April 1, 2005
HIPAA Security Deadline – April 20, 2005
The HIPAA Security Deadline is quickly approaching.
Are you ready?
The next phase of HIPAA is fast approaching. The Security Requirements build upon the Privacy Requirements. They focus on one piece, electronic protected health information (ePHI), and impose additional requirements.
ePHI is protected health information that is transmitted or maintained in electronic media.
Does it impact me?
Directly. Covered entities transmitting and/or maintaining ePHI are directly regulated by the Security Requirements. As with the Privacy Requirements, “covered entity” includes insurance carriers, health care providers and health plans sponsored by employers. Our focus is on the health plans sponsored by employers.
Indirectly. Any other entity dealing with a covered entity may be indirectly impacted. As with the Privacy Requirements, “business associates” must agree to follow requirements equivalent to the Security Requirements for the covered entity.
If it impacts me…
How…
Policies & Procedures. Covered entities must adopt policies and procedures reflecting the 18 security safeguards.
Plan Amendment. If the covered entity is a plan, the plan should be amended to reflect the treatment of ePHI.
Business Associate Agreements. Contracts with third-party service providers should be reviewed. To the extent ePHI is or may be involved, the agreements should be amended to reflect the treatment of ePHI.
Training. As with the Privacy Requirements, actual implementation of the Policies and Procedures is crucial. This necessarily involves initial, and ongoing, training.
Security Officer. As with the Privacy Requirements, a Security Officer needs to be named. The Security Officer is responsible for development, implementation, and oversight of the organization’s security policies and procedures as they relate to ePHI. The Privacy Officer and Security Officer can be the same person.
When…
As with the Privacy Requirements, the compliance date depends on the size of the plan.
Large Plans – April 20, 2005
Small Plans* – April 20, 2006
* Small plans have less than $5 million in annual gross revenues, which for insured plans means premiums paid and for self-insured plans means claims paid.
If you would like our assistance evaluating whether the Security Requirements apply to your plan and/or bringing the plan into compliance with the requirements, we would be happy to speak with you.