New HIPAA Regulations Require Action From Group Health Plans

more+
less-

On January 17, 2013, the U.S. Department of Health and Human Services (HHS) released final regulations under the Health Insurance Portability and Accountability Act (HIPAA), which implement changes made by the Health Information Technology for Economic and Clinical Health Act (HITECH). Group health plans and business associates must come into compliance with the final regulations by September 23, 2013, although group health plans may have an additional 12 months to bring existing business associate agreements into compliance with these final regulatory requirements.

Impact:

  • If you are an employer who sponsors a self-funded health plan, including medical, dental, vision, health flexible spending accounts, or health reimbursement arrangements, these changes will require you to review and revise your current policies and agreements to ensure compliance with the new rules.

  • If you are a business associate of a group health plan, you are potentially subject to new responsibilities that could result in additional levels of liability, and thus must ensure you are also in compliance with the final rules.

Polsinelli Shughart's Employee Benefits and Executive Compensation group has evaluated the impact of the final regulatory changes on group health plans and identified a list of action items for covered entities.

The new HIPAA regulations include changes in the following areas that will require action by covered group health plans and business associates:

Group Health Plan Issues

Notice of Privacy Practices

The final rules require additional content to be included in a covered entity's Notice of Privacy Practices. Accordingly, most employers will be required to revise and redistribute their Notices of Privacy Practices to include statements that: (i) an individual has a right to receive a notice following a breach of unsecured protected health information (PHI); (ii) the plan is prohibited from using or disclosing PHI that is genetic information for underwriting purposes; and (iii) a plan participant must authorize disclosure of psychotherapy notes, the sale of PHI, the use or disclosure of PHI for marketing purposes, and any other uses or disclosures of PHI. Employers that post the Notice of Privacy Practices on a website should post a revised notice on their website by September 23, 2013. Those employers that do not maintain a website must distribute the revised notice to plan participants within 60 days of its revision.

Breach Notification

HITECH requires covered entities to notify affected individuals, and sometimes the media and the Secretary of HHS, following the discovery of a breach of unsecured PHI. The new rules have expanded the definition of "breach" to mean that any impermissible use or disclosure of PHI is now presumed to be a breach and requires notification, unless the covered entity or business associate demonstrates there is a low probability the PHI has been compromised. The new rules also provide guidance on the factors that plans should consider in conducting a risk assessment to determine whether a breach has occurred.

Penalties and Enforcement

The final rules adopt an increased and tiered civil monetary penalty structure. The monetary penalties are based on the type of violation, which is determined by the knowledge and intent of the covered entity in using and disclosing PHI. Penalties are lowest for violations that occur because a covered entity did not know, and with the exercise of reasonable diligence would not have known. Penalties are not imposed for any violation that is timely corrected, as long as the violation was not due to willful neglect. Penalties range from $100 to $50,000 per violation, with a maximum penalty of $1.5 million per calendar year.

Business Associate Issues

Business Associates and Business Associate Agreements

The final rules adopt an increased and tiered civil monetary penalty structure. The monetary penalties are based on the type of violation, which is determined by the knowledge and intent of the covered entity in using and disclosing PHI. Penalties are lowest for violations that occur because a covered entity did not know, and with the exercise of reasonable diligence would not have known. Penalties are not imposed for any violation that is timely corrected, as long as the violation was not due to willful neglect. Penalties range from $100 to $50,000 per violation, with a maximum penalty of $1.5 million per calendar year.

Action Items

By the September 23, 2013, compliance date, covered entities (i.e., group health plans and business associates) should complete the following:

  • Group health plans should review and revise business associate agreements and make sure all appropriate business associate agreements are in place as of the dates identified above. Note that certain business associate agreements may not require revision until the delayed compliance date discussed above;

  • Group health plans should review and revise privacy policies and procedures to comply with the new regulations, including incorporating the new standards for breach notifications and other rules;

  • Notices of Privacy Practices should be reviewed, revised, and distributed in a timely manner;

  • Covered entities should train their employees on the new regulatory requirements; and

  • Business associates should establish policies and procedures to demonstrate compliance with the final regulations, and should enter into business associate agreements with any subcontractors.

For More Information

We are happy to assist you in reviewing your policies, procedures and agreements to ensure compliance with HIPAA. Please contact a member of the Employee Benefits and Executive Compensation Practice Group with any questions.

Topics:  Business Associates, Data Protection, Employer Group Health Plans, HHS, HIPAA, HITECH, Notice Requirements

Published In: Health Updates, Labor & Employment Updates, Privacy Updates, Science, Computers & Technology Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Polsinelli | Attorney Advertising

Don't miss a thing! Build a custom news brief:

Read fresh new writing on compliance, cybersecurity, Dodd-Frank, whistleblowers, social media, hiring & firing, patent reform, the NLRB, Obamacare, the SEC…

…or whatever matters the most to you. Follow authors, firms, and topics on JD Supra.

Create your news brief now - it's free and easy »