Last September, the Society for Human Resource Management (SHRM) held a teleconference for its members on the Health Insurance Portability and Accountability Act (HIPAA). Lots of people attended, which is not unusual -- normally SHRM teleconferences draw 300 to 400 people. But for this particular teleconference, 2,500 people called in. Why? Because, says Mary Huttlinger, manager of tax and benefits policy for SHRM, confusion abounds about HIPAA, a wide-ranging Clinton-era regulatory package that the country's largest companies must partly comply with by April 14.

"HIPAA is one of those issues that come in under the radar screen, and once people start to realize who is impacted and responsible for this, they begin to equate it with Y2K," says Huttlinger. Denise Brady, supervisor of health and welfare plans for International Specialty Products Corp. (ISP), Wayne, N.J., and the company's newly appointed "privacy officer," thinks the Y2K analogy doesn't go far enough. "I believe [HIPAA] is much more involved and has many more gray areas," she says.

At the crux of HIPAA is an attempt to make health information management more efficient and to limit disclosure of employee health-related information, particularly to prevent it from being used to discriminate against employees. The sweeping legislation contains loads of requirements, including but not limited to: using electronic data interchange for insurance claims processing; securing insular storage of medical records; and limiting and recording who has access to medical records. It's the type of legislative package that sounds easy and common-sensical but in practice requires mountains of paperwork and countless meetings to implement.

Brady says ISP, an international manufacturer of specialty chemicals with 1,800 employees, has been working on HIPAA compliance for at least 18 months.
In addition to Brady picking up the title and responsibilities of privacy officer, ISP has appointed junior privacy officers and reporting staff at its nine U.S. locations, established a HIPAA grievance committee, held numerous HIPAA training sessions, written HIPAA policy and procedures, established authorization forms and a logging system for records and training, separated all health/benefit files from personnel files, worked with vendors on HIPAA-related compliance, and begun notifying employees of the new laws. HIPAA will give employees more control over health information, Brady says, but "unfortunately, there will be more steps and procedures in place in order for employees to have more control and protection over health information."

Huttlinger says companies the size of ISP are better equipped to handle HIPAA's requirements than small and midsize companies. In addition, in smaller business settings, employees often share job responsibilities and are more informal. That raises the question of where exactly the line for an improper disclosure of employee health information is. "Say someone is in the hospital. Can you tell other employees that this individual is in the hospital?" Huttlinger says. "It's unclear who is covered. Some say for those not in 'managing roles' of processing and tracking health information, it's OK to talk about a co-worker who is in the hospital."

Still, Huttlinger stresses, that's speculation because despite HIPAA's lengthy regulatory requirements, it is unclear about some aspects of health information disclosure, including information related to communicable diseases or toxic exposures. She expects courts, regulatory refinement and lawsuits to eventually reduce the fuzziness. Some companies have chosen to outsource HIPAA compliance efforts while others don't yet grasp all that's required of them, Huttlinger says.
"Unfortunately, we haven't seen the big push from the HR side to understand the issue, understand what they're responsible for and how to come into compliance, and to be comfortable with these responsibilities," she says. "A lot of people don't realize this is something that falls into their lap of responsibility."

HIPAA imposes civil penalties of up to $25,000 a year for violations, and higher criminal penalties and prison time for misusing employee health information. "Employers are opening themselves up to not only fines and penalties, but litigation and negative publicity if they don't comply with HIPAA," says John Knapp, a health law attorney with Cozen O'Connor, Philadelphia. "They need to understand that time is running out. Whether they agree with the new standards or not, the fact remains that they must comply."
- Appoint a privacy officer.
- Amend ERISA plans and file the amended plans with the IRS.
- Identify sources and uses of "personal health information" (PHI).
- Develop policies and procedures to govern the use and disclosure of PHI, both within and outside of the organization.
- Identify business partners that receive PHI from the employer or create PHI on behalf of the employer and establish an agreement that meets HIPAA requirements.
- Develop and hold training programs for applicable employees.