The Office for Civil Rights of the Department of Health and Human Services (“OCR”) has issued final regulations modifying the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy, Security, Breach Notification and Enforcement Rules to implement changes under the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”). Group health plans and business associates who use or disclose protected health information (“PHI”) (including electronic PHI) in performing services for group health plans should take action immediately to ensure timely compliance with the final regulations.
The final regulations have a general effective date of March 23, 2013, and covered entities such as group health plans and business associates must come into compliance by September 23, 2013, with some exceptions. Most notably, group health plans that already have agreements in place with business associates have until September 23, 2014, to bring those agreements into compliance with applicable changes under the final regulations.
A thorough overview by the Health Care Practice Group at Bradley Arant Boult Cummings LLP of the final regulations and corresponding compliance issues for all covered entities (including group health plans and healthcare providers) and their business associates may be accessed here. While much of the existing compliance framework for group health plans remains unaltered by the final regulations—that is, group health plans still must maintain policies and procedures for privacy, security, and breach notification compliance; maintain agreements with business associates; train members of the workforce to use and disclose PHI according to HIPAA regulations; and distribute the notice of privacy practices to plan participants at applicable times—the final regulations do introduce certain changes as well as new compliance obligations that will require timely action by health plan sponsors. Some of the most significant compliance concerns applicable to the administration of group health plans are described below.
The final regulations substantially alter the compliance landscape for the business associates of group health plans. Third-party administrators, actuaries, accountants, and any other consultants or health plan service providers that have access to PHI in performing services are now directly liable for the civil and criminal penalties for certain violations of HIPAA. Previously, HIPAA compliance was merely a contractual obligation under the required written agreement with the covered entity. As a result, business associates must establish and maintain policies and procedures to implement required safeguards, train their workforce to carry out duties consistent with the policies and procedures, and document compliance. Business associates are also required to enter into written agreements with group health plans to maintain such compliance systems and with their own subcontractors to ensure compliance with HIPAA. In most cases, business associates will have a critical role in breach notification compliance for group health plans.
Business Associate Agreements
The new compliance landscape for business associates also has a significant impact on action items for group health plans, as existing business associate agreements must be reviewed and revised as necessary. The final regulations include new required content for business associate agreements. Sponsors of group health plans should also take steps to ensure that other related matters are covered in their agreements with business associates, including indemnification for HIPAA violations by business associates. Moreover, to the extent a group health plan’s third-party administrator plays any role in compliance with the new breach notification rules, the respective responsibilities of the parties should be spelled out in detail. The Department of Health and Human Services has posted sample business associate provisions here.
The final regulations implement rules under the Genetic Information Nondiscrimination Act of 2008 (“GINA”) as it applies to the use and disclosure of PHI by group health plans and business associates. In particular, PHI that is genetic information may not be used or disclosed for underwriting purposes. The final regulations clarify that an authorization cannot be used to permit a use or disclosure of genetic information for underwriting purposes. The notice of privacy practices distributed by group health plans must also now include a provision describing PHI disclosure restrictions under GINA.
Notice of Privacy Practices
In a significant change from prior rules, group health plans that post the notice of privacy practices on a website may now post a material revision of the notice to the website by the effective date of the change and notify individuals of the revision in the next annual mailing to individuals covered by the plan. This is a modification of the earlier rule that required health plans to provide a new notice to individuals within 60 days of a material change. The final regulations require a group health plan to include in its notice of privacy practices with respect to underwriting a statement that the plan is prohibited from using or disclosing PHI that is genetic information about an individual for underwriting purposes. A statement that the health plan is required to notify affected individuals following a breach of unsecured PHI must also be added.
The final regulations made important changes to the interim final rule implementing the breach notification provisions of the HITECH Act. In particular, the final regulations modify the factors that plans and business associates should consider in conducting a risk assessment to determine whether a breach requiring notice to affected individuals, the Department of Health and Human Services, and in some cases the media, has occurred. Under the final regulations, a breach requiring notice will be presumed to have occurred whenever PHI maintained by the plan or business associate is acquired, accessed, used, or disclosed in a manner that violates the privacy rule. The presumption may be rebutted if the plan or business associate can demonstrate, pursuant to four factors provided under the final regulations, that there is a “low probability” that PHI has been compromised.
The final regulations include the civil and criminal penalties that apply to HIPAA violations by group health plans and their business associates. Monetary penalties vary according to the number of violations, the cause of such violations (e.g., whether or not the violation arose from “reasonable cause”), and whether the group health plan or business associate takes timely action to correct the violation. A table of applicable penalties may be viewed here.
Action Items for Group Health Plans
The final regulations require immediate action by group health plans and their business associates to confirm compliance with new requirements applicable to the use and disclosure of PHI. Group health plans must review and revise existing policies and procedures and business associate agreements as necessary to implement new obligations under the revised privacy, security, and breach notification rules. Business associates must establish such policies and procedures to demonstrate compliance with the final regulations. Notices of privacy practices must be revised and provided to individuals covered by the plan.
Regardless of all these changes and new obligations, however, what has not changed is that group health plans still must comply with the HIPAA privacy, security, and breach notification requirements. Given the renewed emphasis on enforcement, including OCR audits and the financial penalty scheme affirmed in the final regulations, compliance is now more important than ever. The issuance of the final regulations is then a great opportunity for group health plans to audit existing compliance and ensure that all is in order. It has been several years now since the initial effective dates of the privacy and security rules under HIPAA. Some plans may have neglected HIPAA since the first wave of compliance or even neglected to implement subsequent compliance obligations, particularly under the HIPAA security and breach notification rules. Now that there are greater penalties, a greater emphasis on enforcement, and the probability of more audits in the future, all group health plans should make it a priority to act now and confirm good compliance. Many group health plans may find it useful to confirm:
- Compliance with the HIPAA security rule, including plan amendments and policies and procedures;
- Establishment of procedures to comply with the breach notification rule;
- Plan amendments, including any modification of the plan and other documents for the final regulations;
- Timely distribution of privacy notices, including notice of availability of notice;
- Written agreements in place with all business associates; and
- Policies and procedures for privacy, security and breach notification that include changes for the final regulations.