On January 25, 2013, the Department of Health and Human Services issued significant regulations modifying the HIPAA Privacy, Security, and Enforcement rules (the “Final Rule”). The Final Rule’s effective date was March 26, 2013, and the compliance deadline of September 23, 2013 is quickly approaching. Given the many significant changes within the Final Rule, it is crucial that plan administrators of group health plans and their business associates take prompt action to meet the impending deadline.
The Final Rule contains a number of provisions that will affect a broad range of HIPAA covered entities and their business associates who provide services involving protected health information (“PHI”). For example, the Final Rule will greatly impact business associates, HIPAA privacy notices, the security breach notification rules, marketing communications, the sale of PHI, and an individual’s right to access his or her PHI. Examples of the most pressing obligations regarding these changes and the necessary steps to comply with each are addressed below.
Business Associates and Business Associate Agreements
The Final Rule makes certain HIPAA Privacy and Security rules directly applicable to business associates. While business associates are usually contractually obligated to comply with these rules under their business associate agreements, the Final Rule creates increased legal exposure beyond any existing contractual obligations. The Final Rule also provides that covered entities may be liable under the federal common law of agency for the acts and omissions of their business associates.
Specifically, the Final Rule requires business associate agreements to contain certain information. First, the business associate must agree to comply with the HIPAA security standards with respect to electronic PHI. Next, the business associate must agree to report any breaches of unsecured PHI. The business associate must also have a business associate agreement requiring subcontractors that create, receive, maintain, or transmit PHI on behalf of the business associate to agree to the same restrictions and conditions as the business associate. Finally, the business associate must agree that it will comply with the requirements of the privacy rule that applies to the covered entity.
Necessary Action: All plan administrators and business associates should first determine whether they have the necessary business associate agreements in place with their service providers. Then, they should determine whether changes to such agreements are necessary to comply with the requirements listed above.
Changes for HIPAA Notice of Privacy Practices (NPPs)
The Final Rule requires a covered entity’s Notice of Privacy Practices to contain the following information:
(1) the sale and use of PHI for paid marketing requires authorization;
(2) other uses and disclosures of PHI not specifically described in the NPP will be made only with authorization;
(3) affected individuals must be notified of breaches of their PHI; and
(4) individuals can restrict disclosures to their health plan for services for which they pay out-of-pocket.
Necessary Action: Plan administrators should review and update their NPPs to conform to the additional requirements listed above.
Security Breach Notification Rules
The Health Information Technology for Economic and Clinical Health Act (“HITECH”) requires that if a health plan experiences a breach of unsecured PHI, it must notify affected individuals and the Department of Health and Human Services. Prior to the Final Rule, a “breach” was defined as an unauthorized use or disclosure that posed a “significant risk of financial, reputational, or other harm to the individual.” The Final Rule substantially modifies this definition by eliminating the “significant risk” standard and replacing it with a standard requiring a breach notification in all situations except those in which a risk assessment demonstrates there is a “low probability” that the PHI has been compromised.
To meet the “low probability” standard required to avoid the breach notification requirement, the risk assessment must include, at a minimum: (1) the nature and extent of the PHI involved; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which risk has been mitigated.
Necessary Action: Because the Department of Health and Human Services often uses breach notifications as a basis to launch investigations and penalties, plan administrators and business associates should begin conducting risk assessments that take into account all of the above factors in any security breach situation. These decisions should be carefully documented by trained employees.
Marketing and Sale Limitations on PHI
Generally, HIPAA provides that, with limited exceptions, covered entities and business associates can only use or disclose PHI if they have a valid HIPAA authorization. The Final Rule requires a valid authorization for marketing communications if the covered entity receives either direct or indirect “financial remuneration” for making the communication. “Financial remuneration” is defined as payment from or on behalf of a third party whose product or service is being described. This definition does not include in-kind benefits or payments for purposes other than making a communication.
The Final Rule also restates that the sale of PHI without an individual’s authorization is not permitted. The regulations define “sale of PHI” to include any arrangement in which the plan directly or indirectly receives remuneration for PHI. Unlike marketing, remuneration in the context of the sale of PHI includes both financial and nonfinancial benefits. This limitation on the sale of PHI does not apply to remuneration paid to business associates in connection with the business associate’s performance of activities on the plan’s behalf. Further, the limitation only applies to disclosures made outside the covered entity.
Necessary Action: Plan administrators first need to identify any situations where the covered entity receives “financial remuneration” for marketing communications or where the sale of PHI may be implicated. Then, it is necessary to evaluate whether changes in operations or agreements with service providers are necessary.
Individual’s Right to Access PHI
Two significant changes regarding an individual’s right to access his or her PHI must be complied with by the impending deadline. First, if an individual’s PHI is maintained in electronic form, the individual has a right to request the information in electronic form, and plan administrators cannot then refuse to provide the information electronically. Second, the Final Rule permits an individual to designate a third party to receive his or her PHI, and the plan must comply with such a written designation.
Necessary Action: Plans should be updated to accommodate these changes to an individual’s right to request PHI in electronic form. Because there is generally a 30-day time limit to provide the PHI from the date it is requested, plans should reach out to business associates who may hold this information and develop a strategy to quickly gain access to and provide this information.
Fraser Stryker is a leader in tax, employee benefits law, and health care law. Attorneys in the Firm’s Taxation, Employee Benefits, and Health Care & Physicians Law Practice Groups advise individuals, business entities, governments, and nonprofit/tax-exempt organizations on a wide variety of tax and employee benefits matters and transactions. Attorneys in the Firm’s Health Care & Physicians Law Practice Group advise hospitals, clinics, physicians, and other health care professionals throughout the region on all aspects of health care law and compliance. Attorneys on the Firm’s Patient Protection and Affordable Care Act & Health Care Reform Response Team advise businesses, political subdivisions and other governmental entities, health care organizations, and tax-exempt entities on all aspects of health care reform compliance. For more information on HIPAA compliance issues, please contact Jim Quinlan or Kristin Crone.
Formed in 1898, Fraser Stryker has grown to become a nationally recognized law firm that represents local, national, and multinational clients in complex business transactions and litigation matters. Fraser Stryker attorneys participate actively in a wide array of community organizations. Visit our home page for more information about us.
This article is provided by Fraser Stryker for general informational purposes and is not intended to be and should not be construed as legal advice on any specific facts or circumstances.
Circular 230 Disclosure: To ensure compliance with requirements imposed by the IRS, we inform you that any U.S. tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code, or (ii) promoting, marketing or recommending to another party any matters addressed herein.