Legal Alerts

18 Mar 2013

2013 HIPAA Compliance for Group Health Plans

In late January, the Department of Health and Human Services (HHS) issued final regulations that significantly modify the HIPAA privacy, security and enforcement regulations.  These final regulations are generally effective September 23, 2013, although transition provisions allow longer periods for compliance in some cases.  The final rules affect the following:  HIPAA privacy notices, security breach notification rules, individuals’ rights regarding their protected health information (PHI), marketing communications, enforcement, and business associate agreements and the entities that are considered business associates.  The following discusses the changes made by the final rules and the action items group health plan sponsors should take to comply with them.  HIPAA compliance for group health plans should be a priority now that HHS is auditing covered entities, including group health plans, for HIPAA compliance; with increased enforcement and penalties, noncompliance can result in significant penalties of up to $50,000 for each violation.

The Changes

Privacy Notices.  HIPAA privacy notices must be updated for new content required by the regulations, including information regarding notification for breaches of unsecured PHI, new uses and disclosures that require authorization, and notification of the prohibition on using or disclosing genetic information for underwriting purposes.  Updated notices must be posted on the plan’s website by September 23, 2013.  If the notice is currently posted on the plan’s website, then notices must also be delivered to participants as part of the plan’s next annual mailing following the date the notice is posted on the website.  If the notice is not currently posted on a website, notices must be delivered to participants by November 23, 2013 (within 60 days of the September 23, 2013 effective date).

Security Breach Notification.  Effective in September of 2009, if a health plan experienced a breach of unsecured PHI, certain notification rules had to be followed if the breach posed a “significant risk of financial, reputational, or other harm to the individual.”  The new regulations require notification if the breach “compromises” the security or privacy of the PHI.  In place of the significant risk of harm standard, HHS clarifies in the new rules that notification is required unless there is a low probability that the security or privacy of the PHI has been compromised.  In the event of a breach, a plan must conduct a risk assessment to determine whether notification is required.  The new rules provide factors to consider during the risk assessment that are very similar to the factors set forth in the final rules.  Finally, there is no longer an exception for breaches of limited data sets that do not contain birth dates or zip codes.  A risk assessment must be conducted for any breach that involves a limited data set.

Individual Rights.  Individuals still have the right to access their PHI within specific timeframes, but under the new regulations, if the PHI is maintained electronically, participants may request access to the PHI in electronic form.  In addition, an individual may request that a designated third party receive the PHI, and the plan must comply provided the request is in writing and signed by the requesting individual.

Marketing Communications.  Plans are currently required to obtain an individual’s authorization to use PHI to make communications for marketing purposes with certain exceptions.  The new regulations modify this requirement by providing that if a health plan receives financial remuneration in exchange for the communication, the individual’s authorization is required and must acknowledge that remuneration is involved.  The new regulations also add an exception to this requirement for authorization for refill reminders or other communications about a drug currently prescribed for an individual even where the plan received financial remuneration from a pharmaceutical company provided that the remuneration is reasonably related to the cost of the communication.  Finally, authorization is now required if the plan sells PHI and the authorization must acknowledge that remuneration is involved.

Enforcement.  Enforcement is expanded under the new regulations, including making health plans liable for business associate actions where an agency relationship exists (under the current rule the plan is only liable if it knew of a pattern of activity or practice that constituted a breach of its obligations) and making business associates directly liable for privacy and security requirements (before HITECH, business associates were only contractually liable).  The rules also treat certain violations of the Genetic Information Nondiscrimination Act (GINA) as HIPAA privacy violations, which increases the potential penalties for GINA violations.  The final rules also provide that the GINA restrictions apply to both group health plans and HIPAA excepted benefits, such as limited scope dental and vision benefits, supplemental plans, long term care coverage, and disease only plans.

Business Associates.  Business associates now include health information organizations, e-prescribing gateways, and other entities that provide data transmission services to a health plan and require access to PHI on a routine basis.  In addition, personal health record vendors that offer personal health records on behalf of the plan are also business associates.  Under the new regulations, business associate subcontractors are required to enter into business associate agreements with the business associate.  An entity that does not require access to PHI on a routine basis and is acting as a mere conduit for the transport of PHI is not considered to be a business associate, but the new regulations make it clear that this exception is narrow and meant to apply to mere courier services and internet providers.  Business associates and subcontractors are directly liable for certain HIPAA violations and are contractually liable for other requirements outlined in a business associate agreement.  Finally, business associate agreements may need updating for certain new content requirements, and there is a transition period for updating these agreements.  Where a business associate agreement was already in place as of January 25, 2013, the agreement must be updated by the earlier of:  (1) the next renewal after September 23, 2013; or (2) September 23, 2014.  While the substantive HIPAA rules still apply as of September 23, 2013, the transition rule allows later documentation compliance.  HHS has provided a sample business associate agreement based on the new regulations.

Action Items

The following action items must be taken to comply with the final HIPAA regulations:

  • Plans must update their HIPAA privacy notice where posted online by September 23, 2013.  The updated privacy notice should also be added to annual enrollment materials or the plan’s SPD (if distributed annually).  If the notice is not posted online, it may be added to annual enrollment materials provided those materials are given to participants on or before November 23, 2013.  If the notice is not posted online and open enrollment materials will not be distributed before November 23, 2013, health plan sponsors should add the updated privacy notice to the list of notices that will likely have to be provided this Fall.
  • Plans will need to review their risk assessment procedures and standards to comply with the changes to the breach notification rules and update their privacy and security procedures.  Any breach should be followed by a careful risk assessment that weighs all the facts and guidance provided with careful documentation of the information considered, the decision made, the rationale for the decision and any actions taken to mitigate the breach.  Documentation should be retained in case of an audit.
  • Many plans and business associates enter into agreements that delegate breach notification responsibilities to business associates.  The final regulations are clear that the responsibility to comply with the breach notification procedures rests with the plan, and the plan will be subject to any penalty for failure to provide the notification.  If the risk analysis and notification are delegated to a business associate, the agreement should clarify which party is responsible for the related costs, and both parties may want to approve any communication that contains their name in order to maintain control over the content of the message provided to the affected individuals.
  • Plans will also need to update privacy and security procedures to allow for individual requests of PHI in electronic form and in the process consider how electronic PHI is stored so it can be produced quickly.  HIPAA training should be updated so that the appropriate parties are aware of and can comply with this rule.
  • Where a plan thinks it may receive financial remuneration in exchange for participant communication (e.g., a marketing communication), the plan should add the required authorization to open enrollment so that a participant can give his or her authorization to receive the communications at the time coverage is elected.
  • Plans should be aware of how business associates will use and retain plan data and consider only allowing de-identified data to be retained and used to avoid the prohibition on the sale of PHI.
  • Health plans that have wellness programs or health risk assessments that use family history should review and reconsider the use of family history, since GINA violations are HIPAA violations and much stiffer penalties apply.  In addition, any HIPAA excepted benefits that are provided should be reviewed to ensure GINA compliance.
  • Health plans need to reassess their business associates and update their agreements as needed.  Because many plans updated agreements following HITECH, there may be few updates required.  In addition, the agreements should be reviewed not just for content requirements, but the other changes as well, and should consider whether the business associate could be considered the plan’s agent, which would cause increased liability for the plan.
  • Plans should mitigate HIPAA risk by reviewing HIPAA privacy and security procedures, conducting new and updated HIPAA training, and taking action on the other items listed, to avoid HHS investigations, which are triggered by the audit program, individual complaints and breach notifications.  HHS has assessed penalties against group health plans and health care providers, both small and large, for violations that appear to be unintentional errors.

This E-Alert is intended as an informal summary of certain recent legislation, cases, rulings and other developments. This E-Alert does not constitute legal advice or a legal opinion and is not an adequate substitute for advice of counsel. This E-Alert is not intended to nor does it create an attorney-client relationship. The choice of a lawyer is an important decision and should not be based solely upon advertisements. If this E-Alert is deemed to be an advertisement, please disregard this solicitation if you have already engaged a lawyer in connection with the legal matter referred to in this solicitation. You may wish to consult your lawyer or another lawyer instead of us. The exact nature of your legal situation will depend on many facts not known to us at this time. You should understand that the advice and information in this solicitation is general and that your own situation may vary. This statement is required by rule of the Supreme Court of Missouri.