Tagged ‘HIPAA’

HIPAA: Update Your BAAs Now

Right now–in fact, this very minute–would be an excellent time to double-check your group health plan’s business associate agreements for compliance with the latest HIPAA privacy and security regulations. Covered entities that had written agreements with business associates in place prior to January 25, 2013 have enjoyed a grace period of deemed compliance with the most recent regulations concerning documentation of BAAs. September 22, 2014 marks the end of this transitional period. If your group health plan took advantage of this grace period, there’s still time to get your BAAs in order before the deadline runs out!

HIPAA Busts: Avoid Them By Learning from the Mistakes of Others

The Importance of HIPAA and PHI Compliance

HIPAA has become a topic of intense interest to the Department of Health and Human Services, which recently published its annual report to Congress on breaches of unsecured protected health information (“PHI”). Reviewing data from 2009-2012, HHS noted that the three most significant causes of a breach of unsecured PHI were theft of electronic devices or paper records, loss of electronic media or paper records, and unauthorized access or disclosure of records containing PHI. In particular, theft of laptop computers containing unsecured PHI remains a persistent problem.

How can plan sponsors reduce the risk of a breach of unsecured PHI? Some practical suggestions may be found in the report’s summary of remedial steps taken by entities that reported a HIPAA breach involving the PHI of more than 500 individuals.  These HIPAA compliance suggestions include:

  • Performing a risk assessment;
  • Adopting encryption technologies;
  • Installing new security systems;
  • Relocating equipment and records to a more secure area;
  • Training workforce members who handle PHI;
  • Performing a new risk assessment;
  • Updating business associate agreements to include more detailed provisions concerning the protection of health information;
  • Providing free credit monitoring to customers.




Health Plan Identification Numbers (HPID): Large Group Health Plans Must Obtain Them by November 2014

Health Plan Identification Numbers Required by November 2014

Self-insured group health plans are required to obtain health plan identification numbers (HPID).  Health Plan Identification Numbers are required for each “controlling health plan” or CHP and may be used by a “subhealth plan” (SHP).  Under 45 CFR 162.103, a CHP is a plan that (i) controls its own business activities, actions or policies or (ii) is controlled by an entity that is not a health plan and, if it has an SHP, exercises sufficient control over the SHP to direct its business activities, actions or policies.  An SHP is a health plan whose business activities, actions or policies are directed by a CHP.  Most self-insured group health plans are likely to qualify as controlling health plans.

If all goes as planned, the use of standardized HPIDs will help health care providers to determine eligibility, process bills and perform other insurance-related tasks more efficiently by increasing automation and decreasing the time spent on interactions with health plans.   In addition to requiring business associates to refer to the HPID when performing certain tasks for a covered entity, the Department of Health and Human Services suggests that the HPID could be used by health plans on internal files and health insurance cards in order to facilitate the smooth processing of claims and detect fraud and abuse.

The deadline for large plans (those with annual cost of $5 million or more) to apply for an HPID is November 5, 2014. Small group health plans must apply for an HPID by November 5, 2015.