The Health Insurance Portability and Accountability Act (HIPAA) includes administrative simplification standards that are intended to streamline industry inefficiencies, reduce paperwork, and protect the security and privacy of individual health information.

There are three components to HIPAA’s administrative simplification standards:

  • Security Standards
  • Privacy Standards
  • Electronic Data Interchange (EDI) Standards

Most cities with employer-sponsored health plans need to comply with certain aspects of the security and privacy rules. They also need to enter contracts with any business associates that work with the city on group health plans, such as third party administrators and/or the city’s agent, broker, and/or benefits consultant.

The League, in cooperation with the attorneys at Hitesman & Wold, P.A., developed the following tools to help member cities with HIPAA compliance activities.

HIPAA assessment tool

Since most cities offer some type of employer-sponsored health plan—including a health plan, dental plan, medical reimbursement plan under the city’s cafeteria plan, etc.—your city will likely have to comply with some of HIPAA’s privacy and security standards.

Before your city can determine if it is subject to the HIPAA privacy and security requirements, an assessment of each of the city’s benefit plans must be conducted. Each of the city’s health plans must be reviewed independently because one plan could be subject to full HIPAA requirements while another may only need to meet minimal requirements.

To help determine the status of your city’s health plans as a covered entity, the League has a flow chart to lead you through a HIPAA assessment. It is available on request from [email protected].

Policies and procedures templates

HIPAA requires covered entities to have policies and procedures reflecting HIPAA’s privacy and security mandates. City health plans that are subject to HIPAA must have policies and procedures that reflect these mandates.

If a city sponsors more than one health plan, HIPAA allows for the city to designate these plans as an Organized Health Care Arrangement (OHCA). This allows the city to satisfy the HIPAA privacy requirements together, as if they are a single covered entity.

Templates of required policies and procedures are available to member cities at no charge on request from [email protected].