HIPAA And The Possible Effect On Your Company
(October 4, 2002)
by Kathleen D. Bruder

You may have heard about the Health Insurance Portability and Accountability Act ("HIPAA") that was adopted in 1996 and thought it would not affect you as an employer because your company is not in the "health industry." However, if this was your analysis of HIPAA, then you need to reconsider HIPAA and its possible effects on your company. Additionally, you should think about it now because of HIPAA deadlines.

Although HIPAA was adopted to simplify the health care system, it has a far-reaching effect on various entities: health care clearinghouses, certain health care providers, health insurers, health plans and programs sponsored by a company, and business associates of those entities. Thus, even if your company is not in the "health industry," it could be affected if your company sponsors any health plan. The definition of a health plan includes various types of benefit plans sponsored by any type of employer, such as medical, dental, vision, prescription drug, and others.

In August 2002, the Department of Health and Human Services finalized the version of its Privacy Rules under HIPAA, which means that employers should currently be taking steps to determine which parts of their businesses, if any, are covered by these rules. If your business is a covered entity, you must be in compliance with the Privacy Rules by April 14, 2003. Small health plans, defined as health plans with annual receipts of $5 million or less, can delay compliance until April 14, 2004.

Any company that is a clearinghouse, health insurer, or health care provider is clearly covered by the rules. Additionally, the health plans sponsored by your company may also be covered if they allow your company to have access to specific medical information of your employees. For example, self-insured employers with more than 50 participants that have access to and transmit employees' health care information are covered. Thus, if your company is covered under HIPAA, you should begin to take steps to comply with HIPAA, which would include making initial determinations on how your company uses and transmits health information, and what needs to be completed so that your access and transmissions are compliant. In addition, as a covered entity, your company will need to use consent and authorization forms that are compliant with the Privacy Rules.

HIPAA covered entities should also understand the restrictions in regard to Protected Health Information ("PHI"). The rules prevent health plans from using or disclosing a participant's PHI except as authorized by the regulations under HIPAA. PHI is identifiable health information maintained or transmitted in any medium that relates to the condition of a participant, health care provided, or payments for health care. Generally, information is "individually identifiable" if it either specifically identifies an individual or includes enough information that could be used to identify the individual. Further, although employment records are excluded from the definition of PHI, employer health plans are not.

Additionally, the Privacy Rules' effects on a covered employer's relationships with "business associates" may be the most significant for your company. This provision of the Privacy Rules will affect you whether you are a covered entity or a company that does business with a covered entity. In sum, a covered entity's plans cannot disclose PHI to business associates without having specific privacy protections included in their contracts. This prohibition is meant to protect PHI released to service providers, such as benefit consultants, third-party administrators and pharmacy benefit managers, that are not otherwise covered by the Privacy Rules.

Under the Privacy Rules, a business associate agreement must include a number of specific obligations and requirements on the business associate.

If your company is a business associate not otherwise covered by the Privacy Rules, then you should contact the businesses that provide you with PHI and work jointly to make sure your contracts are compliant with the Privacy Rules. Additionally, as a business associate, you want to confirm that the revised contracts are not only compliant but also protect your company to the best of your ability. The deadline for covered entities and business associates to comply with the Privacy Rules is April 13, 2003. However, if a business associate had a written contract in place by October 15, 2002, and it is not renewed or revised by April 14, 2003, then it is deemed to comply with the Privacy Rules until it is either renewed or revised, or you have until April 14, 2004 to comply, whichever is earlier. However, if you modify a contract between October 15, 2002 and April 13, 2003, the transition relief previously explained is not available.

You can obtain additional information on HIPAA by visiting the Department of Health and Human Services' website at www.hhs.gov. Additionally, should you have the need for counsel in regard to HIPAA and its effect on your company, we have a HIPAA Compliance Group at Rhoads & Sinon LLP available to assist your company. Please feel free to visit our website at www.rhoads-sinon.com, where you can find more information about our firm and its available services.

© Rhoads & Sinon LLP
All Rights Reserved