Final HIPAA privacy and security regulations issued by the U.S. Department of Health and Human Services will require action by group health plan sponsors by September 2013.

The Department of Health and Human Services (HHS) recently issued new final privacy and security regulations (the final rule) under the Health Insurance Portability and Accountability Act (HIPAA) that will require action by employer sponsors of group health plans.  In 2010, HHS issued proposed regulations to reflect changes to HIPAA made under the Health Information Technology for Economic and Clinical Health Act (HITECH).  The final rule largely adopts the proposed HITECH regulations with some additional expansions and clarifications, adopts revised breach notification rules, adopts a revised penalty structure for covered entities and business associates that violate HIPAA privacy and security rules, and incorporates protections required by the Genetic Information Nondiscrimination Act (GINA).

The differences between the text of the proposed HITECH regulations and the final rule are not material for most employer group health plans.  However, the preamble to the final rule provides new helpful information about how these regulations should be interpreted and implemented.  Below, we summarize significant provisions in the final rule that affect employer sponsors of group health plans.

Expanded Regulation of Business Associates and Subcontractors

Prior to the enactment of HITECH, business associates were not directly subject to the compliance obligations and penalties under the HIPAA privacy and security rules, so covered entity health plans needed to execute business associate agreements to contractually require business associates to follow those rules.  As described in more detail in “New HIPAA Regulations Impact Business Associates and Subcontractors,” the final rule maintains the requirement that business associate agreements are still necessary, but also applies certain HIPAA privacy and security standards and requirements directly to business associates.  HHS has clarified in the preamble to the final rule that business associates are directly liable under the HIPAA privacy and security rules for impermissible uses and disclosures of protected health information (PHI), failure to provide breach notification to the covered entity, failure to disclose PHI as necessary to satisfy a covered entity’s obligations with respect to an individual’s request for an electronic copy of PHI, failure to disclose PHI to the Secretary of HHS to investigate or determine the business associate’s compliance with the rules, failure to comply with minimum necessary standards, failure to enter into business associate agreements with subcontractors that create or receive a covered entity’s PHI on its behalf, failure to provide an accounting of disclosures, and failure to comply with the electronic security requirements.

The term “business associate” is amended to include any subcontractors of a business associate (and any subcontractor of a subcontractor, for as far down the chain as PHI may flow) that have access to PHI in the course of performing services for a covered entity customer on behalf of the business associate.  Business associates are required to execute written contracts with any such subcontractors that are similar to the business associate agreements between covered entity health plans and their business associates.  Each agreement in the business associate chain must be at least as stringent as the initial agreement between the covered entity and the business associate with respect to permitted uses and disclosures of protected health information.  For example, if a plan prohibits its business associate from de-identifying PHI, any subcontractors of that business associate that are provided access to the plan’s PHI also cannot be permitted to de-identify the plan’s PHI in the agreement between the business associate and the subcontractor.

Liability for Business Associate Violations

Under the final rule, a covered entity plan is liable for the acts of its business associate (and a business associate is liable for the acts of its subcontractor) that is acting as an agent of the plan.  The agency relationship, and the scope of that relationship, is determined under the federal common law of agency rules.  In the preamble to the regulations, HHS explained that the analysis of whether a business associate is an agent of the covered entity plan would take into account the terms of the business associate agreement and the nature of the relationship between the parties.  The essential factor in determining whether an agency relationship exists is the right or authority of the plan (or the plan sponsor, on behalf of the plan) to control the business associate’s conduct in the course of performing services for the plan.  If the only way to control the actions of a business associate is through a contract that sets the terms and conditions of the provision of services, and the only way to direct the business associate is to amend the contract or sue for breach of contract, then the business associate generally would not be an agent of the plan.  However, if a plan is able to instruct the business associate in the provision of services in other ways—for example, if a business associate agreement provides that the business associate will make PHI available pursuant to an individual’s right of access (under 45 C.F.R. § 164.524) as directed by the covered entity plan, then this would be evidence of an agency relationship.  In the preamble, HHS stated that a business associate agent is not per se acting outside the scope of agency when it violates the HIPAA privacy and security rules in violation of its business associate agreement with the covered entity.  For example, a business associate agent would likely be acting within the scope of its agency relationship if it fails to disclose only minimum necessary PHI, even though doing so would be a clear breach of its business associate agreement with the covered entity.  As a best practice, this should be drafted into a business associate contract between the parties to alleviate any misunderstanding.

Increased HHS Oversight

The final rule adopts the proposed HITECH regulations strengthening HHS oversight when there are indications that HIPAA privacy and security violations are due to willful neglect.  If there is a complaint filed with HHS and a preliminary review of the facts indicates possible willful neglect, then HHS must investigate the complaint and conduct a compliance review.  The previous rules stated that HHS may investigate the complaint, and made no distinction for willful neglect.  The final rule also permits the Secretary of HHS to proceed directly to formal enforcement action to impose penalties—there is no requirement to first attempt to resolve violations using informal means or to seek voluntary compliance with the HIPAA rules, particularly if the violation is a result of willful neglect.  The Secretary of HHS retains discretion to investigate complaints, perform compliance reviews and informally resolve violations when a lower degree of culpability is indicated.

The range of penalty amounts for each of the four tiers of penalties established under the proposed HITECH rules is retained in the final rule, with each tier having the same $1.5 million maximum penalty amount for all violations of an identical provision within the same calendar year.  The Secretary of HHS has discretion to waive imposition of a penalty against a covered entity for a business associate agent’s violation of the HIPAA privacy and security rules if the covered entity did not know, despite the exercise of reasonable diligence, about a business associate agent’s violation.

Protection of Genetic Information

GINA has now been incorporated into the final rule, which prohibits the use or disclosure of genetic information for underwriting purposes, even if a covered entity plan has the individual’s written authorization to do so.  This restriction applies to all health plans subject to the HIPAA privacy and security rules other than long-term care insurance.  The prohibition applies to all genetic information as of March 26, 2013, regardless of when or where the genetic information originated.  Plan sponsors that maintain a long-term care plan in addition to traditional group health plans should reflect this special underwriting exception in their HIPAA policies and procedures and in their privacy notice, as applicable.

Privacy Notice Updates

The final rule requires certain changes to the notice of privacy practices to comply with the new HITECH and GINA requirements.  Most significantly for health plans, the notice must inform individuals of their rights following a breach of unsecured PHI and of the prohibition on the use and disclosure of genetic information for underwriting purposes.  Health plans must ensure the notice of privacy practices satisfies these requirements no later than the compliance date described below.  The final rule specifies timing requirements for posting and distributing the revised privacy notice.  If a health plan posts its privacy notice on its website, any material changes to the privacy notice must be prominently posted on the website on or before the date the changes take effect.  The health plan must also either provide the privacy notice or provide information about how to obtain the revised privacy notice in its next annual mailing to individuals covered under the plan.  A health plan that does not post its privacy notice on its website must automatically provide the revised privacy notice, or information about how to obtain the new privacy notice, to individuals within 60 days of the update.

Breach Notification Requirements

The final rule revises the breach notification requirements previously issued in interim final rules that became effective on September 23, 2009.  Under the final rule, notification of the breach is required unless the covered entity plan or business associate demonstrates there is a low probability that the PHI has been compromised or that an exception to the notification rules applies.  A breach is the unauthorized acquisition, access, use or disclosure of PHI that compromises the security or privacy of the PHI.  There is a presumption that any unauthorized acquisition, access, use or disclosure of PHI is a breach; the burden is on the plan or business associate to demonstrate through a risk assessment that there is a low probability that the PHI has been compromised.  The risk assessment must consider (1) the nature and extent of the PHI involved, including the types of identifiers and likelihood of re-identification; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to PHI has been mitigated.  Under interim rules currently in effect, the analysis is more subjective and focuses on the risk of harm to the individual affected by the breach.  The preamble to the final rule indicates that additional guidance will be issued to assist covered entities and business associates in performing risk assessments with respect to common scenarios.

The rules governing the timing for notifying affected individuals of a breach, the content of the breach notice and the methods for providing the notice, as previously set forth in interim breach notification regulations, are unchanged.  In the event of a breach, a covered entity plan must notify each affected individual without unreasonable delay and within 60 days of discovery of the breach.  If a business associate is acting as an agent of a plan, knowledge of a breach by the business associate is imputed to the plan and will trigger the 60-day notice requirement under the breach notification rules.  If a business associate is not acting as an agent of a covered entity plan, the 60-day notice requirement under the breach notification rules begins once the business associate notifies the plan of the breach.

A covered entity plan may send a single breach notification to all affected persons at the same address, as long as the notice clearly identifies the individuals to whom the notice applies.  The preamble provides that granted requests for confidential communication of PHI to an alternate address or by alternate means would apply to the distribution of breach notifications.  Although business associates are now directly liable for many types of HIPAA privacy and security violations, the regulators confirm in the preamble that the plan retains responsibility for providing notice of a breach by a business associate.  The obligation to provide a breach notice can be delegated to a business associate by contract.  The interim rules for notifying the media of larger breaches and for notifying HHS are largely unchanged, as are the rules relating to a business associate’s obligations to notify the covered entity of a breach.

Expanded Right of Electronic Access to PHI

An individual has a right under HIPAA to request access to or copies of his or her PHI in a designated record set.  If any such PHI is maintained in electronic records systems, the final rule requires that the covered entity plan provide the requested information in the electronic form and format requested by the individual, if it is readily producible, or, if not, in readable electronic form and format as agreed to by the plan and the requesting individual.  To the extent possible, the information must be provided as a “machine readable copy,” meaning in a standard digital format that can be processed and analyzed by a computer (for example, in Microsoft Word or Excel, text, HTML or text-based PDF).  The final rule expands the scope of the electronic access requirements contemplated under the HITECH statute, which applied the rule only to a subset of electronic information in an “electronic health record.”  Group health plans were unlikely to maintain electronic health records as defined under HITECH, but virtually all plans today maintain PHI in a designated record set in electronic format.  As required under the HIPAA privacy and security rules, a plan must use reasonable safeguards in providing the individual with the electronic copy of his or her PHI.  The timeline for providing access to requested PHI in a designated record set, whether in paper or electronic form, is shortened from 60 days to 30 days for records maintained at an off-site location.  A one-time 30-day extension (for a total of 60 days) is permitted if the individual is timely notified of the need for an extension.

Restrictions on the Use and Disclosure of PHI

Although the regulators declined to be specific in the text of the final rule, the preamble clarifies that the requirement under HITECH for a covered entity to comply with a request for restriction on disclosure of PHI to a health plan, if the PHI pertains to services for which payment has been made out-of-pocket, only applies to health care providers.  The requirement is not intended to impede a health plan’s disclosure of PHI to another health plan as necessary for coordination of benefits information.

Effective Date and Compliance Date

The final rule becomes effective on March 26, 2013.  The changes to the enforcement provisions described above take effect as of that date.  Covered entity plans and business associates will have 180 days after the effective date—September 23, 2013—to comply with most other provisions in the final rule.  There is a special one-year transition period for implementing business associate agreements that comply with the final rule.  This extension until September 23, 2014, is available to covered entities and business associates that have existing written contracts in place prior to January 25, 2013 (the publication date for the final rule), assuming those contracts complied with the prior HIPAA privacy and security rules.  The transition period will automatically terminate if the contract is renewed or modified between March 26, 2013, and September 23, 2014.  The automatic renewal of evergreen contracts would not negate the transition period.

The final rule includes a general guideline that any new or modified standards or implementation specifications under the HIPAA privacy and security rules will have a 180-day compliance delay.  Any exceptions to the 180-day rule will be explicitly stated in issued regulations.

Next Steps

  • Update (or create, if not already in place) HIPAA privacy and electronic security policies and procedures to comply with the final rule by September 23, 2013.
  • Update the HIPAA privacy notice by September 23, 2013, and distribute it to plan participants and beneficiaries.
  • Update existing business associate agreements (and enter into compliant business associate agreements for new vendor relationships).  Consider the parties’ interrelationship (i.e., whether or not there is or should be an agency relationship under federal common law), and be careful that the business associate agreements do not inadvertently create an agency relationship.  Also, be cognizant of the potential for vicarious liability for business associate violations.  Sample business associate agreement provisions are available on the HHS website.  The sample language is written to meet minimum requirements under the final rule; however, most plan sponsors will want to include additional protections or limitations, such as indemnification provisions.
  • Business associates should update or enter into subcontractor agreements, and those agreements should track the initial agreement between the covered entity and the business associate.
  • Train employees with plan administration responsibilities who may use, disclose or have access to PHI on the updated HIPAA privacy and security rules.