March 2, 2006

HIPAA Alert For Health Plans: Upcoming Compliance Deadlines

Holland & Knight Alert
Shannon Britton Hartsfield

Adhering to HIPAA’s requirements demands ongoing and vigilant effort. Some health plans have specific compliance deadlines in 2006. Health plans (other than small health plans) were required to comply with HIPAA’s Privacy Rule by April 14, 2003, and with the Security Rule by April 20, 2005. Small health plans (with annual receipts of $5 million or less) had an extra year to comply, which means that, as of April 20, 2006, small health plans must ensure that they have taken adequate measures to protect their electronic health information. These measures include appointing a security official, implementing technical safeguards, making sure business associate agreements contain the required language, and implementing numerous other specific requirements set forth in the regulations.

Another deadline is coming up for some large health plans. Compliance with the Privacy Rule included providing enrollees with the health plan’s Notice of Privacy Practices. Under the Privacy Rule, health plans are required to notify enrollees of the availability of the plan’s Notice of Privacy Practices and how to obtain the notice at least once every three years. Thus, if a health plan has not provided such notice to the health plan’s enrollees since the initial compliance deadline, the required notice must be given to them by April 14, 2006.
