HIPAA Compliance Deadlines Affect Employer Health Plans

By Ronald J. Souza

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has compliance deadlines prescribed by Department of Health and Human Services (DHHS) regulations. Those regulations set forth two tiers of compliance, one for large health plans and the other for small health plans, and the deadlines for each tier are staggered. Two important deadlines have recently passed: one for large health plans (i.e., plans with insurance premiums or claims of $5 million or more), the other for small plans.

Notification and Compliance Deadlines

By April 14, 2006, large health plans should have notified individuals covered by those plans that a notice of their privacy rights is available for review and how to obtain that notice. A reminder notice must be sent out at least every three years.

The privacy notice must include the following. In the case of group health plans, enrollees must be told (1) the permitted uses and disclosures of protected health information (PHI); (2) an explanation of individual privacy rights; and (3) the health plan's responsibilities under HIPAA and how to file complaints with the DHHS. For fully insured plans that receive only summary health information (i.e., information stripped of personal identifiers other than a five-digit zip code) or enrollment data, the insurer or HMO must provide the notice of privacy practices. Where an employer with a fully insured plan receives PHI for other purposes, the group health plan itself must maintain a notice of privacy practices and provide it upon request.

The large plan reminder notice can be hand-delivered or sent by U.S. Mail to the named insured or covered employee. The notice can be sent electronically if the insured or covered employee has agreed to receive it electronically. Group health plans that have been providing updated notices each year as part of the open enrollment materials will not have to provide a new privacy notice to those who have already received it in the enrollment package.

By now, large health plans should have (1) completed the required risk analysis; (2) proposed any necessary remedial measures; and (3) drafted HIPAA security policies and procedures and revised their business associate agreements to include the requirements of the HIPAA security rule. Plan documents should have been amended by April 21, 2006.

By April 21, 2006, small health plans should have implemented administrative, physical, and technical safeguards to ensure the integrity and confidentiality of electronic health information, and to protect against threats to security and unauthorized uses and disclosures of health information.

To Summarize

If you do not have a group health plan, no HIPAA security compliance is required. If you are self-insured, administer your own plan and have fewer than fifty (50) participants, your plan is exempt from the HIPAA security rules. If you are a small plan (i.e., premiums or claims of less than $5 million), you should have complied with the HIPAA Security Rules by April 21, 2006. If you are a small plan sponsor without access to electronic PHI, you are exempt from the privacy rules. But you do have a security compliance obligation, although it is a “Phase I” burden with fewer requirements than those of employers with “Phase II” burdens.* If you are a small plan sponsor with access to electronic PHI, you have “Phase II” HIPAA compliance obligations, which involve more issues and more complexity than “Phase I” compliance.

Compliance Obligations

Phase I: If you have Phase I obligations, you must: adopt and maintain limited HIPAA security policies and procedures (administrative, technical and physical); conduct a limited HIPAA security risk analysis; appoint a security official and implement complaint contacts and procedures; if applicable, enter into business associate contracts compliant with the HIPAA security rules; and conduct periodic re-evaluation of status and compliance.

Phase II: Phase II compliance requires employers to: adopt and maintain HIPAA security policies and procedures (administrative, technical and physical); conduct a HIPAA security risk analysis; appoint a security official and implement complaint contacts and procedures; if applicable, enter into business associate contracts compliant with the HIPAA security rules; conduct periodic re-evaluation of status and compliance; provide training to responsible personnel and document that training; and complete an appropriate plan amendment.

What is Protected Health Information?

“Protected health information” (PHI) refers to individually identifiable health information created or received by a covered entity that relates to the past, present or future physical or mental health or condition of an individual, including information regarding the provision of and payment for healthcare, which is transmitted or maintained in any form or medium.

The HIPAA privacy rules apply to all PHI. The Security Rules, however, protect only a portion of that information: PHI that is transmitted by or maintained in “electronic media.” “Electronic media” means electronic storage media such as a hard drive or any removable or transportable digital memory medium such as a flash drive, and also the transmission media used to exchange information already held in electronic storage, such as the Internet, leased lines, dial-up lines, private networks, and the physical movement of removable or transportable electronic storage media. Where the information being exchanged did not exist in electronic form before transmission (for example, paper sent by fax or a voice telephone call), the transmission does not bring it under the Security Rules.

Overview of HIPAA Privacy and Security Requirements

HIPAA’s Security Rules are made up of specific “standards” and “implementation specifications.” To be in compliance, a health plan must comply with every standard, taking into account (1) its risk assessment; (2) the provisions of the specific standards and implementation specifications; and (3) the flexibility the Security Rules permit in choosing how each standard is met.

Generally, HIPAA’s Security Rules require covered plans to meet the following general security standards: (1) ensure the confidentiality, integrity and availability of electronic PHI and protect against any reasonably anticipated threats or hazards to its security; (2) protect against reasonably anticipated uses or disclosures that are not permitted; and (3) ensure that the plan’s workforce complies with the Security Rules.

The security standards are separated into three categories: administrative, physical and technical. The Security Rules also provide organizational and procedural standards. There is no requirement that a covered health plan obtain a certificate of compliance. Compliance is not a one-time goal; it must be maintained indefinitely.

The following is a brief overview of the administrative, physical, and technical safeguards prescribed by HIPAA.

Administrative Safeguards

The following are some of the implementation specifications that satisfy the administrative safeguard requirements:

  • Security management process to identify risks to the security of electronic PHI and to implement policies and procedures to prevent, detect, contain and correct security violations.
  • Assigned security responsibility requires covered plans to appoint a security official responsible for the development and implementation of the policies and procedures needed to comply with the Security Rules.
  • Workforce security requires policies and procedures to ensure that only authorized workforce members have access to electronic PHI.
  • Information access management requires the plan to implement policies and procedures for granting access to electronic PHI that are consistent with the privacy rules.
  • Security awareness and training to ensure that all members of the covered plan’s workforce are aware of its security policies and are trained to carry out their assigned tasks.
  • Security incident procedures for identifying, responding to and documenting security incidents, including breaches that lead to disclosure of PHI.
  • Contingency plans for responding to emergencies or other occurrences that damage systems containing electronic PHI.
  • Evaluation requires periodic testing and evaluation of the effectiveness of the security measures in place.
  • Business associate agreements must be signed by all business associates that create, receive or maintain electronic PHI on the plan’s behalf as part of the services they render.

Physical Safeguards

The following implementation specifications satisfy HIPAA’s physical safeguard requirements:

  • Facility access controls that limit physical access to electronic information systems and the facilities in which they are housed.
  • Workstation use to ensure that workstations are used for their proper functions and in the manner intended.
  • Workstation security requires that each workstation with access to electronic PHI be physically safeguarded.
  • Device and media controls govern the movement of hardware and electronic media containing electronic PHI into and out of the facility, including their disposal and re-use.

Technical Safeguards

The following implementation specifications satisfy the technical safeguard requirements:

  • Access control that limits access to electronic PHI to authorized persons and software programs.
  • Audit controls that record and allow examination of activity in information systems that contain electronic PHI.
  • Integrity controls that protect electronic PHI from improper alteration or destruction.
  • Person or entity authentication requires verification that a person or entity seeking access to electronic PHI is the one claimed.
  • Transmission security requires technical measures to guard against unauthorized access to electronic PHI transmitted over a network.


A person who knowingly uses a “unique health identifier,” or knowingly obtains or discloses individually identifiable health information to another person, is subject to a criminal fine of up to $50,000 and/or one year in prison. Where the offense is committed under “false pretenses,” the maximum penalty increases to a $100,000 fine and/or five years imprisonment. Where the offense is committed with the intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm, the maximum penalty jumps to $250,000 and/or ten years imprisonment.

Perhaps the greatest practical risk to employers is potential civil liability. Should individually identifiable health information be inadvertently disclosed to a person or entity who misuses it to the detriment of an employee, the employer may be exposed to a civil action by the injured employee. Substantial recent verdicts have been reported from Northern and Southern California counties where confidential and sensitive health information (e.g., Hepatitis C and HIV infections) was revealed to supervisors or co-workers. In each instance, the jury award was well into six figures.

Given the HIPAA mandates for protecting PHI and the penalties for violation, together with the exposure to individual lawsuits, all employers would be wise to obtain an audit of their compliance with the recently effective HIPAA regulations.

If an employer’s health plan is fully insured and the employer does not have access to any electronic PHI, the employer probably has little else to do. The Centers for Medicare and Medicaid Services (CMS), the arm of the DHHS charged with enforcing the security rules, has informally opined that in this case an employer must still go through the risk analysis required by the HIPAA security rules to determine whether any of its computer systems contain electronic PHI. Assuming no electronic PHI is discovered during the analysis, there would not be much more for the employer to do.