Self-insured employer health plans, whether administered by the sponsor or by a third party administrator (TPA), need to be in compliance with the amended HIPAA rules, effective September 23, 2013. That date has now passed, and not all employers with self-insured plans are aware of their obligations or have fully complied. Some rely on their TPAs to perform these updates, but a number of the new duties fall squarely on the employer plan and are not performed by the TPA.
The September compliance date for the Final Omnibus HIPAA Rule (the “Rule”) adopted by the Department of Health and Human Services (“HHS”) is a critical one. The Rule extensively modifies the HIPAA privacy, security, breach notification, and enforcement regulations. The Office for Civil Rights characterizes the Rule as “the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.”
These changes, among other things, impact employer-sponsored health plans, since these plans are “covered entities” subject to all of these regulations. The employer should confirm with its benefits and compliance departments and with its TPA (if any), which tasks listed below have been done and which potentially remain open.
First, all health plans need to have an updated Notice of Privacy Practices by September 23, 2013. HHS has made it clear that the Rule requires material changes to the Notice, requiring a new form of Notice.
Second, all health plans must have business associate agreements (BAAs) that comply with the Rule’s new requirements. While some business associate agreements may qualify for the extended compliance deadline of September 23, 2014, others will not. Even for agreements that qualify for the extended compliance date, the health plan’s continued use of old business associate forms may expose it and its sponsor to additional risks that could otherwise be avoided. For example, under the Rule, the plan may actually be liable for violations of the HIPAA privacy and security rules by business associates that are deemed to be agents of the plan, including in data breaches by the business associate. Therefore, business associate agreements should be updated in terms of indemnification, data breach notification provisions, breach insurance, and possibly other requirements. TPAs, for example, will not usually negotiate or amend other service agreements or BAAs of the employer’s self-insured plan besides their own.
Third, policies and procedures for data breach notification must be updated. The Rule expands the scope of data breach notification, and the circumstances in which individuals must be notified of the improper use and disclosure of their protected health information. The “harm threshold” for breach notification has been substantially revised, many commentators say reversed, and those responsible for analyzing potential security breaches need to be familiar with the new threshold and related requirements. Failure to give notices to individuals when required can lead to substantial penalties.
Fourth, the Rule, along with recent enforcement actions by the Office for Civil Rights, puts a new emphasis on privacy and security risk assessment. Health plans that fail to implement a thoughtful information security program based on risk assessment, gap analysis, and reasonable implementation of safeguards now face an increased risk that a “routine” data breach will turn into a finding of “willful neglect,” with associated civil monetary penalties.
Fifth, plans that engage in underwriting should review their underwriting standards, and confirm their compliance with the Genetic Information Nondiscrimination Act (GINA) with respect to the use of genetic test results and other genetic information.
Finally, plan sponsors also should confirm that the plan document contains the required terms concerning the permitted uses and disclosures of Protected Health Information, and confirm that the data released to the plan sponsor does not exceed what is permitted under the privacy rule or the plan document.
Under the revised HIPAA enforcement rule, the government will assess the intent and diligence of covered entities and business associates when a breach or violation occurs. A finding of “willful neglect” can expose a health plan or its business associates to substantial civil monetary penalties. On the other hand, a good faith, thoughtful effort to comply with the rules can reduce the risk of these penalties, even if a breach or violation subsequently occurs.
Of course, appropriate training of personnel must reflect the new requirements and standards of the Rule, including the provisions of the Rule affecting the privacy notices, policies and procedures; breach notification requirements; and vendor management issues related to business associates and BAAs.