HIPAA Changes Effective Soon
Final privacy and security regulations were published early this year and are generally effective as of September 23, 2013. The most significant changes are summarized below.
Self-funded health plans are most affected by the HIPAA privacy and security requirements. This includes self-funded medical, dental and vision plans, health flexible spending accounts, health reimbursement arrangements and many employee assistance programs. The requirements apply to all kinds of self-funded plans, including government and church plans, and generally apply regardless of the employer's size. (Most insured plans do not receive individually identifiable health information and therefore do not have many obligations under this law.)
In order to meet the new requirements, affected plans must:
- Revise and distribute the updated notice of privacy practices;
- Update business associate agreements to clarify that business associates are directly liable for meeting certain parts of the HIPAA privacy and security rules;
- Revise policies and procedures, particularly those that address impermissible disclosures of information; and
- Train workforce members on the new requirements.
The plan's Notice of Privacy Practices must be updated to include:
- A statement that genetic information (which is PHI) may not be used or disclosed for underwriting purposes;
- A statement that the individual is entitled to notice of a breach of PHI;
- A statement that the individual's authorization is required for most uses and disclosures of psychotherapy notes, uses and disclosures of PHI for marketing purposes, disclosures that constitute a sale of PHI, and other uses and disclosures not described in the Notice.
Business Associate Agreements
Under a transition rule, existing Business Associate Agreements do not need to be amended until September 22, 2014. The transition rule applies only to updating the agreements; the parties must operate as required under the updated HIPAA rules beginning in September 2013. Any new Business Associate Agreement must include the new requirements.
Breach Notification
The new HIPAA rule presumes that any impermissible use or disclosure of protected health information (PHI) is a breach requiring notification to various parties. The plan can rebut that presumption only if it completes a risk assessment and can demonstrate that there is a low probability that the PHI has been compromised; in that case notification is not required. The risk assessment and its conclusion should be documented, since the burden of proof rests with the plan.
A risk assessment would look at:
- The nature and extent of the PHI involved, including the types of identifiers disclosed and the likelihood of re-identification;
- The unauthorized person(s) who used the PHI or to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated.
If the plan cannot demonstrate that there is a low probability of compromise, notification is required. Notification to the affected individuals is always required for a breach; notification to the Department of Health and Human Services (HHS) and to the media is also required when the breach is large enough (a breach affecting 500 or more individuals triggers both, while smaller breaches are reported to HHS annually). Note that HHS considers many forms of health information sensitive, not just information about sexually transmitted diseases, mental health conditions or substance abuse. In addition, violations of the minimum necessary rules can themselves be breaches requiring notification. PHI that is encrypted in accordance with HHS guidance is treated as secured rather than unsecured PHI, so its loss or exposure generally does not trigger notification, provided the decryption key was not also exposed.
The obligation to determine whether a breach has occurred and to notify individuals remains with the plan. The plan can delegate these functions to a business associate (BA), such as a third party administrator, but delegation does not transfer the plan's ultimate responsibility.
Written notification by first-class mail is the general, default rule. However, individuals who affirmatively agree to receive notice by e-mail may be notified accordingly. In limited cases, individuals may be notified orally or by telephone.
Penalties
The updated civil monetary penalties are tiered by the level of culpability and are large:
- "Did not know" penalty - amount not less than $100 or more than $50,000 per violation when it is established the plan or BA did not know and, by exercising reasonable diligence would not have known, of a violation;
- "Reasonable cause" penalty - amount not less than $1,000 or more than $50,000 per violation when it is established the violation was due to reasonable cause and not to willful neglect;
- "Willful neglect-corrected" penalty - amount not less than $10,000 or more than $50,000 per violation when it is established the violation was due to willful neglect and was timely corrected;
- "Willful neglect-not corrected" penalty - amount not less than $50,000 for each violation when it is established the violation was due to willful neglect and was not timely corrected.
Willful neglect means a conscious, intentional failure or reckless indifference to the obligation to comply, which includes extreme carelessness. HHS gives examples such as:
- A plan disposed of several hard drives containing electronic PHI in an unsecured dumpster. An HHS investigation reveals the plan had failed to implement any policies and procedures to reasonably and appropriately safeguard PHI during the disposal process.
- An employee lost an unencrypted laptop or smart phone that contained unsecured PHI. An HHS investigation reveals the employer feared its reputation would be harmed if information about the incident became public and, therefore, decided not to provide notification as required.
The maximum total penalty for all violations of an identical provision is $1,500,000 in a calendar year; violations of different provisions are counted separately.