2003 HIPAA Compliance for Small Businesses



  • bgreene,
    Could I also have a copy of your non-retaliation policy?
  • Bgreene

    We instituted an FSA March 1, so now we are scrambling to gather information, sample forms, etc. to formulate a written program.
    I would appreciate it if you would send me a copy of your Non-Retaliation Policy. My email address is: ddavis@farmersmutualofne.com.

    Happy St. Patrick's Day!!
  • I would appreciate a copy of your Non-Retaliation Policy as well. Thank you. My email address is: sklyve@fnbwaseca.com
  • I would appreciate a copy of the Non-Retaliation Policy also, before the HIPAA enforcers swoop in and take me away :-S. My e-mail address is solesen@thewoodlands.org. Many thanks.
  • Would you send a copy of your non-retaliation policy to me as well? lzimmerman@greenwood.actaris.com. We are 101 employees and are just about finished with the HIPAA compliance documents. Not as scary as originally thought. Just took a lot of time on the policy and procedures and which firewalls & safeguards to put into place to safeguard PHI.
    Thanks, Julia
  • I would like a copy of the non-retaliation policy. Email ellenp@omahahomeforboys.org. Thank you!
  • I too would like a copy of your retaliation policy. We are a 100+ small company but still have to be HIPAA compliant. Our legal advisors explained that we needed to identify as "privacy employees" those who also have access to the names of employees who have medical coverage even if they don't have access to personal medical information...for instance, the controller who pays the invoice the insurance company sends in with employee, dependent, SS#, address (PHI) information on the invoice. Anyway, the first 2 years HHS & DOL will oversee HIPAA compliance to be sure companies are acting in good faith before they start imposing severe fines (unless it is a blatant act of negligence). We are almost done, just have to dot a few i's and cross some t's, and we are in compliance for 4/14/04.
  • begreene,
    Thanks for the retaliation policy. Just wanted to check in and see if anyone is putting any other statements, policies, comments, etc. in their handbook? My supervisor is wanting to draft some type of statement or something, but I am not sure what all to put in it (definition of HIPAA, etc.?).

    Any comments?
  • Since everyone is talking about a non-retaliation policy, I have to ask this question....can't you just put a non-retaliation statement in the Privacy Policy??? I don't think this requires a separate retaliation policy....I have taken several classes on this and believe you can combine this into one policy.....As far as putting it in the handbook, we just have a statement saying we will comply with all HIPAA privacy regulations in regard to employee personal information, have safeguards in place, who to contact if they have a complaint, and that there will be no retaliation, etc. It is only a paragraph since the policy is the governing document.....
  • Okay...I have to ask a remedial HIPAA question...

    With all of the HIPAA lingo, I am starting to even confuse myself....

    Is there a difference between a Privacy Notice and a Notice of Privacy Practices? I have drafted our company's Notice of Privacy Practices with our lawyer's approval, but do I also need to draft a Privacy Notice? Or are these two documents considered to be the same thing?

    I hope they are the same thing. I don't know if I will ever get out of HIPAA land.
  • They are the same thing--for our mfg. company we need to have:
    1. Privacy Policy (outlines how you will comply with HIPAA internally and externally, who is Privacy Official, etc.)
    2. Notice of Privacy Practices (goes to employees)
    3. Business Associate Agreements (your vendors that have exposure to PHI agree that they will comply with HIPAA)
    4. Disclosure Release (employees sign to authorize you when handling their PHI)
    5. Disclosure Tracking Log (records PHI released,etc.)
    6. Training for Supervisors/Managers and those who handle PHI...

  • Gayle,
    Thank you for the great listing, but I am a bit confused. You said they are the same thing, yet in your list you listed these two things as separate documents? Am I missing something here?
  • Sorry for the confusion-the Privacy Notice is a separate document from the Privacy Policy-the Privacy Policy is like any other HR policy-written in same format, distributed in same way--the Privacy Notice is different-it is a statement with some required language that goes to employees households....I said the Privacy Notice and the Notice of Privacy Practices are the same thing-different sources refer to those 2 items by one of these names....does this help???
  • I would appreciate receiving a copy of both the Privacy Policy and Privacy Notice. My email address is sklyve@fnbwaseca.com
  • I would also appreciate receiving a copy of both the Privacy Policy and Privacy Notice. My email is Kimberly_Mabry@DRGNetwork.com
  • Gayle,

    We are in the process of updating our policy handbook, and I thought we had everything we needed to be HIPAA compliant; however, you list several other items.
    I hate to ask, seeing that you have been inundated with requests, but would you be kind enough to email me with items 1-5? Thanks in advance.

  • Gayle - I would be most appreciative if I could review your items 1-5 as well as your privacy statement. cnelson@rieke.com Many thanks!!
  • We would like to review your items 1-5 as well if you are willing to share. Thank you Gayle!
  • Gayle, I would also appreciate anything you are willing to share. We are a health care facility and another dept. handled all the compliance related to our residents, but nothing about the employees! My email is holley@epworthvilla.com.

    This totally slipped up on me, as the several meetings I attended about HIPAA never mentioned that having an FSA made you subject to the requirement.

    I learned it from the forum, thank goodness. And thanks to all of you.
  • Does anyone have a job description for the HIPAA Privacy Officer?
  • bgreene,

    Good question...I do not have a formal job description, b/c we will probably use an HR person as a PO but it would be good to add to their job description.

    However, I do have somewhat of a listing of requirements for the PO....what the HIPAA regs say they are required to do. So, if anyone does have a job description I would be interested in viewing it as well.
  • I found a job description for a Privacy Officer on SHRM's website.

    Good Luck
  • Hi Dixie: Thanks for letting me know I'll check it out.
  • OKAY! I am getting so confused...I read one article and it sounds one way; another article sounds another....

    I realize FSAs have been a hot topic, but I was under the impression from talking with certain people that all companies with FSAs are subject to the HIPAA requirements....Well, an article I just read said that only those who administer their own HIPAA plans are subject. We have a TPA that administers our plan...so does this mean we have to be compliant or not? :-?
  • I am referring you to read an article from Littler Mendelson. We use an attorney from their firm for Employment Law. They have an article posted on their site - Compliance Options for Employers Facing the HIPAA Transaction Rule's, by Phillip Gordon. He is their expert on HIPAA requirements. This article will answer your question above about FSAs.


  • Thank you I will check it out.

  • I've found you do have to be HIPAA compliant if you touch PHI (maintain invoices which contain PHI, maintain a medical file containing PHI associated with your health plans, discuss and/or assist employees with health claim issues, etc.)
  • [Last edited on 03-24-04 at 03:59 PM (CST)]

    I have been researching also. FSAs with fewer than 50 participants that are self-administered are exempt. After carefully reading our FSA documents, they have disclaimers stating that the employer is the plan administrator because we do the enrollments, withhold the money from payroll, etc. It plainly states in bold print that the company we pay for services (to pay out the reimbursements) is the "recordkeeper" and NOT the plan administrator or a third-party administrator.

    It may be splitting hairs, but sounds like an exemption to me.

    After writing the above, I read the Littler link and now the EAP is worrisome. There may be no way out of HIPAA!!!

  • I don't think there is any way out of HIPAA either for most companies. Even the TPA is a Business Associate and will need to sign a HIPAA Business Associate Agreement. If you have an insurance broker, you will need a Business Associate Agreement with them as well in order to get their assistance in resolving claim issues.

    This is what I have found :

    If you take the fully insured exception you will need to:
    1. Identify business associates of the plan.
    2. Execute business associate agreements with business associates.
    3. Develop authorization forms that allow the plan to disclose a participant's PHI at the participant's request (for example, to permit employees to assist participants with their claims).
    4. Maintain documentation (i.e., maintain business associate agreements, authorizations and other HIPAA privacy information in written or electronic form for 6 years from date of creation).
    5. Evaluate the impact of HIPAA privacy on non-health-plan operations (i.e., assistance with employee claims, issues relating to drug testing, FMLA, ADA and sick leave requests, workers' compensation; some of these are not covered under the HIPAA privacy law but could be impacted by it and how you relate to it).

    If you are self-insured you will need to:
    1. Appoint/designate a privacy officer and/or privacy contact.
    2. Prepare a HIPAA privacy notice.
    3. Identify Business Associates of the plans.
    4. Execute Business Associate Agreements with Business Associates.
    5. Develop HIPAA privacy policies and procedures.
    6. Execute a HIPAA amendment to your health care plans.
    7. Execute a plan sponsor certification (the employer must sign a certification for each of the plans confirming that the plan documents have been amended to incorporate the HIPAA privacy statement).
    8. Train all employees who will have access to PHI on the HIPAA privacy policies & procedures for the plans.
    9. Distribute the HIPAA Privacy Notice to all individuals covered under the plans by April 14, 2004 and to any new enrollees as they enroll in the plans.
    10. Develop an authorization form (same as #3 in the list above).
    11. Same as #4 in the list above.
    12. Same as #5 in the list above.

    Hope this helps a little. Julia