June 27, 2019


HIPAA and HITECH Act: The Stakes Have Gotten Higher for Group Health Plans

Health plan sponsors have long been aware of the HIPAA privacy and security rules that apply to their employees’ protected health information (PHI). More recently, the HITECH Act added several new obligations, including breach notification requirements. These changes have made HIPAA compliance a much higher-stakes proposition. The HITECH Act empowers state attorneys general to enforce HIPAA violations, directs HHS to conduct HIPAA compliance audits, and increases penalties for HIPAA noncompliance from an annual per-provision maximum of $25,000 to $1.5 million. HHS and state attorneys general are taking their new enforcement role seriously: the former has announced it will audit every entity reporting a breach that affects more than 500 people, and the latter have already pursued at least one enforcement action. With the compliance stakes raised so substantially, let’s consider some of the more pressing requirements and what you can do about them.

Develop a written breach response procedure. The new breach notification rule requires both a written response procedure and employee training. The procedure should take into account how you will provide required notifications to affected individuals, HHS and, in some cases, the media. Ideally, it will also account for existing state breach notification laws that may also apply.

Ensure Security Rule compliance. Security Rule compliance is particularly important in order to prevent potential breaches. And, if you are compliant but have a breach anyway, making sure your program is “regulatory ready” (i.e., fully documented) will help show that the incident occurred despite your best efforts. In past breach-related enforcement actions where security was deemed lacking, regulators have charged penalties as high as $2.25 million, required implementation of a comprehensive written information security program, and required biennial third-party audits of that program over a period as long as 20 years.

Update your business associate agreements. The HITECH Act also requires business associates to fully comply with the HIPAA Security Rule and imposes several other obligations on them. As a result, updating all of your business associate agreements is mandatory. It’s also a good idea to think about other provisions that increase protections, particularly in a breach situation. Under the law, your business associates need only notify you if they have had a breach; providing notifications to affected individuals, and the cost of mitigating and responding, will be left with your organization if the contract does not provide otherwise.

Review your HIPAA policies, procedures and training. With the myriad legal changes, evolving security technologies, and significantly increased enforcement, this is a great time to review your HIPAA compliance program. (Periodic reviews of your security compliance are mandatory.) Although maintaining an up-to-date program is certainly a concern for self-insured health plans, employers with fully-insured plans should also have HIPAA policies and procedures in place if they assist employees with resolution of medical claims, or offer other covered plans like certain wellness programs.

© 2019 Poyner Spruill LLP. All rights reserved.


About this Author

Elizabeth Johnson, Privacy, Information Security Attorney, Poyner Spruill, law

Elizabeth’s practice focuses on privacy, information security, and records management. Her comprehensive, practical approach to privacy law is reflected by the diversity of her clients, which hail from a variety of industries including health care, financial services, insurance, retail, telecom, utility, technology, consumer goods and client services. Elizabeth has also worked with organizations of various size and scope, ranging from Fortune 100 companies with international reach to local charities. She was listed among the top privacy professionals in Computerworld’s “2008...

Nancy C. Brower, Employee benefits lawyer, ERISA Attorney, Poyner Spruill Law Firm

Nancy practices in the area of employee benefits and ERISA. She has significant experience designing and documenting retirement plans and executive compensation plans as well as providing administrative advice on these plans. Nancy has represented clients before the Internal Revenue Service and Department of Labor, and she has represented clients in matters involving employee benefit due diligence, negotiation and planning in the context of mergers and acquisitions.
