The Health Insurance Portability and Accountability Act (HIPAA) requires protection for individually identifiable health information (otherwise known as Protected Health Information (PHI)). Under the Privacy Rule, individuals are entitled to certain rights with respect to their PHI, and covered entities must comply with certain administrative requirements to protect the privacy of PHI. While employers generally are not covered entities their health plans are, and employers who sponsor a self-insured health plan, Flexible Spending Account plan and/or a Health Reimbursement Arrangement plan administered by a third party must comply with these privacy and security requirements. To satisfy the Privacy Rule, employers/plan sponsors accepting PHI must, among other things, (a) specify that disclosure of PHI is permitted only upon receipt of written certification, (b) establish an adequate “fire wall” around employee PHI, (c) provide certification that the Plan Document includes necessary restrictions and, (d) provide a HIPAA Privacy Notice to their employees. In addition, to satisfy the HIPAA Security Rule the employer must have in place certain safeguards, policies and procedures to protect the security of electronically transmitted and electronically stored PHI.
January 7, 2016 @ 9:00 am – 10:00 am