The open enrollment to-do list of employee notices and important messages to deliver, which was already lengthy, has gotten longer. Now added to these annual tasks are more Health Insurance Portability and Accountability Act (HIPAA) procedures, required by final regulations that the Department of Health and Human Services (HHS) issued in January 2013.
HIPAA's privacy rule established a set of national standards to protect certain health information. This rule applies to covered entities (health plans, health care clearinghouses and health care providers that transmit health information in electronic form). The Health Information Technology for Economic and Clinical Health Act (HITECH), enacted as part of the American Recovery and Reinvestment Act in 2009, gave HIPAA teeth by requiring notification of, and imposing significant penalties for, unauthorized acquisition, access, use or disclosure of protected health information. In 2008 the Genetic Information Nondiscrimination Act (GINA) extended privacy protection to genetic information, disallowing its use for underwriting purposes and employment decisions.
The omnibus final regulation comprises four final rules that make HITECH and GINA taxing—literally, in the form of penalties. The final rules went into effect on March 26, 2013. Covered entities and business associates were given 180 days or until Sept. 23, 2013, to comply with most of the final regulations.
A transition period is available until sept. 23, 2014, for covered entities and business associates to amend their agreements to comply with the new requirements; at that time, all business associate agreements must be updated as necessary to reflect the Omnibus Rule requirements. However, covered entities and business associates must meet all other HIPAA requirements by Sept. 23, 2013.
The first rule modifies HIPAA privacy, security and enforcement rules mandated by HITECH. Specifically, it:
- Expands privacy protection and control of protected health information (PHI) to business associates that receive PHI, such as contractors and subcontractors (e.g., a personal-health-record vendor, a pharmacy benefit manager, a patient-safety organization). Such business associates are directly liable if not in compliance with the privacy and security rules’ requirements.
- Strengthens the limitations on the use and disclosure of PHI for marketing and fundraising purposes and prohibits the sale of PHI without the individual’s authorization.
- Expands the customer’s rights to receive electronic copies of his or her health information and to restrict disclosures about treatment to health plans if the patient makes full payment in cash.
- Requires modifications to, and redistribution of, a covered entity’s notice of privacy practices.
- Facilitates research and disclosure of child immunization proof to schools by modifying individual authorization and other requirements, and enables a decedent’s family members or others to gain access to his or her information.
- Finalizes the breach notification interim rule under HITECH to improve enforcement.
The second rule finalizes the 2009 interim civil monetary penalty structure for noncompliance. These penalties apply to breaches that occurred on or after Sept. 23, 2009.
The third rule finalizes a more objective standard of the HITECH breach notification rule’s “harm” threshold. Essentially, breach notification is necessary in all situations except those in which the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised (or one of the other exceptions to the definition of breach applies). Covered entities have the burden of proving that an impermissible use or disclosure did not constitute a breach.
The fourth rule finalizes modifications to the HIPAA privacy rule, as required by GINA. This rule excludes long-term-care plans from the underwriting prohibition; however, such plans are subject to the Privacy Rule.
Steps to Take
Plan sponsors need to make sure their health plans (self-funded or fully insured) complete action items to achieve compliance. These items include the following steps:
- Become familiar with the expanded definition of business associates; take an inventory of vendors that meet the definition of business associates, and revise business associate agreements to include the new direct-liability provisions.
- Review the model business associate agreement provisions.
- Revise the notice of privacy practices to include:
- The limitations on the use and disclosure of PHI for marketing and fundraising purposes.
- The prohibition on the sale of PHI without the individual’s authorization.
- A statement about the impermissible use of genetic information for underwriting and employment purposes.
- A statement about the obligations of covered entities to maintain the privacy of an individual’s PHI and the right of an individual to be notified if a breach occurs.
- Any other changes that may have occurred since the privacy notice was last updated—for example, changes in vendors, telephone numbers and privacy officers.
- Distribute the privacy notice or post an announcement about the availability of the notice and synopsis of the material changes to the notice.
Distributing the Revised Notice
"Because HHS has determined that this new language constitutes a material change to the notice, employers that maintain a benefits website are required under the HIPAA Privacy Rule to (a) post the revised notice on their benefits website by the Omnibus Final Rule's compliance deadline of Sept. 23, 2013; and (b) distribute the revised policy to the named insured in its next annual mailing to plan participants," wrote Philip Gordon, chair of the privacy and data protection practice group at law firm Littler Mendelson, in BNA’s Privacy & Security Law Report, reposted on Littler's website.
"Employers that do not maintain a benefits website must distribute the revised notice within 60 days of the material revision to the notice. If this group of employers waits until Sept. 23, 2013, for their revised notice to become effective, then distribution of the notice by Nov. 22, 2013, should coincide with their open enrollment season. Employers can distribute the revised privacy notice by email as long as the named insured agrees to electronic delivery," Gordon noted.
The Department of Health and Human Services has posted additional information about the HIPAA privacy rule and the notice requirements, including model notice language.
- Meet with your business associates to review and execute new agreements and authorizations for release of information.
- Update training manuals with new provisions in the omnibus final rule, and conduct refresher training to familiarize staff with its provisions.
- Update summary plan descriptions that include privacy notices.
Privacy protection is a hot-button issue. Enforcement is mandatory through the Office of Civil Rights within the HHS. Fines for willful neglect are significant, with virtually no cap, since fines apply per violation, not per year.
Leanne Fosbre is the senior compliance writer at HighRoads, a provider of health care compliance and benefits plan management services.