Legal Bulletins
HIPAA Privacy Regulations Take Effect: Compliance Required by April 14, 2003
On April 12, 2001, the Secretary of the Department of Health and Human Services (HHS) announced that the HIPAA privacy regulations would take effect as scheduled, on April 14, 2001. The regulations require most health plans to comply by April 14, 2003, although small health plans (those with $5 million or less in annual receipts) will have until April 14, 2004.
The HHS announcement noted that there would be clarifying guidelines, or recommended modifications, in three areas: sharing information among the doctors and hospitals treating a patient; efficient delivery of patient care unhampered by the requirements surrounding consent forms; and parent access to health information relating to their children. Changes in these areas are not likely to have any significant impact on the requirements relating to employers and their health plans.
The HIPAA privacy regulations will affect virtually all employer health plans and will require changes to plan documents, changes in operations, and the creation of new policies and procedures.
The HIPAA privacy regulations are part of a broader set of "administrative simplification" regulations that encourage health care providers, and require health plans, to use electronic transactions and uniform code sets. Most health plans will be required to use the electronic transactions and uniform code sets by October 16, 2002.
Insured health plans and self-funded plans with third-party administrators should contact their insurers or third-party administrators to find out how much assistance will be provided to the plan in complying with the administrative simplification requirements, and should contact their employee benefits counsel to monitor the insurers' or administrators' compliance efforts. Self-funded plans that are administered in-house should contact their employee benefits counsel to begin working toward compliance. Compliance will take time and effort, and all plans should start the process early, to ensure that they will be able to comply by the October 16, 2002 and April 14, 2003 (or April 14, 2004) deadlines.
For more information on electronic transactions and uniform code sets, see our article "Employers Need to Comply with New HIPAA Regulations," and for more information on the HIPAA privacy regulations, see our article "HIPAA Privacy for Employers and Their Health Plans," both on this website.