Aug. 7, 2013 – New regulations will substantially affect employers that sponsor group health plans (and their lawyers) with respect to “protected health information.”
The federal Department of Health and Human Services (HHS) recently published a final omnibus rule (final rule) modifying provisions of the federal Health Information Technology for Economic and Clinical Health Act (HITECH), enacted in 2009.
HITECH significantly modified requirements under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which establishes privacy, security and enforcement standards for the use and disclosure of protected health information (PHI).
The final rule contains many important modifications, with compliance generally required as of Sept. 23, 2013. This article discusses several significant changes affecting employer-sponsored health plans, including the need for employers to update their HIPAA “Notice of Privacy Practices” and to note changes to the privacy breach notification rules.
Other changes relate to an individual’s right to obtain PHI, the ability of health plans to use genetic information for underwriting purposes, and required updates to agreements regarding industry “business associates,” which are certain entities that create, receive, maintain, or transmit protected health information.
Employer Health Plans: Changes to the Notice of Privacy Practices
The final rule includes changes to the requirements for providing a HIPAA “Notice of Privacy Practices” to individuals with employer-sponsored health plan coverage, meaning employers must distribute updated notices to employees.
First, the final rule requires the privacy notice to include a description of certain types of uses and disclosures of PHI that require an authorization, in addition to the statement that other uses and disclosures not described will be made only with an authorization.
Health plans must include a statement that authorization is required for most uses and disclosures of psychotherapy notes, PHI for marketing, and "sales of PHI."
Second, the final rule requires a separate statement in the Notice of Privacy Practices to health plan participants regarding certain activities (if applicable) of a health plan, including statements relating to:
Fundraising activities and the ability to opt out of fundraising communications;
A statement that the health plan may not use or disclose genetic information for underwriting purposes; and
The ability of an individual to restrict PHI if he or she has paid out-of-pocket in full for the applicable services.
Third, the final rule requires employers to include in their Notice of Privacy Practices information pertaining to the health plan's breach notification responsibilities. Specifically, the Notice of Privacy Practices must include a statement that the health plan is required to:
maintain the privacy of PHI;
provide the individual with notice of its legal duties and privacy practices with respect to PHI; and
notify affected individuals following a breach of unsecured PHI.
Todd Cleary (Cornell 1999) is a shareholder in the Employee Benefits Practice Group at Godfrey & Kahn’s Madison and Milwaukee offices. His practice includes compliance with employer-sponsored health plans under HIPAA. Reach him by email at tcleary@gklaw.com, or by phone at (414) 287-9433 or (608) 284-2613.
Employers must ensure that they provide the updated Notice of Privacy Practices in compliance with applicable HIPAA requirements.
For example, employers must update any Notice of Privacy Practices placed on benefits websites. If an employer does not have a website, it must provide hard copies of the notice to participants no later than 60 days after Sept. 23, 2013.
Employer Health Plans: Breach Notification Rules
In the final rule, HHS has departed from the interim breach notification rules in several significant ways. HIPAA defines a "breach" as the acquisition, access, use or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI.
Under the interim breach notification rules, the term "compromises the security or privacy of PHI" means that the acquisition, access, use or disclosure constituted a significant risk of financial, reputational or other harm to the individual.
Thus, under the interim breach notification rules, covered entities perform a risk assessment to determine whether an impermissible acquisition, access, use or disclosure actually resulted in a "breach" of PHI, and notification is required only if a significant risk of financial, reputational or other harm to the individual is identified through the risk assessment. In the final rule, HHS has eliminated the "harm" standard.
Instead, an impermissible acquisition, access, use or disclosure of PHI is presumed to be a breach, unless the health plan or business associate (as applicable) demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors:
The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification. For example, if the PHI involved could be used by an unauthorized individual in a manner adverse to the subject of the PHI (e.g., particularly sensitive health information), it is more likely that PHI will be considered compromised;
The unauthorized person who used the PHI or to whom the disclosure was made. For example, a disclosure made to a person or entity required to abide by the Privacy Rule would make it less likely that PHI has been compromised, since the recipient of the PHI must protect the information in a similar manner as the disclosing entity;
In short, HHS has retained the need for health plans or business associates to perform a risk assessment, but the assessment is more objective.
HHS has not otherwise modified the breach notification requirements in any significant manner. For example, HHS has retained the qualification that breach notification is necessary only if the PHI was “unsecured.”
Thus, no breach notification is required when the PHI that has been impermissibly acquired, accessed, used, or disclosed was encrypted pursuant to HHS guidelines. HHS has also continued to exclude the following incidents from the definition of “breach”:
Unintentional acquisitions, access or uses of PHI by a workforce member or person acting under the authority of a health plan or business associate, if such acquisition, use or disclosure was made in good faith, within the scope of authority, and does not result in a further impermissible use or disclosure under the Privacy Rule;
Updates to Business Associate Agreements
The final rule makes a number of changes to the required terms and conditions of a business associate agreement, which will require health plans and business associates to update existing business associate agreements. In addition to other requirements in a business associate agreement, the final rule provides that the agreement must:
Require the business associate to ensure that subcontractors that create, receive, maintain or transmit electronic PHI on behalf of the business associate agree to comply with the requirements of the Security Rule by entering into a business associate agreement with the subcontractor that complies with the requirements for business associate agreements;
Require the business associate to ensure that any subcontractors that create, receive, maintain or transmit PHI on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such PHI;
Health plans and business associates generally have until Sept. 23, 2013 to update and implement business associate agreements to comply with the new requirements.
However, HHS has opted to grandfather business associate agreements entered into prior to Jan. 25, 2013 and which complied with the requirement in effect as of such date.
Health plans and business associates with such “grandfathered” agreements have until the earlier of Sept. 22, 2014 (an extra one-year transition period) or the date the business associate agreement is modified or renewed after Sept. 23, 2013 to update the grandfathered business associate agreements.
The parties to such grandfathered agreements need to be careful: if they modify or renew the agreement after Sept. 23, 2013, they effectively cut short the extra one-year transition period and must make sure the modified or renewed agreement complies with the new rules.
Importantly, HHS has clarified that agreements with automatic renewal terms will not be deemed to have "renewed" for purposes of determining whether the agreement is eligible for the extra one-year transition period.
Additionally, despite the "grandfathered" status of existing agreements, health plans and business associates must still satisfy the requirements of the final rule as of the compliance date (discussed below) even if such requirements are not reflected in the agreement itself.
While the effective date of the final rule was March 26, 2013, all health plans have 180 days beyond the effective date, that is, until Sept. 23, 2013, to comply with the new requirements. Note, however, that until Sept. 23, 2013, health plans must continue to comply with the breach notification interim rules.
Employers should train their employees as soon as possible to address the final rule’s new requirements. HHS has stepped up its enforcement of HIPAA and is taking a far less lenient approach than previously.
Penalties of up to $50,000 per violation can be triggered even when the violation is due to reasonable cause or if a person does not know that a violation has occurred. A “violation” can occur with respect to each person affected, so the penalties can become large very quickly.
As discussed above, employers with health plans have a lot of work to do. Employers, with the help of lawyers, should carefully review the new rules to determine if any other changes may affect their practices and activities. Meanwhile, business and employment lawyers should advise their clients to take appropriate steps to comply.