Under the 2013 Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules provisions, employers must update their health information disclosure policies and retrain employees to ensure compliance.
The Department of Health and Human Services (HHS) issued the new HIPAA regulations on January 25, 2013, to execute major changes that were mandated by the Health Information Technology for Economic and Clinical Health Act (HITECH) as well as the Genetic Information Nondiscrimination Act (GINA).
New Requirements for Business Associates
Previously, HIPAA regulations generally covered any business associate who performed or assisted in any activity involving the use or disclosure of individually identifiable health information, such as third-party administrators, pharmacy benefit managers and benefit consultants. Under the new regulations, business associate status is triggered when a vendor “creates, receives, maintains, or transmits” personal health information (PHI).
The key addition in this part of the regulation is the word “maintains”: any entity that maintains PHI on behalf of a covered entity, even if no access to that information is required or expected, will now be considered a business associate.
This change has some important consequences for group health plans that rely on cloud storage as a repository for their PHI or that outsource information-technology support and other functions and do not have business associate agreements (BAAs) with such vendors.
If you give PHI to a vendor before a BAA is in place, you will be in violation of HIPAA, and if you are a vendor, you can’t receive PHI without a compliant BAA in place. There must be a compliant BAA in place first.
Another change is that plan sponsors must enter into a sub-BAA with agents or subcontractors who are retained to help a business associate with covered functions for an employer-sponsored health plan. Plan sponsors should include BAA language stating that a business associate can’t subcontract work without prior permission, and should then monitor compliance with those agreements.
Presumption of PHI Breach Introduced
Under the previous rules, an impermissible use or disclosure of PHI, including electronic PHI, was a breach only if it posed a significant risk of harm to the individual. The HHS included in the new rules a presumption that any impermissible use or disclosure of PHI is a breach, subject to breach-notification rules.
Under the new rules, the only way to rebut this presumption is to demonstrate that there is a low probability that the PHI was compromised.
To demonstrate low probability, the health plan or business associate must perform a risk assessment of, at a minimum, four factors:
The HHS has indicated that it expects these risk assessments to be thorough and completed in good faith and to reach reasonable conclusions. If the risk assessment does not find a low probability that PHI has been compromised, then breach notification is required.
Action Advised for 2013
While the new regulations bring certainty to employer-sponsored health plans and their business associates on HIPAA compliance issues, they also emphasize the department’s intention to subject business associates and their subcontractors to heightened scrutiny.
Employers should review and revise their BAAs to ensure compliance with the security rule, paying special attention to the inclusion of subcontractors. Employers should also review and revise (or create) breach-notification procedures that detail how a risk assessment will be conducted. It is also important to train employees who have access to PHI on these updated policies and procedures.
The final regulations take effect September 23, 2013, and the HHS has provided another one-year transition period for some covered entities and their business associates that had a BAA in place on January 1, 2013. HHS also published an updated version of a template BAA, but it does not address all the unique situations that may arise between a covered entity and a business associate. Employers should ultimately ensure that their business associate agreements are appropriately tailored to their individual circumstances and business needs.