Subscribe (Free) to
Daily or Weekly Newsletters
Post a Job

Featured Jobs

Sr. Retirement Plan Administrator

Tycor Benefit Administrators, Inc.

Tycor Benefit Administrators, Inc. logo

Retirement and Executive Compensation Consultant

Retirement Learning Center
(Remote / Brainerd MN)

Retirement Learning Center logo

Director of Member Services, Member/ Employer Experience

Orange County Employees Retirement System
(Santa Ana CA)

Orange County Employees Retirement System logo

Regional VP of Sales

The Retirement Plan Company
(Remote / AZ / CA / CO / MN / MO / OR / WA)

The Retirement Plan Company logo

Retirement Plan Administrator

Nicholas Pension Consultants

Nicholas Pension Consultants logo

Senior Defined Contribution Account Manager

Nova 401(k) Associates

Nova 401(k) Associates logo

Retirement Plan Services Analyst

Jordan & Associates Retirement Services
(Santa Rosa CA)

Jordan & Associates Retirement Services logo

DC Plan Administrator

Heritage Pension Advisors, Inc.
(Commack NY)

Heritage Pension Advisors, Inc. logo

DB/DC Administrator

Primark Benefits
(Remote / San Mateo CA)

Primark Benefits logo

401(k) Plan Administrator

Abacus Retirement Solutions, LLC
(Remote / Albuquerque NM)

Abacus Retirement Solutions, LLC logo

Senior Consultant

(Remote / Putnam Valley NY)

Pentegra logo

View More Employee Benefits Jobs

Free Newsletters

“BenefitsLink continues to be the most valuable resource we have at the firm.”

-- An attorney subscriber

Mobile App image LinkedIn icon
Twitter icon
Facebook icon

Guest Article

(From the Employer's Guide to HIPAA Privacy Requirements, Thompson Publishing Group)

Proposed Privacy Revisions Could Ease Compliance Efforts for Employers

Summary: The recently proposed amendments to HIPAA's privacy rules could ease compliance efforts somewhat for employers, although the major compliance burdens remain unchanged. Among the provisions that plan sponsors would find helpful are a one-year extension for negotiating and finalizing business associate contracts, and a clarification that group health plans may exchange enrollment and disenrollment information with the employer without amending the plan documents.

The amendments proposed March 27 (67 F.R. 14775) to HIPAA's privacy rules, particularly the extra year in which to negotiate and finalize business associate contracts, could ease compliance efforts somewhat for employers working to ensure that their group health plans meet the April 2003 compliance date. However, the major compliance burdens remain unchanged.

The U.S. Department of Health and Human Services (HHS) proposed giving covered entities an additional year, until April 2004, to revise their existing contracts with business associates. The existing rules, as finalized in December 2000, require these contracts to include assurances that the business associate will observe the rules' safeguards on the use and disclosure of protected health information (PHI). The proposal also includes model business associate contract provisions designed to make it easier and less costly to implement this requirement.

The proposal also would clarify that group health plans may exchange enrollment and disenrollment information with the employer without amending the plan documents to incorporate certain privacy protections. This clarification will be good news for employers with fully insured plans that, under the current rules, already do not have to comply with certain administrative requirements because they do not create or receive detailed health information to administer their plans. Additional proposed changes will simplify current requirements for the content of written authorizations and written accountings of the disclosure of protected information.

All in all, however, the proposed modifications to the final privacy rules should do little to alter employers' compliance plans. The most significant proposed modification -- elimination of the consent requirement -- has little impact on group health plans. Employer-sponsored group health plans were never required to obtain a written consent in order to use or disclose PHI for TPO purposes. While a major burden of compliance has been lifted for providers, the compliance obligations of group health plans have not been significantly changed.

The proposed changes to the rules regarding marketing would implement a stricter requirement for group health plans engaged in marketing activities (such as a health plan selling its subscriber list to a drug company). The proposal would require that all covered entities obtain written authorization in order to engage in marketing activities. However, the proposed changes also would clarify that communications regarding disease management and wellness programs generally will not be considered marketing. This will ease the concerns of some employers as disease management and wellness programs increase in use and popularity. In addition, the proposed changes would remove the prohibition against third parties paying for health plan communications.

Employers cannot ignore the proposed changes, since many of the changes will have an impact on compliance if they are finalized. However, most of the substantive rules that apply to employer-sponsored group health plans (including implementing firewalls, developing privacy policies and procedures, amending plan documents and creating business associate contracts) have not been altered.

HHS is accepting public comments on the proposal until April 26. A 30-day comment period should be adequate because of the "public concerns already communicated to the Department through a wide variety of sources since publication of the Privacy Rule in December 2000," according to the agency.

Comments on Business Associate Provisions

HHS has received many comments on the business associate provisions, most expressing concern about the administrative burden and implementation costs, according to the preamble to the proposed rule. "Some commenters stated that covered entities might have existing contracts that are not set to terminate or expire until after the compliance date of the Privacy Rule," HHS stated. "Many of these commenters expressed specific concern that the two-year compliance period does not provide enough time to reopen and renegotiate what could be hundreds or more contracts for large covered entities."

The one-year extension would be available for a contract or other written arrangement that is not renewed or modified between the effective date of the proposed revisions to the rule and the privacy rules' compliance date of April 14, 2003. The covered entity could continue to disclose PHI to the business associate, or allow the business associate to create or receive PHI on its behalf, under their existing contract until April 14, 2004, or until the contract is renewed or modified, whichever is sooner. This extension does not apply to small health plans that already have until April 2004 to comply with HIPAA's privacy rules.

The model business associate contract provisions, included in the proposal as an appendix to the preamble, include definitions, the business associate's obligations and activities, the business associate's permitted PHI uses and disclosures, the covered entity's obligations, permissible requests by the covered entity and the contract's term and termination. HHS notes that this model language is not required for compliance with the privacy rules and may be amended to more accurately reflect business arrangements.

Some commenters requested clarification on whether business associate contracts were required between a health plan and the health care providers participating in the plan's network. HHS noted that participation in a plan network in and of itself does not result in a business associate relationship to the extent that neither entity is performing functions or activities, or providing services to, the other entity.

Reprinted with permission from the April 2002 newsletter of the Employer's Guide to HIPAA Privacy Requirements, © Thompson Publishing Group, Inc., 2002. All rights reserved.

BenefitsLink is an independent national employee benefits information provider, not formally affiliated with the firms and companies who kindly provide much of the content and advertisements published on this Web site, including the article shown above.
© 2022, Inc.