Approaching HIPAA Deadlines for both Small and Large Employer Plans
There are two Health Insurance Portability and Accountability Act (HIPAA) deadlines in April, one for employers with large health plans and one for employers with small health plans.
Privacy Notice Deadline for Large Health Plans
Large health plans (i.e., plans with annual receipts exceeding $5 million) had to distribute the initial HIPAA Privacy Notice by April 14, 2003, and a reminder every three years thereafter. Therefore, by April 14, 2006, large health plans must provide notification reminding plan participants of the availability of, and how to obtain, the notice.
Before sending out the reminder, review the notice itself to check for any changes and/or updates and edit the notice to reflect the new date. While there haven't been any government-mandated changes to the notice, check to see that company-specific information (e.g., a contact name and telephone number) hasn't changed.
Security Rule Deadline for Small Health Plans
Most covered entities were required to comply with HIPAA's Security Rule in April 2005, but employers with small health plans (i.e., plans with annual receipts of $5 million or less) were given an extra year. April 21, 2006, marks the deadline by which small plans must become compliant.
The Security Rule requires covered entities to assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) and to implement measures that reduce the identified risks. Note: Informal statements from officials at the Centers for Medicare & Medicaid Services indicate that if no ePHI is discovered through the risk assessment, there would not be much left for the employer to do.
Implementing electronic safeguards may look like a job solely for your company's IT department. However, there are several steps that "non-techies" can take to help ensure compliance:
- Amend business associate agreements and plan documents to include ePHI provisions. State that the business associate or plan sponsor is required to implement safeguards for ePHI, ensure that any subcontractor or agent does the same, and report any known security incident.
- Name a single security official who will be responsible for the security of ePHI. Select someone other than the individual named as the privacy official in existing HIPAA privacy documents.
- Assist IT in controlling access to ePHI. Start by cataloguing the different types of ePHI stored and transmitted by the company and how this information is used and disclosed. Next, create a list of individuals who are authorized to have access to ePHI and the scope of that access. Then, keep the list current and promptly inform IT when an individual's access rights are terminated.
- Create and implement policies that address: access to ePHI; security awareness training; how to identify, report, and investigate security incidents; and data destruction.
- Collaborate with IT to develop a security awareness training program. Also, identify whom to train and when employees should be afforded supplemental and/or refresher training.
- Plan for an emergency. The Security Rule requires covered plans to:
  - create and maintain data back-ups;
  - be capable of restoring lost data; and
  - establish policies that will safeguard, while ensuring access to, ePHI when operating in crisis mode.
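The access-control step above asks the plan sponsor to keep a current list of who may reach ePHI, with what scope, and to tell IT promptly when access ends. The following is an added example, not part of this memo or of HR-OneSource's materials, of how the two sides of that step can be checked against each other: a roster maintained by the plan (assumed to be kept as a small CSV of user, system, scope) is reconciled with an export of the access IT has actually granted (assumed to be in the same CSV shape) and a set of terminated individuals. All of the names, systems and rows below are constructed sample data.

```python
import csv
import io

# Constructed sample roster: who the plan sponsor has authorized, per system.
ROSTER_CSV = """user,system,scope
alice,claims_db,read-write
alice,enrollment_portal,read
bob,claims_db,read
carol,enrollment_portal,read
"""

# Constructed sample export of what IT has actually granted.
GRANTS_CSV = """user,system,scope
alice,claims_db,read-write
alice,enrollment_portal,read
bob,claims_db,read-write
dave,claims_db,read
carol,enrollment_portal,read
erin,enrollment_portal,read
"""

# Constructed list of individuals whose access should have been terminated.
TERMINATED = {"erin"}

# Ordering of scopes; a scope not listed here is treated as unknown and
# therefore suspicious when it appears on a grant (see reconcile()).
SCOPE_RANK = {"read": 1, "read-write": 2}


def load_table(text):
    """Parse a CSV string with a header row into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(roster_rows, grant_rows, terminated):
    """Compare the authorization roster with the granted access.

    Returns a dict with three kinds of findings, each a list of tuples:
      terminated_still_active: (user, system) still granted after termination
      not_authorized:          (user, system) granted but absent from the roster
      exceeds_scope:           (user, system, granted_scope, authorized_scope)
    """
    authorized = {(r["user"], r["system"]): r["scope"] for r in roster_rows}
    findings = {
        "terminated_still_active": [],
        "not_authorized": [],
        "exceeds_scope": [],
    }
    for g in grant_rows:
        key = (g["user"], g["system"])
        if g["user"] in terminated:
            # Termination takes priority over anything the roster says.
            findings["terminated_still_active"].append(key)
        elif key not in authorized:
            findings["not_authorized"].append(key)
        else:
            granted = SCOPE_RANK.get(g["scope"], 99)      # unknown scope -> flagged
            allowed = SCOPE_RANK.get(authorized[key], 0)  # unknown scope -> minimal
            if granted > allowed:
                findings["exceeds_scope"].append(key + (g["scope"], authorized[key]))
    return findings


def run_sample():
    """Reconcile the constructed sample data and return the findings."""
    return reconcile(load_table(ROSTER_CSV), load_table(GRANTS_CSV), TERMINATED)


if __name__ == "__main__":
    for kind, items in run_sample().items():
        print(kind, items)
```

Run periodically (for example before each HR and IT review meeting), the three lists are the items the security official should chase: a terminated user who still holds access, a grant nobody on the plan side authorized, and a grant broader than the roster allows. Running the script on real exports only requires replacing the three constructed inputs.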
For any questions regarding HIPAA, please contact David Hansen of HR-OneSource at 515-221-1718.