Department of Health and Human Services

Questions & Answers

Answer ID: 494
Category: Privacy of Health Information/HIPAA; Business Associates; Compliance Dates; Covered Entities; Smaller Providers/Small Businesses; Transition Provisions
Date Updated: 04/06/2004 10:25 AM

  Question
  Are there Privacy Rule compliance deadlines in 2004?
  Answer
  Yes, there are two deadlines for compliance with the HIPAA Privacy Rule on April 14, 2004:

· "Small health plans" (health plans with annual receipts of $5 million or less) must be in compliance with the Privacy Rule; and

· Covered entities (including small health plans) must, where required, have in place with their business associates written contracts or arrangements that meet Privacy Rule requirements.

Small Health Plans. Small health plans that are subject to HIPAA received an additional year – until April 14, 2004 – to come into compliance with the Privacy Rule. See 45 CFR 164.534(b)(2). These small health plans should already be familiar with HIPAA and should have assessed their covered entity status, since they have also been subject to the requirements of the HIPAA Transactions and Code Set Standards since October 2003.

Plans that are self-administered and have fewer than 50 participants are excluded from HIPAA’s Administrative Simplification requirements. (See the Answer to the FAQ "Must all small health plans comply with the Privacy Rule?") The Department of Health and Human Services’ (HHS) "Am I a Covered Entity?" decision tool, available at the HHS Office for Civil Rights (OCR) website, http://www.hhs.gov/ocr/hipaa, and also at
http://www.cms.hhs.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp, helps entities determine whether they are health plans or other HIPAA covered entities. These materials, hundreds of FAQs, and a wide range of other guidance and materials to assist covered entities in complying with HIPAA and the Privacy Rule, are available at the OCR website.

Business Associate Agreements. As of April 14, 2004, whenever the Privacy Rule requires covered entities to have written contracts or other arrangements with their business associates, these documents must include provisions that comply with Privacy Rule requirements. As modified in August, 2002, the Privacy Rule provided most covered entities with up to one additional year – or until April 14, 2004 – to amend written contracts or other written arrangements that existed prior to October 15, 2002, to meet the Rule’s business associate requirements. (Unless they renewed automatically, contracts or other written arrangements were not eligible for this transition period if they were renewed, modified or newly entered into on or after October 15, 2002.) See 45 CFR 164.532(d) and (e). To assist covered entities in meeting these requirements, OCR has published a Fact Sheet regarding compliance with the Privacy Rule’s business associate requirements, sample business associate contract provisions, and a number of related Answers to Frequently Asked Questions, all of which are available on the OCR website at http://www.hhs.gov/ocr/hipaa.