The Privacy Time Bomb
If you provide health insurance, you're sitting on a potential time bomb. That's because on April 14, 2004, tough new privacy regulations under the Health Insurance Portability and Accountability Act of 1996, or HIPAA, go into effect for small companies. You have six months to come into compliance or risk a hefty fine--or even jail time.
The new privacy laws are designed "to prevent employers from using information received in connection with an employee benefit plan when making employment-related decisions, such as hiring, promoting, or firing," says Michele Talka, of the McCart Group, a Duluth, Ga., insurance brokerage. To do so, the law erects a formidable privacy shield around your employees' personal health information. It would be a HIPAA violation, for example, for the person handling insurance claims at a small company to tell the CEO that an employee has cancer, even if it will likely affect the organization's insurance premiums.
How to comply? First, restrict the amount of personal health information that comes into your company--for example, by asking your insurance company to provide only summary health information (SHI) when you obtain premium bids or modify or terminate the plan. You'll also want to make sure that as few people as possible have access to any health-related data. If claims are handled by one person in your organization, only he or she should have access to the data. Next, you have to make sure that all data, whether in paper or electronic form, is protected from unauthorized access--paper records stored in a locked office, for example, and faxes sent only to a dedicated fax machine that others can't read. Finally, you're required to notify your employees of their new privacy rights, which include the right to review and amend their personal health information. Got questions? The government has a special HIPAA page for small companies: www.hhs.gov/ocr/hipaa/smallbusiness.html.
Individuals don't have a right to sue directly under HIPAA, but the Department of Health and Human Services will be ready to investigate complaints. Penalties include fines of up to $50,000 and one year in prison for certain offenses. As of April 14, 2004, ignorance of your employees' personal health information may be more than just bliss--it may also keep you out of trouble with the law.