April 14, 2004 HIPAA Deadline Approaches for Small Health Plans
Employers that sponsor small health plans must comply with the HIPAA Privacy Rule by April 14, 2004. A small health plan is an insured health plan with $5 million or less of annual health insurance premiums or a self-funded health plan with $5 million or less of annual health care claims paid. Small health plans were not required to meet the April 14, 2003 HIPAA compliance deadline that applied to large health plans and health care providers.
Self-funded health plans such as medical flexible spending accounts and self-funded dental and medical plans, and fully insured health plans that create or receive protected health information, are required to fully implement HIPAA's administrative protections, such as appointing a privacy official, maintaining (and in some cases distributing) a privacy notice, training the workforce, and developing policies and procedures for protecting health information.
Fully insured health plans are not required to implement HIPAA's administrative protections if they limit their contact with protected health information to enrollment information and summary health information.
Employers with small health plans that have not begun their HIPAA compliance process should (1) determine which of their health plans are self-funded and which are fully insured, (2) identify their health plan's use of protected health information, if any, and (3) re-visit their HIPAA compliance obligations.
Claims Advocacy and TPAs
Employers with self-insured plans should also identify their health plan service providers, such as the third-party administrator (TPA) of a medical flexible spending account. If a TPA uses a health plan's protected health information, the plan and TPA will need to enter into a HIPAA business associate agreement, under which the TPA agrees to safeguard the protected health information.
Employers with fully insured plans should also be aware that they often do not have to fully implement HIPAA's protective scheme in order for human resources personnel to help employees resolve health claims issues with insurers; employers can often provide this service to employees if an employee simply signs an appropriate HIPAA authorization.
The April 14, 2004 deadline applies only to small health plans. Employers with covered on-site health care providers, such as health clinics that treat employees and that also conduct electronic billing, claims or referrals, were required to bring their health care provider component into compliance with the Privacy Rule by April 14, 2003. This is regardless of whether the employer sponsored a small health plan or a large health plan.
Update on HIPAA Privacy Complaints
According to the chair of the WEDI/SNIP Security and Privacy Workgroup, a HIPAA workgroup established by the health care industry, approximately 3,000 HIPAA Privacy complaints were filed against covered entities by mid-November 2003 with the Office of Civil Rights of the U.S. Department of Health & Human Services. The most frequently alleged violations in the complaints reportedly include inappropriate disclosures of protected health information in provider settings (such as clinic, hospital, or doctor waiting rooms), the visibility of computer screens of health care workers to other patients or those who pass by, and the failure to provide a privacy notice.
As the Office of Civil Rights has repeatedly stated that it currently intends to enforce the Privacy Rule by complaints received and not by audits, employers should implement sound internal HIPAA complaint procedures in order to resolve complaints at the lowest level. A clear and workable mechanism for managing complaints will help employers avoid more protracted HIPAA dilemmas.
EU Privacy Update
Active enforcement of E.U. data laws has reportedly begun in several European countries. U.S. companies with operations in, or receiving employee or customer data from, firms in Europe should pay appropriate attention to these developments and adjust their privacy practices and compliance accordingly.
The following examples illustrate that after an initial "warm-up" period of several years, European data protection authorities are now issuing fines and not just recommendations, and in some cases are initiating criminal prosecutions to enforce national privacy laws.
The Irish Data Protection Commissioner prosecuted two Irish law firms for failing to register with the Office of the Irish Data Protection Commissioner. The two law firms were put on probation. The reports do not disclose whether a fine was imposed or whether the firms may be at risk of having their license to practice affected, as some reports suggested.
After investigating the extent of law firms' compliance with the Irish Data Protection Act, the Commissioner indicated that his next round of visits would include other relevant sectors, such as education, hospitals and insurance companies.
Registration, called "notification" in European parlance, is a fairly simple process whereby the company enrolls with the data protection authority, identifying how it uses or processes personal data and of what sorts. In many European countries, failing to notify the data authority of a company's data processing activities is a criminal offense.
The following list summarizes businesses that must register with the Irish data authority:
- financial institutions;
- insurance companies;
- direct marketers;
- internet access and telecommunications service providers;
- businesses processing data relating to:
- racial origin,
- political opinions,
- religious or other beliefs,
- physical or mental health (other than such information reasonably kept and used only for ordinary personnel administration purposes),
- sexual life, or
- criminal convictions.
Registration is valid for one year only and must then be renewed.
On December 18, 2003, the Dutch data protection authority (the "CBP") posted on its website findings of its first major compliance review. Almost 60% of the organizations investigated failed to comply with the notification obligation. The CBP imposed fines of up to 15,000 euros (approximately $18,500) on three organizations, and said that it would continue its investigations and enforcement activity in 2004.
The Italian Data Protection Authority ("DPA") recently reported a graphic arts business to criminal authorities because it did not comply with a cease and desist order issued by the DPA. The graphic arts firm violated the Italian Data Protection Code when it sent out unsolicited advertisement emails without the recipients' prior consent.
New Italian Law
On January 1, 2004, Italy enacted a new Data Protection Code. If an entity is processing personal data in Italy (such as the name, address, or salary of employees, customers, or corporate entity data), the following points may be of interest:
The new Code incorporates an extensive list of information that must be disclosed in writing to a data subject (e.g., to the employee or consumer) to obtain a valid consent. The Code for instance requires that the data subject be informed of the purpose and the modalities of the processing, the consequences if the data subject does not provide certain information, the rights the data subject enjoys and whether the data will be transferred abroad.
- Notification of the Italian DPA
By April 30, 2004, data controllers must notify the Italian DPA if they carry out any of the following acts of processing:
- transferring data outside of Italy;
- processing financial and central risk databases and data relating to consumer profiles or use of telecommunication services; or
- processing genetic or sensitive data (data disclosing, physical or mental health conditions, sexual life, political associations).
Notification must be done electronically (with fee of 150 euros), and the form must contain a digital signature.
- Minimum Security Measures
The Code provides that by June 30, 2004, data controllers must comply with the technical and organizational minimum security measures set forth in the Code.
Earlier this year, a Danish court fined a Danish company for sending some 7,600-15,000 unsolicited faxes. The fine of DKK 400,000 (approximately $68,000) was lower that the typical fine of about DKK 100 ($17) per unsolicited fax because of the large number of faxes. It is likely that similar fine standards will apply to unsolicited emails.
Developments In Global Corporate Privacy Policies
Global privacy policies, called binding corporate rules in Europe, appear to offer an interesting alternative for businesses that need to transfer or share personal data of European residents with operations located outside of Europe. A number of large multi-national companies, such as DaimlerChrysler, Accenture, and Philips, after exhaustive efforts, have adopted this approach to governing their cross-border data transfers and processing of personal data between or among their worldwide operations.
Currently, the cross-boarder transfer of such data is restricted and generally only permitted (1) with the individual's specific consent, (2) after the European and non-European entity enter into a data transfer agreement, or (3) after the US business enrolls in the US Safe Harbor framework. However, the E.C. Commission Article 29 Working Party and some data protection authorities have begun to explore the applicability of and requirements for effective binding corporate rules.
The UK Data Protection Commissioner, for example, recently published a briefing paper summarizing the circumstances under which a multinational organization may transfer personal data internationally under binding corporate rules.
The Commissioner lists in the briefing paper the key components that binding corporate rules must address or include to be approved by the Commissioner. Here are some of the more challenging elements:
- Implementation of data protection safeguards that are not less than those provided by the UK Data Protection Act;
- The rules must be enforceable by the UK supervisory authority and grant data subjects certain specific rights (such as the right to access or rectify data and to object to data processing);
- Inclusion of a complaint procedure to handle complaints raised by data subjects;
- The data subjects must be compensated for data privacy breaches, and the UK business entity must accept liability if the rules have been breached by any of the company's operations subject to the rules.
It is not yet certain under what circumstances other European data protection authorities will honor the procedures approved by the UK Commissioner.
Questions about HIPAA issues covered in this update may be directed to:
Mark E. Schreiber, Chair, Privacy Group, 617.239.0585, firstname.lastname@example.org
David H. Johnson, 617.239.0687, email@example.com
Questions about EU Privacy issues covered in this update may be directed to:
Mark E. Schreiber, Chair, Privacy Group, 617.239.0585, firstname.lastname@example.org
Michael Zurcher, 617.239.0678, email@example.com.
The content of this update is general in nature and is not intended as legal advice related to individual situations. Counsel should be consulted for specific legal planning and advice.
©Copyright 2004 Palmer & Dodge LLP