Sunday, June 23, 2013


Group health plan sponsors have been focusing to a great extent on the various
significant requirements imposed by the Patient Protection and Affordable Care Act,
most notably the “play or pay” provisions, which become effective in 2014. However,
sponsors of self-insured plans (including FSAs and HRAs) also need to focus on
changes to the Health Insurance Portability and Accountability Act (HIPAA)
privacy and security rules, which become effective later this year.
Earlier this year, the Department of Health and Human Services (HHS) published
a final rule modifying HIPAA, as amended by the Health Information Technology
for Economic and Clinical Health Act (HITECH) and the Genetic Information
Nondiscrimination Act (GINA). Group health plans, as well as their business
associates, are subject to various changes and generally must comply by September
23, 2013. Accordingly, prompt action is recommended.

The rules are of less concern to fully insured plans, since in those cases plan
sponsors rarely receive protected health information (PHI) other than enrollment and
summary information. Under those circumstances, most HIPAA privacy and security
compliance responsibility rests with the insurer. However, it is of significant relevance
to self-insured health plans maintained by an employer, since the employer then
has access (either directly or through a third party administrator) to the medical
information of its employees and is responsible for complying with HIPAA’s privacy
and security rules.
This Bulletin is not intended to provide an exhaustive summary of the changes.
Rather, it is intended to highlight the most significant changes and to suggest action.

Business Associates
The final regulations change the rules for the business associates of group health
plans. Third-party administrators and other consultants or health plan service
providers that have access to PHI in performing services are now directly liable for
the civil and criminal penalties for certain violations of HIPAA. Previously, a business
associate’s compliance obligations arose only contractually, under its written agreement
with the covered entity. Therefore, business associates must establish
and maintain policies and procedures to implement required safeguards. Business
associates must enter into written agreements with group health plans and with their
own subcontractors to ensure compliance with HIPAA. Business associates will also
often have a major role in breach notification compliance for group health plans.

The final rule allows for a transition period to renegotiate and revise existing
agreements. Generally, agreements in place as of January 25, 2013 that are not
renewed or modified before September 23, 2013 are considered to be compliant
until they are renewed or modified, or September 22, 2014 if earlier. Agreements
renewed or modified before September 23, 2013 must comply by September 23,
2013. The HHS website contains a revised model business associate agreement.

GINA Compliance
The final regulations implement rules under GINA as it applies to the use and
disclosure of PHI by group health plans and business associates. PHI that is genetic
information may not be used or disclosed for underwriting purposes.

Privacy Policies and Procedures
Self-funded health plans are required to have policies and procedures in place
to protect PHI from unauthorized use and disclosure. Some of those policies and
procedures will need to be revised to reflect the new requirements.

Notice of Privacy Practices
Notices of Privacy Practices will need to be updated to include the following:
• Individuals will be notified upon a breach of their PHI.
• The use or disclosure of genetic information for underwriting purposes is
prohibited.
• Written authorization is required for disclosures for marketing purposes and for
the sale of PHI.
The notices will need to be revised and posted on the employer’s website, and copies
of its revised notice should be provided to participants and beneficiaries.

Breach Notification
The final regulations modify the factors that plans and business associates are to
take into account in conducting a “risk assessment” to determine whether a breach
requiring notice to affected individuals, HHS, and in some cases the media, has
occurred. A breach requiring notice will
be presumed to have occurred whenever PHI maintained by the plan or business
associate is acquired, accessed, used or disclosed in a manner that violates the
privacy rule. This presumption may be rebutted if the plan or business associate can
demonstrate, pursuant to factors provided under the regulations, that there is a “low
probability” that PHI has been compromised. The previous standard, which required
the violation to pose a “significant risk” of financial, reputational or other harm to the
individual, was eliminated.

The regulations include the civil and criminal penalties that apply to HIPAA violations
by group health plans and their business associates. Monetary penalties vary
according to the number of violations, the cause of such violations, and whether the
group health plan or business associate takes timely action to correct the violation.
Civil penalties can be up to $1.5 million per calendar year for all violations of an
identical provision. HHS will continue to conduct random audits and investigate complaints,
and increasingly aggressive enforcement is expected.

Action Items for Group Health Plans
The regulations require immediate action by employers sponsoring self-insured
group health plans and their business associates. Plans need to:
• Update their HIPAA Policies and Procedures, and related administrative forms,
to reflect the final rules.
• For breach notification, replace the “significant risk” standard with the “low
probability” standard in conducting a risk assessment.
• Confirm that genetic information is not used for underwriting purposes.
• Update Notices of Privacy Practices.
• Train personnel who have access to PHI.
• Review business associate agreements and incorporate the final rule’s new requirements. Keep in mind the one year transition rule described above.
Business associates will need to come into compliance with the new rules as well,
including establishing policies and procedures of their own. Business associates will
also need to enter into business associate agreements with their subcontractors. In
that connection, business associates should identify which of their subcontractors
will access, use or disclose PHI in performing their services. Business associates
should also consider whether their existing liability insurance provides coverage for
HIPAA violations and whether new or additional coverage is needed.
Please contact any member of the Health Care Group if you need assistance in
complying with the new HIPAA requirements applicable to self-insured group health
plans.
