In late January 2013, the Department of Health and Human Services (HHS) issued final regulations (the "omnibus rule") that significantly modify the HIPAA privacy, security, breach notification and enforcement regulations. Compliance with the final regulations is generally required by September 23, 2013, although transition provisions allow longer periods for certain items. The final rules affect: HIPAA privacy notices, security breach notification rules, individuals' rights regarding their protected health information (PHI), marketing communications, enforcement, and business associate agreements and the entities that are considered business associates. The following discusses the changes made by the final rules and the action items group health plan sponsors should take to comply. HIPAA compliance for group health plans should be a priority now: HHS is auditing covered entities, including group health plans, for HIPAA compliance, and with increased enforcement, noncompliance can result in significant civil penalties, up to $50,000 for each violation.
Privacy Notices. HIPAA privacy notices must be updated for new content required by the regulations, including information regarding notification of breaches of unsecured PHI, the new uses and disclosures that require authorization, and a statement that genetic information may not be used or disclosed for underwriting purposes. If the plan posts its notice on a website, the updated notice must be posted there by September 23, 2013, and must also be delivered to participants in the plan's next annual mailing following the date the notice is posted. If the plan does not post its notice on a website, the updated notice must be delivered to participants within 60 days of the September 23, 2013 compliance date, i.e., by November 22, 2013.
Security Breach Notification. Under the interim final rule effective in September 2009, if a health plan experienced a breach of unsecured PHI, notification was required only if the breach posed a "significant risk of financial, reputational, or other harm to the individual." The final rules replace that harm standard with a presumption: an impermissible use or disclosure of PHI is presumed to be a breach requiring notification unless the plan demonstrates that there is a low probability that the PHI has been compromised. To make that showing, the plan must document a risk assessment that considers at least four factors: (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the PHI or to whom it was disclosed; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated. These factors are similar to those discussed in the 2009 interim final rule. Finally, the exception for breaches of limited data sets that do not contain birth dates or zip codes has been eliminated; a risk assessment must be conducted for any breach that involves a limited data set.
Individual Rights. Individuals continue to have the right to access their PHI within the required timeframes, but under the new regulations, if the PHI is maintained electronically, an individual may request a copy in electronic form, and the plan must provide it in the form and format requested if readily producible (or in a readable electronic form agreed to by the individual). In addition, an individual may direct the plan to transmit a copy of the PHI to a designated third party, and the plan must comply provided the request is in writing, is signed by the individual, and clearly identifies the designated recipient and where to send the copy.
Marketing Communications. Plans are currently required to obtain an individual's authorization before using PHI to make communications for marketing purposes, subject to certain exceptions. The new regulations modify this requirement: if a health plan receives financial remuneration from a third party in exchange for making the communication, the individual's authorization is required and the authorization must state that remuneration is involved. The new regulations also add an exception to this authorization requirement for refill reminders or other communications about a drug or biologic currently prescribed for the individual, even where the plan receives financial remuneration from a pharmaceutical company, provided that the remuneration is reasonably related to the plan's cost of making the communication. Finally, authorization is now required for any sale of PHI, and that authorization must state that the plan will receive remuneration in exchange for the PHI.
Enforcement. Enforcement is expanded under the new regulations. Health plans are now liable for the acts of business associates acting as their agents under the federal common law of agency (under the prior rule a plan was liable only if it knew of a pattern of activity or practice by the business associate that constituted a material breach of its obligations and failed to act). Business associates are now directly liable for compliance with the Security Rule and with the Privacy Rule provisions that apply to them (before HITECH, business associates were only contractually liable). The rules also treat certain violations of the Genetic Information Nondiscrimination Act (GINA) as HIPAA privacy violations, which increases the potential penalties for GINA violations. Under the final rules, the GINA prohibition on using or disclosing genetic information for underwriting purposes applies to group health plans and to HIPAA excepted benefits such as limited-scope dental and vision benefits, supplemental plans and disease-only plans; issuers of long-term care policies are the one category of health plan excluded from the underwriting prohibition.
Business Associates. Business associates now expressly include health information organizations, e-prescribing gateways, and other entities that provide data transmission services to a health plan and require access to PHI on a routine basis. In addition, personal health record vendors that offer personal health records on behalf of the plan are business associates. Subcontractors of a business associate that create, receive, maintain or transmit PHI on its behalf are themselves business associates and must enter into business associate agreements with the business associate. An entity that does not require access to PHI on a routine basis and acts as a mere conduit for the transport of PHI is not a business associate, but the new regulations make clear that this exception is narrow and is meant to apply to courier services and similar transmission services such as internet service providers, not to entities that store or maintain PHI. Business associates and subcontractors are directly liable for certain HIPAA requirements and are contractually liable for the other obligations set out in their business associate agreements. Finally, business associate agreements may need updating for new content requirements (for example, the business associate's obligations to comply with the Security Rule, to report breaches of unsecured PHI, and to obtain agreements from its subcontractors), and there is a transition period for updating these agreements. Where a compliant business associate agreement was already in place as of January 25, 2013, and is not renewed or modified between March 26 and September 23, 2013, the agreement must be updated by the earlier of: (1) the date the agreement is next renewed or modified on or after September 23, 2013; or (2) September 22, 2014. The substantive HIPAA rules still apply as of September 23, 2013; the transition rule only allows the documentation to catch up later. HHS has published sample business associate agreement provisions reflecting the new regulations.
The following action items must be taken to comply with the final HIPAA regulations:
This E-Alert is intended as an informal summary of certain recent legislation, cases, rulings and other developments. This E-Alert does not constitute legal advice or a legal opinion and is not an adequate substitute for advice of counsel. This E-Alert is not intended to and does not create an attorney-client relationship. The choice of a lawyer is an important decision and should not be based solely upon advertisements. If this E-Alert is deemed to be an advertisement, please disregard this solicitation if you have already engaged a lawyer in connection with the legal matter referred to in this solicitation. You may wish to consult your lawyer or another lawyer instead of us. The exact nature of your legal situation will depend on many facts not known to us at this time. You should understand that the advice and information in this solicitation is general and that your own situation may vary. This statement is required by rule of the Supreme Court of Missouri.