2013 Action Items for Group Health Plan Compliance with the Final HIPAA Regulations

Authored by Dannae L. Delano • March 18, 2013

The following action items must be taken to comply with the final HIPAA regulations:

  • Plans must update their HIPAA privacy notice where posted online by September 23, 2013.  The updated privacy notice should also be added to annual enrollment materials or the plan's SPD (if distributed annually).  If the notice is not posted online, it may be added to annual enrollment materials provided those materials are given to participants on or before November 23, 2013.  If the notice is not posted online and open enrollment materials will not be distributed before November 23, 2013, health plan sponsors should add the updated privacy notice to the list of notices that will likely have to be provided this Fall.
  • Plans will need to review their risk assessment procedures and standards to comply with the changes to the breach notification rules and update their privacy and security procedures.  Any breach should be followed by a careful risk assessment that weighs all the facts and guidance provided with careful documentation of the information considered, the decision made, the rationale for the decision and any actions taken to mitigate the breach.  Documentation should be retained in case of an audit.
  • Many plans and business associates enter into agreements that delegate breach notification responsibilities to business associates.  The final regulations are clear that the responsibility to comply with the breach notification procedures rests with the plan, and the plan will be subject to any penalty for failure to provide the notification.  If the risk analysis and notification are delegated to a business associate, the agreement should clarify which party is responsible for the related costs, and both parties may want to approve any communication that contains their name so that each retains control over the content of the message provided to the affected individuals.
  • Plans will also need to update privacy and security procedures to allow for individual requests of PHI in electronic form and in the process consider how electronic PHI is stored so it can be produced quickly.  HIPAA training should be updated so that the appropriate parties are aware of and can comply with this rule.
  • Where a plan thinks it may receive financial remuneration in exchange for participant communication (e.g., a marketing communication), the plan should add the required authorization to open enrollment so that a participant can give his or her authorization to receive the communications at the time coverage is elected.
  • Plans should be aware of how business associates will use and retain plan data, and should consider allowing only de-identified data to be retained and used, so as to avoid violating the prohibition on the sale of PHI.
  • Health plans that have wellness programs or health risk assessments that use family history should review and reconsider the use of family history, since GINA violations are also HIPAA violations and carry much stiffer penalties.  In addition, any HIPAA-excepted benefits that are provided should be reviewed to ensure GINA compliance.
  • Health plans need to reassess their business associates and update their agreements as needed.  Because many plans updated their agreements following HITECH, few updates may be required.  In addition, the agreements should be reviewed not just for the content requirements but for the other changes as well, and plans should consider whether the business associate could be considered the plan’s agent, which would increase the plan's liability.
  • Plans should mitigate HIPAA risk by reviewing their HIPAA privacy and security procedures, conducting new and updated HIPAA training, and taking action on the other items listed, in order to avoid HHS investigations, which are triggered by the audit program, individual complaints and breach notifications.  HHS has assessed penalties against group health plans and health care providers, both small and large, for violations that appear to have been unintentional errors.

For a more detailed summary of the final HIPAA regulations effective September 23, 2013, please click here.