Part I: Overview of HIPAA Standards and Requirements
To improve the efficiency and effectiveness of the health care system, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, included Administrative Simplification provisions that required HHS to adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security. At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information.
- HHS published a final Privacy Rule in December 2000, which was later modified in August 2002. This Rule set national standards for the protection of individually identifiable health information by three types of covered entities: health plans, health care clearinghouses, and health care providers who conduct the standard health care transactions electronically. Compliance with the Privacy Rule was required as of April 14, 2003 (April 14, 2004, for small health plans).
- HHS published a final Security Rule in February 2003. This Rule sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information. Compliance with the Security Rule was required as of April 20, 2005 (April 20, 2006 for small health plans).
- The Enforcement Rule provides standards for the enforcement of all the Administrative Simplification Rules, including civil money penalties and the procedures for investigations and hearings.
- In January 2013, HHS published the final Omnibus Rule, which implements a number of provisions of the HITECH Act to strengthen the privacy and security protections for health information established under HIPAA, extends direct liability for many of those requirements to business associates, and finalizes the Breach Notification Rule.
View the Combined Regulation Text – PDF (as of March 2013). This is an unofficial version that presents all the HIPAA regulatory standards in one document. The official version of all federal regulations is published in the Code of Federal Regulations (CFR). View the official versions at 45 C.F.R. Part 160 – PDF, Part 162 – PDF, and Part 164 – PDF.
The other HIPAA Administrative Simplification Rules, covering the transaction and code set standards and the unique identifier standards referred to above, are administered and enforced by the Centers for Medicare & Medicaid Services.
Understanding, deciphering, and making practical sense of these requirements is altogether another story. Employers that sponsor group health plans that are HIPAA covered entities have a range of legal and regulatory mandates with which they must contend. Broadly, these mandates fall into three camps corresponding to the rules described above: the Privacy Rule (together with the Breach Notification Rule), the Security Rule, and the Enforcement Rule.
Part II: HIPAA Complete, a Comprehensive Solution for Compliance
Meet HIPAA Complete, The Baldwin Group’s answer to HIPAA compliance for covered entities. If you sponsor a self-funded or partially self-funded core benefits platform (including level-funded arrangements), then you should get acquainted with HIPAA Complete. HIPAA Complete offers employers a single shop, with one point of contact and resolution, for developing and implementing a comprehensive HIPAA regulatory compliance plan. Working with a national team of specially trained practitioners, HIPAA Complete brings the employer’s compliance obligations into a single stream of work, coordinating compliance operations on behalf of the employer under one roof, including security operations. Read on to discover how this solution covers the bases for HIPAA Privacy and Security Rule compliance for covered entities.
HIPAA Complete offers HIPAA covered entities a single-source compliance solution for Privacy and Security. Designed to satisfy the multiple administrative simplification provisions of HIPAA, the solution contains the elements of each of these important administrative requirements, as detailed below and organized according to the Four A’s methodology: Appointments, Assessments, Adoptions, and (Business) Associates.
Part I: Appointments
Privacy Officer. The Privacy Rule requires each covered entity to designate a privacy official. HIPAA Complete provides consultation and management support for the selection and appointment of that individual, including a custom HIPAA Privacy Officer Job Description and guidance on choosing the appropriate person or persons for this vital task (timing is approximately one week).
Security Officer. The Security Rule likewise requires each covered entity to designate a security official responsible for its security policies and procedures. HIPAA Complete provides consultation and management support for the selection and appointment of that individual, including a custom HIPAA Security Officer Job Description and guidance on choosing the appropriate person or persons (timing is approximately one week).
Designated Individuals. Defined as those individuals within the covered entity who require access to PHI and/or e-PHI to perform their essential job functions, a covered entity’s selection and designation of its Designated Individuals is one of the most important tasks of the HIPAA compliance implementation process, because it sets the boundary of who may handle plan PHI. HIPAA Complete includes consultation and management support for the selection and designation of these individuals (timing is approximately one week).
Privacy Contacts. Each covered entity must identify appropriate Privacy Contacts within its organization who can answer participant and employee questions and respond to complaints, requests for information, and requests for additional privacy protections. HIPAA Complete subscribers are coached on the selection and orientation of this contact team (timing is approximately one week).
Part II(a): Assessments
Training & Assessment. Each HIPAA covered entity must appropriately and adequately train its officers, designated individuals, and privacy contacts on the scope and content of its written HIPAA Privacy and Security Policies & Procedures. HIPAA Complete offers three different types of training, one for each of these groups, in a variety of delivery formats.
Training Modules. Officer training consists of four modules that take approximately three hours in total to complete. Designated individuals complete two modules, taking approximately two hours. For privacy contacts, basic HIPAA Privacy Rule refresher training is available in a single module that takes approximately one hour.
Delivery Modes. Training is delivered through regularly scheduled live group webcasts held once per month (rotating through the four comprehensive training modules), through pre-recorded webcast presentations, and, for an additional fee, through live on-site training sessions.
Time to Completion. It is estimated that a medium-sized employer can complete all training requirements for their team within four to six weeks, depending largely upon the selected delivery mode.
Part II(b): A Risk Assessment is Required
The Security Rule also requires each covered entity to conduct and document an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its e-PHI, commonly called a Security Risk Assessment. Many vendors do not offer a solution for this requirement because it calls for a comprehensive, working knowledge of prevailing security standards. The Baldwin Group includes performance of the required Security Risk Assessment as part and parcel of the HIPAA Complete solution. For this aspect of the solution, we use the free Security Risk Assessment (SRA) Tool published by the US Department of Health and Human Services. Subscribers download the free software to a laptop or desktop computer, open the application, and follow the question-and-answer prompts to populate the assessment. At the conclusion of the assessment, the software produces a written report for download that documents the assessment for purposes of the Security Rule’s documentation requirement. Note that HHS states that use of the tool is neither required by nor itself a guarantee of compliance: the report is only as good as the accuracy and thoroughness of the answers given, and the risks it identifies must then be addressed through the entity’s risk management plan.
Training & Consultation Support. HIPAA Complete subscribers are provided with an instruction module designed to orient them to the software package, along with comprehensive advisory support for any questions that arise during the assessment process.
Timing. While the assessment is admittedly lengthy, HIPAA Complete subscribers have all necessary information on hand to move through the questions at a steady pace, typically requiring no more than two to three hours of the subscriber’s time to complete the full assessment.
Recurrence. Once the written Security Risk Assessment report is obtained, the subscriber updates the assessment whenever the employer changes its hardware and/or software configurations, whenever a significant security incident or breach occurs, and periodically in any event, since the Security Rule treats risk analysis and evaluation as ongoing obligations rather than one-time events.
Part III: Adoptions
Required Adoptions. The HIPAA Administrative Simplification provisions require each covered entity to draft and adopt reasonable and appropriate written policies and procedures governing the handling (creation, receipt, maintenance, and transmission) of all PHI/e-PHI arising from plan operations. Further, the covered entity must train its officers, designated individuals, and privacy contacts on the directives incorporated within the written policies and procedures.
Living Documents. HIPAA policy and procedure documents are “living documents,” so a single round of preparation and drafting is the exception rather than the rule. An organization’s policies and procedures should be reviewed at least annually, and in any event whenever the organization modifies the physical, administrative, and/or technical safeguards designed to protect the confidentiality, integrity, and availability of its PHI/e-PHI, with the documents updated to match.
Custom Policies and Procedures Prepared In-house at BRP. HIPAA Complete offers a full suite of written HIPAA Privacy and Security Policies and Procedures, custom drafted by one of our HIPAA specialists for each HIPAA Complete subscriber, including all logs and guides, template breach letters, an employee sanctions policy, a breach notification worksheet, and others.
Time to Completion. Preparation time for a subscriber’s policies and procedures is highly client specific and depends largely on the level of engagement of each client. For highly engaged clients, written policies and procedures may be ready for adoption within four to six weeks, but production may take as long as twelve to sixteen weeks for a less engaged client.
ERISA Adopting Documents. Covered entities also must draft and adopt several ERISA-required documents to make the organization’s policies and procedures effective with respect to the employer’s employee benefit plans. This is accomplished via three documents:
- Summary of Material Modifications;
- Action of the Board of Directors; and,
- A written Plan Amendment.
HIPAA Complete subscribers also receive a prepared copy of each required ERISA adopting document, along with their customized written policy and procedure manuals.
Part IV: Business Associates
Satisfactory Assurances. Lastly, HIPAA requires each covered entity to obtain satisfactory assurances that each vendor partner that creates, receives, maintains, or transmits PHI on its behalf also adheres to HIPAA’s privacy and security standards, just as the employer is charged to comply. Each such vendor partner (a “business associate”) must agree to implement the required and addressable administrative, physical, and technical safeguards for the PHI/e-PHI it handles, while adhering to HIPAA’s minimum necessary standard. These satisfactory assurances are memorialized through mutual adoption of an effective business associate agreement (“BAA”). Since the 2013 Omnibus Rule, business associates are also directly liable for their own compliance with the Security Rule and applicable Privacy Rule provisions, but the covered entity’s obligation to have a compliant BAA in place remains.
Business Associate Agreement Development Support. HIPAA Complete subscribers receive a customized BAA template they may use when contracting with their vendors. Subscribers are also entitled to BAA drafting and adoption consultation and support with the assistance of their assigned HIPAA Specialist. The HIPAA Complete solution comes standard with consultation and support for the adoption of three (3) unique BAAs; where a subscriber requires support for more than three BAAs, the client may incur an additional fee.
Part III: Questions & Additional Support
Additional Regulatory Support
In closing, please note that a variety of public and private informational resources are readily available to assist employers in the performance of their HIPAA-related duties. The resources listed below are published and maintained by the HHS Office for Civil Rights (OCR), are offered free of charge, and may assist with your ongoing HIPAA compliance efforts:
Employer Resources Related to HIPAA Requirements
- Overview of HIPAA’s Privacy Rule Requirements
- Overview of HIPAA’s Security Rule Requirements
- Understanding HIPAA’s Breach Notification Rule Requirements
- Submission of HIPAA Breach Notifications to the Secretary of HHS
Additional Support
To obtain additional support for performance of these and other HIPAA requirements mandated by the Security and Privacy Rules, please reach out to your local service colleague or your client advisor. The Baldwin Group maintains an extensive suite of support solutions and advisory guidance capabilities relating to a covered entity’s HIPAA privacy and security obligations. The Baldwin Regulatory Compliance Collaborative (the “BRCC”) also offers a carefully curated range of consultative and advisory support solutions related to the administration of US-based employee benefit plans, programs, and other offerings.
Contact Us
To obtain HIPAA-related support, including subscription details for HIPAA Complete, The Baldwin Group’s proprietary solution for HIPAA Privacy & Security Rule compliance, please contact HIPAA Complete as follows:
Natashia Wright
Associate Director of Compliance HIPAA Complete
Email: Natashia.Wright@baldwin.com
For more information
We’re ready when you are. Get in touch and a friendly, knowledgeable Baldwin advisor is prepared to discuss your business or individual needs, ask a few questions to get the full picture, and make a plan to follow up.
This document is intended for general information purposes only and should not be construed as advice or opinions on any specific facts or circumstances. The content of this document is made available on an “as is” basis, without warranty of any kind. The Baldwin Insurance Group Holdings, LLC (“The Baldwin Group”), its affiliates, and subsidiaries do not guarantee that this information is, or can be relied on for, compliance with any law or regulation, assurance against preventable losses, or freedom from legal liability. This publication is not intended to be legal, underwriting, or any other type of professional advice. The Baldwin Group does not guarantee any particular outcome and makes no commitment to update any information herein or remove any items that are no longer accurate or complete. Furthermore, The Baldwin Group does not assume any liability to any person or organization for loss or damage caused by or resulting from any reliance placed on that content. Persons requiring advice should always consult an independent adviser.
The Baldwin Group offers insurance services through one or more of its insurance licensed entities. Each of the entities may be known by one or more of the logos displayed; all insurance commerce is only conducted through The Baldwin Group insurance licensed entities. This material is not an offer to sell insurance.