April 2006 HIPAA Security Deadline for Small Plans

The security provisions of the HIPAA Administrative Simplification Rules (the "Security Rule") go into effect for small health plans on April 20, 2006. A plan is a small health plan if it has annual receipts of $5 million or less. For an insured plan, receipts will equal the amount of premiums paid for the year. For a self-insured plan, receipts will equal the total claims paid for the year.

Under the Security Rule, covered entities, including group health plans, must protect the confidentiality, integrity and availability of electronic protected health information ("ePHI"). The Security Rule requires covered entities to implement administrative, physical and technical safeguards to protect ePHI in their care. The Security Rule affects how plans transmit, record or store participants' protected health information through electronic means. The Security Rule includes the following requirements:

  1. Security Officer. Plan sponsors must appoint a security officer.
  2. Plan Amendments. If plan sponsors intend to receive ePHI, they should prepare plan amendments that allow them to receive ePHI. Plan sponsors may also receive de-identified health information (health information that does not identify a connection to a plan participant) electronically or receive PHI through non-electronic means to avoid the burdens of complying with the Security Rule.
  3. Business Associate Agreements. Plan sponsors must enter into updated business associate agreements with plan service providers.
  4. Administrative Safeguards—Policies and Procedures. Plan sponsors must conduct a risk analysis regarding their use of ePHI and adopt administrative safeguards in the form of written policies and procedures, outlining how the health plan will protect ePHI. These safeguards will be specific to each health plan and its circumstances. The Security Rule provides standards and implementation specifications for compliance with this requirement.
  5. Technical and Physical Safeguards. Plan sponsors must conduct and document a review of technical and physical safeguards with respect to their office spaces and computer systems. The Security Rule also includes standards and implementation specifications for these requirements.
  6. Training. Plan sponsors must ensure that any employees handling ePHI are trained to comply with the changes required by the Security Rule.

The requirements of the Security Rule will be limited for those plans that contract with a third party administrator that handles a majority of the plan's administration. Those plans that are self-administered should confirm that the plan office is prepared to comply with the requirements of the Security Rule.

