Update on HIPAA Privacy and Other Health Plan Rules

If your company maintains a large health plan, your plan must comply with the privacy rules under HIPAA by April 14, 2003.

If your health plan is self-funded, this means that you have (or will have) amended the plan document, modified business associate agreements, provided privacy notices to employees and taken other steps to comply with the new privacy rules. In most cases, if your health plan is insured, your responsibilities under the privacy rules are limited.

Although the due date is approaching, you have time to make many of the changes required under the privacy rules. If you have any questions about what constitutes a large or small health plan, please review the information below.

If your company maintains a small health plan, the plan must comply with the privacy rules by April 14, 2004.

You have a small plan if the plan has less than $5 million of annual receipts. For a fully insured plan, annual receipts means the total amount of premiums paid during the plan's last fiscal year. For a self-insured plan, annual receipts means the total amount paid for health care claims by the employer during the plan's last fiscal year. For plans that are both insured and self-insured, the amounts paid are combined.

In reviewing whether a plan is a small or large health plan, it is important to review what constitutes a "health plan." For example, if an employer files one Form 5500 for its health, dental and vision benefits, that will constitute one plan.

Regardless of the size of your health plan, there are other new legal requirements that apply. Because many health plans do not comply with legal requirements which are already in effect, these requirements should be reviewed.

These are some of the new requirements for health plans:

• HIPAA contains nondiscrimination rules which currently apply to health plans. The nondiscrimination rules may require a change in eligibility requirements or benefits under your health plan.
• There are new Department of Labor rules which require that specific information be provided in a summary plan document.
• There are new claims procedures for health plans which must be described in the summary plan description or provided as a separate document.
• There are changes to federal law which must be reflected in the summary plan description.
• There are new Department of Labor rules which determine when health plan information can be provided electronically.

In addition to the new rules, there are nondiscrimination rules under the Internal Revenue Code which apply to self-insured plans. Although these are old rules, self-insured plans often fail to comply and that failure may result in tax liability. Finally, the electronic data interchange ("EDI") rules will apply to small health plans, and large plans that requested an extension, on October 15, 2003. The EDI rules standardize how health information is transmitted. Employers will need to confirm that self-funded health plans will be ready to comply with the EDI rules.

Conclusion

The new legal rules impact both plan documents and plan administration. Plan documents are more complicated and are required to contain more legally required provisions. With the HIPAA privacy and EDI rules, employers are subject to new restrictions and responsibilities with respect to their health plans.

If you have any questions about the requirements which apply in your health plan, please contact any of the attorneys in Reinhart's Employee Benefits Department or your own Reinhart attorney."