Tips Offered for HIPAA Compliance in the Home Stretch

Summary: HIPAA privacy compliance is an ongoing project. In the pinch of the last four months, employers that have not yet begun HIPAA privacy compliance efforts should build compliance backward from the April 14, 2003, deadline.

1. Determine whether you are a covered entity, a hybrid entity or a business associate.
2. Analyze which of your health and welfare benefits meet the definition of a "health plan" under HIPAA.
3. Don't forget about employee assistance programs, wellness benefits and flexible spending accounts.

1. Identify business associates that provide services to your group health plan.
2. Assess the impact of HIPAA on current operations (for example, changes in reports from service providers).
3. Develop a business associate contract or get one from your business associate.
4. Execute the contract by April 14, 2003. It probably takes more time to analyze whether you qualify for the one-year extension than to just get a contract.

1. Create firewalls between the group health plan and your human resources (HR) functions.
2. Ensure that protected health information (PHI) is not used or disclosed for employment or other benefit plan purposes.
3. Go ahead with plan document amendments even if you haven't completed a gap analysis, because otherwise you won't get information from your health plans.

1. Prepare a notice of privacy practices no later than April 14, 2003.
2. Plan a distribution mechanism for the notice.
3. You may need to coordinate the notice with your business associates.
4. Some fully insured plans may not need a notice but should be aware that their employees will be receiving them from insurers.
5. HIPAA doesn't require the revision of the summary plan description (SPD), but if you want to add language to the SPD, do so as necessary.

1. Employees who use PHI must be trained by April 14, 2003, so schedule training time now.
2. Determine how training will be tracked and documented.
3. Train benefits staff first -- implement the firewall to protect information.
4. Train HR staff second -- implement the prohibition against improper PHI use and disclosure.
5. Train managers and supervisors third.

1. Customer service procedures will change. Employees may have different relationships with call-in centers.
2. HR professionals should determine whether they need new authorizations for functions such as disability applications, integrated disability management and implementation of the Family and Medical Leave Act and the Americans With Disabilities Act.
3. HR also should determine what firewalls need to be created for risk management purposes, to ensure that health information is not used in the employment process.
4. Ensure that employees can access, amend and receive an accounting of PHI.