HIPAA
The U.S. Department of Health and Human Services began enforcing the new
medical privacy regulations under the Health Insurance Portability and
Accountability Act of 1996 (HIPAA) in April 2003. HIPAA's privacy
regulations provide a sweeping new set of federal patient rights with
which health plans, health care providers, health care clearinghouses and
other covered entities must comply. Covered entities, including
self-insuring employers and employers who are health plan sponsors, will
need to take at least six actions to comply with HIPAA:
1. Appoint a Privacy Officer;
2. Develop access, privacy and security practices, and develop appropriate
administrative, technical and physical safeguards;
3. Develop and distribute a privacy notice;
4. Develop a privacy complaint process and anti-retaliation policy;
5. Train workers on HIPAA privacy issues; and
6. Develop and sign business associate agreements with vendors, where
applicable.
All employers will need to obtain an employee's authorization to obtain or
disclose personal health information (PHI) needed for certain purposes:
1. Psychotherapy notes needed to carry out treatment, payment and
health care cooperation functions;
2. PHI needed for employment-related purposes, such as a return-to-work
examination or drug testing;
3. PHI needed for purposes related to administering benefit plans other
than a health plan (for example, determining whether an individual is
entitled to a disability benefit from a pension plan);
4. Health information needed from a health care provider to administer
the employer's obligations under the ADA;
5. Medical certification needed to evaluate eligibility for leave and
fitness for return to duty under the FMLA; and
6. Information from one health care provider needed to evaluate claims
payment for services provided by another provider.