2013 has already been a busy year for employers with group health plans who are trying to navigate the Affordable Care Act and its immediate implications for employee benefits.  However, there are other, less talked about but equally important, deadlines to address for Fall 2013 under federal law (including the Affordable Care Act).  For a complete list of the 2013 and 2014 deadlines, please see our previous Client Advisory titled “2013 and 2014 under the Affordable Care Act”.

The Health Insurance Portability and Accountability Act/Health Information Technology for Economic and Clinical Health Act Omnibus Rules (“HIPAA/HITECH”)

In January 2013, the long-awaited HIPAA/HITECH Final Rule (“the Final Rule”) was issued.  While the effective date of the Final Rule was March 26, 2013, the actual compliance date for most of the Rule’s provisions is September 23, 2013. The Final Rule made significant changes to the HIPAA Privacy Rule, Security Rule, Breach Notification Rule, and Enforcement Rule, and will require group health plans (“covered entities”) (and the plan sponsors that maintain them) to take immediate action to remain in compliance.  While the term “covered entity” for purposes of HIPAA includes health plans, health care providers, and health care clearinghouses, this Client Advisory will address only the HIPAA requirements for health plans.  Additionally, for employers that sponsor a fully-insured health plan, many of the requirements discussed below will be taken care of by the plan’s insurer.  However, employers of fully-insured health plans will want to confirm with their insurers that all of the new provisions (including providing notices where applicable) are addressed.  While the Final Rule will affect each covered entity differently, below is a summary of the most common changes applicable to covered entities and employers.

  1. Expanding the Definition of Business Associates

The Final Rule broadened the definition of a business associate to include subcontractors, health information organizations, entities that offer a personal health record to individuals on behalf of a covered entity, and other entities that provide data transmission services for covered entities and that require access on a routine basis.  With this expanded definition, plan sponsors should be sure that their group health plans have an updated business associate agreement in place with all business associates.

The Final Rule also provides a list of HIPAA Privacy and Security Rule requirements that apply directly to business associates, including the obligation to:

  1. maintain detailed records of uses or disclosures of protected health information (“PHI”) to be produced upon request;
  2. provide an electronic copy of PHI to covered entities or individuals upon request;
  3. enter into business associate agreements with subcontractors that create or receive PHI on their behalf; and
  4. make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use or disclosure.

As many of these new requirements were not traditionally thought to apply to business associates, business associate agreements will need to be amended to comply with the new provisions.  While new business associate agreements must be amended by September 23, 2013, the Final Rule provides that business associate agreements currently in place do not need to be updated to comply with the new requirements until the earlier of: (1) the next renewal after September 23, 2013, or (2) September 23, 2014.  It is important for covered entities to ensure that their business associate agreements are updated, and that business associates are adhering to the new requirements as the Final Rule makes clear that covered entities may be held liable vicariously for violations by business associates acting as agents.

  2. Breach Notification Obligations

In the Breach Notification Rule, the Final Rule adopted a new definition of “breach”, under which any impermissible use or disclosure of PHI is presumed to be a breach for which breach notification is required, unless the covered entity can demonstrate through a risk assessment that there is a low probability that the PHI has been compromised.

This new Breach Notification Rule replaces the “harm standard”, which had previously allowed covered entities to avoid breach notification if they could demonstrate that the breach posed no significant risk of harm to the affected individual.  The new, more stringent standard provides factors that must be used in the risk assessment.  These factors include:

  1. the nature and extent of the PHI involved (including the types of PHI and the likelihood of re-identification);
  2. the unauthorized person who used the PHI or to whom the disclosure was made;
  3. whether the PHI was actually acquired or viewed; and
  4. the extent to which the risk to the PHI has been mitigated.

If a covered entity is unable to prove through the risk assessment that there is a low probability that PHI was compromised, it must provide breach notification to the affected individuals without unreasonable delay and in no event later than sixty days following discovery of the breach.  This is important for covered entities to remember when drafting business associate agreements, as the breach notification obligations belong solely to the covered entity and, generally, the date on which a business associate discovers a breach will be imputed to the covered entity.  Therefore, covered entities will want to make sure that they receive information as soon as possible from business associates to give the covered entity enough time to act.

  3. Restriction on the Marketing and Sale of PHI

The Final Rule requires written authorization from individuals if the covered entity will receive direct or indirect remuneration from a third party whose product or service is being marketed.  The Final Rule also prohibits the disclosure of PHI without written authorization from an individual, except where the disclosure is made:

  1. for public health purposes;
  2. for certain research purposes;
  3. for treatment and payment purposes; or
  4. as required by law.

  4. Notice of Privacy Practices

The Final Rule requires several changes to the Notice of Privacy Practices which must be distributed to individuals.  These changes include disclosures regarding:

  1. the use of psychotherapy notes;
  2. restrictions on the disclosure of PHI for marketing purposes;
  3. restrictions on the sale of PHI;
  4. required authorizations for disclosure of PHI;
  5. breach notifications; and
  6. an individual’s right to restrict access to their PHI.

The Final Rule requires that the updated Notice of Privacy Practices be posted on the covered entity’s website, and included in the covered entity’s first annual mailing following September 23, 2013.  If the covered entity does not maintain a website, the notice must be mailed within 60 days of the September 23, 2013 deadline (by December 22, 2013).  Covered entities will need to update their Notice of Privacy Practices to comply with the Final Rule, and take the proper steps to distribute the Notice to participants by the deadline.

  5. Implement provisions of the Genetic Information Nondiscrimination Act (“GINA”)

The Final Rule revises the definition of “health information” that must be protected to include genetic information such as an individual’s genetic tests, the genetic tests of family members, and family medical history.  The Final Rule clarifies that covered entities may not use or disclose genetic information when it qualifies as PHI except as the privacy rule permits or requires, or the individual has authorized such use in writing.  This prohibition on the use of genetic information extends to underwriting purposes.  Covered entities should review their PHI policies and procedures to ensure compliance with these rules.

  6. Increased Rights for Individuals Regarding Access to Their PHI

The Final Rule allows individuals to request a restriction on the uses and disclosures of their PHI if the disclosure is for the purpose of carrying out payment or health care operations not otherwise required by law, and the PHI pertains solely to a health care item or service for which the individual, or a person on the individual’s behalf, has paid in full.  Covered entities should ensure that appropriate policies are in place for individuals who request restrictions on the use of their PHI, and that business associates are notified of such restrictions.

The Final Rule also provides that a covered entity must provide an individual with copies of his or her PHI in the form requested (i.e., electronic) if the PHI does in fact exist in that form.  Individuals also have the right under the Final Rule to make a written request that their PHI be sent to a third party.

Health Insurance Marketplace

The Affordable Care Act requires employers subject to the Fair Labor Standards Act to provide employees with a written notice describing the Health Insurance Exchange, also known as the Health Insurance Marketplace (the “Marketplace Notice”).  This Notice should include information on:

  1. the existence of the Marketplace;
  2. the services provided by the Marketplace;
  3. the tax credits that are available for some employees who purchase coverage through the Marketplace; and
  4. the effect that purchasing coverage through the Marketplace can have on employer contributions and tax savings towards the cost of employer-sponsored coverage.

The deadline for distributing the required Marketplace Notice to all existing employees (not just plan participants) is October 1, 2013.  After that date, new employees must be given the notice at the time they are hired.  The Department of Labor has issued model notices which can be used to satisfy the notice requirement.  One model notice is available for employers that provide group health plan coverage, and one is available for employers that do not provide such coverage.  The Department of Labor’s model notices can be found at: http://www.dol.gov/ebsa/pdf/FLSAwithplans.pdf.

COBRA Election Notice

The Department of Labor also has issued a new model COBRA Election Notice to make COBRA qualified beneficiaries aware of their coverage options under the Marketplace and the tax credits that may be available to help pay for coverage purchased through the Marketplace.  The new COBRA Election Notice also makes changes to the language of prior COBRA Election Notices related to pre-existing conditions (which, effective for plan years starting on or after January 1, 2014, will be prohibited in all plans).  There are certain blanks in the model COBRA Election Notice that employers must fill in to make the notice complete.  Although the DOL has not yet indicated when the new COBRA Election Notice must be used, because it references the Marketplace, it would appear that the new COBRA Election Notice should be used after October 1, 2013. The model notice can be found at: http://www.dol.gov/ebsa/modelelectionnotice.doc.