The Department of Health and Human Services (HHS) recently published final regulations (the Final Rule) to implement provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act enacted by Congress in 2009. HITECH significantly modified requirements under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Final Rule contains many important changes for employer-sponsored health plans. Two of the most prominent changes-the need to update the Notices of Privacy Practices and changes to the breach notification rules-are discussed in this article. Employers with health plans should carefully review the new rules to determine if any other changes may affect their practices and activities, including changes relating to the right of an individual to obtain a copy of protected health information (PHI) and changes relating to the ability of health plans to use genetic information for underwriting purposes.
Employer Health Plans
1. The Final Rule Requires Changes to the Notice of Privacy Practices
The Final Rule includes a number of changes to the requirements for providing a Notice of Privacy Practices. First, the Final Rule requires the Notice of Privacy Practices to include a description of certain types of uses and disclosures that require an authorization, in addition to the statement that other uses and disclosures not described will be made only with an authorization. Health plans must include a statement that most uses and disclosures of psychotherapy notes, most uses and disclosures of PHI for marketing, and most "sales of PHI" require an authorization.
Second, the Final Rule requires a separate statement in the Notice of Privacy Practices regarding certain activities (if applicable) of a health plan, including statements relating to:
- Fundraising activities and the ability to opt out of fundraising communications;
- A statement that the health plan may not use or disclose genetic information for underwriting purposes; and
- The ability of an individual to restrict PHI if he or she has paid out of pocket in full for the applicable services.
Third, the Final Rule requires health plans to include in their Notice of Privacy Practices information pertaining to the health plan's breach notification responsibilities. Specifically, the Notice of Privacy Practices must include a statement that the health plan is required to: (i) maintain the privacy of PHI; (ii) provide the individual with notice of its legal duties and privacy practices with respect to PHI; and (iii) notify affected individuals following a breach of unsecured PHI.
Health plans must ensure that they provide the updated Notice of Privacy Practices in compliance with applicable HIPAA requirements. For example, health plans must update any Notice of Privacy Practices placed on websites. If a health plan does not have a website, it must provide hard copies of the notice no later than 60 days after September 23, 2013.
2. The Final Rule Modifies the Breach Notification Rules
In the Final Rule, HHS has departed from the interim breach notification rules in several significant ways. HIPAA defines a "breach" as the acquisition, access, use or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI. Under the interim breach notification rules, the term "compromises the security or privacy of PHI" means that the acquisition, access, use or disclosure constituted a significant risk of financial, reputational or other harm to the individual. Thus, under the interim breach notification rules, covered entities perform a risk assessment to determine whether an impermissible acquisition, access, use or disclosure actually resulted in a "breach" of PHI, and notification is required only if a significant risk of financial, reputational or other harm to the individual is identified through the risk assessment.
In the Final Rule, HHS has eliminated the "harm" standard. Instead, an impermissible acquisition, access, use or disclosure of PHI is presumed to be a breach, unless the health plan or business associate (as applicable) demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification. For example, if the PHI involved could be used by an unauthorized individual in a manner adverse to the subject of the PHI (e.g., particularly sensitive health information), it is more likely that PHI will be considered compromised.
- The unauthorized person who used the PHI or to whom the disclosure was made. For example, a disclosure made to a person or entity required to abide by the Privacy Rule would make it less likely that PHI has been compromised, since the recipient of the PHI must protect the information in a similar manner as the disclosing entity.
- Whether the PHI was actually acquired or viewed.
- The extent to which the risk of PHI has been mitigated.
In short, HHS has retained the need for health plans or business associates to perform a risk assessment, but the assessment is more objective. HHS has not otherwise modified the breach notification requirements in any significant manner. For example, HHS has retained the qualification that a "breach" notification is only necessary if the PHI was "unsecured." Thus, no breach notification is required when the PHI that has been impermissibly acquired, accessed, used, or disclosed was encrypted pursuant to HHS guidelines. HHS has also continued to exclude the following incidents from the definition of "breach":
- Unintentional acquisitions, access or uses of PHI by a workforce member or person acting under the authority of a health plan or business associate, if such acquisition, use or disclosure was made in good faith, within the scope of authority, and does not result in a further impermissible use or disclosure under the Privacy Rule.
- Inadvertent disclosures by a person authorized to access PHI at a health plan or business associate to another person authorized to access PHI at the same health plan or business associate if the information received as a result of the disclosure is not further used or disclosed in a manner not permitted under the Privacy Rule.
- A disclosure of PHI where a health plan or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain the PHI.
Updates to Business Associate Agreements
The Final Rule makes a number of changes to the required terms and conditions of a business associate agreement, which will require health plans and business associates to update existing business associate agreements. In addition to other requirements in a business associate agreement, the Final Rule provides that the agreement must:
- Require the business associate to comply with applicable requirements of HIPAA's Security Rule.
- Require the business associate to ensure that subcontractors that create, receive, maintain or transmit electronic PHI on behalf of the business associate agree to comply with the requirements of the Security Rule by entering into a business associate agreement with the subcontractor that complies with the requirements for business associate agreements.
- Require the business associate to ensure that any subcontractors that create, receive, maintain or transmit PHI on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such PHI.
- Require the business associate to report breaches of unsecured PHI.
Health plans and business associates generally have until September 23, 2013 to update and implement business associate agreements to comply with the new requirements. However, HHS has opted to grandfather business associate agreements entered into prior to January 25, 2013 and which complied with the requirement in effect as of such date. Health plans and business associates with such "grandfathered" agreements have until the earlier of September 22, 2014 (an extra one-year transition period) or the date the business associate agreement is modified or renewed after September 23, 2013 to update the "grandfathered" business associate agreements. The parties to such "grandfathered" agreements need to be careful -- if they modify or renew the agreement after September 23, 2013, they can effectively cut short the extra one-year transition period and must make sure the modified or renewed agreement complies with the new rules. Importantly, HHS has clarified that agreements with automatic renewal terms will not be deemed to have "renewed" for purposes of determining whether the agreement is eligible for the extra one-year transition period. Additionally, despite the "grandfathered" status of existing agreements, health plans and business associates must still satisfy the requirements of the Final Rule as of the compliance date (discussed below) even if such requirements are not reflected in the agreement itself.
While the effective date of the Final Rule was March 26, 2013, all health plans have 180 days beyond the effective date, that is, until September 23, 2013, to comply with the new requirements. Note, however, that until September 23, 2013, health plans must continue to comply with the breach notification interim rules.
Employers should train their employees as soon as possible to address the Final Rule's new requirements. HHS has stepped up its enforcement of HIPAA and is taking a far less lenient approach than before. Penalties of up to $50,000 per violation can be triggered even when the violation is due to reasonable cause or if a person does not know that a violation has occurred. A "violation" can occur with respect to each person affected, so the penalties can become large very quickly.
As discussed above, employers with health plans have a lot of work to do before September 2013.
The author would like to thank Godfrey & Kahn's Health Care team for its assistance with the preparation of this article.Copyright © 2014 Godfrey & Kahn S.C.