|
Look at your April 2006 calendar. If you do not see the word “HIPAA”, dark skies are on the horizon unless you get to work soon.
Two major benefit deadlines loom in April, one each for small and large group health plans. Both deadlines relate to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Small plans ($5 million or less in annual receipts) must comply with HIPAA’s Security Rule by April 21, 2006. This Rule contains 22 Standards, 18 of which pertain to administrative, physical, and technical safeguards. The other four Standards focus on organizational requirements and policies, procedures and documentation. The Security Rule is located at: www.cms.hhs.gov/SecurityStandard/Downloads/securityfinalrule.pdf.
While large plans (annual receipts greater than $5 million) already must comply with the Security Rule, they are not off the hook. These plans must remind participants of the availability of the Notice of Privacy Practices no less than every three years. This requirement is part of the Privacy Rule, effective April 14, 2003, for large plans. Thus, if a large plan has not sent anything to participants since the original deadline, it must do one of the following:
- Send a copy of the Notice;
- Send a reminder of the notice availability and how to receive a copy; or
- Include the Notice in some other publication about its availability and how to obtain a copy.
Those participants who enrolled on or after April 14, 2003 were entitled to the Notice at the time of enrollment. Plans must also reissue the Notice when there are material changes to the Notice. A single Notice may be sent to the home of the primary insured.
The equivalent deadline for small plans is April 14, 2007. The Department of Health and Human Services recently addressed this issue on its Q&A page: http://healthprivacy.answers.hhs.gov. Simply type in 1065 in the Search Text field.
###
News & Review sign-up
sheet | Archive |
