The Privacy Time Bomb
Comply with HIPAA now or risk big fines later
If you provide health insurance, you're sitting on a potential time bomb.
That's because on April 14, 2004, tough new privacy regulations under the
Health Insurance Portability and Accountability Act of 1996, or HIPAA, go
into effect for small companies. You have six months to get into compliance or
risk a hefty fine, or even jail time.
The new privacy laws are designed "to prevent
employers from using information received in connection with an employee
benefit plan when making employment-related decisions, such as hiring,
promoting, or firing," says Michele Talk, of the McCart Group, a
Duluth, Ga., insurance brokerage. To do so, the law erects a formidable
privacy shield around your employees' personal health information. It would
be a HIPAA violation, for example, for the person handling insurance claims
at a small company to tell the CEO that an employee has cancer, even if it
will likely affect the organization's insurance premiums.
How to comply? First, restrict the amount of
personal health information that comes into your company, for example, by
asking your insurance company to provide only summary health information
(SHI) for purposes of obtaining premium bids or modifying or terminating the
plan. You'll also want to make sure that as few people as possible have
access to any health-related data. If one person in your organization
handles claims, only he or she should have access to the data. Next, you
have to make sure that all data, whether in paper or electronic form, is
protected physically: stored in a locked office or transmitted via a
dedicated fax machine. Finally, you're required to notify your employees of
their new privacy rights, which include the right to review and amend their
private health information. Got questions? The government has a special
HIPAA page for small companies: http://www.hhs.gov/ocr/hipaa/smallbusiness.html
Individuals don't have a right to sue directly
under HIPAA, but Health and Human Services will be ready to investigate
complaints. Penalties include fines of up to $50,000 and one year in prison
for certain offenses. As of April 14, 2004, ignorance of your employees'
personal health information may be more than just bliss; it may also keep
you out of trouble with the law.