Compliance Alert: New Healthcare Rules
By April 14, your company may be required to comply with federal laws designed to protect the privacy of employee health records.
By Staff -- graphic arts online, 3/1/2003
Next month, certain printing companies will be subject to regulations recently enacted to protect the privacy of patients' health records. The legislation, notes Jim Kyger, director of Federal Employment Compliance Assistance for the Printing Industries of America, Alexandria, Va., is the fourth and final phase of the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
Kyger, who is certified as a senior professional in human resources, explains that the new rules—which take effect April 14—apply to any business that works with a "covered entity" (defined by law as healthcare providers, health plans, and insurance companies or clearinghouses) that receive protected health information.
As defined, protected health information consists of individually identifiable health information that is transmitted or maintained in any form and that relates to the past, present, or future physical or mental health or condition of a health plan participant. Information is "individually identifiable" if it either actually identifies an individual or contains enough specific information to do so.
[For smaller health plans—those with annual receipts of $5 million or less—the compliance deadline is April 14, 2004.]
Printers covered
Says Kyger, printing companies will usually be covered by these regulations if they self-fund their health coverage or internally administer such plans as flexible spending accounts or employee assistance programs, or if they audit these or other health plans internally. Companies found to be out of compliance could face both civil and criminal penalties.
The regulations require businesses that have relationships with covered entities to enter into special contracts, with specifically mandated provisions. Any company that receives protected health information from a health plan or a healthcare provider or carrier will have extensive obligations under HIPAA.
Primer on requirements
What are the compliance necessities? To see a comprehensive review of federal guidelines, visit the Web site of the U.S. Department of Health and Human Services at hhs.gov/ocr/hipaa/.
Meanwhile, here's a checklist of action items:
- Appoint a "privacy officer" to be in charge of compliance.
- Establish policies and procedures designed to safeguard private health information in compliance with the new privacy rules.
- Amend documents and create disclosure authorizations that comply with the rules.
- Train staff members in handling protected information.
- Amend current contracts with vendors and business associates who help you administer the plan and process claims.
- Comply with new guidance regarding security and electronic transactions.
- Provide a process for participants to complain about your plan's policies and procedures and its compliance with them.
- Establish administrative, technical, and physical procedures that reasonably safeguard private health information from uses and disclosures that violate the privacy rules.
E-mail questions about the rule to ocrprivacy@hhs.gov.