Action Required to Comply with Final HIPAA Regulations
June 20, 2013
Attention Group Health Plan Sponsors: Action Required to Comply with Final HIPAA Regulations
Group health plan sponsors have been focusing to a great extent upon the various significant requirements imposed by the Patient Protection and Affordable Care Act, most notably the “play or pay” provisions which become effective in 2014. However, such sponsors with self-insured plans (including FSAs and HRAs) also need to focus upon changes to the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules which become effective later this year.
Earlier this year, the Department of Health and Human Services (HHS) published a final rule modifying HIPAA, as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Genetic Information Nondiscrimination Act (GINA). Group health plans, as well as their business associates, are subject to various changes and generally must comply by September 23, 2013. Accordingly, prompt action is recommended.
The rules are of less concern to fully insured plans, since in those cases plan sponsors rarely receive protected health information (PHI) other than enrollment and summary information. Under those circumstances, most HIPAA privacy and security compliance responsibility rests with the insurer. However, it is of significant relevance to self-insured health plans maintained by an employer, since the employer then has access (either directly or through a third party administrator) to the medical information of its employees and is responsible for complying with HIPAA’s privacy and security rules.
This Bulletin is not intended to provide an exhaustive summary of the changes. Rather, it is intended to highlight the most significant changes and to suggest action steps.
The final regulations change the rules for the business associates of group health plans. Third-party administrators and other consultants or health plan service providers that have access to PHI in performing services are now directly liable for the civil and criminal penalties for certain violations of HIPAA. Previously, a business associate's compliance obligations arose only contractually, under its written agreement with the covered entity. Therefore, business associates must establish and maintain policies and procedures to implement the required safeguards. Business associates must enter into written agreements with group health plans and with their own subcontractors to ensure compliance with HIPAA. Business associates will also often have a major role in breach notification compliance for group health plans.
The final rule allows for a transition period to renegotiate and revise existing agreements. Generally, agreements in place as of January 25, 2013 that are not renewed or modified before September 23, 2013 are considered to be compliant until they are renewed or modified, or September 22, 2014 if earlier. Agreements renewed or modified before September 23, 2013 must comply by September 23, 2013. The HHS website contains a revised model business associate agreement.
The final regulations implement rules under GINA as it applies to the use and disclosure of PHI by group health plans and business associates. PHI that is genetic information may not be used or disclosed for underwriting purposes.
Privacy Policies and Procedures
Self-funded health plans are required to have policies and procedures in place to protect PHI from unauthorized use and disclosure. Some of those policies and procedures will need to be revised to reflect the new requirements.
Notice of Privacy Practices
Notices of Privacy Practices will need to be updated to include the following:
• Individuals will be notified upon a breach of PHI.
• The use or disclosure of genetic information for underwriting purposes is prohibited.
• Written authorization is required for disclosures for marketing purposes and for the sale of PHI.
The notices will need to be revised and posted on the employer’s website, and copies of the revised notice should be provided to participants and beneficiaries.
The final regulations modify the factors that plans and business associates are to take into account in conducting a “risk assessment” to determine whether a breach requiring notice to affected individuals, the Department of Health and Human Services, and in some cases the media, has occurred. A breach requiring notice will be presumed to have occurred whenever PHI maintained by the plan or business associate is acquired, accessed, used or disclosed in a manner that violates the privacy rule. This presumption may be rebutted if the plan or business associate can demonstrate, pursuant to factors provided under the regulations, that there is a “low probability” that PHI has been compromised. The previous standard, which required the violation to pose a “significant risk” of financial, reputational or other harm to the individual, was eliminated.
The regulations include the civil and criminal penalties that apply to HIPAA violations by group health plans and their business associates. Monetary penalties vary according to the number of violations, the cause of such violations, and whether the group health plan or business associate takes timely action to correct the violation. Civil penalties can be up to $1.5 million per year for each violation of a standard or requirement. HHS will continue to conduct random audits and investigate complaints, and increasingly aggressive enforcement is expected.
Action Items for Group Health Plans
The regulations require immediate action by employers sponsoring self-insured group health plans and their business associates. Plans need to:
• Update their HIPAA Policies and Procedures, and related administrative forms, to reflect the final rules.
• For breach notification, replace the “significant risk” standard with the “low probability” standard in conducting a risk assessment.
• Confirm that genetic information is not used for underwriting purposes.
• Update Notices of Privacy Practices.
• Train personnel who have access to PHI.
• Review business associate agreements and incorporate the final rule’s new requirements. Keep in mind the one year transition rule described above.
Business associates will need to come into compliance with the new rules as well, including establishing policies and procedures of their own. Business associates will also need to enter into business associate agreements with their subcontractors. In that connection, business associates should identify which of their subcontractors will access, use or disclose PHI in performing their services. Business associates should also consider whether their existing liability insurance provides coverage for HIPAA violations and whether new or additional coverage is needed.
Please contact any member of the Health Care Group if you need assistance in complying with the new HIPAA requirements applicable to self-insured group health plans.