Jackson Lewis

CMS Clarifies Compliance with the HIPAA Security Obligations for Sponsors of Group Health Plans

Employers sponsoring group health plans have had to come to grips with the compliance requirements under the Health Insurance Portability and Accountability Act administrative simplification regulations governing the privacy, security and electronic transmission of "protected health information." Many of these plan sponsors, however, were able to take advantage of the administrative safe harbor under the privacy regulations for plans that (i) are fully insured and (ii) with respect to which the plan sponsor has no access to protected health information. 

While this same safe harbor does not exist under the security regulations, Centers for Medicare and Medicaid Services (CMS) officials have informally clarified the roles of group health plan sponsors in complying with HIPAA's security rules. CMS officials stated:

The employer must go through the risk analysis required by the HIPAA security rules to determine if any of their computer systems contain [any protected health information to which the security rules apply, i.e., electronic protected health information (e-PHI)]. Assuming no e-PHI was discovered during the analysis, based on the flexible standards of the HIPAA security rules there would not be much more for the employer to do.

A similar analysis is also likely to apply to self-funded group health plans that do not receive e-PHI from their third-party administrators or any other business associate.

This guidance, albeit informal, further supports that the first step of any group health plan in the HIPAA security regulation compliance process is to determine what, if any, e-PHI it maintains. In this regard, the plan should appoint a security officer to make this determination. (A security officer must be a single individual, but may be the same person as the privacy officer.) If no e-PHI is discovered, that fact should be documented and maintained with the plan's HIPAA compliance records. Plan documents and business associate agreements should, however, still be amended for the security regulations. Of course, if e-PHI is found, the plan must then fully comply with all of the standards under the security rule.

Please note that the statements of CMS officials discussed above were made informally and do not represent the official position of the agency.

Copyright © 1998-2010 Jackson Lewis LLP