HIPAA Privacy and Security Rule Changes
With all the publicity about the Affordable Care Act it is easy to lose sight of other requirements for health care plans. New final regulations on HIPAA Privacy and Security were published January 25, 2013. Certain enforcement changes became effective March 26, 2013. The changes to privacy policies, notices of privacy practices and business associate agreements that became effective September 23, 2013 are of greater importance to employers and health care plans.
The notification requirements for security breaches have been modified. Previously, notice was required only if a subjective determination of “significant risk of harm” was made. Notification must now be given unless the covered entity (health care plan or provider) demonstrates a low probability that the protected health information has been compromised; the burden of demonstrating this is placed on the covered entity.
Additional changes apply to plan operations and notices. The rules regarding the use of protected health information (PHI) for marketing, and the sale of PHI, have been tightened, and certain disclosures must be made. Plans that use PHI to underwrite (determine health insurance premiums) may not use genetic information (including family health history). If a breach of a participant’s PHI occurs, the Plan must notify the participant. These and other changes must be made to plan documents, privacy policies and notices of privacy practices.
Self-insured plans will have the greatest compliance burden. Fully insured health care plans that operate in a “hands off” mode will be the least affected. However, note that many insured plans operate in conjunction with a health reimbursement arrangement (HRA) and/or a health care flexible spending account plan. These auxiliary plans should be treated like self-insured health plans for these purposes. However, health care plans that are not insured, have fewer than 50 participants and are internally administered by the employer are relieved from the HIPAA privacy rules.
The area of the biggest changes involves business associates. Previously, covered entities could protect themselves from liability for business associate conduct by entering into a business associate agreement with them. This safe harbor no longer applies, and the new rules open up covered entities to liability for the acts of their business associates in certain circumstances. And for the first time, business associates are themselves directly liable for violations of the rules and subject to penalties. Furthermore, “downstream” subcontractors of business associates are also liable for HIPAA violations. Business associates are now required to enter into agreements with their subcontractors addressing their responsibilities (subcontractor business associate agreements).
As noted above, certain enforcement provisions became effective March 26, 2013. Of greater importance to health care plans are the operational, disclosure and business associate changes described above. These became effective September 23, 2013. There is a little bit of relief in the area of business associate agreements. Although operational compliance with the rules became effective September 23, 2013, a covered entity with an existing business associate agreement in place on January 25, 2013 does not need to enter into a new business associate agreement with that vendor until March 26, 2014. Other than that exception, all business associate relationships entered into on or after January 25, 2013 and all business associate contract modifications after that date must comply with the new regulations.
If you have not reviewed the HIPAA privacy policies and documents subsequent to these final regulations, we recommend you do so promptly. If you would like assistance with the review of your policies or business associate agreements or employee notices, contact Tim Tornga at (616) 632 8090 or ttornga@mikameyers.com or any other member of the Mika Meyers Labor and Employment Practice team.