What are the effective dates for the HIPAA privacy rules?

For small health plans (those with annual receipts of $5 million or less), the effective date will be April 14th, 2004. Any plan that exceeds $5 million in annual receipts is already subject to the HIPAA privacy rules (beginning April 14th, 2003). The amount of the plan's "annual receipts" for this test is determined by looking at the total health insurance premium payments, or the total of paid claims (in the case of self-funded plans), or the total of participant contributions to the plan (in the case of health FSAs in a Cafeteria Plan), whichever is applicable, for the last full fiscal year that ended before April 14, 2003. (Stop-loss insurance premiums are not included in "annual receipts".) If this amount is less than $5 million, the plan is a "small health plan" and qualifies for the later effective date.
What types of health plans are "covered entities" under HIPAA and therefore required to comply with HIPAA privacy rules?

In general, group health plans will be "covered entities", including self-funded plans such as Section 105 medical reimbursement plans and health FSAs in a Cafeteria Plan. The US Department of Health and Human Services (HHS) offers the following flowchart online to determine if your plan is a covered entity:
1) Is the plan an individual or group plan, or combination thereof, that provides, or pays for the cost of, medical care?
(If the answer is yes, go to question 2; if it is no, the plan is not a health plan.)

2) Is the plan a group health plan*?
(If the answer is yes, go to question 3; if it is no, the plan is not a health plan.)

*Group Health Plan Definition: An employee welfare benefit plan (as defined in section 3(1) of the Employee Retirement Income Security Act of 1974 (ERISA), 29 U.S.C. 1002(1)), including insured and self-insured plans, to the extent that the plan provides medical care, including items and services paid for as medical care, to employees or their dependents directly or through insurance, reimbursement, or otherwise, that: (1) has 50 or more participants; or (2) is administered by an entity other than the employer that established and maintains the plan. See 45 C.F.R. 160.103.

3) Does the plan have both of the following characteristics: (a) it has fewer than 50 participants, and (b) it is self-administered?
(If the answer is NO, the plan is a group health plan and therefore a "covered entity"; if the answer is YES, the plan is not a health plan and not a "covered entity".)
What must a "covered entity" group health plan do to comply with the HIPAA privacy rules?

While the detailed answer to this question would fill an entire book (and there are many available on the topic which should be consulted by the covered entity seeking to meet the requirements), the following is a brief summary of what covered entities are required to do:
- Provide a notice of privacy practices to plan participants. This notice is to be distributed to: all participants in the plan as of the effective date of the HIPAA privacy rules; any new participants entering the plan thereafter; all participants every three years at a minimum; and upon any request for one from a plan participant.
- Designate a privacy officer.
- Implement appropriate administrative, technical, and physical safeguards to protect the privacy of Protected Health Information (PHI).
- Develop written privacy policies and procedures.
- Develop procedures to ensure that the request, use, or disclosure of PHI involves only the minimum amount of information necessary to perform the function in question.
- Develop procedures to ensure that the only individuals that have access to PHI are those that must have it in order to perform their functions for the group health plan.
- Develop procedures for covered individuals' access to, amendment of, or restriction of their PHI.
- Develop procedures to document disclosures of PHI.
- Discipline persons who use or disclose PHI in violation of the covered entity's written policies and procedures.
- Provide training to all members of the workforce on the privacy policies and procedures and maintain documentation of all such training.
- Designate an individual to receive complaints, to respond to questions about privacy policies and procedures, and to receive and fulfill requests for a notice of privacy practices.
- Develop procedures for participants to lodge complaints about the plan's privacy policies and procedures, and to report alleged violations, as well as for documenting all such complaints or reports.
- Develop procedures and a written authorization form for the use and/or disclosure of PHI.
- Obtain signed "business associate agreements" from business associates, defined under HIPAA as businesses and individuals that contract with covered entities (health plans) to create, use, receive, or disclose PHI on behalf of the covered entity, such as health insurance brokers or agents and third-party administrators, prior to the effective date of the HIPAA privacy rules.
- Determine whether the group health plan must amend plan documents to include the elements mandated by the HIPAA privacy rules.