NEW FEDERAL LAW IMPACTS BUSINESSES WHO PROVIDE HEALTH COVERAGE
Why corporations have nothing to fear but a fearsome new bureaucracy
ATLANTA, Ga. - June 13, 2002
By Sean S. Smith - Chief Executive Officer - Coalition America
Soon, many businesses will be facing a new federal bureaucracy with more teeth and tenacity than the Internal Revenue Service ever dreamed of. To make matters worse, many top executives don't even know about the impact of a new federal law on their management information and human resources operations, much less the potentially large fines and penalties they face.
The Health Insurance Portability and Accountability Act (HIPAA), which goes into effect this October, is primarily aimed at hospitals, insurance companies, health care providers and other organizations more directly involved in handling individual healthcare information. Yet, as the providers of health coverage for their employees, businesses still face significant risks because the law affects any organization that touches individual health care information.
The regulating entity is the U.S. Department of Health and Human Services, the nation's top welfare bureaucracy, and it starts enforcing HIPAA effective April 3, 2003.
A primary goal of HIPAA is to ensure that individual medical information remains absolutely private and that it is used only on an unconditional "need-to-know" basis. The law is so strict that companies cannot disclose to parents and spouses even basic information like the kinds of insurance or medical coverage available to an employee or the status of a claims payment without a signed consent or authorization from the individual involved - including, in some cases, minor children.
Worse, they could face significant fines for even inadvertent disclosure, such as a claim form being left unattended on a desk. Further, the law turns any employee into a potential whistleblower who can turn in the company for any violation.
Do I have your attention yet? Given the tremendous implications of this new act, corporate managers should now be reexamining how their employee health information is handled with an eye towards:
The penalties for violating key HIPAA provisions are significant. Civil fines range from $100 to $25,000 per violation, while criminal penalties include fines of $50,000 to $250,000 with imprisonment from one to ten years.
Employers have risks at three levels - as an employer, as a plan sponsor and as a plan administrator - and each role carries different responsibilities. So, the best strategy is to look at every point where your company accumulates or processes employee health-related information, then adopt processes for each point.
Under the law, health information can be used and shared only for treatment and payment of healthcare, and employees must be notified how their information will be used. Any deviation from permitted use requires signed consents or authorizations.
Further, companies must maintain administrative and physical safeguards to ensure that information is used only for permitted purposes. This is trickier than it may seem.
Protected information includes any individually identifiable information in any form or media, which includes demographic, clinical and financial information. Even information that can possibly link someone to their health information must be protected, which includes names, dates, phone and fax numbers, social security numbers, medical record numbers, beneficiary information, account numbers, vehicle numbers, email or internet addresses, photographs and a host of other uniquely personal data.
The best process for most organizations is to analyze how your organization accesses personal health information and define how it shall be handled at each point. Typically, companies access PHI at several points during the employee/employer relationship.
These include ERISA claims and appeals, insurance eligibility and enrollment periods, during trustee or vendor audits, 'stop loss' claims, COBRA enrollment, company data analysis, subrogation and third party reimbursement and COB.
Companies truly need to examine their processes carefully and manage them daily, because a key provision of the law turns every employee into a potential enforcer. The law rewards whistleblowers - anyone who turns in a breach of the law - and a breach could be as simple as leaving a healthcare form unattended on a desk.
In developing procedures, both management information and human resources experts need to be at the table. HHS, as required by the law, has developed standards for electronic transactions involving medical and health information and your IT department should determine how they affect your operations.
Human resources and benefits employees will play important roles in complying with the law. Management must make sure proper safeguards are implemented and that employees are trained in the proper use of those procedures.
In the end, while employers are less impacted than medical providers, insurers and others whose businesses involve intimate contact with individual medical information, employers still must make changes. Given the stringent penalties and the looming deadlines, any companies who have not focused on this issue need to move quickly to prepare for compliance.
EDITOR'S NOTE. Mr. Smith is Chairman & CEO of Coalition America, Inc. (CAI). CAI is an Atlanta-based leader in healthcare cost-containment and preferred provider organization (PPO) network management services emphasizing transactional excellence. CAI specializes in cost containment, out-of-network bill negotiations through supplemental network relationships and negotiations on all claims and primary PPO network integration and management, electronic data interchange (EDI), Internet repricing and data-entry options. For more information on Coalition America, please visit www.coalitionamerica.com.
###