits;
- Health care claim status;
- Enrollment and disenrollment in a health plan;
- Eligibility for a health plan;
- Health plan premium payments;
- Referral certifications and authorization;
- First report of injury;
- Health claims attachments.
What is a covered entity with regard to HRA Plans?
The privacy rule applies to health plans, health care clearinghouses, and health care providers. It applies to employers only to the extent that they somehow operate in one or more of those capacities. HRA plans are self-insured health plans.
How is an employer a covered entity with HRA Plans?
Normally, an employer will only deal with covered entities, not actually be one. However, if an employer provides a self-insured health plan for employees (e.g., an HRA Plan), or acts as the intermediary between its employees and health care providers, it will find itself handling the kind of PHI that is protected by the HIPAA privacy rule.
What must employers do to protect employee PHI when administering an HRA Plan?
Employers offering an HRA Plan must adopt written PHI privacy procedures and designate a privacy officer. They must also establish a process for employees to use in filing complaints and for dealing with complaints. Finally, they must take any measures necessary to see that PHI is not used for making employment or benefits decisions.
What do the written privacy procedures include for an HRA Plan?
An employer's written privacy procedures for an HRA Plan must include safeguards for administration of PHI, physical security of such information, and electronic and other types of technical security. The procedures should include the designation of a privacy officer and an explanation of the complaint and resolution process.
What penalties apply to violations of privacy rule requirements and HRA Plans?
There are civil penalties of $100 per violation, but the penalties can be "stacked" if there are multiple violations with respect to a single individual. The maximum civil penalties are $25,000 per year, per person, per standard. Thus, if two standards were violated with respect to one person, the potential penalties could mount to as much as $50,000. Criminal penalties (up to a $250,000 fine and ten years in prison) may be imposed for "knowingly and improperly" disclosing information or obtaining information under "false pretenses", with higher penalties reserved for violations designed for financial gain or "malicious harm". In addition, of course, state laws may impose additional penalties for the same offenses, and most states would also allow common-law suits for torts such as invasion of privacy and infliction of emotional distress, among other causes of action. In November 2004, a federal district court sentenced a former employee of a Seattle, Washington cancer clinic to 16 months in prison under the criminal penalty provisions of HIPAA after he admitted he had used a patient's birthdate and SSN information to fraudulently obtain four credit cards in the patient's name and charge over $9,000 in goods.