The Department of Health and Human Services (HHS) recently released the long-awaited “omnibus final rule” (the Final Rule) pursuant to the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Genetic Information Nondiscrimination Act of 2008 (GINA). The Final Rule becomes effective March 26, 2013. “Covered entities” under the Health Insurance Portability and Accountability Act (HIPAA), including group health plans, and their “business associates,” must generally comply with the Final Rule by Sept. 23, 2013, but will have one additional year from that date to amend existing business associate agreements.
This WorkCite article addresses the key provisions of the Final Rule that apply to employer-sponsored group health plans subject to HIPAA and outlines the critical steps employers should take in the coming months.
Definition and Liability of “Business Associate” Expanded
Prior to the Final Rule, HHS regulations defined a business associate as including a person who performs or assists in the performance of a function or activity involving the use or disclosure of protected health information (PHI) for a covered entity, such as claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; repricing; and professional and management services.
The Final Rule expands this definition to include persons who create, receive, maintain or transmit PHI in connection with performing a function or service for a covered entity, even if they do not actually view the PHI. Additionally, among the new categories in the definition of a business associate is a subcontractor who creates, receives, maintains or transmits PHI on behalf of a business associate. Thus, subcontractors of a business associate who use or disclose the covered entity’s PHI are now directly subject to HIPAA.
The Final Rule now makes business associates directly liable for noncompliance with the Security Rule and most provisions of the Privacy Rule. Prior to HITECH, business associates were contractually liable to covered entities pursuant to executed business associate agreements, but did not have direct liability under HIPAA.
Revisions Required for Business Associate Agreements
HIPAA requires that a covered entity enter into a business associate agreement in order to disclose PHI to a business associate. The Final Rule includes several new provisions that must be included in a business associate agreement to comply with HIPAA. In particular, such an agreement must require the business associate to:
- Comply with the applicable provisions of the Privacy Rule;
- Comply with the Security Rule regarding electronic PHI; and
- Report a breach of unsecured PHI to the covered entity (as discussed further below).
Additionally, a business associate must agree to enter into business associate agreements with any subcontractors who receive the covered entity’s PHI. This means that a business associate who discloses PHI to a subcontractor must now enter into a business associate agreement with the subcontractor that provides assurances that the subcontractor will appropriately safeguard the PHI and agree to the same protections and restrictions as the agreement between the covered entity and business associate.
Tightened Breach Notification Standard
The Final Rule also requires covered entities to notify individuals (and, in some cases, the media and the Secretary of HHS) following the discovery of a breach of unsecured PHI. A previous article from McGuireWoods provides an explanation of what constitutes “unsecured PHI” and the details of the notification requirements.
Under the Final Rule, an impermissible acquisition, access, use or disclosure of PHI is presumed to be a breach of unsecured PHI, unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment considering, at a minimum, each of the following four factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the PHI or to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated.
The covered entity must thoroughly document any risk assessment performed and has the burden of demonstrating that it provided all required breach notifications or, in the alternative, that the impermissible use or disclosure did not constitute a breach.
GINA prohibits employers and health insurance plans from discrimination on the basis of genetic information. To implement the requirements of GINA, the Final Rule adds “genetic information” to the definition of “health information” and prohibits the use or disclosure of genetic information for underwriting purposes. A plan may still use genetic information to determine medical appropriateness when a participant or dependent seeks a benefit under the plan.
Revisions Required for Notice of Privacy Practices
For the first time since HIPAA began requiring group health plans to issue a notice of privacy practices back in 2003, the Final Rule will require several revisions to this notice, including adding provisions indicating that:
- The health plan will notify affected participants if a breach of unsecured PHI occurs;
- The plan may not use or disclose PHI that is genetic information for underwriting purposes, consistent with GINA; and
- The plan will obtain an individual’s authorization before it uses PHI for marketing purposes, sells PHI, or uses or discloses PHI for any purpose not described in the notice.
A health plan that posts the notice of privacy practices on its website must (i) prominently post the material changes or a revised notice by Sept. 23, 2013; and (ii) provide the revised notice, or information about the material change and how to obtain the revised notice, in the health plan’s next annual mailing to individuals covered by the plan at that time, such as during open enrollment or at the beginning of the plan year.
Heightened Enforcement Environment
The Final Rule implements the penalty structure mandated by HITECH, in which the civil penalty amount increases significantly with the level of culpability, up to $1.5 million per year, and adds criminal penalties of up to 10 years of imprisonment. An earlier McGuireWoods article provides an in-depth discussion of the new enforcement provisions and tiered penalty structure.
The Final Rule makes a covered entity liable for its own HIPAA violations and also the violations of its business associates that are its agents. Additionally, as indicated above, business associates are now directly liable for HIPAA violations.
What Employers Must Do
In light of the newly effective changes to HIPAA as a result of the Final Rule, employers sponsoring group health plans must:
- Review the vendors with whom they contract for group health plan services to determine whether any vendor previously not identified as a business associate now fits within the expanded definition;
- Review and update HIPAA documents and practices to reflect the changes under HITECH, particularly business associate agreements and notices of privacy practices; and
- Review and enhance their privacy and security practices to avoid breaches of unsecured PHI.
McGuireWoods is prepared to assist with updating these HIPAA documents and to provide training sessions and/or materials for organizations to ensure compliance with HIPAA under the Final Rule.
For further information, please contact either of the authors, Elizabeth A. Diller and James P. McElligott, Jr., or any other member of the McGuireWoods employee benefits team.