March 19, 2004
The Health Insurance Portability and Accountability Act (HIPAA) generated quite a buzz across the nation around this time last year. Health care providers and insurers issued a flurry of privacy notices to patients and subscribers through the mail and at doctor's office visits. Although HIPAA was directed mainly at health care providers and insurance companies, many employers were concerned that, because they sponsored group health plans or received medical information regarding their employees, they would have to implement a number of new policies and procedures in order to be compliant with HIPAA's rules and regulations. As stated in our April 2003 legal alert discussing this issue, HIPAA has a limited effect on employers because they are not considered "covered entities" under HIPAA. Covered entities include health plans, health care clearinghouses, and health care providers. Employers providing health insurance to their employees through fully insured health plans do not fit within these categories.
However, there was still some uncertainty as to how the Department of Health and Human Services would treat employer-sponsored flexible spending account and cafeteria plans under HIPAA. The Department of Health and Human Services has now clarified that issue and has stated that flexible spending account and cafeteria plans are covered by HIPAA because they fall within the statutory definition of a group health plan. A group health plan is covered by HIPAA if it pays for medical expenses, has 50 or more participants and is not self-administered. As group health plans, those flexible spending accounts and cafeteria plans (50 or more participants and third party administered) fall within the definition of small health plans. Small health plans are defined as plans that have receipts of $5 million or less. These plans must become HIPAA compliant by the April 14, 2004 deadline or risk fines or other penalties.
In order to become compliant with HIPAA, a group health plan must:
- Notify patients about their privacy rights and how their information can be used.
- Adopt and implement privacy procedures for the plan.
- Train employees so that they understand the privacy procedures.
- Designate an individual to be responsible for seeing that the privacy procedures are adopted and followed.
- Secure patient records containing individually identifiable health information so that they are not readily available to those who do not need them.
- Amend the plan document to include language regarding the group health plan's obligations under HIPAA.
The Department of Health and Human Services recognizes that, based on the size of and information received by a group health plan, the amount of effort expended to comply with these requirements must necessarily vary. For small health plans or flexible spending account plans, where limited individually identifiable information is received, the standards implemented by the plan do not have to be as involved as they would be in a health care practice or other setting where complete medical records on patients are maintained. In fact, the training requirements contemplated by HIPAA could be satisfied by simply providing employees with a copy of the privacy policy and documenting that they have reviewed the policies.
Many employers have third party administrators for their flexible spending account or cafeteria plans. Utilizing third party administrators does not relieve employers, as plan sponsors, of their obligations to comply with HIPAA's requirements, and the burden is on the group health plan sponsor, not the third party administrator, to ensure that privacy policies and procedures are adopted, privacy notices are distributed, and plan documents are amended. We recommend that employers, as sponsors of small group health plans, enter into "business associate" agreements with their third party administrators in order to ensure that third party administrators are compliant with HIPAA's requirements. Such agreements will protect employers in the event of any breaches of the HIPAA rules by third party administrators. A covered entity, such as the group health plan, is not required to monitor or oversee the means by which a business associate carries out its responsibilities under the law or the extent to which the business associate abides by the privacy requirements of the contract. A covered entity is also not responsible or liable for the actions of its business associate. If, however, a covered entity learns of a violation by its business associate, it has an obligation to require the business associate to correct the violation and, if the business associate refuses to make such a correction, to report the violation to the Department of Health and Human Services.
Employers who have flexible spending account plans or cafeteria plans have until April 14, 2004 to adopt and implement the required safeguards. If you have any questions regarding the issues addressed in this alert or would like assistance in meeting HIPAA's requirements with regard to flexible spending accounts and cafeteria plans, please contact James A. Spitz, Jr. (585-419-8640 or jspitz@harrisbeach.com), Melissa Fingar (585-419-8715 or mfingar@harrisbeach.com), or the Harris Beach attorney with whom you usually consult.
This legal alert provides brief analysis or comments on matters of labor and employment law. This legal alert does not purport to be a substitute for advice of counsel on specific matters.