In January 2013, the Department of Health and Human Services (HHS) released final regulations updating the Health Insurance Portability and Accountability Act (HIPAA) to reflect changes to the HIPAA Privacy and Security Rules, breach notification requirements, and restrictions on the use of genetic information as provided under the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and the Genetic Information Nondiscrimination Act (GINA). This client advisory addresses how these changes impact employer-provided medical plans. The final rules are effective March 26, 2013, but covered entities like employer-sponsored health plans have until September 23, 2013 (or, with respect to business associate agreement modifications for agreements that were in place prior to January 25, 2013, the earlier of contract renewal or September 22, 2014) to comply with the final rules. Although some of these changes codify practices many health plans had in place prior to these new rules, this advisory highlights key areas of focus and is a refresher on the rules.
Actions with Respect to Business Associates
Summary of Major Changes Affecting Business Associates
- The term “business associates” now includes (1) entities that “maintain” protected health information (“PHI”) on behalf of a covered entity, even if the entity does not access the PHI, (2) data transmission services with respect to PHI that require routine access to such PHI, and (3) entities that offer a personal health record to one or more individuals on behalf of a covered entity.
- Business associates (and their subcontractors) are now directly liable under HIPAA for impermissible uses and disclosures of PHI, failure to comply with the requirements of the HIPAA Security Rule, and failure to provide (i) breach notification to the plan sponsor, (ii) access to electronic PHI, (iii) PHI when required by the Secretary of HHS to investigate or determine the business associate’s compliance with HIPAA, or (iv) an accounting of PHI disclosures.
- Business associates are required to enter into business associate agreements (BAAs) with their subcontractors (and subcontractors with their subcontractors) under which the subcontractors agree to safeguard PHI and abide by HIPAA.
What Should a Plan Sponsor Be Doing Now?
Review all BAAs to determine if they contain all the necessary provisions required under the final regulations, as described below. Consider whether any additional provisions should be added to BAAs that, while not legally required, may be designed to ensure business associates, and their subcontractors, meet their HIPAA responsibilities and that the health plan is protected from liability resulting from business associate actions, as discussed below.
New Business Associate Agreement Requirements
- Comply with the Security Rule.
- Report breaches of unsecured PHI to the health plan sponsor.
- Ensure that any subcontractors that create or receive PHI on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to the PHI.
Business Associate Agreement Considerations
- While a covered entity is not required to enter into a BAA with a business associate’s subcontractor, it might be beneficial for the covered entity to understand who is handling its PHI. Consider requiring notification be provided to the covered entity when a business associate enters into a BAA with a subcontractor.
- Depending on what obligations are delegated to a business associate (or a business associate subcontractor), the covered entity may be liable for the business associate’s actions. Consider what kind of indemnification the business associate should provide to the covered entity, and whether the covered entity wants to require the business associate to indemnify the plan for subcontractor actions as well.
- A covered entity may want to delegate its breach notification responsibilities to its business associate. If so, consider the extent to which the covered entity should retain the ability to approve the business associate’s breach severity determination and breach notification communications and procedures. If the covered entity will handle the breach notification process itself, consider the appropriate timing for the business associate to provide the covered entity with information in connection with the breach. In either case, the covered entity may want to provide for access to a business associate’s records and allow investigation of the business associate if the business associate reports a breach.
Notice of Privacy Practices
Employer-sponsored health plans are required to update their Notice of Privacy Practices (NPP) to reflect the following HIPAA provisions. If an NPP already reflects these provisions (for example, an updated NPP was distributed when the revised HIPAA rules were initially published in proposed form in 2009), then nothing new needs to be done now.
- An individual’s PHI may not be sold without the individual’s written authorization.
- An individual’s PHI may not be used in connection with paid marketing activities without the individual’s written authorization.
- Plans have a duty to notify affected individuals of a breach of unsecured PHI.
- An individual may restrict disclosures of PHI to a health plan with respect to health care for which the individual has paid out of pocket in full.
- Uses and disclosures of PHI not otherwise provided for in the NPP may only be made with individual authorization.
- An individual’s genetic information may not be used for underwriting purposes (this is discussed further under Genetic Information).
The NPP may only be distributed electronically if the participant has consented to receive the NPP electronically. Participants can opt in to receiving the NPP electronically; for example, as part of an employer’s new-hire or open enrollment materials.
Genetic Information
Most covered entities have already been complying with GINA; below is a list of GINA’s main restrictions applicable to covered entities.
Prohibition on Use of Genetic Information for Underwriting Purposes
The HIPAA Privacy Rule, as modified by GINA, prohibits genetic information from being used for medical plan underwriting purposes. Genetic information includes, among other items, the plan participant’s and any family members’ genetic tests, receipt of genetic counseling, and the manifestation of a disease in an individual’s family members. Underwriting includes the determination of eligibility to enroll in or receive plan benefits, computation of plan premiums or contribution amounts, application of any pre-existing condition exclusion under the plan, and other activities related to the creation, renewal, or replacement of a health insurance contract.
Genetic Information and Wellness Programs
Employers should examine any practices that condition cost-sharing or other plan benefits on a plan participant’s completion of a health risk assessment or participation in a wellness program to ensure these practices do not require an individual, or an individual’s family members, to disclose genetic information in contravention of GINA’s restrictions.
Breach Notification Rules
HHS previously issued lengthy and detailed rules concerning the actions a covered entity is required to take if there is a breach of PHI. These rules are largely unchanged in the final regulations, except that the “significant risk of harm standard” that applied when determining whether breach notification was necessary has been eliminated and replaced with a risk assessment process whereby a covered entity (or business associate) is required to analyze the probability that the PHI was compromised to determine whether breach notification is necessary. A plan sponsor is now required to presume that an impermissible use or disclosure of PHI constitutes a breach unless the plan sponsor (or business associate, as applicable) can demonstrate that there is a low possibility that the PHI has been compromised. The final regulations provide that the following factors should be taken into account in the risk assessment of whether PHI has been compromised:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the PHI or to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated.
Plan sponsors should train employees who have access to PHI on how to identify a breach of PHI and how to report possible breaches to the privacy officer.
An individual must sign an authorization before receiving marketing communications when the health plan receives financial remuneration in exchange for marketing a third party’s product to an individual. There are limited exceptions to this rule. Communications that promote good health in general, but do not promote a product or service from a particular provider, do not require individual authorization.
A health plan may disclose a decedent’s PHI to family members and others involved in the decedent’s care or payment for care prior to death, unless doing so is inconsistent with any prior preference expressed by the individual that is known to the health plan.
Disclosure of PHI
- Upon a participant’s signed, written request, a health plan must provide any requested PHI to another person as directed by the participant.
- A health plan must provide PHI stored electronically in the form and format requested by the individual, if it is readily producible, and if not, in the form agreed to by the health plan and the participant, within 30 days of the request, regardless of whether the PHI is maintained or accessible by the health plan on-site, subject to a one-time 30-day extension; prior rules provided that PHI held off-site could have been provided within as long as 90 days after the request date.