Final HIPAA regulations require changes for employers

The Health Insurance Portability and Accountability Act privacy rules now restrict the use and disclosure of protected health information. That means employers, providers and their business associates are directly liable for civil penalties if they violate HIPAA requirements. See what steps you can take to become fully compliant.

HRS Insight 2013, Issue 5
Final HIPAA regulations require changes for employers
February 11, 2013

In brief

The HIPAA privacy rules restrict the use or disclosure of protected health information by covered entities – including employer group health plans – without express authorization, except when necessary for treatment, payment or health care operations, or certain other permitted purposes. The privacy rules include standards for certain individual privacy rights to understand and control how their health information is used. The HIPAA security rules set standards to protect the confidentiality, integrity, and availability of electronic protected health information.

Employers with self-insured group health plans, including medical, dental, vision, health flexible spending accounts or health reimbursement arrangements and certain employee assistance programs, as well as those sponsoring onsite medical clinics or using data warehousing in conjunction with their group health plans, will have HIPAA obligations. In general, employers with insured group health plans that don’t have access to protected health information will have only limited HIPAA obligations.

The final regulations implement the amendments to HIPAA made by the Health Information Technology for Economic and Clinical Health Act (the HITECH Act) and the Genetic Information Nondiscrimination Act (GINA). Generally, the final regulations:

  • Modify the HIPAA privacy, security, and enforcement rules to
    – make business associates directly liable for compliance with certain privacy and security rules
    – modify the rules for breach notification
    – require modifications to notices of privacy practices
    – strengthen limits on use and sale of protected health information
    – expand rights to electronic copies of health information and restrict disclosures to health plans where the individual has paid for the treatment
    – incorporate the increased and tiered monetary penalties and expanded enforcement structure of the HITECH Act
    – adopt additional HITECH Act provisions.
  • Modify the HIPAA privacy rule to strengthen and implement the privacy protections for genetic information under GINA.

There are numerous changes in the final rules from earlier interim and proposed rules; however, employers will find that the general compliance framework for satisfying their HIPAA privacy and security obligations was not significantly altered by this recent round of regulatory guidance. HHS did not finalize other proposed regulations (published in May 2011) affecting accounting for disclosures and access reports.

In detail

The final rules:
  • require HHS to formally investigate complaints of violations due to willful neglect, and impose civil money penalties upon finding such violations
  • require HHS to determine civil penalty amounts based on the nature and extent of harm resulting from a violation
  • make business associates of covered entities directly liable for civil money penalties for violations of certain of the HIPAA rules, and
  • provide that HHS’s authority to impose civil penalties will be barred only to the extent criminal penalties have been imposed.

Penalty and enforcement provisions

The final rule adopts the increased and tiered civil money penalty structure set out in the HITECH Act, creating significant impetus for group health plan sponsors and other covered entities to exercise diligence in using and disclosing protected health information:

Type of violation                                                                              | Penalty amount per violation (1)
Did not know (and would not have known by exercising reasonable diligence) about violation     | $100 to $50,000 per violation, up to annual maximum
Violation is due to reasonable cause                                                           | $1,000 to $50,000 per violation, up to annual maximum
Violation is due to willful neglect but is corrected                                           | $10,000 to $50,000 per violation, up to annual maximum
Violation is due to willful neglect and is not corrected                                       | $50,000 per violation, up to annual maximum

(1) Maximum penalty of $1.5 million for all violations of a single provision in a calendar year, for any tier of penalty.

Violations that occur because a covered entity did not know, and with the exercise of reasonable diligence would not have known, of the violation are not exempt from penalty, but are punishable under the lowest tier of penalties. Penalties are not imposed for any violation that is timely corrected, as long as the violation was not due to willful neglect.

Expansion of business associate rules

Several elements of the final rules will require employers to review the vendors providing services to their group health plans and to review and possibly revise business associate agreements.

New types of business associates

The final rules clarify that a business associate includes an entity that 'creates, receives, maintains, or transmits' protected health information on behalf of a covered entity, even if it does not actually view the protected health information. Although many group health plans do not contract with these types of service providers – such as patient safety organizations, health information organizations, e-prescribing gateways and other entities that facilitate data transmission, as well as entities that offer a personal health record – they should periodically review their plan operations and contracts to confirm this. In addition, the regulations specifically expand the definition of business associate to include subcontractors of any covered entity.

The requirement for Business Associate Agreements is alive and well

Under the HIPAA privacy rule, covered entities, including group health plans, may not disclose protected health information to a business associate unless a business associate agreement is in place. Other HIPAA obligations are imposed on a business associate under these agreements. While some covered entities may have revised their business associate agreements following preliminary guidance on the HITECH Act and other changes, all covered entities and business associates may want to review those agreements again to ensure they comply with the final rules. HHS has posted updated sample business associate agreement provisions on its website.

Business associates and covered entities retain flexibility to set forth specific obligations for each party in their business associate agreements. For example, the parties can agree to delegate responsibility for notifying individuals following a breach of unsecured protected health information, so long as all required notifications are provided. However, in the preamble, HHS encouraged the parties to ensure the individual does not receive notifications from both the covered entity and the business associate about the same breach. Therefore, business associate agreement provisions should reflect which entity is in the best position to give notice depending on the circumstances, after considering the functions the business associate performs on behalf of the covered entity and which entity has the relationship with the individual.

Business associates are not required to comply with certain other provisions of the privacy rule, such as providing a Notice of Privacy Practices or designating a privacy official, unless the covered entity has chosen to delegate such responsibilities to the business associate, making it a contractual requirement. For example, how and to what extent a business associate is to support or fulfill a covered entity’s obligation to provide individuals with electronic access to their records will be governed by the business associate agreement. The business associate agreement may allow the business associate to give copies of the requested information directly to the individual, or to the covered entity for delivery to the individual. There is no separate requirement for business associates to provide individuals with direct access to their health records if that is not what has been agreed to between the covered entity and the business associate in the business associate agreement.

Covered entities aren’t completely off the hook

Although HHS now can directly penalize business associates for their HIPAA violations, the proposed regulations would allow HHS to penalize a covered entity for specific tasks delegated to an agent – even if that agent is a business associate. This is significant because if a covered entity delegates a task that otherwise would not be a business associate’s responsibility under HIPAA and the business associate doesn’t properly perform that task, HHS enforcement would fall on the covered entity.

Observation

The expanded definition of business associate and the clarification that business associates are directly liable for compliance with many of the HIPAA requirements underscore the broad scope of these rules.

Breach notification

The HITECH Act requires covered entities to notify affected individuals, and in some cases the media and the Secretary of HHS, following discovery of a breach of unsecured protected health information. This may happen, for example, if a laptop with such information is stolen or lost. Business associates must notify the covered entity of a security breach, and if the covered entity has delegated its breach notification duties to a business associate, the business associate agreement should carefully describe each party’s role and relationship. HHS posts on its web site a list of covered entities that experience breaches of unsecured protected health information involving more than 500 individuals.

Under earlier rules, covered entities were required to assess the likelihood of significant harm to the individual in the event of a breach. Only if the breach was deemed to constitute significant harm was notice required. Under an expanded definition of a breach, any impermissible use or disclosure of protected health information is presumed to be a breach and requires notification, unless the covered entity or business associate demonstrates there is a low probability the protected health information has been compromised (or one of the other exceptions to the definition of breach applies). The risk assessment should consider at least the following factors:
  • the nature and extent of the protected health information involved
  • the unauthorized person who used the protected health information or to whom the disclosure was made
  • whether the protected health information was actually acquired or viewed, and
  • the extent to which the risk to the protected health information has been mitigated.

If a covered entity decides that a notice is not required, it must document its risk assessment and must be able to prove the low probability of compromise to HHS, or to a state attorney general (now authorized to enforce HIPAA).

Observation

Covered entities and business associates should examine their privacy and security policies to ensure that they minimize the possibility of breach and the probability of compromise upon a breach. They should also examine their breach notification policies to ensure that when evaluating the risk of an impermissible use or disclosure they consider all of the required factors. The preamble to the final rule emphasizes the importance of ensuring workforce members are trained on the policies and procedures for reporting, analyzing and documenting a possible breach, and notes that updates to policies and procedures and retraining may be necessary to adopt these modifications.

Revisions to notices of privacy practices

Most employers and other covered entities will be required to revise and redistribute Notices of Privacy Practices by including statements about the following:
  • An individual has a right to receive a notice following a breach of unsecured protected health information.
  • A plan participant must authorize most uses or disclosures of psychotherapy notes; participant authorization is also required to sell protected health information, to use or disclose protected health information for marketing purposes, or to otherwise use or disclose protected health information.
  • The plan is prohibited from using or disclosing genetic information for underwriting purposes (except for long term care policies).

The final regulations implement the requirements of GINA by revising the definition of 'health information' to include 'genetic information' and prohibiting the use of genetic information in underwriting. In addition to modifying their Notices of Privacy Practices as mentioned above, health plans and other covered entities will need to review their practices and procedures and other HIPAA compliance to be certain that they comply with these changes.

Observation

  • Policies and procedures must be reviewed and revised to incorporate the new standards for breach notifications and other rules, such as incorporating genetic information under the protections.
  • Notices of Privacy Practices must be reviewed, revised, and distributed in a timely manner.

Observation

Most employers will have to revise their Notices of Privacy Practices to reflect these changes, and must distribute them to participants in their group health plans. Employers subject to HIPAA that maintain a website with information about benefits must post a revised notice by September 23, 2013. Those not maintaining a website must distribute the revised notice within 60 days of its revision. Employers conducting open enrollment during fall of 2013 should be able to satisfy the notice distribution requirement at that time; however, employers that don’t conduct open enrollment in the fall will have to arrange a special distribution to comply with the 60-day deadline. The HIPAA rules permit Notices of Privacy Practices to be delivered by email if the recipient has agreed to receive an electronic notice (and has not withdrawn that agreement).

GINA changes

GINA prohibits discrimination in both employment and health coverage based on an individual's genetic information, and added new privacy protections for genetic information to prohibit group health plans and health insurance issuers from using or disclosing genetic information for underwriting purposes. Most group health plans no longer consider genetic information in underwriting, so there may be few practical implications of this provision.

The takeaway

  • Employers, health plans, providers and their business associates must be aware that the expanded penalty structure of HIPAA is now fully in effect and these entities are directly liable for civil penalties for violations of the HIPAA requirements.
  • Covered entities should review their operations to determine if any additional parties are business associates under the expanded definitions, and should revise their contractual agreements with these parties.
  • Business associate agreements now in effect should be reviewed and revised and renegotiated if necessary.

Let’s talk

For more information, please contact our authors or your regional PwC Human Resource Services professional:
Kerry Eason, Chicago (312) 298-2103 kerry.eason@us.pwc.com
Amy Bergner, Washington (202) 312-7598 amy.b.bergner@us.pwc.com
Anne Waidmann, Washington (202) 414-1858 birgit.a.waidmann@us.pwc.com
Charlie Yovino, Atlanta (678) 419-1330 charles.yovino@us.pwc.com
Sharmon Priaulx, Boston (617) 530-5279 sharmon.priaulx@us.pwc.com
Pat Meyer, Chicago (312) 298-6229 patrick.meyer@us.pwc.com
Terry Richardson, Dallas (214) 999-2549 terrance.f.richardson@us.pwc.com
Todd Hoffman, Houston (713) 356-8440 todd.hoffman@us.pwc.com
Carrie Duarte, Los Angeles (213) 356-6396 carrie.duarte@us.pwc.com
Ed Donovan, New York Metro (646) 471-8855 ed.donovan@us.pwc.com
Bruce Clouser, Philadelphia (267) 330-3194 bruce.e.clouser@us.pwc.com
Jim Dell, San Francisco (415) 498-6090 jim.dell@us.pwc.com
Scott Pollak, San Jose (408) 817-7446 scott.pollak@Saratoga.PwC.com
Nik Shah, Washington Metro (703) 918-1208 nik.shah@us.pwc.com

www.pwc.com

© 2013 PricewaterhouseCoopers LLP. All rights reserved. In this document, PwC refers to PricewaterhouseCoopers (a Delaware limited liability partnership), which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.