NEW MEDICAL RECORDS PRIVACY RULES CREATE HR CHALLENGES
By Shawn Smith, J.D.
If you thought it was challenging keeping up with emerging employee privacy rules on every front, prepare yourself for the new medical privacy regulations. Recently, the Department of Health and Human Services (HHS) issued the final regulations governing medical privacy rights for patients under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

All insured or self-insured employer group health plans are covered by the HIPAA rules. The new rules are the first federal rules to give patients broad protections over the privacy of their medical records. They are designed to control the use and disclosure of certain defined protected health information (PHI). The rules provide that patients must give specific authorization before health plans, doctors, pharmacies or other covered parties can release PHI in most non-routine circumstances. "Non-routine circumstances" include the release of information to an employer.

In addition, the HIPAA regulations apply to certain third-party "business relationships," and require that group health plans obtain employees' specific consent before their PHI is used for marketing purposes.

The rules also contain extensive requirements regarding administration and documentation of use and disclosure of PHI. Patients will be able to access their personal medical records, and request changes to correct any errors. In addition, patients can generally request an accounting of non-routine uses and disclosures of their health information. The penalties for violation can be steep, and include both civil and criminal sanctions.

These new regulations will have a significant effect on the way that information is used, disclosed and retained by employers. First, as a result of the complexity of the rules and the onerous penalties involved, it is likely that health care providers and insurance companies will restrict the flow of medical information to employers rather than risk violating the rules. Employers who request PHI even for legitimate purposes will have a more difficult time obtaining it.

In addition, although employers are not directly covered under the HIPAA rules, their group health plans are. As most employers are the administrators of their group plans, they will need to understand and abide by the privacy obligations mandated by the regulations, and to perform compliance activities on behalf of the plans. You can obtain further information on the HIPAA rules at the Department of Health and Human Services web site at www.hhs.gov/ocr/hipaa, but taking the following steps will help your company to comply:

  • Appoint a privacy officer, designate individuals responsible for accepting reports of, investigating and documenting violations, and develop a compliance schedule that meets the applicable deadline for your company. The deadline for compliance for most employers is April 14, 2003, but companies with small health plans (annual claims under $5 million) will have until April 14, 2004.
  • Examine the flow of PHI in your organization: how the company obtains information, how much and what kind of data is normally received, and where the data goes upon receipt. Ask yourself whether the company has a legitimate need for the level of information received, and whether there are safeguards in place for preventing improper access to PHI.
  • Develop or upgrade company medical privacy policies and procedures to comply with HIPAA restrictions on the use and disclosure of PHI. Train employees with access to PHI to follow these policies and procedures. Make sure that only employees with a "need to know" have access to protected data.
  • Amend current health plans to comply with the HIPAA rules, especially to expressly allow employee PHI to be provided by the plan to the employer.
  • If you presently allow employee health information to be distributed to outside parties, determine that this distribution is permitted under the rules. Bear in mind that distribution of information for marketing purposes is specifically prohibited. Revise any contracts you may have with outside parties to obtain assurances that they will abide by the privacy rules.
  • Document all use and disclosure of employee PHI, and retain this documentation for six years.