HIPAA Electronic Security: Small Health Plan Compliance Date Approaching

March 14, 2006


The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) requires group health plans to protect the confidentiality of participant health information. This requirement is implemented primarily through the HIPAA privacy rules, which govern the use and disclosure of protected health information. However, it is also implemented through the HIPAA electronic security rules, which require group health plans to protect the confidentiality, integrity, and availability of “electronic protected health information” (“ePHI”) that they create, receive, maintain, or transmit.

The general effective date for the electronic security rules was April 21, 2005. However, the compliance deadline for small health plans is April 21, 2006. A “small health plan” is one with annual receipts not exceeding $5 million, measured by premiums paid for a fully-insured plan and by claims paid for a self-insured plan. Administrators of small plans should begin the compliance process now by taking the following steps to ensure that ePHI is protected:

  • The security rules require the group health plan to perform a risk analysis to identify how ePHI is handled and to assess the confidentiality, integrity and availability of ePHI in operation. This risk analysis should be done in conjunction with the plan’s information technology specialists.

  • After the risk analysis, any problem areas must be isolated and corrected. This can include changes to technology as well as adjustments to administrative procedures and workspace safeguards.

  • Group health plans that already have HIPAA privacy policies and procedures in place can build on those existing structures to address the adjustments required by the security rules.

  • Plan administrators should use this opportunity to review the policies and procedures currently in place and to update plan documents and business associate agreements to comply with the security rules.

  • Plan administrators should consider whether it is feasible to limit or eliminate ePHI at the employer level to minimize the impact of the security rules on the employer.

  • Plan administrators should coordinate with the group health plan’s third party administrator or insurer to limit or eliminate ePHI where possible and to confirm that the third party administrator or insurer is itself compliant with the security rules.

  • Where ePHI cannot be eliminated, plan administrators should consider implementing security procedures, such as using passwords, to protect ePHI.

The Centers for Medicare and Medicaid Services (“CMS”), the agency responsible for enforcement of the security rules, has indicated that all standards and implementation specifications should be in place by the compliance date, since CMS does not anticipate that there will be an extension of the effective date of these rules. The enforcement process is expected to be similar to the process currently in place for the HIPAA privacy and electronic data interchange rules.
