HIPAA, HIPAA, HIPAA

On April 14, 2004, new privacy rules go into effect for smaller businesses. Under the new rules, health related information received in connection with a health benefit plan cannot be used when making employment-related decisions. HIPAA (which stands for Health Insurance Portability and Accountability Act of 1996) mandates a privacy shield around employees' personal health information.



What is a violation of HIPAA? The kind of thing that goes on routinely in most small and midsize privately-owned businesses. Have an employee who contracts a serious disease like multiple sclerosis? Expect your HR clerk to tell you, because it is going to jack up your company's premiums? Think again. That's a violation of HIPAA.



What small and midsize businesses will need to do is build a "Chinese wall." Businesses have to isolate health-related information and keep it separate from other employment-related data. This applies to both hard copy data and electronic data. Businesses have an obligation to keep health information secure and protected from prying eyes.



Health information can only be distributed on a need-to-know basis. And the definition of who needs to know is extremely narrow--just the person handling claims, and not 6 or 8 other employees. Even the person's manager or the business owner(s) shouldn't be in the loop.



For more information about HIPAA, visit the government's special HIPAA Web pages designed for small and midsize businesses.



What do these new rules mean? They suggest a boomlet (in some cases already underway) for certain kinds of service providers:

- A whole field of consultants has popped up. We are seeing more experts in this field, designing entire practices around advising businesses about HIPAA compliance. Just do a search on Google or one of the other major search engines for "HIPAA consultant" or even just "HIPAA" and you will see how many service providers have jumped on the HIPAA bandwagon.

- Lawyers who advise small and midsize businesses need to be aware of the new rules so they can proactively advise their clients.

- Software and Web developers will experience increased demand to make electronic information secure. Especially as the realization sets in as to how far reaching HIPAA can be.

- Outsourcing of handling of health insurance claims will continue to grow--either to insurance administrators or PEOs (professional employer organizations) or similar third parties. HR in general has become so complex that many companies find it cheaper and easier to outsource than to build all that specialized expertise internally.