HIPAA compliance requires training, documentation

Pre-existing conditions

The statute makes it easier for an individual to obtain health coverage for pre-existing medical conditions when moving from one employer to another. HIPAA does not consider a pre-existing medical condition to exist if the employee has not received any diagnosis, care, treatment or medical advice within six months prior to the enrollment date in the new employer’s health plan.

In addition, a pre-existing condition does not exist based upon pregnancy, birth, adoption, placement for adoption or if the employee enrolls within 30 days of eligibility.

The maximum pre-existing exclusion period under HIPAA is 12 months from the enrollment date. Pre-existing conditions are reduced by creditable coverage days if the employee was under another group health plan and a certificate of eligibility without a break in coverage for 63 days or more is provided.

Handling health information

HIPAA establishes standards concerning how providers, businesses, health insurers and group health plans handle personal health information in terms of usage, access and safeguarding.

Liability exists for organizations sponsoring self-ensured plans, including medical, dental, vision, prescription, employee assistance and health savings accounts. HIPAA also covers an enterprise sponsoring a fully insured plan and receiving protected health information.

Protected health information is defined as any information received or maintained by a health plan or health insurer relating to an individual’s medical condition, as well as the provision of or payment for his medical care.

Maintaining compliance

Several steps must be taken in order to comply with HIPAA:

• Train and appoint a compliance officer.

• Limit the use and disclosure of health information.

• Notify employees of their right to access their own data.

• Maintain employees’ medical files separate from personnel files, and keep them in a locked file cabinet.

• Use firewalls and password protection if information is kept online.

• To ensure compliance by third-party providers in handling health information, determine whether plan documents have amendments and contracts between the health plan and service providers.

In addition to those steps, associates also should complete personal health information forms when specific medical conditions occur, or when medical information is presented to the company’s compliance officer.

Personal health information forms should include the following information: documentation of demographics, such as the plan identification number, the employee’s name, date of birth, address and telephone number; the name of the compliance officer and the officer’s relationship to the worker; and a list others named by the staff member who have permission to access medical information, with those individuals’ job titles, organizational names and addresses.

The forms also should indicate what can be disclosed, such as all or parts of the medical information, dates of service and specific instructions, and it should describe the purposes for which the information will be used or disclosed. Those purposes include disability, claim dispute resolution, compliance with laws pertaining to workers’ compensation, flexible spending accounts and the Family and Medical Leave Act.

The forms also should detail the expiration and revocation of the authorization. Use a separate release-of-information form for psychotherapy notes.

Be sure to provide the worker with a copy of the completed form(s).

Failure to comply may result in penalties of up to $250,000 and 10 years in prison. Companies can reduce liability by determining risks and developing and implementing the proper policies and procedures.

Lynne Haggerman is president/owner of Haggerman & Associates, a firm specializing in management training, retained search, outplacement and human resource consulting. She can be reached at lynne@haggermanandassociates.com or haggermanandassociates.com.[[In-content Ad]]