The regulations known as the HIPAA/HITECH Omnibus Final Rule went into effect in late March 2013, with a 180-day safe harbor compliance period that ends on September 23, 2013, two weeks from today. As discussed in prior blog posts, the new regulations do not fundamentally change the HIPAA compliance obligations for employers who sponsor HIPAA-covered plans (self-insured group health, dental, vision, pharmacy benefits, and long-term care plans; health care reimbursement flexible spending accounts; employee assistance programs; and health reimbursement arrangements). Nonetheless, employers do need to complete several important tasks to attain compliance.
For vendors that provide services to HIPAA-covered plans, such as third-party administrators, pharmacy benefit managers, and insurance brokers – known in HIPAA parlance as “business associates” – the new regulations do introduce fundamental change. Under the new regulations, business associates are required, for the first time, to comply with the HIPAA Security Rule, many provisions of the HIPAA Privacy Rule, and are subject to direct enforcement action by the U.S. Department of Health and Human Services (HHS).
Regardless of whether an organization is a covered health plan or a business associate, some of the following five critical “to do’s” will apply:
- Implement or Update Security Policies and Procedures. A security breach poses the most significant risk for employers and business associates. Since 2011, nine out of 10 settlements publicly announced by HHS have involved a security breach. Six have resulted in settlements exceeding $1 million, and the average settlement has exceeded $800,000. To reduce the risk of a potentially costly security breach, employers and business associates should implement or update policies and procedures to ensure compliance with the HIPAA Security Rule and to address any significant changes in operational reality since security policies were first implemented or last updated. Employers and business associates also should conduct a risk assessment to confirm that these policies and procedures adequately address and mitigate operational risk.
- Enter Into or Update Business Associate Agreements. For the first time, business associates are required to enter into business associate agreements with their subcontractors. Covered health plans are not required to update their existing business associate agreements until September 22, 2014; however, many of the larger vendors who are business associates are already proposing updated agreements to their covered entity clients. While, in many cases, the business associate agreements do not require significant changes for legal compliance purposes, the current round of updates provides employers with the opportunity to address terms of these agreements with a business impact, such as reimbursement of costs incurred in responding to a security breach caused by a business associate and indemnification for third-party claims.
- Update or Implement Privacy Policies and Procedures. Employers that have previously implemented HIPAA policies and procedures will need to update them to address several regulatory changes, such as the new standard for determining whether a security breach has occurred and the new procedures applicable to requests by plan participants for access to protected health information (PHI) in electronic form. From a technical legal compliance perspective, business associates do not have a legal duty to implement policies and procedures. As a practical matter, however, business associates cannot meet their complex HIPAA compliance obligations without policies and procedures that provide direction to the business associate’s employees on what they actually need to do to comply with HIPAA.
- Update HIPAA Privacy Notices. Employers are required to update their HIPAA Notice of Privacy Practices by September 23, 2013, to inform participants in HIPAA-covered plans of new rights and new restrictions on the plans’ use of PHI. If the employer has a benefits web site, the updated notice must be posted there and distributed to the named insured of each HIPAA-covered plan with the next open enrollment mailing. If the employer does not have a benefits web site, the updated notice must be distributed within 60 days of its effective date.
- Conduct Training. Employees need to be informed of the changes to HIPAA regulations that are relevant to their job functions. At the same time, employers and business associates can take advantage of the opportunity to provide refresher training.