Under the 2013 revisions to the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules, employers must update their health information disclosure policies and retrain their employees to ensure compliance, said Timothy Stanton, an attorney in Ogletree Deakins’ Chicago office, and Timothy Verrall, an attorney in the firm’s Houston office, speaking to attendees at the firm’s 2013 Workplace Strategies seminar on May 9.
The Department of Health and Human Services (HHS) issued the new regulations on Jan. 25, 2013, to implement major changes mandated by the Health Information Technology for Economic and Clinical Health Act (HITECH), as well as the Genetic Information Nondiscrimination Act (GINA).
New Requirements for Business Associates
Previously, HIPAA regulations generally covered any business associate who performed or assisted in any activity involving the use or disclosure of individually identifiable health information, such as third-party administrators, pharmacy benefit managers and benefit consultants. Under the new regulations, business associate status is triggered when a vendor “creates, receives, maintains or transmits” personal health information (PHI).
“The key addition in this part of the regulation is to be found in the word ‘maintains,’ because any entity that ‘maintains’ PHI on behalf of a covered entity—even if no access to that information is required or expected—will be a business associate,” Stanton and Verrall said.
“This change has some important consequences for group health plans that rely on cloud storage as a repository for their PHI or that outsource information-technology support and other functions” and do not have business associate agreements (BAAs) with such vendors, they noted.
“If you give PHI to a vendor before a BAA is in place, you’re in violation of HIPAA, and if you’re a vendor, you can’t receive PHI without a compliant BAA in place,” they cautioned. There must be a compliant BAA in place first, they emphasized.
Another change Stanton and Verrall noted was that plan sponsors must enter into a sub-BAA with agents or subcontractors who are retained to help a business associate with covered functions for an employer-sponsored health plan. They advised plan sponsors to include BAA language that states that a business associate can’t subcontract work without prior permission, and then to monitor compliance with those agreements.
Presumption of PHI Breach Introduced
Under the previous rules, an impermissible use or disclosure of PHI—including electronic PHI—was a breach only if it posed a significant risk of harm to the individual. The HHS included in the new rules a presumption that any impermissible use or disclosure of PHI is a breach, subject to breach-notification rules.
“This is a big change,” Stanton and Verrall said. “The only way to get out of this presumption is by a demonstration that there is a low probability that the PHI was compromised.”
To demonstrate low probability, the health plan or business associate must perform a risk assessment of four factors—at a minimum:
* The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
* The unauthorized person who used the PHI or to whom the disclosure was made.
* Whether the PHI was actually acquired or viewed.
* The extent to which the risk to PHI has been mitigated.
The HHS has indicated that it expects these risk assessments to be thorough and completed in good faith and to reach reasonable conclusions. If the risk assessment does not find a low probability that PHI has been compromised, then breach notification is required.
Action Advised for 2013
While the new regulations bring certainty to employer-sponsored health plans and their business associates on HIPAA compliance issues, they also emphasize the department’s intention to subject business associates and their subcontractors to heightened scrutiny, Stanton and Verrall said.
Accordingly, employers should review and revise their BAAs to ensure compliance with the security rule, paying special attention to the inclusion of subcontractors, they advised. In addition, employers should review and revise (or create) breach-notification procedures that detail how a risk assessment will be conducted.
At the same time, it is equally important to train employees who have access to PHI on these updated policies and procedures, the attorneys said.
The final regulations take effect Sept. 23, 2013; the HHS has provided another one-year transition period for some covered entities and their business associates that had a BAA in place on Jan. 1, 2013. The department also published an updated version of a template BAA, but it does not address all the unique situations that may arise between a covered entity and a business associate. Consequently, employers should ensure that their business agreements are appropriately tailored to their individual circumstances and business needs, Stanton and Verrall cautioned.