January 18, 2005

Employee Benefits and Executive Compensation Update:
HIPAA Security Regulations Compliance Required By April 20, 2005

Larger group health plans should comply with the HIPAA Security Regulations no later than April 20, 2005. The following provides background information useful as a starting point in achieving compliance.

I. The Security Regulations in General.

Compliance with the Security Regulations requires group health plans to take various actions. These include:

  • Identifying a security official responsible for preparing the required security policies and procedures;

  • Preparing policies and procedures designed to prevent security violations and permit appropriate access to electronic protected health information;

  • Implementing a security awareness and training program;

  • Amending business associate agreements to add provisions necessary for the business associates to implement appropriate security measures; and

  • Amending plans to require the plan sponsor to implement security safeguards.

II. Electronic Protected Health Information.

The Security Regulations protect "Electronic Protected Health Information."

"Protected Health Information" refers to individually identifiable health information that is created, received, maintained or transmitted by a group health plan.

"Electronic" means that the information is maintained in Electronic Media or transmitted by Electronic Media.

"Electronic Media" means electronic storage media, including computer hard drives and any removable or transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card. Electronic Media also includes Transmission Media used to exchange information already in electronic storage media.

"Transmission Media" include, for example, the Internet, extranet (using Internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable or transportable electronic storage media. It is important to note that certain transmissions, including paper delivery, facsimile, voice (via telephone) and similar transmissions, are not considered to be transmissions via electronic media. This is so because the information being exchanged did not exist in electronic form before the transmission.

III. Preliminary Inquiry Re: Development of Policies and Procedures.

If you desire our assistance with HIPAA Security Regulations compliance, we would want to know on a preliminary basis the following information in order to begin creating the necessary policies and procedures:

 
  1. What types of items of Electronic Protected Health Information are maintained by the plans?

  2. Where is this Electronic Protected Health Information (and each backup copy) kept?

  3. Who at the plan sponsor works with the Electronic Protected Health Information?

  4. Is it necessary for each of those individuals to be involved in plan administration?

  5. From where is the information received? (Is it all created in-house?)

  6. Is the information transmitted? If so, where?

  7. By what means is the information transmitted?

  8. How is the information accessed?

  9. As the systems are currently set up, can individuals besides the individuals identified above access the information?

  10. The Regulations require the plans to appoint a "security official" who will have oversight authority with regard to the policies and procedures. We would need to discuss who will be designated to fulfill that role.

      *                      *                      *                      *

Only lawyers may properly give you legal advice, and the Schiff Hardin lawyers listed below are prepared to provide you with counsel with regard to this important legal matter.

 

Schiff Hardin Employee Benefits and Executive Compensation Group
Lauralyn G. Bengel
312.258.5670
lbengel@schiffhardin.com
Neal A. Mancoff
312.258.5699
nmancoff@schiffhardin.com
Michael F. Tomasek
312.258.5604
mtomasek@schiffhardin.com
Glenn D. Gunnels
404.806.3812
ggunnels@schiffhardin.com
Edward Spacapan, Jr.
312.258.5788
espacapan@schiffhardin.com
David H. Williams
404.806.3810
dwilliams@schiffhardin.com
Charlene M. Kelly
312.258.5615
ckelly@schiffhardin.com
Margaret A. Strothkamp
312.258.5620
mstrothkamp@schiffhardin.com
Gladys C. Zolna
312.258.5748
gzolna@schiffhardin.com
 
Schiff Hardin LLP
6600 Sears Tower
233 S Wacker Drive
Chicago, IL 60606
     
1230 Peachtree Street
18th Floor
Atlanta, GA 30309
 
© 2004 Schiff Hardin LLP

This publication has been prepared for general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter. Under the Illinois Rules of Professional Conduct, it may be considered advertising material.
