Given the complexity of legally analyzing HIPAA’s impact to Hawaii providers and health plans, the following represents a basic approach for a Hawaii entity to perform during its covered entity analysis:
- Identify the various entities or components involved in the analysis. The Hawaii entity should list each separate “entity” or “component” within its “system” as a starting point. For example, a hospital system may include the hospital, a parent corporation, a foundation for fundraising, a co-owned ambulatory surgical center, the hospital’s medical staff, and the benefit plans for all system employees. Each entity, its functions, and its ownership/control should be identified.
- Determine whether each identified entity is a covered entity under HIPAA. This determination is made by comparing each entity’s activities and functions to the definition of covered entity. It is possible that a single entity may engage in more than one type of covered function.
- Determine whether the HRC member sponsors one or more employee benefit plans that are covered entities. Most employers will sponsor one or more group health plans that are covered entities under HIPAA, including hospital and medical benefits plans, dental plans, vision plans, health flexible spending accounts, and employee assistance plans, regardless of whether the plans are insured or self-insured plans.
- Determine what each covered entity’s HIPAA obligations are. The specific HIPAA requirements need to be identified, and a compliance plan developed and implemented for the compliance of each covered entity. For example, the specific obligations vary based on whether the covered entity is a direct provider, an indirect provider, a clearinghouse, a group health plan, or other health plan. Additionally, any organizational options (such as an organized health care arrangement or an affiliated covered entity, or designation of a hybrid entity’s health care components) will affect compliance implementation. (See our earlier memorandum for a discussion of hybrid entities and designation of health care components.) The interrelationships of various entities, whether or not covered entities, also must be assessed.
- Determine who is responsible for implementing those obligations. Responsibilities for compliance implementation should be identified and delegated as appropriate. For group health plans, the plan sponsor should determine who has responsibility for ensuring the plan’s compliance. If the employer is the plan administrator, it likely has a fiduciary obligation to ensure that the plan is compliant. Even if the employer is not a fiduciary of the plan, it makes sense for the employer to check that the appropriate parties, such as insurance providers or third-party administrators, are implementing the plan’s obligations under HIPAA.
- Determine whether the plan sponsor requires access to protected health information. The plan sponsor that wants or needs access to its plan’s protected health information must comply with the plan sponsor requirements in 45 CFR §164.504(f) to receive such information from the plan. The plan sponsor must make the required certifications, amend the plan documents, and establish firewalls between plan functions and employer functions.
The goals of the covered entity analysis include streamlining the compliance process, minimizing risk, and taking advantage of economies of scale.
Contact us for your Hawaii HIPAA needs to ensure your in compliance and meeting requirements.