Calfee counsels employers, health plans, health care providers, and health insurers in all aspects of compliance with the Health Insurance Portability and Accountability Act’s (HIPAA) Standards for Privacy of Individually Identifiable Health Information, Standards for Electronic Transactions, Standards for Unique Identifiers and Security and Electronic Signature Standards. Our Employee Benefits, Health Care and Information Technology practice groups permit a multi‑disciplinary approach to HIPAA compliance counseling.
Our attorneys act as HIPAA counsel to a broad range of clients including Akron General Health System, Benjamin Rose Institute, FirstEnergy Corporation, Invacare Corporation, MetroHealth Hospital, Nestlé USA, Inc., Ohio State Teachers Retirement System, Sealy Corporation, the Ohio School Employees Retirement System and Vantage Financial. Calfee attorneys have spoken about HIPAA before national and state associations including the American Health Lawyers Association and Ohio Hospital Association.
Employers and Health Plans
For employers, the first step in formulating a HIPAA compliance strategy is to identify its group health plans and sort them along fully-insured and self-insured lines. Our attorneys counsels employers to take advantage of the virtually complete exclusion from coverage provided to fully-insured plans that do not create or receive protected health information. In order to take advantage of this exclusion, we encourage clients to perform an extensive review of their business and human resources operations to discover any and all functions that they perform using protected health information. Calfee then assists clients in transitioning these functions to outside service providers or performing them with summary health information or de-identified information.
Initially, we ask clients with self-insured plans to weigh the benefits of continuing to maintain their self-insured plans against the burden of HIPAA compliance. If clients do not want to convert to fully-insured plans, Calfee assists them in performing a similar review of business and human resources operations to discover any and all plan administration functions they perform. Generally, we encourage clients to outsource these functions. In the event that a client wants to continue performing these functions, we help the client comply with HIPAA’s plan amendment, firewall and certification requirements. Finally, our attorneys educate clients with self-insured plans about the unique problems under HIPAA arising from the fact that plan sponsors are not “covered entities” — namely, that their plans still need to be brought into compliance with HIPAA’s administrative, business associate, and other requirements.
Providers and Health Plans
We provide ongoing counsel to providers and health plans concerning compliance and breach notification.
Health Care Providers
Our attorneys have extensively counseled health care providers on HIPAA matters. Specifically, we have analyzed HIPAA’s impact on providers’ operations and have created detailed plans for compliance with HIPAA’s privacy and electronic transactions requirements. We have also reviewed providers’ policies and procedures; drafted HIPAA privacy forms including notices, comments, authorizations and business associate agreements; assisted with staff education; and counseled clients on audit requirements, grievance procedures and on-going changes to the privacy regulations.
At Calfee, we recognize that HIPAA’s privacy and electronic transaction regulations pose unique challenges to health insurers. As “group health plans,” health insurers are subject to the full panalopy of HIPAA requirements. In the group policy context, their compliance efforts are complicated by the fact that they must coordinate with customers with varying levels of knowledge about HIPAA. As a result, Calfee believes that HIPAA compliance counseling for health insurers requires a two-prong approach: 1) detail-oriented assistance with drafting and implementing internal operating policies, procedures and forms, and 2) development of a proactive approach for informing customers of their responsibilities under both HIPAA and their group policies.