Earlier this year, the Department of Health and Human Services (HHS) issued final omnibus regulations that revise and expand the privacy and security protections under HIPAA and also finalize the civil enforcement and breach notification rules under the Health Information Technology for Economic and Clinical Health Act (“HITECH”).
The final regulations, the “Omnibus Rule,” include important changes that affect covered entities, including group health plans and the employers that sponsor such plans, as well as business associates. The final rule affects group health plans in two significant ways. First, the Omnibus Rule expands the existing definition and obligations of a business associate of a group health plan under HIPAA. Second, the Omnibus Rule modifies the obligations of a group health plan with regard to breaches of unsecured protected health information (“PHI”).
Group health plans have until September 23, 2013 to comply with the Omnibus Rule. Key steps to ensure compliance for many employers that sponsor health plans will entail distribution of revised Privacy Practice Notices, modified Business Associate Agreements (BAAs), and implementation of new HIPAA Authorizations, as summarized below:
1. Privacy Practice Notice – Employers Will Need to Issue Revised Privacy Notices:
While not fundamentally changing employers’ HIPAA compliance obligations, the final rule does make some changes that warrant mandatory distribution of an updated Privacy Practice Notice. The revised notices need to inform recipients of:
(a) their right to receive security breach notification,
(b) HIPAA’s new prohibition on the use of genetic information for underwriting purposes, and
(c) the requirement that the employer obtain the subject’s authorization before using PHI for marketing purposes and before selling PHI.
Because HHS has determined that this new language constitutes a material change to the notice, employers that maintain a benefits website are required under the HIPAA Privacy Rule to (a) post the revised Privacy Practice Notice on their benefits website by the Omnibus Final Rule’s compliance deadline of September 23, 2013; and (b) distribute the revised policy to the named insured in its next annual mailing to plan participants.
Employers that do not maintain a benefits website must distribute the revised notice within 60 days of the material revision to the notice, essentially a deadline of December 22, 2013 for such employers. Employers can distribute the revised privacy notice by email as long as the named insured agrees to electronic delivery.
2. Business Associates Agreement (BAA) – Employers Should Review and Amend BAAs as Necessary:
The final rule modifies the minimum required contents of agreements with service providers, known in HIPAA phraseology as “business associates,” who receive PHI from a covered entity, such as TPAs and insurance brokers. In addition to previously required provisions, these BAAs must now include provisions that require business associates to:
(a) comply with the HIPAA Security Rule’s requirements,
(b) report any security breach to the covered entity,
(c) enter into a BAA with any subcontractor that receives the covered entity’s PHI, and
(d) comply with the provisions of the HIPAA Privacy Rule applicable to any obligation which the covered entity delegates to the business associate.
Many employers started to include in their BAAs provisions addressing these requirements after the HITECH Act was enacted in February 2009. The general application date for updating the BAA is September 23, 2013. However, the final rule provides a transitional period for updating BAAs where there was already a BAA in place on January 25, 2013 (the date the final rules were issued). These BAAs must be amended by the earlier of the next renewal after September 23, 2013 or by September 23, 2014.
3. Employee’s Authorization for Release of Health Information:
All covered entities and business associates should obtain a signed authorization from any health plan enrollee that requests assistance involving the disclosure of PHI. These situations typically involve assistance with claim-related issues.
The final regulations will have the greatest impact on self-insured health plans because of their exposure to PHI. Self-insured health, dental, vision and prescription plans will need to have HIPAA Privacy Policies and Procedures, Business Associate Agreements, a Notice of Privacy Practices, etc., and update them for the final rule.
Generally, employers whose plans are entirely fully-insured have very light HIPAA exposure. If an employer with fully-insured health plans has access to PHI (other than enrollment / disenrollment and eligibility data and summary claims information that is stripped of all individual health identifiers), it will also generally need to have HIPAA Privacy Policies and Procedures, Business Associate Agreements, a Notice of Privacy Practices, etc., and update them for the Omnibus Final Rule.
However, if an employer only sponsors fully-insured plans (i.e., no health FSA, HRA) and has no access to PHI, then the carrier is responsible for the majority of HIPAA compliance (e.g., the carrier will develop the privacy notice). The fully-insured employer may not need HIPAA policies and procedures or business associate agreements in that case (because the employer isn’t handling any PHI).
The deadline for compliance with the Omnibus Rule is quickly approaching. An employer that sponsors a group health plan should take action now to ensure timely compliance. Failure to comply with these key requirements can result in stiff penalties for group health plans.
Please reference Proskauer’s client alert of January 29, 2013, HHS Issues HIPAA/HITECH Omnibus Final Rule Ushering in Significant Changes to Existing Regulations for more detail regarding the HIPAA Omnibus Rule.
As with all issues involving the interpretation or application of laws and regulations, it is recommended that clients consult their legal counsel for advice on the interpretation and application of the Affordable Care Act.