Business Counselor July 30, 2014 Timothy J. Tornga

HIPAA Compliance Deadline Approaching

With all the news about the Affordable Care Act (ACA), it is easy to lose sight of other employee benefit obligations. Failure to address health care plan HIPAA obligations could lead to serious consequences.

All health care plans must fulfill their duty to protect, use, and disclose protected health information (PHI) in an appropriate and careful manner. Most plans must do so by complying with detailed documentation and procedural steps described below. Others may comply with only very limited responsibilities. Application of this rule involves four categories of plans:

  • self-funded plans with fewer than 50 participants that are internally administered – limited.
  • self-funded plans that either have 50 or more participants or use an outside third-party administrator to process claims – detailed.
  • insured plans that create or receive some protected health information (PHI) – detailed.
  • insured plans that do not create or receive ANY PHI – limited.

We have found that it is difficult for an employer to avoid compliance with the privacy and security rules simply because of insured plan status. If the employer sponsors a high deductible insured plan but couples it with a health reimbursement arrangement (HRA) to defray some of the expenses, this will trigger detailed compliance. In a similar manner, maintaining a medical expense reimbursement flexible spending account (medical FSA) plan or an employee assistance plan (EAP) will trigger compliance with the detailed policy and other compliance duties. Sharing any claims information, other than limited enrollment information, with a broker, agent or insurance company will also forfeit the limited compliance status. For a more detailed look at evaluating possible exemption from detailed HIPAA compliance, see “Are Small Health Care Plans Exempt From HIPAA Privacy and Security Rules?”

The responses of health care plan sponsors to the detailed rules begin with adoption of a Privacy Policy and a Security Policy, distribution of a Notice of Privacy Practices to plan participants, and entry into Business Associate agreements with vendors assisting in the operation of the health care plan. These obligations began in 2003 and 2004. Many changes have been made to these documents since then due to new regulations, increased vulnerability of data (more aggressive hacking) and the U.S. Department of Health and Human Services (HHS) enforcement activities.

Our current focus is on the changes arising out of a package of regulations published January 25, 2013. These regulations addressed the HITECH Act changes to the HIPAA privacy and security rules. One of the most obvious changes addressed the obligations of business associates, making them directly responsible for privacy rule compliance and subject to penalties for their failures. Other changes addressed the rights of participants in health care plans with respect to their own PHI and the obligations of health plans to respond to participant requests. These regulations require updating of privacy policies, updating and redistribution of notices of privacy practices, and entry into revised agreements with business associates. Training and threat analysis should also be addressed.

These changes became effective September 23, 2013. However, the deadline for actually updating the business associate agreements was delayed until September 22, 2014, less than two months from now. If you have not updated your health care plan HIPAA documents since January 25, 2013, then they are likely out-of-date. If so, they must be updated as soon as possible. Privacy policies, security policies and notices of privacy practices are likely to be out-of-date and failure to update them could subject the plan to penalty. Therefore, we recommend restatement at this time also. Note that these final regulations describe entry into updated business associate agreements and distribution of updated notices of privacy practices as “bright line” compliance requirements.

We also mentioned enforcement changes above. There have been several notable instances of lost laptops or misdirected information leading to six and seven figure penalties. Prior enforcement has been focused on health care providers. However, health care plans are also vulnerable. HHS recently began a pilot program of audits of 500 covered entities, at least 30% of which will be health care plans. This pilot program will eventually lead to a broader and more routine audit program covering many more health care plans and other covered entities.

While prediction of penalties for failure to maintain updated documents is an uncertain exercise, the impact of updated documents on the likelihood and occurrence of a breach is clearer. In addition to the ability to withstand audits, it is even more important to have up-to-date documents so that a plan sponsor may minimize penalties in the event that a breach of PHI occurs. The most important aspect of an updated set of program documents is the education of health care plan staff that occurs with the updating exercise. With greater awareness of the HIPAA procedures, health care plans are less likely to have a breach of PHI. If a breach does occur, the presence of updated plan documents will be considered in mitigation of penalties.

If you have questions about HIPAA compliance or would like assistance with reviewing and updating your HIPAA compliance package, contact another member of the Mika Meyers Labor and Employee Benefits Practice Group.
