HIPAA Rules and Action Steps for Compliance April 2013


Attorney John Barlament explains employer health plans under the new HIPAA rules and action steps for compliance, April 2013

©2015 Quarles & Brady LLP. This document provides information of a general nature. None of the information contained herein is intended as legal advice or opinion relative to specific matters, facts, situations or issues. Additional facts and information or future developments may affect the subjects addressed in this document. You should consult with a lawyer about your particular circumstances before acting on any of this information because it may not be applicable to you or your situation.

  1. Employer Health Plans Under the New HIPAA Rules: Action Steps for Compliance (www.quarles.com)
     John Barlament, Quarles & Brady LLP
     john.barlament@quarles.com, 414.277.5727
  2. Topics for Today
     • Four main areas of HIPAA Administrative Simplification
     • Enforcement strengthened and penalties increased
     • Applying Security Rules to business associates (“BAs”)
     • New breach notification rules
     • New Privacy Rules
     • Highlight where new regulations make changes
       – For many items, new regulations made limited changes
  3. Overview
     • HIPAA enacted in 1996 and contained several parts
     • Title I: Portability
       – Pre-existing condition limitations
       – Nondiscrimination rules
     • Title II: Administrative Simplification – Core Requirements
       – Standard Transaction Rules
       – Privacy Rules
       – Security Rules
       – Breach Notification Rules
     • Administrative Simplification Rules amended several times, including by HITECH Act in 2009 and health care reform
  4. Which Plans are Affected?
     • Rules generally apply to “health plans”
       – Major medical; dental; vision; health reimbursement arrangement (“HRA”); health FSA
       – Need to examine employee assistance plan (“EAP”) and wellness plan separately
         • Some may provide medical benefits, but not all will
         • Complex area and some disagreement
       – Does not usually apply to:
         • Health savings accounts (“HSAs”) (although theoretically possible)
           – Would apply to related high deductible health plan
         • Self-administered plans with less than 50 “participants”
         • Non-health plans (e.g., disability)
           – Can be subject to other laws – e.g., ADA has privacy rules
  5. Core Requirements Remain Same
     • Standard Transaction Rules: Intended to put the “simplification” in Administrative Simplification Rules
       – When covered entities talk electronically, use same codes
         • E.g., use a common identification number for various hospitals and clinics
         • Claims for benefits follow same electronic format
     • Privacy: Use and disclosure rules for protected health information (“PHI”)
       – Administrative requirements for employers on behalf of health plans
       – Privacy rights for individuals
  6. Core Requirements
     • Security Rule: Applies to electronic PHI (“ePHI”)
       – Administrative, physical, technical safeguards
         • Some are “required”, others “addressable”
       – Organizational, documentation requirements
     • Breach Notification: Breach of “unsecured” PHI
       – New regulations provide changes to “breach” definition
         • No longer use “significant risk of financial, reputational or other harm”
  7. How Rules Apply to Group Health Plans
     • “Basic” rules for employers and their plans remain the same
     • Fully-insured plans (usually “hands off” PHI): Minimal obligations
       – Theoretically state no discrimination
     • Self-funded plans (usually “hands on” PHI): Significant obligations
       – Amend plan document so employer follows HIPAA
       – Create policies and procedures; train “workforce”
       – Various administrative requirements (e.g., identify BAs)
     • Vast majority of new regs do not apply “differently” to health plans than to other covered entities
  8. Overview – Health Care Reform
     • Health care reform made some changes also
     • New Standard Transactions
       – Electronic funds transfer (regulations 1/2012; effective 1/2013)
         • Employers / plan sponsors should have verified in 2012 that current business associate agreement included this
     • Follow Operating Rules
       – Staggered effective dates
       – Eligibility for health plan and health care claim status regulations issued in 2011
         • Effective January 2013
       – Others take effect in 2014 and 2016
  9. Overview – Health Care Reform
     • Unique health plan identifier
       – 9/2012 HHS issued final regulations
       – Health plans apply for a unique number for Standard Transaction purposes
       – Large health plans need one by 11/2014
       – Small receive extra year; both use by 11/2016
     • New “employer certification” requirement by end of 2013
       – Certify compliance with certain Transactions and Operating Rules
       – No regulations yet (so details unknown)
       – Penalty range as low as $1 per covered life per day
       – Put into updated business associate agreements (“BAAs”)?
     • “Other” health care reform HIPAA changes not covered here
       – E.g., increasing wellness plan discount / penalty from 20% to 30% - 50%
  10. New Regulations
     • Very long but maintain many prior proposed changes
     • Most changes effective September 23, 2013
       – E.g., updates to notices of privacy practices and policies and procedures (discussed later)
       – General “catch-all” provision would not be sufficient
     • Changes to business associate agreements (“BAAs”):
       – Complicated rules for whether effective date of updated BAAs is 9/2013 or 9/2014
       – However, extra year relief hinges on whether BAA complied with HIPAA as in effect on 1/25/2013
  11. New Regulations
       – Employer may not be 100% certain, so may want to update all by 9/2013 (not 9/2014)
     • HHS published new sample BAA which is “better” than prior sample
       – http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
       – Still leaves out some items (e.g., Standard Transaction Rules)
       – Also does not include some other items employers / plans may want
         • E.g., no sending of PHI offshore; who determines if there is a breach; who pays if a breach, etc.
  12. Applying Rules to Business Associates
     • Commentators complained of “gap” in health privacy
       – BAs only indirectly covered
     • HITECH now applies most HIPAA Security Rules (and some Privacy Rules) directly to BAs
     • New regs: “Subcontractors” also must comply
       – And subcontractors of subcontractors, etc.
       – Can create contracting issues
         • E.g., plan requires BA to notify it of breach within 10 days
         • BA has Subcontractor 1
         • Subcontractor 1 has Subcontractor 2
         • Will agreement between Sub 1 and Sub 2 allow sufficient time for breach at Sub 2 to reach plan within 10 days? Do Sub 1 and Sub 2 (or Sub 3 or Sub 4) even know of 10-day requirement?
  13. Applying Rules to Business Associates
     • Many business associates will also have a health plan
       – So, will have two “levels” of HIPAA compliance – as a BA and as a sponsor of a health plan
       – Some entities covered in three ways (provider; BA; sponsor of plan)
         • Policies and procedures will not be identical (but could have significant overlap)
     • Note: Still no direct duty under HIPAA for plans to monitor their BAs
       – However, ERISA does have a similar fiduciary duty
  14. New Breach Notification Rules
     • If: (1) covered entity or business associate accesses, maintains, retains, modifies, records, stores, destroys or otherwise holds, uses or discloses “unsecured protected health information” and (2) there is a “breach” of such information; and (3) the breach is “discovered”; then (4) notification rules apply
     • Covered entities and business associates follow rule
  15. New Breach Notification Rules
     • New regs: For this (and other obligations) plan can require BA (e.g., third party administrator (“TPA”)) to conduct on behalf of plan
       – If so, must include in BAA
       – Plan still liable (so consider indemnification?)
       – Caution: BAs may have a “bias”
       – Recommend that employer / plan reserve right to determine if “breach” occurred
       – Also, recommend “quick” report to plan
     • “Accesses, maintains…unsecured PHI”:
       – Terms not well-defined but seems broad
       – “Unsecured PHI” – PHI not secured through technology or methodology approved by HHS
         • 4/17/09 HHS guidance “safe harbor” for data: in motion; at rest; in use; disposed.
           – Encryption (NIST approved)
           – Destruction (shredded or purged)
     • Note: Can have a “breach” of paper PHI or electronic PHI
  16. New Breach Rules – Defining “Breach”
     • “Breach” is: (1) acquisition, access, use or disclosure (2) of PHI (3) in manner not permitted under Privacy Rules (4) which “compromises” the security or privacy of the PHI
       – E.g., benefits department employee is curious about coworker’s medical situation and reviews (accesses) medical record
       – E.g., explanation of benefits (“EOB”) sent to wrong person and actually opened
     • Prior standard from 2009 regulations now eliminated
       – “Significant risk of financial, reputational or other harm”
  17. Defining “Breach”
     • Old standard replaced by somewhat-vague “compromised” standard
       – Does not require that every improper use or disclosure be treated as a “breach”
     • Covered entity and business associate assume breach occurred if improper use or disclosure
     • Both assess probability that PHI has been “compromised” based on a risk assessment
       – Must consider at least four factors
  18. Defining “Breach”
     • (1) Nature and extent of PHI involved
       – Including types of identifiers and likelihood of re-identification
     • (2) Unauthorized person who used PHI or to whom the disclosure was made
     • (3) Whether PHI was actually acquired or viewed
     • (4) Extent to which the risk to the PHI has been mitigated
     • All should be documented
       – Plan may want BA to do assessment and provide it to plan
       – HHS considered, but rejected, idea that third party determines if “breach” occurred
       – New regs: Burden of proof on plan / BA to prove no breach occurred
  19. Exceptions to “Breach”
     • Does not include unintentional acquisition, access, use or disclosure of PHI by workforce member (or acting under authority) if done in good faith and within scope and not further used or disclosed
       – New regs: Does not include “snooping employees”
     • “Breach” also does not include certain inadvertent disclosures at covered entity or BA if information not further used or disclosed
     • “Breach” does not include disclosure where person would not have reasonably been able to retain it
     • New regs: Also may be other situations (above is not exhaustive list)
  20. Breach Rules – What Happens if Breach Occurs
     • Generally notify affected individuals
       – Usually within 60 days after breach “discovered”
         • Includes discovery by an agent – clarify in BAAs that BA is not an “agent”?
     • HHS notification usually required after end of year
     • If “major” breach of 500+, notify HHS within 60 days and media
       – For both, consider impact to employer’s brand / employee relations issues
  21. Breach Rules – Include in Content of Notification
     • Brief description of what happened, including date of breach and date discovered
     • Types of unsecured PHI involved (e.g., name, Social Security number, date of birth, home address, account number)
     • Steps individual should take to protect from potential harm
     • What covered entity is doing to investigate the breach, mitigate losses and protect against further breaches
     • Contact procedures for individuals to ask questions; shall include toll-free phone number, email address, web site or postal address
     • All written in “plain language”
     • Require BA to provide if BA causes breach?
  22. New Access Rules
     • Individuals have right to access and obtain copy of PHI in designated record set
     • Health plan previously had to respond within 60 days
       – 30 day extension also available
     • New regs: Must respond within 30 days
       – 30 day extension still available
       – Will likely require changes to policies / procedures
     • New regs: Plan must, if requested by individual, transmit copy of PHI directly to another designated person
       – Request to do so “must” be in writing, signed by individual and must clearly identify recipient
     • Can still charge reasonable, cost-based fees
       – New regs: No standard “retrieval fee”
       – New regs: Can include cost of CD (if that is what individual requests)
  23. New Access Rules
     • New Regs: If individual requests electronic copy of PHI and if PHI maintained electronically, plan must provide access to it in electronic form and format requested
       – If not possible, provide “machine readable” copy
         • Includes Word, Excel, text, HTML, PDF
     • Consider risks of allowing direct download on individuals’ portable devices
     • Employer probably does not have entire “designated record set”
       – Coordinate with TPA and other BAs (if self-funded)
       – If employer’s health plan is fully-insured, likely forward employee to insurer
  24. Restriction Request Rules
     • Individual can make restriction request under 164.522 – and covered entity usually need not follow it
     • Under HITECH, covered entity must comply with request if:
       – Disclosure is to a health plan for purposes of carrying out payment or health care operations (but not treatment) and
       – PHI pertains solely to a health care item or service for which the health care provider has been paid out of pocket in full
     • Preamble to new regs: Rule only applies to providers (not health plans)
       – But, wording of regs not so limited
       – Recommend updating health plan policies and procedures to include
  25. Guidance on “Minimum Necessary”
     • Currently, most uses and disclosures of PHI must be of “minimum necessary” amount
       – Not always easy to know what “minimum necessary” means
     • New Regs: BAs directly subject to rule
       – Also includes requests a BA makes of another BA
       – Parties may want to address in BAA
         • Sample BAA from HHS has some language
         • Future guidance expected
  26. Prohibiting Sale of PHI
     • Covered entity and BA cannot “directly or indirectly receive remuneration” in exchange for any PHI unless covered entity obtained valid authorization from individual (and authorization must specify that remuneration is acceptable)
     • Are some exceptions (e.g., can receive a few dollars from individual for copying medical records; research, treatment)
     • Will health plans ever “sell” PHI?
       – Not typical but cannot rule it out
       – Do include in BAA
  27. Marketing of PHI
     • Covered entity generally needs authorization for “marketing” (communication encouraging purchase or use of product)
     • Several exceptions
       – E.g., to provide refill reminders about current drug (remuneration limited to cost of communication)
       – Care coordination (no remuneration)
       – Description of plan benefits (no remuneration)
       – Non-plan products and services available to enrollees (no remuneration)
       – Is this broad enough to cover everything a health plan does?
  28. PHI of Decedents
     • New regs: Ceases to be protected after individual is deceased for 50 years
     • New regs: Can disclose decedent’s PHI to family members or others involved in decedent’s care or payment for care
     • Modest change for health plans
       – May be difficult to track
       – Should probably include in notice of privacy practices
       – Discuss with TPA (if self-funded) whether TPA can track this? Or just ignore it because it is optional?
  29. GINA
     • New regs also address Genetic Information Nondiscrimination Act (“GINA”)
     • Maintain current rule that genetic information is generally PHI
       – Update definition of “PHI”
     • Adopts proposed rule from 10/2009 that genetic information cannot be used for underwriting purposes
       – Includes: (1) rules for, or determination of, eligibility; (2) computation of premium or contribution amounts; (3) application of pre-existing condition exclusion; (4) other activities related to creation or renewal
  30. GINA
     • Plan cannot include genetic information in summary health information it discloses to plan sponsor so sponsor can obtain premium bids
     • Plan can use and disclose genetic information to determine medical appropriateness (e.g., whether to have mammogram before age 40)
     • If plan engages in “underwriting”, state in notice of privacy practices that it cannot use genetic information for such activity
  31. Notices of Privacy Practices
     • Will likely need to be updated
     • New regs confirm that should inform individuals of breach notification rights
     • Also must state authorization usually needed for:
       – Most uses and disclosures of psychotherapy notes
       – Uses and disclosures for marketing
       – Sale of PHI
       – Other uses and disclosures not described in notice made only with authorization from individual
     • Other changes as noted previously
     • Some new distribution rules
       – If have web site, post by effective date
         • But does a plan ever have a web site?
       – If not, provide it within 60 days of material revision
  32. Policies and Procedures
     • Will almost certainly need to be updated
     • Some changes (e.g., definition of “breach”) unexpected and almost certainly not in existing procedures
     • Remember to re-train after changes made
  33. Business Associate Agreements
     • Possible but unlikely that no changes needed (e.g., if general terms used – no set definition of “breach”)
       – If go this route, may need to do analysis of all BAAs
       – Even if “template” used as starting point, may have changed during negotiations
     • Given HIPAA enforcement, good idea to re-visit them all and make items more clear
  34. Questions and Answers
     Thank you for attending
     John L. Barlament
     Quarles & Brady LLP
     411 E. Wisconsin Avenue, Suite 2350
     Milwaukee, WI 53202
     john.barlament@quarles.com