April 15, 2014

Final Rules Under HIPAA/HITECH Impact Employer Plans

Modifications to the rules require action by group health plan sponsors and their vendors, including revisions to policies and procedures and new privacy notices.

On January 17, 2013, the Office for Civil Rights of the U.S. Department of Health and Human Services (HHS) released final regulations under the Privacy Rule, the Security Rule, and the Enforcement Rule under the Health Insurance Portability and Accountability Act (HIPAA) and the Breach Notification for Unsecured Protected Health Information Rule (Breach Notification Rule) under the Health Information Technology for Economic and Clinical Health (HITECH) Act.[1]

The final rules are effective on March 26, 2013, and covered entities and business associates generally must comply with the applicable requirements by September 23, 2013. Employer group health plan sponsors and the business associates that service them will be affected by several modifications under the new rules, as described below.

Business Associate Agreements

The final rules make business associates, such as vendors that provide services to or on behalf of group health plans, directly liable for compliance with the Security Rule and certain standards under the Privacy Rule. The definition of "business associate" has been revised to include all subcontractors of business associates that create, receive, maintain, or transmit protected health information (PHI) on behalf of a covered entity, no matter how "downstream" those subcontractors may be. Business associates are responsible for entering into business associate agreements with their subcontractors.

Employer plan sponsors should review their agreements with plan vendors to ensure that they require the business associate to (1) comply with the Security Rule and report any security breach to the covered entity, (2) comply with the Privacy Rule as it applies to obligations delegated to the business associate under the agreement, and (3) enter into a business associate agreement with each subcontractor that receives the plan's PHI that contains the same (or greater) protections as the agreement with the covered entity.

Breach Investigations

A "breach" was defined under the prior rules as an impermissible use or disclosure that compromises the security or privacy of PHI such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual. The final rules eliminate the "significant risk of harm" standard, which HHS deemed too subjective. Under the new definition of "breach," an impermissible use or disclosure of PHI is "presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised." The final rules require an analysis that, at a minimum, takes into account the following: (1) the nature and extent of the PHI, (2) who used or received the PHI, (3) whether the PHI was actually acquired or viewed, and (4) the extent to which the risk to the PHI was mitigated. A covered entity or business associate may choose to provide breach notification with respect to any impermissible use or disclosure of PHI and forgo the risk assessment process. HHS has indicated that it will provide additional guidance related to risk assessments and common breach scenarios. Employer plan sponsors should review and revise, as necessary, their policies and procedures with respect to breach investigations to ensure compliance with the new risk assessment standards.

Access to PHI

The final rules expand individuals' rights to receive copies of their PHI by requiring covered entities to provide access to PHI in the electronic form and format requested by the individual, if the PHI is maintained electronically in one or more designated record sets (e.g., enrollment, payment, claims, and medical and billing records). Covered entities still have 30 days to respond to a request for PHI, even if the PHI will be sent electronically. The final rules also allow family members who were involved with a decedent's care to receive access to the decedent's PHI.

Restrictions on Disclosures

The final rules provide that if the full cost of medical care for a particular item or service is paid for by (or on behalf of) an individual out of pocket, the provider must abide by the individual's request to restrict PHI related to such care and not share it with the individual's health plan or insurer.

Authorizations Required for Marketing and Sale of PHI

Under the final rules, an individual authorization is required for communications when a covered entity receives financial remuneration from a third party in exchange for marketing the third party's product or service. Exceptions apply for the costs of labor, supplies, and postage related to refill reminders and other communications about currently prescribed drugs. Promotions of health in general and the promotion of government-sponsored programs are also permitted without authorization. The final rules also generally prohibit a covered entity or business associate from receiving direct or indirect remuneration in exchange for the disclosure of PHI, unless the covered entity or business associate has obtained authorization from the individual.

Genetic Information

The final rules prohibit most health plans from using or disclosing genetic information for underwriting purposes, as required under the Genetic Information Nondiscrimination Act of 2008 (GINA).

Notice of Privacy Practices

A number of provisions in the final rules will require changes to the notice of privacy practices required to be issued by covered entities. Health plans must post the revised notices on their websites and provide hard copies to participants at the next annual open enrollment.

Enforcement

HHS will continue to conduct random audits and investigate breach reports and complaints under HIPAA/HITECH. Violations can result in civil penalties of up to $1.5 million per year and criminal penalties of up to 10 years' imprisonment. The final rules maintain the tiered system of civil penalty amounts, based on increasing levels of culpability, that was introduced under HITECH. Also included in the final rules is a provision that allows HHS to impose a civil money penalty without exhausting informal resolution options, although this approach is likely to be limited to cases of willful neglect.

Next Steps

With the final regulations now in hand, employer group health plan sponsors should take a fresh look at their HIPAA/HITECH compliance to identify issues, fill gaps, and correct problems.


[1] See the January 17, 2013, HHS press release.

Copyright © 2014 by Morgan, Lewis & Bockius LLP. All Rights Reserved.

About the Author

Of Counsel

Lauren B. Licastro is of counsel in Morgan Lewis's Employee Benefits and Executive Compensation Practice. Ms. Licastro counsels clients on matters related to the implementation, operation, and termination of retirement plans and health and welfare benefit plans in compliance with ERISA, the Internal Revenue Code, COBRA, HIPAA, Healthcare Reform, and other applicable law. She negotiates contracts on behalf of employers with plan service providers, such as insurers, recordkeepers, and third-party administrators, and also provides advice regarding employment agreements...

412.560.3383

About the Author

Associate

Georgina L. O'Hara is an associate in Morgan Lewis's Employee Benefits and Executive Compensation Practice.

Ms. O'Hara is involved in all aspects of the firm's employee benefits practice including health and welfare plans, deferred compensation arrangements, executive compensation arrangements and employment agreements. She also regularly counsels clients on regulatory compliance with the Internal Revenue Code, ERISA, COBRA, and HIPAA.

Ms. O’Hara is also an active member of the firm’s pro bono practice, serving as the liaison for the Women...

215.963.5188

About the Author

Associate

Saghi "Sage" Fattahian is an associate in Morgan Lewis’s Employee Benefits and Executive Compensation Practice. Ms. Fattahian focuses her practice on a variety of employee benefits matters, including the design and implementation of qualified plans, welfare plans, fringe benefits, and other compensation arrangements. She assists clients in developing compliance protocols on regulatory issues dealing with the Internal Revenue Code, ERISA, COBRA, and HIPAA.

312-324-1744

About the Author

Our Employee Benefits and Executive Compensation Practice is one of the largest in the country and offers a level of substantive knowledge, industry experience, and technical skills that makes Morgan Lewis a nationwide leader in employee benefits practice. Every day our more than 80 lawyers and other benefits professionals use their skills as counselors, strategists, problem solvers and trial lawyers to assist clients in finding creative solutions to their employee-benefit-related business problems.

From qualified retirement plans to sophisticated equity...

215-963-5726
