HIPAA: Dealership compliance with the Medical Information Privacy Rule

November 22, 2010
The Medical Information Privacy Rule (hereafter, the Privacy Rule) issued by the U.S. Department of Health and Human Services (HHS) implements the Health Insurance Portability and Accountability Act (HIPAA). The Privacy Rule sets standards governing the use or disclosure of individually identifiable health information, referred to as protected health information (PHI), to help prevent it from being misused in employment decisions and to protect the privacy rights of individual participants in health plans subject to the Rule. HHS has the authority to enforce the Privacy Rule, primarily by responding to complaints. Violations are potentially subject to both civil and criminal penalties.

To understand the Privacy Rule, dealers must:
• Determine if the health plans they sponsor are fully insured or self-funded;
• Identify which dealership employees, if any, handle protected health information; and
• Recognize how and when those employees use, disclose or request PHI.

Protected health information, or PHI, is health information maintained or received in any form by an entity subject to the Privacy Rule (known as a covered entity) that relates to an individual's medical care and is, or could be, identified with that individual. PHI includes information about a person's past, present or future physical or mental health or condition; the person's health care; or past, present or future payments for the provision of the person's health care. PHI must be disclosed upon request to the individual (or authorized representative of the individual) whose information it is, and to HHS during a compliance review or enforcement action. There are numerous circumstances where PHI may be used or disclosed. When in doubt, a written authorization should be obtained from the individual whose information is to be used or disclosed.

PHI may include summary health information (SHI), i.e., claims and expense data from which individual identifiers have been stripped. SHI summarizes individuals' claims history and expenses and should be used only to modify or terminate plans or to seek new plan or coverage bids.

Examples of employees who handle PHI include human resources personnel who assist plan participants with health claim status questions, final claims arbitrators for self-funded plans, reviewers of Third Party Administrator claims handling practices, and health plan administrators. Most dealerships should handle little, if any, PHI.

Under the Privacy Rule, employers themselves are not regulated. However, covered entities include health plans sponsored or funded by employers. The exact compliance requirements that a plan or plan sponsor must meet depend on the plan's structure, the types of PHI it receives, and the types of PHI it shares with others. Health plans subject to the Rule include group health plans, health insurance issuers and HMOs providing medical, dental and/or vision coverage, flexible spending accounts, and employee assistance plans. Most dealership-sponsored or -funded health plans are small health plans (defined as having $5 million or less in annual receipts) and must comply with the Privacy Rule by April 14. Further, most dealerships sponsor fully insured health plans. Such plans typically have extensive compliance obligations under the Privacy Rule, but the sponsoring dealerships do not.

The above information is excerpted from an NADA Management Bulletin, "HIPAA: Dealership Compliance with the Medical Information Privacy Rule." To order the publication, call the NADA at 800-252-6232, ext. 2. Cost is $2.50 for NADA members plus shipping.